How to enable read-only access to Opensolr Index?

Hi,

We are a current customer with a dedicated instance.

We currently utilise HTTP auth for security.
One of our customers has asked if they can have read-only access to a particular index.
It seems like this might be supported in the following way.

1. Add IP restrictions set to "/" for our IP address
2. Add our customer's IP address and set the restriction to "/search"

Will that work?
If so, are there any concerns we should be aware of?
If no, are there any other options for giving read-only access?
asked May 9 in Other topics by Ezra Wolfe

1 Answer

Best answer

Hey there

In order to better understand the way the IP restrictions work, you need to get familiar with the Solr RequestHandlers:

https://cwiki.apache.org/confluence/display/solr/RequestHandlers+and+SearchComponents+in+SolrConfig

By default, most applications will use the /update request handler to write into the index, and /select to read from the index (I’m assuming your own as well, as long as you haven’t defined any other custom request handlers in your solrconfig.xml file).

Now, long story short, since you can define your own RequestHandlers inside your solrconfig.xml file as you saw in the documentation above, in order to apply read-only access to a certain index, all you have to do is:

- Remove any wildcard access “all” from “/”, which implicitly overrides everything and grants full access to any IP on ALL request handlers.

- Add client’s specific IP address access to /select, /search, /admin/ping or any other handlers that the client’s application may be using.

That way, you have NO IPs reaching /update (to write data), and you only have granted access to certain IPs to /select or otherwise to read from the index.

However, I will stress that it sometimes may not be enough for an application to have access to /select or /search alone (unless of course it’s a custom application where the developers know exactly those are the only endpoints being used).

However, I’ll give you the example of Drupal.

If you want to make a Drupal website read-only from a SOLR index, you’d also have to provide access to /admin/ping (because Drupal uses that to determine if the Solr server is UP or DOWN).

But, again, for a custom application (aka: if you know what you’re doing), your approach is very much OK:

- Simply remove all existing rules
- Add specific IP rules to the READ request handlers that you have created (AND/OR, of course, the built-in Solr read handler, which is /select).

Hope this helps.

answered May 9 by Cip
selected May 24 by admin
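
A small audit of a rule list like the one discussed above, added here as an example (it is not Opensolr's code and not part of the answer). It assumes a rule is a (source, handler path) pair where the source is "all", an IP or a CIDR range and a path covers itself and anything below it; the function names and IP addresses are constructed for illustration.

```python
import ipaddress

# Handlers the answer above treats as read paths; everything else counts as write/admin.
READ_HANDLERS = {"/select", "/search", "/admin/ping"}

def path_covers(rule_path, handler):
    # Assumed semantics: "/" covers every handler; otherwise the rule path
    # covers itself and anything below it.
    return (rule_path == "/" or handler == rule_path
            or handler.startswith(rule_path.rstrip("/") + "/"))

def source_covers(source, client_ip):
    # "all" is the wildcard; otherwise a single IP or a CIDR range.
    if source == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(source, strict=False)

def allowed(rules, client_ip, handler):
    """True if any (source, path) rule admits client_ip to handler."""
    return any(source_covers(s, client_ip) and path_covers(p, handler) for s, p in rules)

def audit(rules, handlers, trusted_writers=()):
    """List (source, rule_path, handler) where a non-trusted source reaches a non-read handler."""
    return [(s, p, h) for s, p in rules if s not in trusted_writers
            for h in handlers if h not in READ_HANDLERS and path_covers(p, h)]

# Constructed sample data (documentation address ranges, not real hosts).
OWNER, CUSTOMER = "198.51.100.10", "203.0.113.25"
HANDLERS = ["/select", "/search", "/admin/ping", "/update"]
WILDCARD = [("all", "/")]
READ_ONLY = [(OWNER, "/")] + [(CUSTOMER, h) for h in sorted(READ_HANDLERS)]

if __name__ == "__main__":
    for name, rules in (("wildcard", WILDCARD), ("read-only", READ_ONLY)):
        print(name, "findings:", audit(rules, HANDLERS, trusted_writers={OWNER}))
        for h in HANDLERS:
            verdict = "allow" if allowed(rules, CUSTOMER, h) else "deny"
            print(f"  customer -> {h}: {verdict}")
```

Any custom handlers defined in solrconfig.xml would need to be added to `HANDLERS` (and to `READ_HANDLERS` if they only read) before the audit result means anything for a given index.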