Apache Solr Access Control
Current state of affairs
- SSL support was added in version 4.2 (SolrCloud v4.7).
- Protection of ZooKeeper content through ACLs was added in version 5.0.
- Authentication and Authorization plugin support was added in 5.2 (SolrCloud only).
- Basic Auth & Kerberos plugins and the Rule-based Authorization plugin were added in 5.3.
There are (as of 5.3) no role-based restrictions on the Admin UI, so be aware that anyone with access to the Admin UI will be able to do anything with your system.
Need for firewall
Even if you add SSL or Authentication plugins, it is still strongly recommended that the application server containing Solr be firewalled such that the only clients with access to Solr are your own. A default/example installation of Solr allows any client with access to it to add, update, and delete documents (and of course search/read too), including access to the Solr configuration and schema files and the administrative user interface.
If there is a need to provide query access to a Solr server from the open internet, it is highly recommended to use a proxy, such as one of these.
Cross-Site Scripting (XSS)
Solr has no known cross-site scripting vulnerabilities.
Quick XSS tip:
Problem: What if you want the browser to highlight text, but you also want to protect yourself from XSS and escape the HTML output?
Solution: Escape the HTML output and then reapply only the em tags. The rest of the snippet is then safe, and the browser will still recognize the highlighted text.
For example, with groovy/grails you could have the following in your controller (the replacements turn the escaped &lt;em&gt; / &lt;/em&gt; back into real tags; everything else stays escaped):
snippet = snippet.encodeAsHTML()
snippet = snippet.replaceAll('&lt;em&gt;', '<em>')
snippet = snippet.replaceAll('&lt;/em&gt;', '</em>')
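The same escape-then-restore technique as a stand-alone function, written here as an added example (not code from the Solr wiki or from the grails snippet above); it assumes Solr's default highlight markers (hl.simple.pre / hl.simple.post) of <em> and </em>, and generalizes to any marker pair:

```javascript
// Added example, not from the Solr wiki: escape a Solr highlighting snippet
// for HTML output, then re-enable only the highlight markers.
// Assumes the default hl.simple.pre / hl.simple.post markers (<em> / </em>).

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML-significant character in untrusted text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Escape the whole snippet, then put back exactly the pre/post markers that
// Solr wrapped around matched terms. Anything else in the indexed text (a
// <script> element, or an <em onclick=...> variant) stays escaped, because
// only the literal escaped marker text is restored.
function safeHighlightSnippet(snippet, pre = '<em>', post = '</em>') {
  const escaped = escapeHtml(snippet);
  return escaped
    .split(escapeHtml(pre)).join(pre)
    .split(escapeHtml(post)).join(post);
}

// Constructed sample: a highlighted snippet whose document text itself
// contains markup that the highlighter passed through unchanged.
const SAMPLE = 'Solr <em>security</em> <script>alert(1)</script> <em onclick="x()">bad</em>';
const SAFE = safeHighlightSnippet(SAMPLE);
```

A stray closing marker from the document text can survive (a bare `</em>` is harmless); configuring a distinctive hl.simple.pre/hl.simple.post value removes even that ambiguity.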
Cross-Site Request Forgery (CSRF)
Even if a Solr instance is protected by good firewalls so that "bad guys" have no direct access, that instance may be at risk to potential "Cross-Site Request Forgery" based attacks if the following are all true:
- Some number of "good guys" have direct access to that Solr instance from their web browsers.
- A "bad guy" knows/guesses the host:port/path of the Solr instance (even though they cannot access it directly).
- The bad guy can trick one of the good guys into clicking a maliciously crafted URL, or loading a web page that contains malicious JavaScript.
This is because Solr's most basic behavior is to receive updates and deletes via HTTP. If you have a firewall or other security measure restricting Solr's /update handler so it only accepts connections from approved hosts/clients, and you are one of those approved clients, then you could inadvertently be tricked into loading a web page that initiates an HTTP connection to Solr on your behalf.
It's important to keep this in mind when thinking about what it means to "secure" an instance of Solr (if you have not already).
A basic technique that can be used to mitigate the risk of a possible CSRF attack like this is to configure your Servlet Container so that access to paths which can modify the index (i.e. /update, /update/csv, etc.) is restricted either to specific client IPs, or using HTTP Authentication.
Document Level Security
Manifold CF (Connector Framework)
One way to add document level security to your search is through Apache ManifoldCF. ManifoldCF "defines a security model for target repositories that permits them to enforce source-repository security policies".
It works by adding security tokens from the source repositories as metadata on the indexed documents. Then, at query time, a Search Component adds a filter to all queries, matching only documents the logged-in user is allowed to see. ManifoldCF supports Active Directory (AD) security out of the box.
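What such a query-time filter looks like, as an added example (not ManifoldCF's own code): given the tokens resolved for the logged-in user, build the filter query (fq) that a Search Component would append to every request. The field names allow_token / deny_token and the token format are assumptions made for this example.

```javascript
// Added example, not ManifoldCF's own code: build the per-user filter query
// that restricts results to documents carrying one of the user's tokens.
// Field names (allow_token, deny_token) are assumptions for this example.

// Escape Solr query-syntax characters so a token is matched literally.
function escapeSolrTerm(value) {
  return String(value).replace(/([+\-&|!(){}\[\]^"~*?:\\\/ ])/g, '\\$1');
}

// tokens: the access tokens the connector assigned to the user (for example
// Active Directory group SIDs). A user with no tokens gets a filter that
// matches nothing; an empty fq would silently match everything.
function buildSecurityFilter(tokens, allowField = 'allow_token', denyField = 'deny_token') {
  const terms = [...new Set(tokens)]
    .filter((t) => typeof t === 'string' && t.length > 0)
    .map(escapeSolrTerm);
  if (terms.length === 0) {
    return '-*:*'; // pure negative query: deny everything
  }
  const list = terms.join(' OR ');
  // Allowed by at least one token, and not explicitly denied for any of them.
  return `${allowField}:(${list}) AND NOT ${denyField}:(${list})`;
}

// Constructed sample: a user whose tokens came back with a duplicate entry.
const SAMPLE_TOKENS = ['S-1-5-21-1', 'S-1-5-21-1', 'staff'];
const SAMPLE_FQ = buildSecurityFilter(SAMPLE_TOKENS);
```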
Write Your Own RequestHandler or SearchComponent
*Stub - this is incomplete*
If ManifoldCF does not solve your need, first consider writing a ManifoldCF plugin. Or roll your own.
If you need permission based authentication -- where user A can update document 1 and 2, but not 3 -- you will need to augment the request with user information. Either you can add parameters to the query string (?u=XXX&p=YYY) or use a custom dispatcher filter that augments the context:
import javax.servlet.http.HttpServletRequest;
import org.apache.solr.handler.RequestHandlerBase;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.request.SolrRequestHandler;
import org.apache.solr.response.SolrQueryResponse;
import org.apache.solr.servlet.SolrDispatchFilter;

public class CustomDispatchFilter extends SolrDispatchFilter
{
  @Override
  protected void execute( HttpServletRequest req, SolrRequestHandler handler, SolrQueryRequest sreq, SolrQueryResponse rsp )
  {
    // perhaps the whole request
    sreq.getContext().put( "HttpServletRequest", req );
    // or maybe just the user
    sreq.getContext().put( "user", req.getRemoteUser() );
    sreq.getCore().execute( handler, sreq, rsp );
  }
}

// second class (its own source file): a handler that reads what the filter stored
public class AuthenticatingHandler extends RequestHandlerBase
{
  @Override
  public void handleRequestBody( SolrQueryRequest req, SolrQueryResponse rsp ) throws Exception
  {
    HttpServletRequest httpreq = (HttpServletRequest) req.getContext().get( "HttpServletRequest" );
    // null when the dispatch filter above is not installed: treat as not in the role
    if( httpreq != null && httpreq.isUserInRole( "editor" ) ) {
      ...
    }
    String user = (String) req.getContext().get( "user" );
    ...
  }
  ...
}
Streaming Consideration
If streaming is enabled, you need to make sure Solr is as secure as it needs to be. When streaming is enabled, the "stream.url" parameter makes Solr connect to a remote site and download the content, and "stream.file" makes it read a file on disk.
Streaming is disabled by default and is configured in solrconfig.xml:
<requestParsers enableRemoteStreaming="false" ... />
To add access control for Solr on Tomcat 6, proceed as follows:
Edit tomcat6/Catalina/localhost/solr.xml:
<Context docBase="/var/solr/solr.war" debug="" privileged="true" allowLinking="true" crossContext="true">
  <Environment name="solr/home" type="java.lang.String" value="/var/solr" override="true"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.100,localhost,192.168.1.103,127.0.0.1"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="192.168.1.105"/>
</Context>
See the Tomcat configuration documentation: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter
For the configuration above to take effect, Tomcat's security mechanism also has to be re-enabled:
Edit the file: sudo vi /etc/default/tomcat6
Comment out the last line, TOMCAT6_SECURITY=no
References:
http://www.cnblogs.com/ibook360/archive/2011/11/07/2239247.html
http://wiki.apache.org/solr/SolrSecurity