Security options for Standalone Solr without zookeeper

Question

I am using Solr 6.2.1.2 as standalone search with my Sitecore 8, what options I have to secure my search without using Zookepper. Not much documentation available specially for Standalone Solr security.

Thanks in advance.

Answer 1

Nirav Desai in case that you want just to make a few tests on Solr with authentication turned on, without depending on Zookeeper, then you have to wait for the next stable release of Solr 6.5 or 7.0 (current version of Solr is 6.4.1).

In the next release of Solr supports a standalone version of BasicAuthPlugin.

Once you have the latest version of Solr, you just need to create a security.json file in ${solr.home}/server/solr directory and restart the Solr server.

Afterwards call http://localhost:8983/solr/admin/authentication and you should see that the authentication was enabled.

Development details on the standalone support for BasicAuthPlugin can be found here:

https://issues.apache.org/jira/browse/SOLR-9481

Documentation details for the BasicAuthPlugin can be found here:

https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin

Answer 2

Even though, Solr is nowadays delivered with its own Jetty, it is still just a web application for a container application. Thus, it relies completely on its surroundings for things like authentication or authorization. The shiny new Solrcloud mode works with Zookeper, that's why so many solutions exist that use Zookeepers security features. It's just already there.

When you run Solr as stand-alone server without the cloud features, you will have to configure the underlying Jetty server accordingly or use some other software for security. I would recommend using nginx here.

1. Block external traffic to the Solr port via iptables
2. Configure nginx to forward a certain URL to your Solr
3. Configure nginx to allow certain sub-URLs only for certain servers