Status: Closed (twagoo closed this issue 6 years ago)
Example of security.json content for the metadata hackathon instance of the VLO:
```json
{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "<password hash>"},
    "": {"v": 0}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"index": 1, "name": "update", "role": "admin"},
      {"index": 2, "name": "config-edit", "role": "admin"},
      {"index": 3, "name": "security-read", "role": "admin"},
      {"index": 4, "name": "security-edit", "role": "admin"},
      {"index": 5, "name": "schema-read", "role": "admin"},
      {"index": 6, "name": "schema-edit", "role": "admin"},
      {"index": 7, "name": "core-admin-read", "role": "admin"},
      {"index": 8, "name": "core-admin-edit", "role": "admin"},
      {"index": 9, "name": "collection-admin-read", "role": "admin"},
      {"index": 10, "name": "collection-admin-edit", "role": "admin"}
    ],
    "user-role": {"solr": "admin"}
  }
}
```
A complete solution should also define a user and group for the importer and assign update permissions.
(Thus protected Solr instance currently running at http://hackathon.cmdi.clarin.eu/solr/)
Here's another good reason for closing down Solr as much as possible: "Apache SOLR: the new target for cryptominers"
I suppose even less benign things can be done by exploiting the possibility of retrieving and executing arbitrary scripts...
Adaptations for Docker: fd0df1acb27a55085699591981ccb4dfa24d2115...18de291b69605537220c6f27b7dae33d5c32c7e2
Now merged into development, closing.
Adaptations in docker image: gitlab/503ccd3
Adaptations in docker compose setup: gitlab/6e3dda
Use the authentication and rule-based authorisation plugins to (optionally for non-dev?) limit the kinds of operations various clients are permitted to carry out. Most importantly, the VLO web app should only need read access to the VLO index. Should there exist a way of indirectly carrying out a harmful operation via a query or otherwise, this should implement an additional line of defence. The importer would need write/commit rights, but no admin permissions (which allow for triggering various scary operations).
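Added example, not code from the VLO project or from anyone in this thread: a small Python check that works out which permissions each Basic Auth user actually ends up with under a security.json and compares that against the split the issue asks for (web app read-only, importer update/commit but no admin rights, unknown callers blocked). It embeds two constructed configurations, the hackathon one quoted above and a proposed one with separate reader and importer users. The user names `vlo-web` and `vlo-importer`, the role names `reader` and `importer`, the `POLICY` table and the placeholder credential strings are assumptions for illustration; the role-matching rules follow the documented RuleBasedAuthorizationPlugin behaviour (a rule with no role applies to everyone, `"*"` to any authenticated user, and a request that matches no rule at all is allowed).

```python
import json

# Permission names that grant administrative capabilities beyond plain update/commit.
ADMIN_PERMS = {"all", "config-edit", "security-read", "security-edit", "schema-edit",
               "core-admin-edit", "collection-admin-edit"}

# What each non-admin client should be able to do (assumed names for the two VLO
# clients; "read" covers search/get requests, "update" covers indexing and commits).
POLICY = {"vlo-web": {"read"}, "vlo-importer": {"read", "update"}}

# Constructed sample 1: the hackathon configuration quoted in the thread, with one
# all-powerful user and anonymous requests still served where no rule matches.
CURRENT = {
    "authentication": {
        "blockUnknown": False,
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solr": "<password hash>"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": name, "role": "admin"}
            for name in ("update", "config-edit", "security-read", "security-edit",
                         "schema-read", "schema-edit", "core-admin-read", "core-admin-edit",
                         "collection-admin-read", "collection-admin-edit")
        ],
        "user-role": {"solr": "admin"},
    },
}

# Constructed sample 2: the split the issue asks for. Solr applies the first
# permission rule that matches a request, so the catch-all "all" must come last.
PROPOSED = {
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {  # placeholders; real values are "<hash> <salt>" as set via the API
            "solr": "<sha256 hash> <salt>",
            "vlo-web": "<sha256 hash> <salt>",
            "vlo-importer": "<sha256 hash> <salt>",
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "read", "role": ["reader", "importer", "admin"]},
            {"name": "update", "role": ["importer", "admin"]},
            {"name": "all", "role": "admin"},
        ],
        "user-role": {"solr": "admin", "vlo-web": "reader", "vlo-importer": "importer"},
    },
}


def _as_list(value):
    """Solr accepts a single role name or a list of names; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def effective_permissions(config, user):
    """Return the names of the permission rules `user` satisfies under `config`."""
    authz = config["authorization"]
    roles = set(_as_list(authz.get("user-role", {}).get(user)))
    authenticated = user in config["authentication"].get("credentials", {})
    granted = set()
    for rule in authz.get("permissions", []):
        rule_roles = _as_list(rule.get("role"))
        if (rule.get("role") is None                      # no role: open to everyone
                or ("*" in rule_roles and authenticated)  # any logged-in user
                or roles & set(rule_roles)):              # user holds a listed role
            granted.add(rule["name"])
    return granted


def audit(config, expected=POLICY):
    """Return a list of policy findings; empty when `config` matches `expected`."""
    findings = []
    if config["authentication"].get("blockUnknown") is not True:
        findings.append("blockUnknown is not true: unauthenticated requests are served "
                        "whenever no permission rule matches them")
    defined = {rule["name"] for rule in config["authorization"].get("permissions", [])}
    for name in sorted(set().union(*expected.values()) - defined):
        findings.append(f"no rule defines '{name}': such requests match no permission "
                        "and are therefore allowed for every caller")
    credentials = config["authentication"].get("credentials", {})
    for user, wanted in expected.items():
        if user not in credentials:
            findings.append(f"{user}: no credentials defined, so it cannot get its own role")
            continue
        have = effective_permissions(config, user)
        if have - wanted:
            findings.append(f"{user}: unexpected permissions {sorted(have - wanted)}")
        if wanted - have:
            findings.append(f"{user}: missing permissions {sorted(wanted - have)}")
        if have & ADMIN_PERMS:
            findings.append(f"{user}: holds admin permissions {sorted(have & ADMIN_PERMS)}")
    return findings


def audit_file(path, expected=POLICY):
    """Audit a security.json on disk, e.g. the one deployed with the Docker image."""
    with open(path) as fh:
        return audit(json.load(fh), expected)


if __name__ == "__main__":
    for label, cfg in (("hackathon", CURRENT), ("proposed", PROPOSED)):
        print(label, audit(cfg) or "OK")
```

Run as a script it reports four findings for the hackathon configuration (unknown callers not blocked, no rule covering reads, and no credentials for either client) and "OK" for the proposed one; `audit_file` applies the same check to the security.json actually deployed. The rule order in `PROPOSED` matters: putting `"all"` first would make every request match it and lock out the reader and importer roles.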