Configuring Solr Server for Limited Anonymous Access

By default, Solr has no authentication or authorization configured, which is convenient for development but dangerous for deployment. Once a Solr cluster has been configured to limit access via authentication and authorization, credentials are required for any access to the system.

However, it is possible to restrict access to most features of a Solr cluster while leaving specific endpoints available for anonymous use.

Allowing Anonymous Access to Solr

First, you need to allow anonymous access to Solr by disabling the blockUnknown configuration parameter using the Authentication API. Simply set blockUnknown to false using the authentication endpoint on the instance:

echo '{"set-property": {"blockUnknown":false}}' | http 'https://solr.aaronwalker.dev:8983/solr/admin/authentication'

Once this is disabled, anonymous users can make requests to the Solr instance.

Granting Anonymous Users Access to Specific Endpoints

Explicit access must be granted to endpoints before anonymous users can use those endpoints as the existing Authorization configuration will likely block them.

For example, setting the following permission configuration using the Authorization API will grant anonymous users access to the “select” endpoint by specifying the special “null” role.

{
  "set-permission": {
    "name": "anonymous_select",
    "path": "/select/*",
    "role": null
  }
}

echo '{"set-permission": {"name": "anonymous_select","path": "/select/*","role": null}}' | http 'https://solr.aaronwalker.dev:8983/solr/admin/authorization'

Restoring Security Configuration

These changes can be rolled back by deleting the added permission (permissions are deleted by their index in the permissions list; "5" is used as an example below) and re-enabling blockUnknown so that anonymous requests are blocked again:

echo '{"set-property": {"blockUnknown":true}}' | http 'https://solr.aaronwalker.dev:8983/solr/admin/authentication'

echo '{"delete-permission": 5 }' | http 'https://solr.aaronwalker.dev:8983/solr/admin/authorization'
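The index passed to delete-permission depends on the order of entries in security.json, so it is worth checking before rolling back. The following script is an added example, not code from the post or from the Solr project: it reads a constructed security.json (the credential hash and the solr.example.invalid host are placeholders), reports which permissions the null role can reach and whether blockUnknown is off, and builds the rollback payloads, deleting from the highest index down so earlier deletions do not shift later indices.

```python
import json

# Constructed sample security.json, modelled on the configuration the post
# produces: blockUnknown disabled and one permission carrying the null role.
# The credential hash is a placeholder, not a real value.
SAMPLE_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": false,
    "credentials": {"solr": "<credential-hash-placeholder>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-edit", "role": "admin"},
      {"name": "all", "role": "admin"},
      {"name": "anonymous_select", "path": "/select/*", "role": null}
    ],
    "user-role": {"solr": "admin"}
  }
}
"""


def anonymous_permissions(security_json):
    """Return (index, permission) pairs for every permission whose role is null.

    The index is 1-based because that is how delete-permission addresses
    entries in the permissions list.
    """
    security = json.loads(security_json)
    perms = security.get("authorization", {}).get("permissions", [])
    return [(i, p) for i, p in enumerate(perms, start=1) if p.get("role") is None]


def audit(security_json, allowed_paths=("/select/*",)):
    """List findings a reviewer of this configuration should look at.

    Anything reachable by the null role outside allowed_paths is reported, as
    is blockUnknown=false, which is what lets anonymous requests in at all.
    """
    security = json.loads(security_json)
    findings = []
    # Assumed: when the key is absent Solr treats blockUnknown as true.
    if security.get("authentication", {}).get("blockUnknown", True) is False:
        findings.append("blockUnknown=false: unauthenticated requests reach the authorization layer")
    for idx, perm in anonymous_permissions(security_json):
        path = perm.get("path")
        if path not in allowed_paths:
            target = path if path else "a predefined permission with no explicit path"
            findings.append(f"permission #{idx} '{perm.get('name')}' is open to anonymous users on {target}")
    return findings


def rollback_payloads(security_json):
    """Build the (endpoint, JSON body) pairs that undo the anonymous access.

    Permissions are deleted from the highest index down so that removing one
    does not shift the index of the next one to delete.
    """
    payloads = []
    for idx, _ in sorted(anonymous_permissions(security_json), key=lambda t: t[0], reverse=True):
        payloads.append(("/solr/admin/authorization", json.dumps({"delete-permission": idx})))
    payloads.append(("/solr/admin/authentication", json.dumps({"set-property": {"blockUnknown": True}})))
    return payloads


if __name__ == "__main__":
    # solr.example.invalid is a placeholder host, not a real instance.
    for finding in audit(SAMPLE_SECURITY_JSON):
        print("finding:", finding)
    for endpoint, body in rollback_payloads(SAMPLE_SECURITY_JSON):
        print(f"echo '{body}' | http 'https://solr.example.invalid:8983{endpoint}'")
```

Run it against a copy of the live security.json (fetched from /solr/admin/authorization and /solr/admin/authentication, or from ZooKeeper) rather than a hand-edited one, so the index it prints is the one the server will act on.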
