Jetty/Solr password cheatsheet
Either Google is failing me or the docs for configuring Solr and Jetty could be improved. If you need to lock down Solr on a deadline, the process looks like this - and the process is applicable to any other Jetty-based embedded webserver:
- Change into your Solr directory
- Generate a password hash for the user(s) you intend to use:
    chris@server:~/project/solr [git master] $ java -cp lib/jetty-6.1.3.jar:lib/jetty-util-6.1.3.jar org.mortbay.jetty.security.Password ACCOUNT SECRET PASSWORD
    OBF:… OBF HASH …
    MD5:… MD5 HASH …
    CRYPT:… CRYPT HASH …
- Create etc/realm.properties with something like this using the OBF value from above:
admin: OBF HASH, solr-admin
- Add the following into etc/jetty.xml inside the UserRealms set (search for <Set name="UserRealms">, which probably has a commented-out example similar to the config below):
    <Array type="org.mortbay.jetty.security.UserRealm">
      <Item>
        <New class="org.mortbay.jetty.security.HashUserRealm">
          <Set name="name">Solr Administration</Set>
          <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
        </New>
      </Item>
    </Array>
- In etc/webdefault.xml add this inside the <web-app> block:
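    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Solr Administration</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>solr-admin</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Solr Administration</realm-name>
    </login-config>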
At this point you should be able to start Solr and verify that the admin interface requires a password. Depending on your site configuration you might want to have a separate password used to make any sort of queries, access /update, etc. This can be done by modifying the url-pattern above. Note that the role-name can be used multiple times, so you could easily create a policy like “solr-user may access /, solr-updater may access both / and /update and solr-admin may access everything”.
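
The tiered policy described above, written out as etc/webdefault.xml constraints. This is an added example, not configuration from the original post: the role names come from the text, while the `/*` and `/update/*` patterns and the account names in the comment are assumptions. The servlet spec applies only the constraint whose url-pattern is the best match for a request, so every role that should reach a narrower path has to be listed again on that path.

```xml
<!-- Added example (not from the original post): tiered Solr access in etc/webdefault.xml. -->
<!-- The /* and /update/* patterns are assumptions; match them to the handlers you expose. -->
<!-- Matching etc/realm.properties, with hypothetical account names and placeholder values:
       reader:  OBF HASH, solr-user
       indexer: OBF HASH, solr-updater
       admin:   OBF HASH, solr-admin -->

<!-- Queries and anything no narrower pattern claims -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr Query</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>solr-user</role-name>
    <role-name>solr-updater</role-name>
    <role-name>solr-admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Index updates: an account holding only solr-user is refused here -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr Update</web-resource-name>
    <url-pattern>/update/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>solr-updater</role-name>
    <role-name>solr-admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Admin interface: solr-admin only -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr Administration</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>solr-admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- One login-config per web-app; the realm-name must equal the HashUserRealm name in jetty.xml -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Solr Administration</realm-name>
</login-config>
```

These constraints take the place of the single /admin/* constraint from the earlier step; keep only one login-config block in the file.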