Lucidworks Search uses a number of security measures:
  • Authenticating UI users – Lucidworks Search authenticates users when they log in. Logging in creates a new Lucidworks Search session. Lucidworks Search also authenticates users when the Sessions REST API creates a session.
  • Authorizing UI users – Lucidworks Search authorizes users to use specific parts of the Lucidworks Search UI.
    UI users must also be authorized to make API requests, because the UI makes API requests.
  • Authenticating and authorizing users who make API requests
  • Password encryption – Lucidworks Search uses 128-bit AES keys to encrypt passwords and “AES/CBC/PKCS7Padding” for the cipher. The ciphertext is also signed.
  • Using session cookies
  • Using an external authentication provider (optional) – A security realm can specify use of an external authentication provider, such as LDAP, JWT, or SAML.
  • Constraining the documents that are indexed (optional)
  • Trimming the documents that are returned by queries based on authorization (optional)

Lucidworks Search user login

When logging in to the Lucidworks Search UI, a user provides a username and password, as well as their assigned security realm. An administrator must specify these in Lucidworks Search (using the native security realm) or configure Lucidworks Search to use an external authentication provider (for example, LDAP or SAML). See Access control.

Lucidworks Search uses roles defined by permissions to authorize Lucidworks Search UI access and to perform tasks in Lucidworks Search, including searching. The recommended method to delegate permissions is as follows:
  • Assign each user to a role and create custom roles as needed.
  • Assign permissions on a per-app basis.

Manage users with security realms

Lucidworks Search uses security realms to authenticate users of the Lucidworks Search UI. Each user has an assigned security realm, which the user must select when logging in. If the user selects a different realm, authentication fails. A security realm also provides a list of roles as follows:
  • The list always includes the role(s) that are specified in the security realm.
  • (Optional) If an external directory service (such as LDAP) is used for authentication, the list can also contain roles that are mapped from the names of the directory-service groups. That is, you can configure a security realm to return group information for users from that same directory service.
  • (Optional) The security realm can reference one or more Lucidworks Search roles or, when using an external directory service provider, use group membership information from the provider to determine roles for users. Lucidworks Search maps the group names to role names and adds these roles to the user’s list of roles.
Lucidworks Search does not use permissions from LDAP to authorize UI access or API requests. It only obtains group names (optionally), which are used as role names or are mapped to role names. If an Active Directory Security Query Trimming Stage is used, then directory-service permissions are used for trimming. If a connector supports security trimming, then connector permissions are used for trimming.

Per-Request Authentication

Requests to the Lucidworks Search REST API must specify a security realm for per-request authentication, unless a session cookie is used (which contains information about the security realm).

Lucidworks Search authorizes requested operations based on API permissions specified for the user and for the user’s role(s). It considers the role(s) specified in the user definition and in the security realm. Lucidworks Search creates the list of roles when a session is created, that is, when a user logs in or when the Sessions REST API creates a session. Authorization based on permissions, including how those permissions are layered, is evaluated at request time.

You can define multiple security realms for a Lucidworks Search instance, which allows users from different domains to have (different levels of) access to specific Lucidworks Search collections.
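A simplified model of the behaviour described above, added here as an illustration and not Lucidworks code: the role list is fixed when the session is created, while permissions are evaluated on each request. The `Realm`, `User`, `create_session` and `authorize` names, the realm and group names, and the (method, path-prefix) permission shape are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:
    name: str
    roles: set                                          # roles named in the realm: always granted
    group_to_role: dict = field(default_factory=dict)   # directory group name -> role name

@dataclass
class User:
    name: str
    realm: str
    roles: set = field(default_factory=set)
    permissions: set = field(default_factory=set)       # hypothetical (method, path-prefix) pairs

def create_session(user, realm_name, realms, directory_groups=()):
    """Build the role list once, at login or session creation."""
    if realm_name != user.realm:
        raise PermissionError("wrong security realm: authentication fails")
    realm = realms[realm_name]
    roles = set(realm.roles) | set(user.roles)
    # Only group *names* come from the directory, never its permissions.
    roles |= {realm.group_to_role[g] for g in directory_groups
              if g in realm.group_to_role}
    return {"user": user, "roles": frozenset(roles)}

def authorize(session, role_permissions, method, path):
    """Evaluate at request time: user permissions layered with role permissions."""
    granted = set(session["user"].permissions)
    for role in session["roles"]:
        granted |= role_permissions.get(role, set())
    return any(m == method and path.startswith(p) for m, p in granted)

def demo():
    # Constructed realm, groups and permissions.
    realms = {"corp-ldap": Realm("corp-ldap", {"search"}, {"cn=admins": "admin"})}
    role_permissions = {"search": {("GET", "/query/")},
                        "admin": {("PUT", "/collections/")}}
    alice = User("alice", "corp-ldap")
    session = create_session(alice, "corp-ldap", realms, ["cn=admins", "cn=hr"])
    before = authorize(session, role_permissions, "PUT", "/collections/docs")
    role_permissions["admin"] = set()   # role edited while the session is live
    after = authorize(session, role_permissions, "PUT", "/collections/docs")
    return sorted(session["roles"]), before, after
```

In this model the unmapped group `cn=hr` contributes no role, and the same session loses access once the role's permissions change.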

Read-only root file system

Lucidworks Search 5.9.9 and later supports a read-only root file system to safeguard against unauthorized modifications, protecting your deployment against malicious software and other attacks. Most services operate efficiently in this mode, and for components that need write access, a separate writable mount is available. Enable a read-only root file system only for services that do not require CRUD access.

The table below lists the services that support a read-only root file system, the ones that have it enabled by default, and the Lucidworks Search release in which support was added. Contact Lucidworks to customize how read-only root file system access is configured for your Lucidworks Search deployment.
| Chart Name | Pod Name | Container Name | Supported | Default enabled | Supported version |
|---|---|---|---|---|---|
| admin-ui | admin-ui | admin-ui | | | 5.9.9+ |
| api-gateway | api-gateway | init/api-gateway | | | 5.9.9+ |
| api-gateway | api-gateway | api-gateway | | | 5.9.9+ |
| api-gateway | api-gateway | generate-jks | | | 5.9.9+ |
| apps-manager | apps-manager | apps-manager | | | 5.9.9+ |
| argo | argo-server | argo-server | | | 5.9.10+ |
| argo | argo-executor | executor | | | 5.9.10+ |
| argo | argo-mainContainer | mainContainer | | | 5.9.10+ |
| argo | argo-controller | controller | | | 5.9.10+ |
| argo/minio | minio | minio | | | 5.9.10+ |
| argo/minio | minio | minio | | | 5.9.10+ |
| argo/minio | make-bucket-job | minio-mc | | | 5.9.10+ |
| argo-common-workflows | delete-model | init/main/wait | | | 5.9.10+ |
| argo-common-workflows | deploy-model | init/main/wait | | | 5.9.10+ |
| argo-common-workflows | milvus-maintenance | init/main/wait | | | 5.9.10+ |
| argo-common-workflows | upload-model-to-cloud | init/main/wait | | | 5.9.10+ |
| async-parsing | async-parsing | tika-server | | | 5.9.9+ |
| async-parsing | async-parsing | async-parsing | | | 5.9.9+ |
| auth-ui | auth-ui | auth-ui | | | 5.9.9+ |
| classic-rest-service | classic-rest-service | init/import-certs | | | 5.9.10+ |
| classic-rest-service | classic-rest-service | classic-rest-service | | | 5.9.9+ |
| classification | argo/classification | init/wait/main | | | 5.9.10+ |
| connector-plugin | connector-plugin | init/import-certs | | | 5.9.10+ |
| connector-plugin | connector-plugin | connector-plugin | | | 5.9.9+ |
| connectors | connectors | connectors | | | 5.9.9+ |
| connectors-backend | CRD | | | | 5.9.9+ |
| connectors-backend | connectors-backend | connectors-backend | | | 5.9.9+ |
| fusion-admin | fusion-admin | admin | | | 5.9.9+ |
| fusion-commons | | check-admin | | | 5.9.9+ |
| fusion-commons | | check-api-gateway | | | 5.9.9+ |
| fusion-commons | | check-indexing | | | 5.9.9+ |
| fusion-commons | | check-kafka | | | 5.9.9+ |
| fusion-commons | | check-logstash | | | 5.9.9+ |
| fusion-commons | | check-pulsar | | | 5.9.9+ |
| fusion-commons | | setup-keystore-and-properties | | | 5.9.9+ |
| fusion-commons | | check-zk | | | 5.9.9+ |
| fusion-config-sync | fusion-config-sync | fusion-config-sync | | | 5.9.9+ |
| fusion-data-augmentation | argo/data-augmentation/volume-fix | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/init-workspace | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/write-job-configs | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/write-io-configs | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/add-zkhost | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/pull-data-training-and-metadata | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/pull-data-training-and-metadata-cloud | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/volume-fix2 | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/synonym-list | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/download-synonym-dictionary | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/keystroke-list | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/download-keystroke-blob | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/augment | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/push-augmented-data | init/main/wait | | | 5.9.10+ |
| fusion-data-augmentation | argo/data-augmentation/push-augmented-data-cloud | init/main/wait | | | 5.9.10+ |
| fusion-indexing | fusion-indexing | fusion-indexing | | | 5.9.9+ |
| fusion-resources | fusion-resources-secret-hook | setup-keystore-and-properties | | | 5.9.10+ |
| insights | insights | insights | | | 5.9.9+ |
| job-launcher | job-launcher | job-launcher | | | 5.9.9+ |
| job-launcher | job-launcher | kubectl-runner | | | 5.9.9+ |
| job-launcher | job-launcher-spark-cleanup | kubectl-runner | | | 5.9.9+ |
| job-launcher | spark-kubernetes-driver | spark-kubernetes-driver | | | 5.9.10+ |
| job-launcher | spark-kubernetes-executor | spark-kubernetes-executor | | | 5.9.10+ |
| job-rest-server | job-rest-server | job-rest-server | | | 5.9.9+ |
| kafka | kafka-metrics | kafka-exporter | | | 5.9.10+ |
| kafka | kafka-provisioning | init/wait-for-available-kafka | | | 5.9.10+ |
| kafka | kafka-provisioning | kafka-provisioning | | | 5.9.10+ |
| kafka | kafka | kafka | | | 5.9.10+ |
| kafka | kafka | jmx-exporter | | | 5.9.10+ |
| kafka | kafka | init/check-zk | | | 5.9.9+ |
| kafka | kafka | init/auto-discovery | | | 5.9.10+ |
| kafka | kafka | init/volume-permissions | | | 5.9.10+ |
| lwai-gateway | lwai-gateway | lwai-gateway | | | 5.9.9+ |
| ml-model-service | ml-model-service | java-service | | | 5.9.9+ |
| ml-model-service | ml-model-service-namespace-hook | kubectl-runner | | | 5.9.9+ |
| ml-model-service/ambassador | ambassador | ambassador | | | 5.9.10+ |
| ml-model-service/ambassador | ambassador | prometheus-exporter | | | 5.9.10+ |
| ml-model-service/milvus | milvus-writable | milvus | | | 5.9.10+ |
| ml-model-service/milvus | milvus-writable | init/wait-for-mysql | | | 5.9.10+ |
| ml-model-service/milvus | milvus-writable | init/create-for-share-storage | | | 5.9.10+ |
| ml-model-service/milvus | milvus-admin | admin | | | 5.9.10+ |
| ml-model-service/milvus | milvus-admin | init/wait-for-milvus | | | 5.9.10+ |
| ml-model-service/milvus | milvus-mishards | init/wait-for-mysql | | | 5.9.10+ |
| ml-model-service/milvus | milvus-mishards | init/wait-for-mysql | | | 5.9.10+ |
| ml-model-service/milvus | milvus-mishards | mishards | | | 5.9.10+ |
| ml-model-service/milvus/mysql | mysql | init/remove-lost-found | | | 5.9.10+ |
| ml-model-service/milvus/mysql | mysql | mysql | | | 5.9.10+ |
| pm-ui | pm-ui | pm-ui | | | 5.9.9+ |
| query-pipeline | query-pipeline | query-pipeline | | | 5.9.9+ |
| question-answering | argo/qna-coldstart/init-workspace | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/write-job-configs | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/write-io-configs | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/write-io-configs | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/add-zkHost | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/pull-data | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/pull-data-cloud | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/train | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/list-workspace | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/post-model | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-coldstart/apply-seldon-deployment | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/init-workspace | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/write-job-configs | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/write-io-configs | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/add-zkhost | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/pull-qa-data-cloud | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/pull-qa-data | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/train | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/train-with-texts | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/list-workspace | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/post-model | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-supervised/apply-seldon-deployment | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/init-workspace | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/write-job-configs | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/write-io-configs | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/add-zkhost | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/list-workspace | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/pull-eval-data | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/pull-eval-data-cloud | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/evaluate | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/push-eval-results-cloud | init/wait/main | | | 5.9.10+ |
| question-answering | argo/qna-evaluation/push-eval-results | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/init-workspace | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/write-job-configs | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/write-io-configs | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/add-zkhost | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/pull-data-training-and-metadata | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/pull-data-training-and-metadata-cloud | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/train-with-metadata | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/train-without-metadata | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/push-recommendations | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/push-recommendations-cloud | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/add-default-exclude-query | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-user/init-workspace | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/copy-model | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/write-job-configs | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/write-io-configs | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/add-zkhost | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/pull-data | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/pull-data-cloud | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/train | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/push-content | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/push-content-cloud | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/add-default-exclude-query | init/wait/main | | | 5.9.10+ |
| recommender | argo/item-recommender-content/delete-old-content-recommendations | init/wait/main | | | 5.9.10+ |
| reverse-search | reverse-search | init/set-reverse-search-zone | | | 5.9.10+ |
| reverse-search | reverse-search | init/check-zk | | | 5.9.9+ |
| reverse-search | reverse-search | init/enable-tls-in-reverse-search | | | 5.9.10+ |
| reverse-search | reverse-search | reverse-search | | | 5.9.10+ |
| rules-ui | rules-ui | rules-ui | | | 5.9.9+ |
| seldon-core-operator | seldon-controller-manager | manager | | | 5.9.10+ |
| seldon-core-operator | seldon-spartakus-volunteer | seldon-spartakus-volunteer | | | 5.9.9+ |
| seldon-core-operator | crd/SeldonDeployment | | ✅/❌ | | 5.9.9+ |
| solr | solr | init/set-solr-zone | | | 5.9.10+ |
| solr | solr | init/enable-tls-in-solr | | | 5.9.10+ |
| solr | configset-bootstrap | configset-bootstrap | | | 5.9.10+ |
| solr | solr | solr | | | 5.9.10+ |
| solr | solr-exporter | exporter | | | 5.9.10+ |
| solr | solr-exporter | init/solr-init | | | 5.9.10+ |
| solr-managed | configset-bootstrap | configset-bootstrap | | | 5.9.10+ |
| solr-managed | exporter | exporter | | | 5.9.10+ |
| solr-managed | exporter | init/solr-init | | | 5.9.10+ |
| solr-managed | solr | init/set-solr-zone | | | 5.9.10+ |
| solr-managed | solr | init/enable-tls-in-solr | | | 5.9.10+ |
| solr-managed | solr | solr | | | 5.9.10+ |
| solr-managed | solr | process-raw | | | 5.9.10+ |
| solr-backup-runner | solr-backup-runner-backup | solr-backups | | | 5.9.10+ |
| solr-backup-runner | solr-backup-runner-prune | solr-prune | | | 5.9.10+ |
| templating | templating | templating | | | 5.9.9+ |
| webapps | webapps | webapps | | | 5.9.9+ |
| zookeeper | zookeeper | zookeeper | | | 5.9.10+ |
| zookeeper | zookeeper | jmx-exporter | | | 5.9.10+ |
| zookeeper | zookeeper | zookeeper-exporter | | | 5.9.10+ |
| zookeeper | zookeeper-chroots | main | | | 5.9.10+ |
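
To confirm which containers in a running deployment actually have a read-only root file system, the added example below (not Lucidworks code) audits pod specs in the shape returned by `kubectl get pods -o json`, covering init containers as well as main containers. The sample input is constructed, and its true/false values are invented for the example rather than taken from Lucidworks defaults.

```python
import json

# Constructed sample in the shape of `kubectl get pods -o json` (trimmed).
# The readOnlyRootFilesystem values here are invented, not product defaults.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "query-pipeline-0"},
  "spec": {
   "initContainers": [{"name": "check-zk",
      "securityContext": {"readOnlyRootFilesystem": true}}],
   "containers": [{"name": "query-pipeline",
      "securityContext": {"readOnlyRootFilesystem": true},
      "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
   "volumes": [{"name": "tmp", "emptyDir": {}}]}},
 {"metadata": {"name": "solr-0"},
  "spec": {
   "initContainers": [{"name": "set-solr-zone"}],
   "containers": [{"name": "solr",
      "securityContext": {"readOnlyRootFilesystem": false}}]}}
]}
""")

def audit(pod_list):
    """Return (pod, container, kind, read_only, writable_mounts) per container."""
    rows = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        # Volume types that give a container somewhere writable off the root FS.
        writable_vols = {v["name"] for v in spec.get("volumes", [])
                         if "emptyDir" in v or "persistentVolumeClaim" in v}
        for kind in ("initContainers", "containers"):
            for c in spec.get(kind) or []:
                sc = c.get("securityContext") or {}
                # An unset field means the root file system is writable.
                read_only = sc.get("readOnlyRootFilesystem") is True
                mounts = sorted(m["mountPath"] for m in c.get("volumeMounts", [])
                                if m["name"] in writable_vols and not m.get("readOnly"))
                rows.append((pod["metadata"]["name"], c["name"], kind, read_only, mounts))
    return rows

def writable_root(pod_list):
    """Containers whose root file system is still writable."""
    return [(pod, name) for pod, name, _, read_only, _ in audit(pod_list) if not read_only]
```

A container that sets the flag but lists no writable mounts is worth checking against the service's need for scratch space, since writes to paths such as `/tmp` will fail at runtime.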

Restrictive mode for query pipelines

In Lucidworks Search 5.9.15 and later, you can choose restrictive mode for any query pipeline. Restrictive mode safeguards the pipeline against unintended or unsafe changes. The default mode is permissive mode. See Restrictive Mode for complete details about how restrictive mode works and how to enable it.