lucene-dev mailing list archives

From "Marius Grama (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-8756) Need 4 config "zkDigestUsername"/"zkDigestPassword"/"zkDigestReadonlyUsername"/"zkDigestReadonlyUsername" in solr.xml
Date Thu, 03 Mar 2016 07:31:18 GMT

    [ https://issues.apache.org/jira/browse/SOLR-8756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15177420#comment-15177420 ]

Marius Grama commented on SOLR-8756:
------------------------------------

[~forest_soup] the functionality that you are suggesting would need some structural changes
in the ZkACLProvider and ZkCredentialsProvider concrete classes.
If you look in 

{code:title=ZkController.java}
public ZkController(final CoreContainer cc, String zkServerAddress, int zkClientConnectTimeout,
                    CloudConfig cloudConfig, final CurrentCoreDescriptorProvider registerOnReconnect) {
    // ...

    String zkACLProviderClass = cloudConfig.getZkACLProviderClass();
    ZkACLProvider zkACLProvider = null;
    if (zkACLProviderClass != null && zkACLProviderClass.trim().length() > 0) {
      zkACLProvider = cc.getResourceLoader().newInstance(zkACLProviderClass, ZkACLProvider.class);
    } else {
      zkACLProvider = new DefaultZkACLProvider();
    }

    String zkCredentialsProviderClass = cloudConfig.getZkCredentialsProviderClass();
    if (zkCredentialsProviderClass != null && zkCredentialsProviderClass.trim().length() > 0) {
      strat.setZkCredentialsToAddAutomatically(
          cc.getResourceLoader().newInstance(zkCredentialsProviderClass, ZkCredentialsProvider.class));
    } else {
      strat.setZkCredentialsToAddAutomatically(new DefaultZkCredentialsProvider());
    }

    // ...
}
{code}

you can see that the cloudConfig parameter is not passed to the constructors of the ZkCredentialsProvider
and ZkACLProvider concrete classes.
The current implementations of these classes are fully unaware of the CloudConfig.

I think that the functionality that you are suggesting makes sense.
Does anybody see anything against introducing CloudConfig as a constructor parameter for the
constructors of the ZkACLProvider and ZkCredentialsProvider concrete classes?

> Need 4 config "zkDigestUsername"/"zkDigestPassword"/"zkDigestReadonlyUsername"/"zkDigestReadonlyUsername" in solr.xml
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-8756
>                 URL: https://issues.apache.org/jira/browse/SOLR-8756
>             Project: Solr
>          Issue Type: Bug
>          Components: security, SolrCloud
>    Affects Versions: 5.3.1
>         Environment: Linux 64bit
>            Reporter: Forest Soup
>              Labels: security
>
> Need 4 config in <solrhome>/solr.xml instead of -D parameter in solr.in.sh.
> like below:
> <solr>
>   <solrcloud>
>     <str name="zkDigestUsername">zkusername</str>
>     <str name="zkDigestPassword">zkpassword</str>
>     <str name="zkDigestReadonlyUsername">zkreadonlyusername</str>
>     <str name="zkDigestReadonlyUsername">readonlypassword</str>
> ...
> Otherwise, any user can use the Linux "ps" command to show the full command line, including the plain-text ZooKeeper username and password. If we use a file to store them, we can control access to the file so as not to leak the username/password.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
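
An added example, not part of the original message or of Solr's code: a defender-side audit of the exposure the issue describes. It looks in process command lines (the data `ps` shows) for `-D` properties whose name contains "password", and checks that a credentials file grants nothing to group or others. Matching any such property name is a generalization beyond `zkDigestPassword`, and the sample command line is constructed.

```python
import os
import re
import stat

# Matches JVM system properties such as -DzkDigestPassword=... ; generalized
# (an assumption of this example) to any -D name that contains "password".
SECRET_ARG = re.compile(r"^-D([\w.]*password[\w.]*)=(.+)$", re.IGNORECASE)


def exposed_properties(cmdline: bytes) -> list[str]:
    """Names of password-bearing -D properties in a /proc/<pid>/cmdline blob."""
    args = cmdline.decode("utf-8", "replace").split("\0")
    return [m.group(1) for a in args if (m := SECRET_ARG.match(a))]


def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Audit every readable process; this is the same data 'ps' displays."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                names = exposed_properties(fh.read())
        except OSError:  # process exited or access was denied
            continue
        if names:
            findings[int(entry)] = names
    return findings


def file_is_private(path: str) -> bool:
    """True when the credentials file grants no access to group or others."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


# Constructed sample: NUL-separated argv of a JVM started with -D credentials.
SAMPLE_CMDLINE = (b"java\0-Xmx512m\0-DzkDigestUsername=zkusername\0"
                  b"-DzkDigestPassword=zkpassword\0-jar\0start.jar\0")

if __name__ == "__main__":
    print("sample:", exposed_properties(SAMPLE_CMDLINE))
    if os.path.isdir("/proc"):
        for pid, names in scan_proc().items():
            print(f"pid {pid} exposes {names} on its command line")
```

Only property names are reported, never the values, so the audit output can be logged without repeating the leak.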
