lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ishan Chattopadhyaya (JIRA)" <>
Subject [jira] [Commented] (SOLR-10076) Hiding keystore and truststore passwords from /admin/info/* outputs
Date Tue, 21 Feb 2017 10:41:44 GMT


Ishan Chattopadhyaya commented on SOLR-10076:

bq. I was not aware of the security.json exposing password
Passwords are not exposed. Salted hashes of the passwords are, though.

bq. In general, I would not add password visibility based on privileges. I think passwords
should not be revertible, as that would expose them to the reliability of the authorization
plugin and the admin users' cautiousness.
In the case of security.json, we should encourage and try to ensure that proper authorization
is in place while starting a Solr cluster.  To an authorized admin user, I don't see why we
shouldn't show salted hashes of passwords. Anyway, we can deal with that issue on SOLR-7890/SOLR-10100.

> Hiding keystore and truststore passwords from /admin/info/* outputs
> -------------------------------------------------------------------
>                 Key: SOLR-10076
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Mano Kovacs
>         Attachments: SOLR-10076.patch
> Passing keystore and truststore password is done by system properties, via cmd line parameter.
> As result, {{/admin/info/properties}} and {{/admin/info/system}} will print out the received
> Proposing solution to automatically redact value of any system property before output,
containing the word {{password}}, and replacing its value with {{******}}.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message