lucene-dev mailing list archives

From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Commented] (SOLR-10076) Hiding keystore and truststore passwords from /admin/info/* outputs
Date Fri, 03 Feb 2017 21:49:51 GMT

    [ https://issues.apache.org/jira/browse/SOLR-10076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15852175#comment-15852175 ]

Jan Høydahl commented on SOLR-10076:
------------------------------------

Been thinking about the same, but perhaps instead of a generic rule about containing password,
we could have a property somewhere for what paths to hide. I would also like to hide the content
of some ZK nodes such as security.json, and there may also be other places where passwords
are exposed through props or APIs...

Ideal would be if this could be coupled with Authorization, so that certain info could be
controlled through group membership in AuthorizationPlugin?

> Hiding keystore and truststore passwords from /admin/info/* outputs
> -------------------------------------------------------------------
>
>                 Key: SOLR-10076
>                 URL: https://issues.apache.org/jira/browse/SOLR-10076
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Mano Kovacs
>
> Passing keystore and truststore password is done by system properties, via cmd line parameter.
> As a result, {{/admin/info/properties}} and {{/admin/info/system}} will print out the received password.
> Proposing solution to automatically redact value of any system property before output, containing the word {{password}}, and replacing its value with {{******}}.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
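
The redaction proposed in the issue description, as an added example (not part of the original message and not Solr's implementation): values of keys matching a configurable pattern are replaced with ******, both in the system-property map and in -Dkey=value JVM arguments, since the passwords arrive on the command line. The class and method names are hypothetical and the secret values are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Pattern;

/** Hypothetical helper, not Solr code: masks secret-bearing system properties before output. */
public class PropertyRedactor {
    static final String MASK = "******";
    private final Pattern sensitiveKey;

    // The pattern is configurable, so a deployment can hide more than "password".
    PropertyRedactor(String keyRegex) {
        this.sensitiveKey = Pattern.compile(keyRegex, Pattern.CASE_INSENSITIVE);
    }

    /** Returns a copy of the properties, sorted by key, with sensitive values masked. */
    Map<String, String> redact(Properties props) {
        Map<String, String> out = new TreeMap<>();
        for (String key : props.stringPropertyNames()) {
            out.put(key, sensitiveKey.matcher(key).find() ? MASK : props.getProperty(key));
        }
        return out;
    }

    /** Applies the same rule to JVM arguments of the form -Dkey=value. */
    List<String> redactArgs(List<String> jvmArgs) {
        List<String> out = new ArrayList<>();
        for (String arg : jvmArgs) {
            int eq = arg.indexOf('=');
            boolean sensitive = arg.startsWith("-D") && eq > 2
                    && sensitiveKey.matcher(arg.substring(2, eq)).find();
            out.add(sensitive ? arg.substring(0, eq + 1) + MASK : arg);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values; the javax.net.ssl.* names are the standard JSSE properties.
        Properties p = new Properties();
        p.setProperty("javax.net.ssl.keyStorePassword", "constructed-secret-1");
        p.setProperty("javax.net.ssl.keyStore", "/constructed/path/keystore.jks");
        PropertyRedactor r = new PropertyRedactor("password");
        r.redact(p).forEach((k, v) -> System.out.println(k + " = " + v));
        System.out.println(r.redactArgs(Arrays.asList(
                "-Xmx512m", "-Djavax.net.ssl.keyStorePassword=constructed-secret-1")));
    }
}
```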
