lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Updated] (SOLR-12184) Master/Slave configuration exposes Basic Auth password in plain text.
Date Fri, 07 Sep 2018 14:41:00 GMT

     [ https://issues.apache.org/jira/browse/SOLR-12184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jan Høydahl updated SOLR-12184:
-------------------------------
    Security: Public  (was: Private (Security Issue))

> Master/Slave configuration exposes Basic Auth password in plain text. 
> ----------------------------------------------------------------------
>
>                 Key: SOLR-12184
>                 URL: https://issues.apache.org/jira/browse/SOLR-12184
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: documentation, replication (java)
>    Affects Versions: 7.2
>            Reporter: Syed B. Ahmed
>            Priority: Minor
>         Attachments: SOLR-12184.patch, SOLR-12184.patch
>
>
> Copying my original question and reply from Shawn Heisey.
> {quote}Seems even when we use Secuirty.json with BasicAuthentication Plugin as documented
here -- [https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html]
> , which nicely encrypts the user password using SHA256 encryption,  when it comes to
configuring{quote}
> {quote}Please let me know how I can use the same encrypted password as in Security.json
when setting up Master/Slave Replication for Solr.{quote}
>  
> At the moment, the cleartext password is the only way it can be configured.
>  
> It is not possible to use the same string that goes in security.json for
> a feature like replication.  That string is a one-way hash of the
> password, so it cannot be decrypted.  The replication handler must be
> able to obtain the cleartext password.
>  
> The DIH feature offers password encryption for database passwords. 
> Scroll down a little bit on the following page to the description
> numbered "2":
>  
> [https://lucene.apache.org/solr/guide/6_6/uploading-structured-data-store-data-with-the-data-import-handler.html#configuring-the-dih-configuration-file]
>  
> The replication handler CAN be enhanced to use a the same kind of
> encryption.  Note that this is merely security through obscurity.  If
> whoever is looking at the configuration also has access to the key file,
> then they will be able to decrypt the password.
>  
> Can you file an enhancement issue in Jira to add this capability to
> other handlers like replication?
>  
>  
>  
>  
>  
> Hello,
> Seems even when we use Secuirty.json with BasicAuthentication Plugin as documented here
-- [https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html]
> , which nicely encrypts the user password using SHA256 encryption,  when it comes to
configuring the slave in a Master/Slave Index Replication Strategy, the slave config requires
to give the
> BasicAuthentication password in plain text?  Is it something I got wrong?  But in
my setup of HA with Master/Slave replication it works in this manner.
>  
> [https://lucene.apache.org/solr/guide/7_2/index-replication.html]  this also indicates
the config is in plain text.
>  
>     <!-- If HTTP Basic authentication is enabled on the master, then the slave
>          can be configured with the following -->
>  
>     <str name="httpBasicAuthUser">username</str>
>     <str name="httpBasicAuthPassword">password</str>
>  
>  
> Please let me know how I can use the same encrypted password as in Security.json when
setting up Master/Slave Replication for Solr.
>  
> Thx
> -Syed Ahmed.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message