[ https://issues.apache.org/jira/browse/SOLR-8756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15177420#comment-15177420 ]

Marius Grama commented on SOLR-8756:
------------------------------------

[~forest_soup] the functionality that you are suggesting would need some 
structural changes in the ZkACLProvider and ZkCredentialsProvider concrete 
classes.
If you look in 

{code:title=ZkController.java}
public ZkController(final CoreContainer cc, String zkServerAddress, int zkClientConnectTimeout,
    CloudConfig cloudConfig, final CurrentCoreDescriptorProvider registerOnReconnect) {
    // ...

    String zkACLProviderClass = cloudConfig.getZkACLProviderClass();
    ZkACLProvider zkACLProvider = null;
    if (zkACLProviderClass != null && zkACLProviderClass.trim().length() > 0) {
      zkACLProvider = cc.getResourceLoader().newInstance(zkACLProviderClass, ZkACLProvider.class);
    } else {
      zkACLProvider = new DefaultZkACLProvider();
    }

    String zkCredentialsProviderClass = cloudConfig.getZkCredentialsProviderClass();
    if (zkCredentialsProviderClass != null && zkCredentialsProviderClass.trim().length() > 0) {
      strat.setZkCredentialsToAddAutomatically(
          cc.getResourceLoader().newInstance(zkCredentialsProviderClass, ZkCredentialsProvider.class));
    } else {
      strat.setZkCredentialsToAddAutomatically(new DefaultZkCredentialsProvider());
    }

    // ...
}
{code}

you can see that the cloudConfig parameter is not passed to the constructors 
of ZkCredentialsProvider and ZkACLProvider concrete classes.
The current implementations of these classes are fully unaware of the 
CloudConfig.

I think that the functionality that you are suggesting makes sense.
Does anybody see anything against introducing CloudConfig as a constructor 
parameter for the constructors of ZkACLProvider and ZkCredentialsProvider 
concrete classes?

> Need 4 config 
> "zkDigestUsername"/"zkDigestPassword"/"zkDigestReadonlyUsername"/"zkDigestReadonlyUsername"
>  in solr.xml
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-8756
>                 URL: https://issues.apache.org/jira/browse/SOLR-8756
>             Project: Solr
>          Issue Type: Bug
>          Components: security, SolrCloud
>    Affects Versions: 5.3.1
>         Environment: Linux 64bit
>            Reporter: Forest Soup
>              Labels: security
>
> Need 4 configs in <solrhome>/solr.xml instead of -D parameters in solr.in.sh,
> like below:
> <solr>
>   <solrcloud>
>     <str name="zkDigestUsername">zkusername</str>
>     <str name="zkDigestPassword">zkpassword</str>
>     <str name="zkDigestReadonlyUsername">zkreadonlyusername</str>
>     <str name="zkDigestReadonlyUsername">readonlypassword</str>
> ...
> Otherwise, any user can use the Linux "ps" command to show the full command 
> line, including the plain-text ZooKeeper username and password. If we use a file 
> to store them, we can control access to the file so as not to leak the 
> username/password.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
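
Added example, not part of the original message and not Solr code: a shell audit for the exposure described in the issue. It flags processes whose `ps` command line carries a `-DzkDigest...Password=` property without echoing the secret, and checks that a credentials file has no group/other permission bits. The sample process lines, PIDs and paths are constructed; `zkDigestReadonlyPassword` is assumed as the read-only counterpart of `zkDigestPassword`.

```shell
#!/bin/sh
# Added example (not from Solr). Input lines are "PID ARGS...", the layout
# produced by `ps -eo pid=,args=`.

# Constructed sample of what `ps` shows to any local user.
sample_ps_output() {
  cat <<'EOF'
 4121 java -server -DzkDigestUsername=zkusername -DzkDigestPassword=zkpassword -jar start.jar
 4377 java -server -Dsolr.solr.home=/var/solr/data -jar start.jar
 4502 java -DzkDigestReadonlyUsername=zkreadonlyusername -DzkDigestReadonlyPassword=readonlypassword -jar start.jar
EOF
}

# Print "PID property" for each process whose command line carries a
# zkDigest*Password system property. The secret value is never printed.
find_exposed_zk_passwords() {
  awk '{
    for (i = 2; i <= NF; i++)
      if ($i ~ /^-DzkDigest[A-Za-z]*Password=/) {
        prop = $i
        sub(/=.*/, "", prop)        # drop "=secret"
        print $1, substr(prop, 3)   # drop the leading "-D"
      }
  }'
}

# Succeed only if the file has no group/other permission bits
# (for example mode 600 or 400). Returns 2 if the file cannot be checked.
cred_file_is_private() {
  [ -f "$1" ] || return 2
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
  case "$mode" in
    0|*00) return 0 ;;
    *)     return 1 ;;
  esac
}

# Stand-alone demonstration on the constructed sample.
sample_ps_output | find_exposed_zk_passwords
```

On a live host, feed the function with `ps -eo pid=,args= | find_exposed_zk_passwords`.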
