[
https://issues.apache.org/jira/browse/SOLR-8756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15452095#comment-15452095
]
Gaëtan Smet commented on SOLR-8756:
-----------------------------------
Same issue in Solr (SolrCloud) 6.1.0.
We had a security audit, and providing the username/password in clear text as a
system property was not accepted.
Providing the username/password via solr.xml would be very helpful.
> Need 4 config
> "zkDigestUsername"/"zkDigestPassword"/"zkDigestReadonlyUsername"/"zkDigestReadonlyUsername"
> in solr.xml
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: SOLR-8756
> URL: https://issues.apache.org/jira/browse/SOLR-8756
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
> Affects Versions: 5.3.1
> Environment: Linux 64bit
> Reporter: Forest Soup
> Labels: security
>
> Need 4 configs in <solrhome>/solr.xml instead of -D parameters in solr.in.sh,
> like below:
> <solr>
>   <solrcloud>
>     <str name="zkDigestUsername">zkusername</str>
>     <str name="zkDigestPassword">zkpassword</str>
>     <str name="zkDigestReadonlyUsername">zkreadonlyusername</str>
>     <str name="zkDigestReadonlyPassword">readonlypassword</str>
> ...
> Otherwise, any user can use the Linux "ps" command to show the full command
> line, including the plain-text ZooKeeper username and password. If we use a file
> to store them, we can control access to the file so as not to leak the
> username/password.
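An audit check for the exposure described in the issue, as an added example that is not part of the original message or of Solr: it walks /proc and reports which processes carry a ZooKeeper digest password in their argument list, printing only the PID and property name, never the value. It assumes the credentials are passed as -DzkDigestPassword and -DzkDigestReadonlyPassword; the function name and the --scan switch are hypothetical.

```shell
#!/bin/sh
# Added example: find processes whose command line exposes ZooKeeper digest
# passwords passed as -D system properties (the leak "ps" would show).

# find_exposed_zk_creds [PROC_ROOT]
# Prints "<pid> <property>" per finding. The secret value is never printed.
# PROC_ROOT defaults to /proc; a different root can be given for testing.
find_exposed_zk_creds() (
  proc_root="${1:-/proc}"
  for f in "$proc_root"/[0-9]*/cmdline; do
    # Skip unmatched globs, exited processes and unreadable entries.
    [ -r "$f" ] || continue
    pid="${f%/cmdline}"
    pid="${pid##*/}"
    # cmdline is NUL-separated; turn it into one argument per line.
    tr '\0' '\n' 2>/dev/null < "$f" | while IFS= read -r arg; do
      case "$arg" in
        -DzkDigestPassword=*|-DzkDigestReadonlyPassword=*)
          name="${arg%%=*}"              # drop "=<value>"
          printf '%s %s\n' "$pid" "${name#-D}"
          ;;
      esac
    done
  done
)

# Scan the live system only when asked to: sh audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
  find_exposed_zk_creds
fi
```

Run it as an unprivileged user to see what any local account could read; an empty result for the Solr PID means the password is no longer on the command line.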