[
https://issues.apache.org/jira/browse/SOLR-10076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15875762#comment-15875762
]
Ishan Chattopadhyaya commented on SOLR-10076:
---------------------------------------------
bq. I was not aware of the security.json exposing password
Passwords are not exposed. Salted hashes of the passwords are, though.
bq. In general, I would not add password visibility based on privileges. I
think passwords should not be revertible, as that would expose them to the
reliability of the authorization plugin and the admin users' cautiousness.
In the case of security.json, we should encourage and try to ensure that proper
authorization is in place while starting a Solr cluster. To an authorized
admin user, I don't see why we shouldn't show salted hashes of passwords.
Anyway, we can deal with that issue on SOLR-7890/SOLR-10100.
> Hiding keystore and truststore passwords from /admin/info/* outputs
> -------------------------------------------------------------------
>
> Key: SOLR-10076
> URL: https://issues.apache.org/jira/browse/SOLR-10076
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Mano Kovacs
> Attachments: SOLR-10076.patch
>
>
> Passing keystore and truststore password is done by system properties, via
> cmd line parameter.
> As result, {{/admin/info/properties}} and {{/admin/info/system}} will print
> out the received password.
> Proposing solution to automatically redact value of any system property
> before output, containing the word {{password}}, and replacing its value with
> {{******}}.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
