[ https://issues.apache.org/jira/browse/SOLR-10076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900946#comment-15900946 ]
Mark Miller commented on SOLR-10076:
------------------------------------
This looks okay to me. We probably want to push users towards configuring this
in a way it's not on the command line though, right? It's nice not to expose it
via the web UI when we see it, but you also don't really want it on the command
line as that stuff is pretty easy to introspect by people who should not.
Our doc should probably encourage people to use system property on the command
line alternatives or we should look at disabling / warning when it's done. I
know our start scripts recently still set some of this SSL stuff via the
command line, but if that is still the case, we should fix that too.
> Hiding keystore and truststore passwords from /admin/info/* outputs
> -------------------------------------------------------------------
>
> Key: SOLR-10076
> URL: https://issues.apache.org/jira/browse/SOLR-10076
> Project: Solr
> Issue Type: Improvement
> Security Level: Public (Default Security Level. Issues are Public)
> Reporter: Mano Kovacs
> Assignee: Mark Miller
> Attachments: SOLR-10076.patch
>
>
> Passing keystore and truststore password is done by system properties, via
> cmd line parameter.
> As a result, {{/admin/info/properties}} and {{/admin/info/system}} will print
> out the received password.
> Proposing a solution to automatically redact the value of any system property
> before output, containing the word {{password}}, and replacing its value with
> {{******}}.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
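
The redaction proposed in the issue, sketched as an added example (not the attached SOLR-10076.patch and not Solr's own code). The class and method names are hypothetical, and the second helper assumes the JVM's input arguments are reported alongside the properties, where `-Dname=value` pairs would repeat the same secret.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

public class RedactSysProps {
    static final String MASK = "******";

    // True when the property name contains "password", ignoring case.
    static boolean isSensitive(String name) {
        return name.toLowerCase(Locale.ROOT).contains("password");
    }

    // Copy of the properties that is safe to print: sensitive values are masked.
    static Map<String, String> redact(Properties props) {
        Map<String, String> out = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            out.put(name, isSensitive(name) ? MASK : props.getProperty(name));
        }
        return out;
    }

    // JVM arguments repeat -Dname=value pairs, so they need the same masking.
    static List<String> redactArgs(List<String> jvmArgs) {
        List<String> out = new ArrayList<>();
        for (String arg : jvmArgs) {
            int eq = arg.indexOf('=');
            if (arg.startsWith("-D") && eq > 2 && isSensitive(arg.substring(2, eq))) {
                out.add(arg.substring(0, eq + 1) + MASK);
            } else {
                out.add(arg);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real deployment.
        Properties sample = new Properties();
        sample.setProperty("javax.net.ssl.keyStore", "/etc/example/keystore.jks");
        sample.setProperty("javax.net.ssl.keyStorePassword", "constructed-secret");
        sample.setProperty("javax.net.ssl.trustStorePassword", "constructed-secret");
        redact(sample).forEach((k, v) -> System.out.println(k + " = " + v));
        // Arguments of the running JVM, as an info endpoint might report them.
        redactArgs(ManagementFactory.getRuntimeMXBean().getInputArguments())
            .forEach(System.out::println);
    }
}
```

Masking at output time only covers what the application itself prints; a password passed as `-D...` on the command line is still visible in the operating system's process listing, which is the concern raised in the comment above.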