[
https://issues.apache.org/jira/browse/SOLR-11279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215109#comment-16215109
]
Jan Høydahl commented on SOLR-11279:
------------------------------------
bq. but "solr:SolrRocks" is not safe.
But when you install Solr the first time, you only use this password during
setup, and then change it using APIs, no? After install, Solr is completely
open; then, after you upload security.json to ZK with some default pw, you use
this to configure everything. Then, if you like, you can pull the resulting
security.json file from ZK and ship it with your deploy script?

I still don't think we should encourage hand-editing of users in security.json.
> It is necessary to specify how to generate a password when used Basic
> Authentication!
> --------------------------------------------------------------------------------------
>
> Key: SOLR-11279
> URL: https://issues.apache.org/jira/browse/SOLR-11279
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: documentation
> Affects Versions: 5.3.1
> Reporter: chenmin
> Labels: documentation, security
> Fix For: master (8.0)
>
> Attachments: SOLR-11279.patch
>
>
> Follow the documentation, "Usernames and passwords (as a
> sha256(password+salt) hash) could be added when the file is created."
> Actually, I do not know how to generate a password.
> Finding code as:
>
>   public static String getSaltedHashedValue(String pwd) {
>     // Fresh 32-byte random salt for every password
>     final Random r = new SecureRandom();
>     byte[] salt = new byte[32];
>     r.nextBytes(salt);
>     String saltBase64 = Base64.encodeBase64String(salt);
>     // Stored value is "<hash> <base64 salt>", separated by a single space
>     String val = sha256(pwd, saltBase64) + " " + saltBase64;
>     return val;
>   }
>
> I think we should give an example to generate a password in the ref guide!
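
Added example (not part of the original messages and not Solr's own code): a Python sketch that produces a credential string in the "<hash> <base64 salt>" layout built by the quoted getSaltedHashedValue, and checks a password against it. It assumes the sha256() helper, which is not shown in the thread, hashes the salt bytes followed by the UTF-8 password and then hashes that digest once more; confirm this against your Solr version before relying on the output. The function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets


def salted_hash(password, salt):
    """base64(sha256(sha256(salt || password))); ASSUMED behaviour of sha256()."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password, salt=None):
    """Return '<hash> <salt>' in the layout getSaltedHashedValue builds."""
    if salt is None:
        salt = secrets.token_bytes(32)  # 32 random bytes, as in the quoted Java
    return salted_hash(password, salt) + " " + base64.b64encode(salt).decode("ascii")


def verify(password, stored):
    """Recompute the hash from the stored salt; reject malformed entries."""
    try:
        digest_b64, salt_b64 = stored.split(" ")
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError:  # wrong field count or invalid base64
        return False
    expected = salted_hash(password, salt).encode("ascii")
    return hmac.compare_digest(expected, digest_b64.encode("utf-8"))


def security_json(users):
    """Build the authentication block of security.json for {user: password}."""
    creds = {user: make_credential(pw) for user, pw in users.items()}
    return json.dumps(
        {"authentication": {"class": "solr.BasicAuthPlugin", "credentials": creds}},
        indent=2,
    )


if __name__ == "__main__":
    import getpass  # prompt instead of argv so the password stays out of shell history
    print(security_json({"solr": getpass.getpass("New password for user 'solr': ")}))
```

Because a new salt is drawn on every call, the same password yields a different stored value each time; use verify() rather than string comparison to check an entry.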