[ 
https://issues.apache.org/jira/browse/SOLR-12184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607198#comment-16607198
 ] 

Jan Høydahl commented on SOLR-12184:
------------------------------------

Making this issue public as there is no security hole; it is common knowledge 
that config files are a bad place to put passwords.

Sample RefGuide documentation patch attached which spells this out and suggests 
using a property and variable substitution for this password instead, which is 
not perfect either since pw will leak from the terminal with e.g. {{ps -aux}} 
but still slightly better.

> Master/Slave configuration exposes Basic Auth password in plain text. 
> ----------------------------------------------------------------------
>
>                 Key: SOLR-12184
>                 URL: https://issues.apache.org/jira/browse/SOLR-12184
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: documentation, replication (java)
>    Affects Versions: 7.2
>            Reporter: Syed B. Ahmed
>            Priority: Minor
>         Attachments: SOLR-12184.patch, SOLR-12184.patch
>
>
> Copying my original question and reply from Shawn Heisey.
> {quote}Seems even when we use Security.json with BasicAuthentication Plugin 
> as documented here -- 
> [https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html]
> , which nicely encrypts the user password using SHA256 encryption,  when it 
> comes to configuring{quote}
> {quote}Please let me know how I can use the same encrypted password as in 
> Security.json when setting up Master/Slave Replication for Solr.{quote}
>  
> At the moment, the cleartext password is the only way it can be configured.
>  
> It is not possible to use the same string that goes in security.json for
> a feature like replication.  That string is a one-way hash of the
> password, so it cannot be decrypted.  The replication handler must be
> able to obtain the cleartext password.
>  
> The DIH feature offers password encryption for database passwords. 
> Scroll down a little bit on the following page to the description
> numbered "2":
>  
> [https://lucene.apache.org/solr/guide/6_6/uploading-structured-data-store-data-with-the-data-import-handler.html#configuring-the-dih-configuration-file]
>  
> The replication handler CAN be enhanced to use the same kind of
> encryption.  Note that this is merely security through obscurity.  If
> whoever is looking at the configuration also has access to the key file,
> then they will be able to decrypt the password.
>  
> Can you file an enhancement issue in Jira to add this capability to
> other handlers like replication?
>  
> Hello,
> Seems even when we use Security.json with BasicAuthentication Plugin as 
> documented here -- 
> [https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html]
> , which nicely encrypts the user password using SHA256 encryption,  when it 
> comes to configuring the slave in a Master/Slave Index Replication Strategy, 
> the slave config requires giving the
> BasicAuthentication password in plain text?  Is it something I got wrong?  
> But in my setup of HA with Master/Slave replication it works in this manner.
>  
> [https://lucene.apache.org/solr/guide/7_2/index-replication.html]  this also 
> indicates the config is in plain text.
>  
>     <!-- If HTTP Basic authentication is enabled on the master, then the slave
>          can be configured with the following -->
>  
>     <str name="httpBasicAuthUser">username</str>
>     <str name="httpBasicAuthPassword">password</str>
>  
>  
> Please let me know how I can use the same encrypted password as in 
> Security.json when setting up Master/Slave Replication for Solr.
>  
> Thx
> -Syed Ahmed.
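The two points made in the thread (the security.json credential is a one-way salted hash that the replication handler cannot turn back into a cleartext password, and a `${property:default}` placeholder keeps the password out of solrconfig.xml even though the value supplied with `-D` is still visible in `ps`) are illustrated below in Python. This is an added example, not code from the Solr project or from anyone in the thread. The credential layout (`base64(sha256(sha256(salt || utf8(password)))) + " " + base64(salt)`) is my reading of Solr's Sha256AuthenticationProvider and should be checked against your own security.json; the substitution routine handles only plain `${name}` and `${name:default}` forms, and the `props` dict stands in for the JVM system properties Solr actually reads. The replication-handler fragment and the `solr.replication.*` property names are constructed for the example.

```python
"""Added example for SOLR-12184 (not Solr project code).

Assumptions, not confirmed by the thread:
  - credential layout follows Solr's Sha256AuthenticationProvider as I read it:
      base64(sha256(sha256(salt || utf8(password)))) + " " + base64(salt)
  - ${name} / ${name:default} substitution is the simplified form only
  - the `props` dict stands in for -Dname=value JVM system properties
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# ${name} or ${name:default}; the default may itself contain ':' (URLs).
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")


def solr_sha256_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build a security.json credential string: '<b64 double-sha256> <b64 salt>'."""
    if salt is None:
        salt = os.urandom(32)          # Solr uses a 32-byte SecureRandom salt
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    second = hashlib.sha256(first).digest()
    return f"{base64.b64encode(second).decode()} {base64.b64encode(salt).decode()}"


def verify_credential(password: str, credential: str) -> bool:
    """Recompute the hash from the stored salt. This is the only operation the
    stored string supports; there is no way back to the cleartext, which is why
    it cannot be pasted into the replication handler config."""
    stored_hash, stored_salt = credential.split(" ", 1)
    salt = base64.b64decode(stored_salt)
    recomputed = solr_sha256_credential(password, salt).split(" ", 1)[0]
    return hmac.compare_digest(recomputed, stored_hash)


def substitute_properties(xml: str, props: Dict[str, str]) -> str:
    """Resolve ${name} / ${name:default} the way Solr's config loader does
    (simplified: no nesting). A placeholder with neither a value nor a default
    is an error, so a forgotten -D shows up at startup rather than as an empty
    password sent to the master."""
    def resolve(match: "re.Match[str]") -> str:
        name, default = match.group(1), match.group(2)
        if name in props:
            return props[name]
        if default is not None:
            return default
        raise KeyError(f"no value for property {name} and no default given")
    return PLACEHOLDER.sub(resolve, xml)


# Constructed slave-side fragment (hypothetical property names). The password
# placeholder keeps the secret out of solrconfig.xml; it is supplied at startup
# with e.g. -Dsolr.replication.password=... which, as the thread notes, is still
# visible to anyone on the host who can run `ps`.
SLAVE_CONFIG = """\
<requestHandler name="/replication" class="solr.ReplicationHandler">
  <lst name="slave">
    <str name="masterUrl">${solr.master.url:http://localhost:8983/solr/core1}</str>
    <str name="httpBasicAuthUser">${solr.replication.user:solr}</str>
    <str name="httpBasicAuthPassword">${solr.replication.password}</str>
  </lst>
</requestHandler>
"""


def render_slave_config(props: Dict[str, str]) -> str:
    """Return the replication config with all placeholders resolved."""
    return substitute_properties(SLAVE_CONFIG, props)


if __name__ == "__main__":
    cred = solr_sha256_credential("SolrRocks")
    print("security.json credential:", cred)
    print("verifies with correct password:", verify_credential("SolrRocks", cred))
    # The slave still needs the cleartext; only the placeholder goes in the file.
    print(render_slave_config({"solr.replication.password": "SolrRocks"}))
```

Whatever supplies the property (a `-D` flag, `SOLR_OPTS` in solr.in.sh, or a wrapper script) ends up on the JVM command line, so the secret moves from a file readable by anyone with access to the config directory to a process argument readable by anyone who can list processes on that host; the example makes the substitution explicit so that trade-off is visible rather than hidden in the config loader.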



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
