[
https://issues.apache.org/jira/browse/SOLR-10648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16681687#comment-16681687
]
Jason Gerlowski commented on SOLR-10648:
----------------------------------------
If any users are unswayed by Jan's rationale above (+1, btw) and would like to
hide sysprops from the Admin UI, then there _is_ a workaround for this. Users
can edit {{solr.in.sh}} and define the {{-Dsolr.redaction.system.pattern}}
sysprop under SOLR_OPTS:
{code}
SOLR_OPTS="$SOLR_OPTS -Dsolr.redaction.system.pattern=(.*password.*|.*PORT|.*KEY)"
{code}
(Credit to Jan, who mentioned this on the mailing list)
> Do not expose STOP.PORT and STOP.KEY in sysProps
> ------------------------------------------------
>
> Key: SOLR-10648
> URL: https://issues.apache.org/jira/browse/SOLR-10648
> Project: Solr
> Issue Type: Improvement
> Security Level: Public (Default Security Level. Issues are Public)
> Components: scripts and tools
> Reporter: Jan Høydahl
> Priority: Major
> Labels: security
>
> Currently anyone with HTTP access to Solr can see the Admin UI and all the
> system properties. In there you find
> {noformat}
> -DSTOP.KEY=solrrocks
> -DSTOP.PORT=7983
> {noformat}
> This means that anyone with this info can shut down Solr by hitting that port
> with the key (if it is not firewalled).
> I think the simple solution is to add STOP.PORT and STOP.KEY from
> {{$SOLR_START_OPTS}} to the {{$SOLR_JETTY_CONFIG[@]}} variable. It will still
> be visible on the cmdline but not over HTTP.
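An added example, not part of the original message or of Solr's code: a small check of which system property names a given {{solr.redaction.system.pattern}} value would hide before it goes into {{solr.in.sh}}. It assumes Solr matches the pattern against the whole property name, case-insensitively, and that the default pattern is {{.*password.*}}; the property list and the {{audit_redaction}} helper are constructed for illustration.

```python
import re

# Assumption: Solr's default value for solr.redaction.system.pattern.
DEFAULT_PATTERN = r".*password.*"
# Pattern from the workaround in the comment above.
WORKAROUND_PATTERN = r"(.*password.*|.*PORT|.*KEY)"

# Constructed sample of property names a Solr JVM might carry.
SAMPLE_PROPS = [
    "STOP.PORT",
    "STOP.KEY",
    "jetty.port",
    "solr.solr.home",
    "javax.net.ssl.keyStorePassword",
    "java.version",
]

# Properties the issue says must not be visible over HTTP.
MUST_HIDE = ["STOP.PORT", "STOP.KEY"]


def audit_redaction(pattern, prop_names, must_hide):
    """Report what a redaction pattern hides, misses, and hides as a side effect.

    Assumption: the property name must match the pattern in full, ignoring
    case. The page's pattern uses only syntax shared by Java and Python regex.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    hidden = [n for n in prop_names if rx.fullmatch(n)]
    return {
        "hidden": hidden,
        # Sensitive names the pattern fails to cover.
        "exposed": [n for n in must_hide if not rx.fullmatch(n)],
        # Names hidden although nobody asked for them to be.
        "also_hidden": [n for n in hidden if n not in must_hide],
    }


if __name__ == "__main__":
    for label, pat in (("default", DEFAULT_PATTERN),
                       ("workaround", WORKAROUND_PATTERN)):
        result = audit_redaction(pat, SAMPLE_PROPS, MUST_HIDE)
        print(label, result)
```

Under the case-insensitive assumption, {{.*PORT}} also hides {{jetty.port}}, so the Admin UI will show less than the two STOP properties being masked.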