[jira] [Commented] (SOLR-13463) Solr admin user credentials defined with -Dbasicauth property during start is visible in admin UI to any user.

2019-05-15 Thread JIRA


[ https://issues.apache.org/jira/browse/SOLR-13463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16840738#comment-16840738 ]

Jan Høydahl commented on SOLR-13463:


You MUST use SSL together with Basic auth. You find instructions in Solr 
reference guide on how to enable SSL for your cluster.

> Solr admin user credentials defined with -Dbasicauth property during start is 
> visible in admin UI to any user.
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-13463
>                 URL: https://issues.apache.org/jira/browse/SOLR-13463
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: Admin UI
>    Affects Versions: 7.7.1
>         Environment: QA
>            Reporter: Vinodh
>            Priority: Major
>              Labels: admin-interface, credentials
>
> We have configured Solr basic authentication in our environment and used 
> Dbasicauth property to define username:password. Since this property will be 
> added to Solr startup, the Solr admin username & password details defined 
> with -Dbasicauth property are displayed in plain text format to all users who 
> are able to log in to the admin UI interface in the JVM & Java properties sections. 
> So even a read user who has privileges to log in to the admin UI is able to see 
> the admin user's username & password details.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Commented] (SOLR-13463) Solr admin user credentials defined with -Dbasicauth property during start is visible in admin UI to any user.

2019-05-15 Thread Vinodh (JIRA)


[ https://issues.apache.org/jira/browse/SOLR-13463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16840393#comment-16840393 ]

Vinodh commented on SOLR-13463:
---

Thanks Jan - it worked fine now. Earlier when I was using 
"*-Dsolr.httpclient.config=*" property pointing to basicAuth.conf file in which 
I defined *username:password* format which is incorrect. Instead username and 
password should be in below format to make it work.

httpBasicAuthUser=user
httpBasicAuthPassword=password

Is there any way to use Solr user's encrypted password rather than using plain 
text password which would be really helpful while running curl commands & solrJ 
API calls where plain text password is given which exposes the password to 
others. In other words, is there any encryption mechanism to use encrypted 
passwords instead of using plain text?



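The two points raised in the message above (inline -Dbasicauth credentials versus a file referenced by -Dsolr.httpclient.config, and the httpBasicAuthUser/httpBasicAuthPassword file format) expressed as a pre-start check. This is an added example, not part of the JIRA thread or of Solr; the function names, status words and the file-permission check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit how Solr client credentials are supplied.
# Function names and return codes are hypothetical, not part of Solr.

# Returns 0 if the options string carries no inline -Dbasicauth credentials,
# 1 if it does (they would then appear among the JVM system properties).
opts_are_clean() {
  case "$1" in
    *-Dbasicauth=*) return 1 ;;
    *) return 0 ;;
  esac
}

# Validates the file referenced by -Dsolr.httpclient.config.
# Prints one status word and returns: 0 ok, 2 missing, 3 user:password
# format, 4 required key absent, 5 readable by group or others.
check_auth_conf() {
  f=$1
  [ -f "$f" ] || { echo missing; return 2; }
  # A single user:password line is the format reported in the thread as
  # failing with "username & password must be specified".
  if ! grep -q '^httpBasicAuth' "$f" && grep -q '^[^=#]*:[^=]*$' "$f"; then
    echo colon-format; return 3
  fi
  for key in httpBasicAuthUser httpBasicAuthPassword; do
    grep -q "^${key}=..*" "$f" || { echo "no-$key"; return 4; }
  done
  # Characters 5-10 of the ls mode string are the group and other bits.
  # Requiring them to be empty is an added hardening assumption.
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ] || { echo too-open; return 5; }
  echo ok
}
```

Source the file, then call `opts_are_clean "$SOLR_AUTHENTICATION_OPTS"` and `check_auth_conf /path/to/basicAuth.conf` (placeholder path) before starting a node.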

[jira] [Commented] (SOLR-13463) Solr admin user credentials defined with -Dbasicauth property during start is visible in admin UI to any user.

2019-05-13 Thread JIRA


[ https://issues.apache.org/jira/browse/SOLR-13463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16838602#comment-16838602 ]

Jan Høydahl commented on SOLR-13463:


Please see 
https://lucene.apache.org/solr/guide/7_7/solr-control-script-reference.html#enabling-basic-authentication

If you try this on a clean solr install you should be able to copy the same 
commands into solr.in.sh on your current cluster.




[jira] [Commented] (SOLR-13463) Solr admin user credentials defined with -Dbasicauth property during start is visible in admin UI to any user.

2019-05-13 Thread Vinodh (JIRA)


[ https://issues.apache.org/jira/browse/SOLR-13463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16838302#comment-16838302 ]

Vinodh commented on SOLR-13463:
---

Hi Jan,

I stored username and password in a file as *user:password* format and used 
"*-Dsolr.httpclient.config=*" property to define the location of the file. But 
with this property, I'm getting below error while starting Solr nodes. Are you 
referring to this way of storing the password or anything else? Can you please 
also let me know how to achieve what you had mentioned in your comment "we could 
also add a default redaction of basicauth property like we do for *password*"?

Exception in thread "main" java.lang.ExceptionInInitializerError
    at org.apache.solr.util.SolrCLI.getHttpClient(SolrCLI.java:598)
    at org.apache.solr.util.SolrCLI$StatusTool.getStatus(SolrCLI.java:924)
    at org.apache.solr.util.SolrCLI$StatusTool.runImpl(SolrCLI.java:880)
    at org.apache.solr.util.SolrCLI$ToolBase.runTool(SolrCLI.java:177)
    at org.apache.solr.util.SolrCLI.main(SolrCLI.java:283)
Caused by: java.lang.IllegalArgumentException: username & password must be specified with org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory
    at org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory.initHttpClientBuilder(PreemptiveBasicAuthClientBuilderFactory.java:117)
    at org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory.getHttpClientBuilder(PreemptiveBasicAuthClientBuilderFactory.java:109)
    at org.apache.solr.client.solrj.impl.HttpClientUtil.<clinit>(HttpClientUtil.java:155)




[jira] [Commented] (SOLR-13463) Solr admin user credentials defined with -Dbasicauth property during start is visible in admin UI to any user.

2019-05-10 Thread JIRA


[ https://issues.apache.org/jira/browse/SOLR-13463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16837504#comment-16837504 ]

Jan Høydahl commented on SOLR-13463:


This is not a bug. Please use the option to store pw in a file instead, see ref 
guide. But we could also add a default redaction of basicauth property like we 
do for *password*
