[ https://issues.apache.org/jira/browse/SOLR-12778?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris M. Hostetter updated SOLR-12778:
--------------------------------------
    Attachment: SOLR-12778.patch
        Status: Open  (was: Open)

I'm attaching a patch that starts to flesh out support for a new 
"{{zkDigestEncryptFile}}" option used by both 
{{VMParamsAllAndReadonlyDigestZkACLProvider}} and 
{{VMParamsSingleSetCredentialsDigestZkCredentialsProvider}} to decrypt all the 
username/password options they read if specified.

The patch also includes a new {{public static String decodeAES(String 
base64CipherTxt, File encryptFile)}} method in {{CryptoKeys}} wrapping the 
existing {{decodeAES(String base64CipherTxt, String pwd)}} to simplify the 
common code of overhead for plugins like this (but I did not refactor the 
existing File handling code from DIH because it has a lot of code smells I 
didn't want to propagate: assuming limits on the file size, calling {{new 
String(byte[])}}, etc...)
----
Unfortunately this patch doesn't work at the moment because the {{CryptoKeys}} 
class is in solr-core and these plugins live in solr-solrj.

I know there has been a lot of concern about the size & dependencies of solrj, 
so I'm not sure how people will/would feel about migrating CryptoKeys into 
solrj ... I think it can be done w/o increasing the ivy dependencies, but I 
have not yet attempted.

> Support encrypted password for ZK cred/ACL providers
> ----------------------------------------------------
>
>                 Key: SOLR-12778
>                 URL: https://issues.apache.org/jira/browse/SOLR-12778
>             Project: Solr
>          Issue Type: New Feature
>          Components: SolrCloud
>            Reporter: Jan Høydahl
>            Priority: Major
>         Attachments: SOLR-12778.patch
>
>
> The {{VMParamsSingleSetCredentialsDigestZkCredentialsProvider}} takes a 
> {{zkDigestPassword}} in as a plain-text JVM param, and the 
> {{VMParamsAllAndReadonlyDigestZkACLProvider}} takes both {{zkDigestPassword}} 
> and {{zkDigestReadonlyPassword}}.
> Propose to give an option to encrypt these passwords using the same mechanism 
> as DIH does:
>  # Add a new VM param "zkDigestPasswordEncryptionKeyFile" which is a path to 
> a file holding the encryption key
>  # Store an encryption key in above mentioned file and restrict access to 
> this file so only Solr user can read it.
>  # Encrypt the ZK passwords using the encryption key and provide the 
> encrypted password in place of the plaintext one
> We could also create a utility command that takes the magic out of encrypting 
> the pw:
> {noformat}
> bin/solr util encrypt [-keyfile <file>] <string>{noformat}
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
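
An added example, not code from SOLR-12778.patch or from Solr: one way to load the key file from step 2 of the proposal while avoiding the two smells named in the comment (a fixed size limit and {{new String(byte[])}} with the platform charset), and refusing a file that anyone but its owner can read. The class name {{KeyFileReader}} and method {{readPassphrase}} are hypothetical, a POSIX file system is assumed, and the returned string is what would be handed to the existing {{decodeAES(String base64CipherTxt, String pwd)}}.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical helper for illustration; not part of Solr or SOLR-12778.patch. */
public final class KeyFileReader {
  // Any of these bits lets someone other than the file owner read or alter the key.
  private static final Set<PosixFilePermission> EXPOSING = EnumSet.of(
      PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
      PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);
  /** Returns the key file's content as a passphrase; rejects exposed or empty files. */
  public static String readPassphrase(Path keyFile) throws IOException {
    if (!Files.isRegularFile(keyFile)) {
      throw new IOException("Not a regular file: " + keyFile);
    }
    // Assumes a POSIX file system; elsewhere this call throws UnsupportedOperationException.
    Set<PosixFilePermission> exposed = EnumSet.copyOf(EXPOSING);
    exposed.retainAll(Files.getPosixFilePermissions(keyFile));
    if (!exposed.isEmpty()) {
      throw new IOException(keyFile + " is accessible beyond its owner: " + exposed);
    }
    // Read the file whatever its size and decode with an explicit charset.
    String passphrase = new String(Files.readAllBytes(keyFile), StandardCharsets.UTF_8).trim();
    if (passphrase.isEmpty()) {
      throw new IOException("Key file is empty: " + keyFile);
    }
    return passphrase;
  }
  public static void main(String[] args) throws IOException {
    // Constructed sample: a throwaway key file with a made-up passphrase.
    Path key = Files.createTempFile("zk-key", ".txt");
    try {
      Files.write(key, "constructed-passphrase\n".getBytes(StandardCharsets.UTF_8));
      Files.setPosixFilePermissions(key, PosixFilePermissions.fromString("rw-------"));
      System.out.println("owner-only file accepted, length " + readPassphrase(key).length());
      Files.setPosixFilePermissions(key, PosixFilePermissions.fromString("rw-r--r--"));
      readPassphrase(key); // expected to throw: group and others can read the key
    } catch (IOException e) {
      System.out.println("rejected: " + e.getMessage());
    } finally {
      Files.delete(key);
    }
  }
}
```

The permission check and the read are separate system calls, so the check guards against a misconfigured file rather than against a local user racing the JVM at startup.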
