You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2022/03/04 23:51:00 UTC

[jira] [Commented] (SOLR-16077) Solr basic authentication is undocumented and a bit strange

    [ https://issues.apache.org/jira/browse/SOLR-16077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17501588#comment-17501588 ] 

Jan Høydahl commented on SOLR-16077:
------------------------------------

Most users would likely use the HTTP API to add users, thus not needing to care ahout the hash algo etc.

Here is a small Java code I wrote 6 years ago to generate this yourself: [https://github.com/cominvent/solr-tools/blob/master/src/main/java/com/cominvent/solr/SolrPasswordHash.java]

You marked this as a bug in Authentication component. I cannot see a user-facing bug. Perhaps the code can be cleaned up a bit? Cannot answer for the double hashing.

Are you proposing changes to the documentation, the code or both?

> Solr basic authentication is undocumented and a bit strange
> -----------------------------------------------------------
>
>                 Key: SOLR-16077
>                 URL: https://issues.apache.org/jira/browse/SOLR-16077
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>            Reporter: Ben
>            Priority: Major
>              Labels: documentation, easyfix, security
>
> I'm working with Solr 7 because reasons, but the issue also seems to persist in the current code base.
> h2. Documentation
> Here's the Solr 8.1 documentation for the [Basic Authentication Plugin|[https://solr.apache.org/guide/8_1/basic-authentication-plugin.html]]. In the security.json example, we see
> {code:java}
> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}, {code}
> but the only explanation given for this is "A user called 'solr', with a password {{'SolrRocks'}} has been defined."
> What's missing is:
>  * Explanation of how to produce such a credential string. In psuedocode, this amounts to:
>  ** 
> {code:java}
> encode_base64(sha256(sha256(salt + password))) + " " + encode_base64(salt){code}
>  * The salt used, in addition to the password used, so that users can test that their produced credentials will match Solr's handling.
> I've spent a good bit of searching through articles and watching videos, and I couldn't find any that actually explained this until I saw the source code. The only explanation I've seen for adding users was to first stand up an unauthenticated instance, and then add them via the API, which doesn't translate well into automated deployments.
> h2. Code
> Let's get back to that pseudocode.
> {code:java}
> encode_base64(sha256(sha256(salt + password))) + " " + encode_base64(salt){code}
> Strangely, we're hashing twice! Here it is in [the source|https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java#L129]. In more detail:
> {code:java}
>     if (saltKey != null) {
>       digest.reset();
>       digest.update(Base64.getDecoder().decode(saltKey));
>     }
>     byte[] btPass = digest.digest(password.getBytes(StandardCharsets.UTF_8));
>     digest.reset();
>     btPass = digest.digest(btPass);
>     return Base64.getEncoder().encodeToString(btPass); {code}
> Some observations:
>  * Nit: the salt is base64'd before being passed to the function then immediately unbase64'd again, but that's beside the point.
>  * The salt is added to the message, then the password, and then digest() is called. This produces a SHA256 hash digest.
>  * digest() [basically calls reset()|https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html], so there's no need to call reset()
>  * The previous digest is then hashed again! This is surprising. Is there a reason?
> h2. Outro
> I'm not too familiar with secure coding practices, especially in Java, so perhaps this was to work around some sort of limitation with java.secure.MessageDigest when this particular code was produced 7 years ago. It certainly seems strange to do this in terms of code quality, but I feel like my more immediate issue is that it's incredibly non-obvious to an end user just trying to secure a Solr instance.
> Is there a reason it's coded this way? How should end-users learn how to configure security.json? If the code is updated to use only a single round of SHA256 hashing, how will existing Solr deployments update smoothly?
> Thanks!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org