Posted to dev@lucene.apache.org by "Mark Miller (JIRA)" <ji...@apache.org> on 2017/03/08 09:13:38 UTC

[jira] [Commented] (SOLR-10076) Hiding keystore and truststore passwords from /admin/info/* outputs

    [ https://issues.apache.org/jira/browse/SOLR-10076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900946#comment-15900946 ] 

Mark Miller commented on SOLR-10076:
------------------------------------

This looks okay to me. We probably want to push users towards configuring this in a way that it's not on the command line though, right? It's nice not to expose it via the web UI when we see it, but you also don't really want it on the command line as that stuff is pretty easy to introspect by people who should not.

Our doc should probably encourage people to use alternatives to system properties on the command line, or we should look at disabling / warning when it's done. I know our start scripts recently still set some of this SSL stuff via the command line, but if that is still the case, we should fix that too.

> Hiding keystore and truststore passwords from /admin/info/* outputs
> -------------------------------------------------------------------
>
>                 Key: SOLR-10076
>                 URL: https://issues.apache.org/jira/browse/SOLR-10076
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Mano Kovacs
>            Assignee: Mark Miller
>         Attachments: SOLR-10076.patch
>
>
> Passing keystore and truststore passwords is done by system properties, via command-line parameters.
> As a result, {{/admin/info/properties}} and {{/admin/info/system}} will print out the received password.
> Proposing a solution to automatically redact the value of any system property containing the word {{password}} before output, replacing its value with {{******}}.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
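
The redaction rule proposed in the issue, as an added example that is not part of the original message and is not the SOLR-10076 patch. It goes one step beyond the description by applying the same rule to the JVM's `-Dname=value` arguments, since that is where a password given on the command line also shows up; the class and method names are hypothetical and the sample values are constructed.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

// Hypothetical helper for illustration; not Solr's class or the SOLR-10076 patch.
public class RedactSystemProperties {
    static final String MASK = "******";

    // The rule from the issue: a property whose name contains "password" is masked.
    static boolean isSensitive(String name) {
        return name.toLowerCase(Locale.ROOT).contains("password");
    }

    // Copy of the properties that is safe to print; values of sensitive keys are masked.
    static Map<String, String> redact(Properties props) {
        Map<String, String> out = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            out.put(name, isSensitive(name) ? MASK : props.getProperty(name));
        }
        return out;
    }

    // JVM arguments carry the same secret as -Dname=value, so mask them as well.
    static List<String> redactArgs(List<String> args) {
        List<String> out = new ArrayList<>();
        for (String arg : args) {
            int eq = arg.indexOf('=');
            boolean hit = arg.startsWith("-D") && eq > 2 && isSensitive(arg.substring(2, eq));
            out.add(hit ? arg.substring(0, eq + 1) + MASK : arg);
        }
        return out;
    }

    public static void main(String[] unused) {
        // Constructed sample values, set here so the example runs offline.
        Properties props = new Properties();
        props.setProperty("javax.net.ssl.keyStorePassword", "constructed-secret");
        props.setProperty("solr.install.dir", "/opt/solr");
        redact(props).forEach((k, v) -> System.out.println(k + " = " + v));
        List<String> sample = Arrays.asList("-Xmx512m", "-Djavax.net.ssl.keyStorePassword=constructed-secret");
        redactArgs(sample).forEach(System.out::println);
        // The live JVM's own arguments, passed through the same filter.
        redactArgs(ManagementFactory.getRuntimeMXBean().getInputArguments()).forEach(System.out::println);
    }
}
```

Masking only changes what an output endpoint prints; the unmasked argument is still part of the process command line.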
