Posted to commits@lucene.apache.org by ge...@apache.org on 2019/12/11 12:16:18 UTC

[lucene-solr] branch master updated: SOLR-13972: Warn about insecure settings on startup (#1058)

This is an automated email from the ASF dual-hosted git repository.

gerlowskija pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/master by this push:
     new d8aa045  SOLR-13972: Warn about insecure settings on startup (#1058)
d8aa045 is described below

commit d8aa04575f2f011ba95fe69f0e9c5526733039c3
Author: Jason Gerlowski <ge...@apache.org>
AuthorDate: Wed Dec 11 07:16:09 2019 -0500

    SOLR-13972: Warn about insecure settings on startup (#1058)
---
 .../src/java/org/apache/solr/core/CoreContainer.java    | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/solr/core/src/java/org/apache/solr/core/CoreContainer.java b/solr/core/src/java/org/apache/solr/core/CoreContainer.java
index a9db133..f494f50 100644
--- a/solr/core/src/java/org/apache/solr/core/CoreContainer.java
+++ b/solr/core/src/java/org/apache/solr/core/CoreContainer.java
@@ -40,6 +40,7 @@ import java.util.concurrent.Future;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.http.auth.AuthSchemeProvider;
 import org.apache.http.client.CredentialsProvider;
 import org.apache.http.config.Lookup;
@@ -657,6 +658,7 @@ public class CoreContainer {
 
     securityConfHandler = isZooKeeperAware() ? new SecurityConfHandlerZk(this) : new SecurityConfHandlerLocal(this);
     reloadSecurityProperties();
+    warnUsersOfInsecureSettings();
     this.backupRepoFactory = new BackupRepositoryFactory(cfg.getBackupRepositoryPlugins());
 
     createHandler(ZK_PATH, ZookeeperInfoHandler.class.getName(), ZookeeperInfoHandler.class);
@@ -897,6 +899,21 @@ public class CoreContainer {
     initializeAuditloggerPlugin((Map<String, Object>) securityConfig.getData().get("auditlogging"));
   }
 
+  private void warnUsersOfInsecureSettings() {
+    if (authenticationPlugin == null || authorizationPlugin == null) {
+      log.warn("Not all security plugins configured!  authentication={} authorization={}.  Solr is only as secure as " +
+          "you make it. Consider configuring authentication/authorization before exposing Solr to users internal or " +
+          "external.  See https://s.apache.org/solrsecurity for more info",
+          (authenticationPlugin != null) ? "enabled" : "disabled",
+          (authorizationPlugin != null) ? "enabled" : "disabled");
+    }
+
+    if (authenticationPlugin !=null && StringUtils.isNotEmpty(System.getProperty("solr.jetty.https.port"))) {
+      log.warn("Solr authentication is enabled, but SSL is off.  Consider enabling SSL to protect user credentials and " +
+          "data with encryption.");
+    }
+  }
+
   private static void checkForDuplicateCoreNames(List<CoreDescriptor> cds) {
     Map<String, Path> addedCores = Maps.newHashMap();
     for (CoreDescriptor cd : cds) {
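Review bot: The SSL check in warnUsersOfInsecureSettings appears inverted: the warning text says "SSL is off", but the condition fires when `solr.jetty.https.port` is non-empty, which (assuming that property is set only when HTTPS is configured) is the secure case, so the warning would be logged exactly when it is not needed and suppressed when it is. The condition should be `if (authenticationPlugin != null && StringUtils.isEmpty(System.getProperty("solr.jetty.https.port"))) {`. While touching that line, the `!=null` spacing should match the `== null` / `!= null` style used elsewhere in the method. The method also deserves a short Javadoc stating that it only logs and never fails startup, e.g. `/** Logs warnings for security settings that are commonly left unset; never throws. */`.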