Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2018/09/07 14:41:00 UTC

[jira] [Updated] (SOLR-12184) Master/Slave configuration exposes Basic Auth password in plain text.

     [ https://issues.apache.org/jira/browse/SOLR-12184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl updated SOLR-12184:
-------------------------------
    Security: Public  (was: Private (Security Issue))

> Master/Slave configuration exposes Basic Auth password in plain text. 
> ----------------------------------------------------------------------
>
>                 Key: SOLR-12184
>                 URL: https://issues.apache.org/jira/browse/SOLR-12184
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: documentation, replication (java)
>    Affects Versions: 7.2
>            Reporter: Syed B. Ahmed
>            Priority: Minor
>         Attachments: SOLR-12184.patch, SOLR-12184.patch
>
>
> Copying my original question and reply from Shawn Heisey.
> {quote}Seems even when we use Security.json with BasicAuthentication Plugin as documented here -- [https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html]
> , which nicely encrypts the user password using SHA256 encryption, when it comes to configuring{quote}
> {quote}Please let me know how I can use the same encrypted password as in Security.json when setting up Master/Slave Replication for Solr.{quote}
>  
> At the moment, the cleartext password is the only way it can be configured.
>  
> It is not possible to use the same string that goes in security.json for
> a feature like replication.  That string is a one-way hash of the
> password, so it cannot be decrypted.  The replication handler must be
> able to obtain the cleartext password.
>  
> The DIH feature offers password encryption for database passwords. 
> Scroll down a little bit on the following page to the description
> numbered "2":
>  
> [https://lucene.apache.org/solr/guide/6_6/uploading-structured-data-store-data-with-the-data-import-handler.html#configuring-the-dih-configuration-file]
>  
> The replication handler CAN be enhanced to use the same kind of
> encryption.  Note that this is merely security through obscurity.  If
> whoever is looking at the configuration also has access to the key file,
> then they will be able to decrypt the password.
>  
> Can you file an enhancement issue in Jira to add this capability to
> other handlers like replication?
>  
> Hello,
> Seems even when we use Security.json with BasicAuthentication Plugin as documented here -- [https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html]
> , which nicely encrypts the user password using SHA256 encryption, when it comes to configuring the slave in a Master/Slave Index Replication Strategy, the slave config requires the
> BasicAuthentication password to be given in plain text?  Is it something I got wrong?  But in my setup of HA with Master/Slave replication it works in this manner.
>  
> [https://lucene.apache.org/solr/guide/7_2/index-replication.html]  this also indicates the config is in plain text.
>  
>     <!-- If HTTP Basic authentication is enabled on the master, then the slave
>          can be configured with the following -->
>  
>     <str name="httpBasicAuthUser">username</str>
>     <str name="httpBasicAuthPassword">password</str>
>  
>  
> Please let me know how I can use the same encrypted password as in Security.json when setting up Master/Slave Replication for Solr.
>  
> Thx
> -Syed Ahmed.
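To make Shawn's point concrete (the security.json string is a salted one-way hash, so a replication client holding only that string has nothing it could send as a password), here is an added Python example. It is not code from the Solr project or from this thread. It assumes the scheme I understand Solr's Sha256AuthenticationProvider to use: base64(sha256(sha256(salt || password))), a space, then base64(salt), with a random 32-byte salt per user; the user names, passwords and fixed salt below are constructed for the demonstration, and the helper names are my own.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Constructed fixed salt so the demonstration is reproducible; Solr itself
# draws a fresh random 32-byte salt per user.
FIXED_SALT = b"\x07" * 32


def solr_sha256(password: str, salt: bytes) -> str:
    """Double SHA-256 over salt || password, base64-encoded.

    Assumption: this mirrors the hashing Solr's Sha256AuthenticationProvider
    applies to security.json credentials.
    """
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    second = hashlib.sha256(first).digest()
    return base64.b64encode(second).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build the 'hash salt' string stored per user in security.json."""
    if salt is None:
        salt = os.urandom(32)
    return f"{solr_sha256(password, salt)} {base64.b64encode(salt).decode('ascii')}"


def verify_credential(password: str, credential: str) -> bool:
    """Check a cleartext candidate password against a stored credential.

    Verification recomputes the hash from the cleartext candidate. There is no
    inverse operation, which is why the stored string cannot be reused as the
    password that a replication slave must present to the master.
    """
    parts = credential.split(" ")
    if len(parts) != 2:
        return False
    stored_hash, salt_b64 = parts
    try:
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Constant-time comparison of the two base64 strings.
    return hmac.compare_digest(solr_sha256(password, salt), stored_hash)


def security_json(users: Dict[str, str]) -> dict:
    """Assemble the 'authentication' section of a security.json document.

    Every value under 'credentials' is a one-way hash; the cleartext passwords
    passed in here are never written to the document.
    """
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,
            "credentials": {u: make_credential(p) for u, p in users.items()},
        }
    }


if __name__ == "__main__":
    # Constructed users for the demonstration.
    doc = security_json({"replication-user": "example-cleartext"})
    print(json.dumps(doc, indent=2))
    stored = doc["authentication"]["credentials"]["replication-user"]
    print("correct password verifies:", verify_credential("example-cleartext", stored))
    print("wrong password verifies:  ", verify_credential("guess", stored))
```

Note that `verify_credential` takes the cleartext as input; that is the only direction the function can run. A slave configured with the security.json string instead of the password would have to run the hash backwards, which this scheme does not permit, so the replication handler (or an encrypted-at-rest variant like the DIH key-file approach) still has to end up with the cleartext.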



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
