[ https://issues.apache.org/jira/browse/SOLR-10076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15902592#comment-15902592 ]
Mark Miller commented on SOLR-10076:
------------------------------------
So I think we want to make sure the search for 'password' is case insensitive
due to things like javax.net.ssl.trustStorePassword. Could use a test for that
too.
We should move RedactionUtils.java to org.apache.solr.util probably.
Greg did something similar in Cloudera Search lucene-solr repo as a temporary
hack, but used '--REDACTED--'. I think that is more clear than the ******
redaction string.
Given the effect this could have on tools/scripts that read output, I think
it's not a huge deal if we changed it, but I don't see a strong reason to do it
and that should usually favour back compat, even if we would guess those
affected might be very few. We can do it by default in 7 and anyone looking for
this in 6.5 and beyond will know they need it and it didn't exist in 6.4 and <
and can turn it on. Seems like the least friction.
> Hiding keystore and truststore passwords from /admin/info/* outputs
> -------------------------------------------------------------------
>
> Key: SOLR-10076
> URL: https://issues.apache.org/jira/browse/SOLR-10076
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Mano Kovacs
> Assignee: Mark Miller
> Attachments: SOLR-10076.patch
>
>
> Passing keystore and truststore password is done by system properties, via
> cmd line parameter.
> As a result, {{/admin/info/properties}} and {{/admin/info/system}} will print
> out the received password.
> Proposing solution to automatically redact value of any system property
> before output, containing the word {{password}}, and replacing its value with
> {{******}}.
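
The case-insensitive match and the opt-in switch discussed in the comment above, as an added Java example that is not part of the original message and is not the attached patch. The class name, method names and the `redact` flag are assumptions made for illustration, and the property values are constructed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

// Added illustration; class, method and flag names are hypothetical, not Solr's.
public class PropertyRedactionExample {
    static final String REDACTED = "--REDACTED--";

    // True when the property name contains "password" in any letter case.
    // A case-sensitive contains("password") would miss "trustStorePassword".
    static boolean isSensitive(String key) {
        return key.toLowerCase(Locale.ROOT).contains("password");
    }

    // Returns a sorted copy for display; the live Properties object is never modified.
    static Map<String, String> forDisplay(Properties props, boolean redact) {
        Map<String, String> out = new TreeMap<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            out.put(key, redact && isSensitive(key) ? REDACTED : value);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        Properties props = new Properties();
        props.setProperty("javax.net.ssl.trustStorePassword", "sample-trust-secret");
        props.setProperty("javax.net.ssl.keyStorePassword", "sample-key-secret");
        props.setProperty("javax.net.ssl.keyStore", "/path/to/keystore.jks");
        props.setProperty("user.timezone", "UTC");

        Map<String, String> shown = forDisplay(props, true);
        if (!REDACTED.equals(shown.get("javax.net.ssl.trustStorePassword"))
                || !REDACTED.equals(shown.get("javax.net.ssl.keyStorePassword"))
                || !"UTC".equals(shown.get("user.timezone"))) {
            throw new AssertionError("redaction did not behave as expected");
        }
        // With redaction switched off, output is unchanged (the back-compat case).
        if (!"sample-trust-secret".equals(
                forDisplay(props, false).get("javax.net.ssl.trustStorePassword"))) {
            throw new AssertionError("disabled redaction must leave values intact");
        }
        shown.forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```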