Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-12184

Master/Slave configuration exposes Basic Auth password in plain text.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 7.2
    • None
    • documentation, replication (java)
    • None

    Description

      Copying my original question and reply from Shawn Heisey.

      Seems even when we use Secuirty.json with BasicAuthentication Plugin as documented here – https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html
      , which nicely encrypts the user password using SHA256 encryption,  when it comes to configuring

      Please let me know how I can use the same encrypted password as in Security.json when setting up Master/Slave Replication for Solr.

       
      At the moment, the cleartext password is the only way it can be configured.
       
      It is not possible to use the same string that goes in security.json for
      a feature like replication.  That string is a one-way hash of the
      password, so it cannot be decrypted.  The replication handler must be
      able to obtain the cleartext password.
       
      The DIH feature offers password encryption for database passwords. 
      Scroll down a little bit on the following page to the description
      numbered "2":
       
      https://lucene.apache.org/solr/guide/6_6/uploading-structured-data-store-data-with-the-data-import-handler.html#configuring-the-dih-configuration-file
       
      The replication handler CAN be enhanced to use a the same kind of
      encryption.  Note that this is merely security through obscurity.  If
      whoever is looking at the configuration also has access to the key file,
      then they will be able to decrypt the password.
       
      Can you file an enhancement issue in Jira to add this capability to
      other handlers like replication?
       
       
       
       
       
      Hello,
      Seems even when we use Secuirty.json with BasicAuthentication Plugin as documented here – https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html
      , which nicely encrypts the user password using SHA256 encryption,  when it comes to configuring the slave in a Master/Slave Index Replication Strategy, the slave config requires to give the
      BasicAuthentication password in plain text?  Is it something I got wrong?  But in my setup of HA with Master/Slave replication it works in this manner.
       
      https://lucene.apache.org/solr/guide/7_2/index-replication.html  this also indicates the config is in plain text.
       
          <!-- If HTTP Basic authentication is enabled on the master, then the slave
               can be configured with the following -->
       
          <str name="httpBasicAuthUser">username</str>
          <str name="httpBasicAuthPassword">password</str>
       
       
      Please let me know how I can use the same encrypted password as in Security.json when setting up Master/Slave Replication for Solr.
       
      Thx
      -Syed Ahmed.

      Attachments

        1. SOLR-12184.patch
          2 kB
          Jan Høydahl
        2. SOLR-12184.patch
          2 kB
          Jan Høydahl

        Issue Links

          is caused by

          New Feature - A new feature of the product, which has yet to be developed. SOLR-9640 Support PKI authentication and SSL in standalone-mode master/slave auth with local security.json

          • Major - Major loss of function.
          • Open

          Activity

            People

              Unassigned Unassigned
              sbua2003 Syed B. Ahmed
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: