Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Done
Description
System properties can contain sensitive data, and they are easily available from the Admin UI (/admin/info/system) and also from the Metrics API (/admin/metrics).
By default, /admin/info/system redacts any sys prop with a key containing password. This can be configured with the sysprop -Dsolr.redaction.system.pattern=<regex>.
The metrics API by default hides these sysprops from the API output:
"javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword", "basicauth", "zkDigestPassword", "zkDigestReadonlyPassword"
You can redefine these by adding a section to solr.xml: (https://lucene.apache.org/solr/guide/7_5/metrics-reporting.html#the-metrics-hiddensysprops-element)
<metrics>
  <hiddenSysProps>
    <str>foo</str>
    <str>bar</str>
    <str>baz</str>
  </hiddenSysProps>
</metrics>
Unifying the two
It is not very user friendly to have two different systems for redacting system properties and two sets of defaults. The goals of this issue are:
- Keep only one set of defaults
- Both metrics and system info handler will use the same source
- It should be possible to change and persist the list without a full cluster restart, preferably through some API
Note that the solr.redaction.system.pattern property is not documented in the ref guide, so this Jira should also fix documentation!
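The mismatch between the two default sets described above can be checked against a list of property names. This is an added example, not part of the original issue or of Solr's code. It assumes that "a key containing password" means a case-insensitive whole-key match of `.*password.*`; the function names and sample keys are constructed for illustration.

```python
import re

# Metrics API default hidden list, as quoted in the issue description.
METRICS_HIDDEN = frozenset({
    "javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword",
    "basicauth", "zkDigestPassword", "zkDigestReadonlyPassword",
})
# Assumption: the system info default is modelled as a case-insensitive
# whole-key match; swap in the value of -Dsolr.redaction.system.pattern.
SYSINFO_PATTERN = re.compile(r".*password.*", re.IGNORECASE)


def exposure(keys, pattern=SYSINFO_PATTERN, hidden=METRICS_HIDDEN):
    """Map each property key to the endpoints that would show its value."""
    report = {}
    for key in keys:
        shown = []
        if not pattern.fullmatch(key):
            shown.append("/admin/info/system")
        if key not in hidden:
            shown.append("/admin/metrics")
        report[key] = shown
    return report


def inconsistent(keys, **rules):
    """Keys protected by exactly one of the two mechanisms."""
    return sorted(k for k, v in exposure(keys, **rules).items() if len(v) == 1)


def unified(keys, pattern=SYSINFO_PATTERN, hidden=METRICS_HIDDEN):
    """Keys hidden everywhere if both endpoints shared one rule set (union)."""
    return sorted(k for k in keys if pattern.fullmatch(k) or k in hidden)


# Constructed sample property names (not taken from a real deployment).
SAMPLE_KEYS = [
    "javax.net.ssl.keyStorePassword",  # covered by both mechanisms
    "zkDigestPassword",                # covered by both mechanisms
    "basicauth",                       # hidden by the metrics list only
    "example.db.password",             # redacted by the pattern only
    "java.version",                    # not sensitive, shown by both
]

if __name__ == "__main__":
    for key, shown in exposure(SAMPLE_KEYS).items():
        print(f"{key:32} shown by: {', '.join(shown) or '(nothing)'}")
    print("protected on one endpoint only:", inconsistent(SAMPLE_KEYS))
```

Feeding it the property names of a running node shows which secrets rely on only one of the two mechanisms.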
Issue Links
- relates to SOLR-11369 Zookeeper credentials are showed up on the Solr Admin GUI (Resolved)