[jira] [Commented] (SOLR-12976) Unify RedactionUtils and metrics hiddenSysProps settings

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[jira] [Commented] (SOLR-12976) Unify RedactionUtils and metrics hiddenSysProps settings

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SOLR-12976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16681486#comment-16681486 ]

Jan Høydahl commented on SOLR-12976:

One use case could be multi tenancy. So you have a clients that get, say, only read access to collection "foo", while another client gets r/w access to collection "bar". Yet another client will have admin access. This is enforced by the auth framework. So in this case it is important to make sure that the "foo" client only can query this one collection and not see any system-level secrets on any of the API endpoints.

Also, you don't want secrets to leak out to the monitoring tool you are using, since it is not given that everyone with access to monitoring DB are also super-users.

Now, I guess that the Admin UI will be pretty crippled already if you only have read access to one collection, and no other permissions. Then the dashboard won't even display anything meaningful and I don't think you'll get to use any of the /admin/ handlers, so that is an easy one. But if you have an administrator that should be allowed to create new collections or maintain a schema via schema API, he/she should not necessarily also be allowed to see other secrets?

> Unify RedactionUtils and metrics hiddenSysProps settings
> --------------------------------------------------------
>                 Key: SOLR-12976
>                 URL: https://issues.apache.org/jira/browse/SOLR-12976
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: security
>            Reporter: Jan Høydahl
>            Priority: Major
> System properties can contain sensitive data, and they are easily available from the Admin UI (/admin/info/system) and also from the Metrics API (/admin/metrics).
> By default the {{/admin/info/system}} redacts any sys prop with a key containing *password*. This can be configured with sysprop {{-Dsolr.redaction.system.pattern=<regex>}}
> The metrics API by default hides these sysprops from the API output:
> {code:java}
>     "javax.net.ssl.keyStorePassword",
>     "javax.net.ssl.trustStorePassword",
>     "basicauth",
>     "zkDigestPassword",
>     "zkDigestReadonlyPassword"
> {code}
> You can redefine these by adding a section to {{solr.xml}}: ([https://lucene.apache.org/solr/guide/7_5/metrics-reporting.html#the-metrics-hiddensysprops-element])
> {code:xml}
> <metrics>
>  <hiddenSysProps>
>    <str>foo</str>
>    <str>bar</str>
>    <str>baz</str>
>  </hiddenSysProps>
> </metrics>{code}
> h2. Unifying the two
> It is not very user firiendly to have two different systems for redacting system properties and two sets of defaults. This goals of this issue are
>  * Keep only one set of defaults
>  * Both metrics and system info handler will use the same source
>  * It should be possible to change and persist the list without a full cluster restart, preferably though some API
> Note that the {{solr.redaction.system.pattern}} property is not documented in the ref guide, so this Jira should also fix documentation!

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]