[jira] [Created] (SOLR-12976) Unify RedactionUtils and metrics hiddenSysProps settings

JIRA jira@apache.org
Jan Høydahl created SOLR-12976:
----------------------------------

             Summary: Unify RedactionUtils and metrics hiddenSysProps settings
                 Key: SOLR-12976
                 URL: https://issues.apache.org/jira/browse/SOLR-12976
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
          Components: security
            Reporter: Jan Høydahl


System properties can contain sensitive data, and they are easily available from the Admin UI (/admin/info/system) and also from the Metrics API (/admin/metrics).

By default the {{/admin/info/system}} redacts any sys prop with a key containing *password*. This can be configured with sysprop {{-Dsolr.redaction.system.pattern=<regex>}}

The metrics API by default hides these sysprops from the API output:
{code:java}
    "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.trustStorePassword",
    "basicauth",
    "zkDigestPassword",
    "zkDigestReadonlyPassword"
{code}
You can redefine these by adding a section to {{solr.xml}}:
{code:xml}
<metrics>
 <hiddenSysProps>
   <str>foo</str>
   <str>bar</str>
   <str>baz</str>
 </hiddenSysProps>
</metrics>{code}
h2. Unifying the two

It is not very user friendly to have two different systems for redacting system properties and two sets of defaults. The goals of this issue are:
 * Keep only one set of defaults
 * Both metrics and system info handler will use the same source
 * It should be possible to change and persist the list without a full cluster restart, preferably through some API



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

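The mismatch the issue describes, as an added example that is not part of the original message and is not Solr code: an audit that lists which property names are hidden on one endpoint but visible on the other. It assumes the system info rule is a case-insensitive regex search for "password" and that the metrics list matches exact names; the sample keys and the function names are constructed for illustration.

```python
import re

# Default metrics hidden list, copied from the issue text.
METRICS_HIDDEN = frozenset({
    "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.trustStorePassword",
    "basicauth",
    "zkDigestPassword",
    "zkDigestReadonlyPassword",
})

# Assumption: "key containing password" modelled as a case-insensitive search.
SYSTEM_INFO_PATTERN = re.compile(r"password", re.IGNORECASE)

# Constructed sample of property names, not taken from a real node.
SAMPLE_KEYS = sorted(METRICS_HIDDEN) + [
    "myapp.db.password", "myapp.api.token", "java.version",
]


def hidden_by_system_info(key, pattern=SYSTEM_INFO_PATTERN):
    """Pattern rule: hide any key the regex matches anywhere."""
    return pattern.search(key) is not None


def hidden_by_metrics(key, hidden=METRICS_HIDDEN):
    """List rule (assumed exact match): hide only the listed names."""
    return key in hidden


def audit(keys, pattern=SYSTEM_INFO_PATTERN, hidden=METRICS_HIDDEN):
    """Map each endpoint to the keys it shows although the other hides them."""
    exposed = {"/admin/info/system": [], "/admin/metrics": []}
    for key in sorted(set(keys)):
        by_info = hidden_by_system_info(key, pattern)
        by_metrics = hidden_by_metrics(key, hidden)
        if by_metrics and not by_info:
            exposed["/admin/info/system"].append(key)
        elif by_info and not by_metrics:
            exposed["/admin/metrics"].append(key)
    return exposed


def unified_hidden(key, pattern=SYSTEM_INFO_PATTERN, hidden=METRICS_HIDDEN):
    """One shared rule for both handlers: hide if either source says so."""
    return hidden_by_system_info(key, pattern) or hidden_by_metrics(key, hidden)


if __name__ == "__main__":
    for endpoint, keys in audit(SAMPLE_KEYS).items():
        print(endpoint, "shows:", keys)
```

Under these assumptions a name such as `myapp.api.token` is hidden by neither rule, so it appears on both endpoints and does not show up in the audit at all.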