[ https://issues.apache.org/jira/browse/SOLR-8440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16001322#comment-16001322 ]

Hrishikesh Gadre commented on SOLR-8440:
----------------------------------------

[~ichattopadhyaya]

bq. In both options, the actual credentials will stay in clear text (either in 
solr.in.sh or a separate file). I don't see how this improves either security 
or ease of use.

The main difference is that the second option allows admins to customize the 
file permissions upfront such that the config file will be readable only to a 
set of trusted users on the system. Specifying a password on the command line has 
a number of [security related 
issues|https://unix.stackexchange.com/questions/78734/why-shouldnt-someone-use-passwords-in-the-command-line].

BTW, what are the default file permissions for solr.in.sh? Is it world 
readable?

bq.  It will also help ignorant users, who might inadvertently copy the 
redacted line to the solr.in.sh and nothing will work for him.

The second option also helps in this case. Since it just provides a file-system 
path, it is quite safe to be printed on the command line. If a malicious user 
attempts to read this configuration file, he would get a file permissions error 
from the operating system (assuming permissions are set up appropriately).


> Script support for enabling basic auth
> --------------------------------------
>
>                 Key: SOLR-8440
>                 URL: https://issues.apache.org/jira/browse/SOLR-8440
>             Project: Solr
>          Issue Type: New Feature
>          Components: scripts and tools
>            Reporter: Jan Høydahl
>            Assignee: Ishan Chattopadhyaya
>              Labels: authentication, security
>         Attachments: SOLR-8440.patch, SOLR-8440.patch, SOLR-8440.patch, 
> SOLR-8440.patch, SOLR-8440.patch, SOLR-8440.patch
>
>
> Now that BasicAuthPlugin will be able to work without an AuthorizationPlugin 
> (SOLR-8429), it would be sweet to provide a super simple way to "Password 
> protect Solr"™ right from the command line:
> {noformat}
> bin/solr basicAuth -adduser -user solr -pass SolrRocks
> {noformat}
> It would take the mystery out of enabling one single password across the 
> board. The command would do something like this
> # Check if HTTPS is enabled, and if not, print a friendly warning
> # Check if {{/security.json}} already exists
> ## NO => create one with only plugin class defined
> ## YES => Abort if exists but plugin is not {{BasicAuthPlugin}}
> # Using security REST API, add the new user
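As an added illustration (not code from SOLR-8440 or any of its patches) of the "second option" argued for in the comment above: a shell helper a startup script could use to load basic-auth credentials from a separate file, refusing any file whose mode grants group or other access, so that only the path ever appears on a command line or in a process listing. The file format (`user:password` on one line) and the variable names are assumptions.

```shell
# Added example, not part of Solr: load "user:password" from a credentials
# file, but only if the file is readable by its owner alone.
read_protected_credentials() {
    cred_file="$1"
    if [ ! -f "$cred_file" ]; then
        echo "credentials file not found: $cred_file" >&2
        return 1
    fi
    # stat -c is GNU coreutils (Linux); BSD/macOS would use 'stat -f %Lp'.
    mode=$(stat -c '%a' "$cred_file") || return 1
    # The last two octal digits are the group and other bits. Anything set
    # there means the secret is exposed beyond the owning account, so refuse
    # rather than rely on the OS denying the read to everyone else.
    case "$mode" in
        *00) ;;  # e.g. 600 or 400 (a leading setuid/setgid digit is fine)
        *)
            echo "refusing $cred_file: mode $mode allows group/other access" >&2
            return 2
            ;;
    esac
    # Read the single "user:password" line. Only the path is ever printed;
    # the password stays in the shell variable, never in argv.
    IFS=: read -r SOLR_AUTH_USER SOLR_AUTH_PASS < "$cred_file" || return 1
    [ -n "$SOLR_AUTH_USER" ] && [ -n "$SOLR_AUTH_PASS" ]
}

# Usage (path is an assumed example location):
#   if read_protected_credentials /etc/solr/basic-auth.conf; then
#       echo "loaded credentials for $SOLR_AUTH_USER from /etc/solr/basic-auth.conf"
#   fi
```

A mode 644 solr.in.sh with the password inlined would fail this check, which is exactly the world-readable case the comment asks about.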



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
