[ https://issues.apache.org/jira/browse/SOLR-12778?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris M. Hostetter updated SOLR-12778:
--------------------------------------
    Attachment: SOLR-12778.patch
        Status: Open  (was: Open)

I'm attaching a patch that starts to flesh out support for a new "{{zkDigestEncryptFile}}" option used by both {{VMParamsAllAndReadonlyDigestZkACLProvider}} and {{VMParamsSingleSetCredentialsDigestZkCredentialsProvider}} to decrypt all the username/password options they read if specified.

The patch also includes a new {{public static String decodeAES(String base64CipherTxt, File encryptFile)}} method in {{CryptoKeys}} wrapping the existing {{decodeAES(String base64CipherTxt, String pwd)}} to simplify the common code of overhead for plugins like this (but I did not refactor the existing File handling code from DIH because it has a lot of code smells I didn't want to propagate: assuming limits on the file size, calling {{new String(byte[])}}, etc...)

----

Unfortunately this patch doesn't work at the moment because the {{CryptoKeys}} class is in solr-core and these plugins live in solr-solrj.

I know there has been a lot of concern about the size & dependencies of solrj, so I'm not sure how people will/would feel about migrating CryptoKeys into solrj ... I think it can be done w/o increasing the ivy dependencies, but I have not yet attempted.

> Support encrypted password for ZK cred/ACL providers
> ----------------------------------------------------
>
>                 Key: SOLR-12778
>                 URL: https://issues.apache.org/jira/browse/SOLR-12778
>             Project: Solr
>          Issue Type: New Feature
>          Components: SolrCloud
>            Reporter: Jan Høydahl
>            Priority: Major
>         Attachments: SOLR-12778.patch
>
>
> The {{VMParamsSingleSetCredentialsDigestZkCredentialsProvider}} takes a
> {{zkDigestPassword}} in as a plain-text JVM param, and the
> {{VMParamsAllAndReadonlyDigestZkACLProvider}} takes both {{zkDigestPassword}}
> and {{zkDigestReadonlyPassword}}.
> Propose to give an option to encrypt these passwords using the same mechanism
> as DIH does:
> # Add a new VM param "zkDigestPasswordEncryptionKeyFile" which is a path to
> a file holding the encryption key
> # Store an encryption key in above mentioned file and restrict access to
> this file so only Solr user can read it.
> # Encrypt the ZK passwords using the encryption key and provide the
> encrypted password in place of the plaintext one
> We could also create a utility command that takes the magic out of encrypting
> the pw:
> {noformat}
> bin/solr util encrypt [-keyfile <file>] <string>{noformat}
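
The key-file handling discussed in this message, as an added example that is not part of the attached patch or of Solr: a hypothetical {{ZkKeyFileLoader}} that enforces the owner-only access from step 2 of the proposal and avoids the two file-handling problems named in the comment (an assumed size limit and {{new String(byte[])}}). The class and method names are assumptions; the system property {{zkDigestEncryptFile}} is the option name used in the comment.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical helper, not Solr code: loads the key named by -DzkDigestEncryptFile. */
public class ZkKeyFileLoader {
  // Any of these bits lets someone other than the file owner read or replace the key.
  private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
      PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
      PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

  public static String loadKey(Path keyFile) throws IOException {
    if (!Files.isRegularFile(keyFile)) {
      throw new IOException("Key file is missing or not a regular file: " + keyFile);
    }
    // Step 2 of the proposal: owner-only access. Checked where the file system is POSIX.
    if (Files.getFileStore(keyFile).supportsFileAttributeView("posix")) {
      for (PosixFilePermission p : Files.getPosixFilePermissions(keyFile)) {
        if (TOO_OPEN.contains(p)) {
          throw new IOException("Key file " + keyFile + " has permission " + p + "; expected owner-only");
        }
      }
    }
    // Read the whole file (no assumed size limit) and decode strictly as UTF-8,
    // unlike new String(byte[]), which uses the platform default charset and
    // silently replaces malformed bytes.
    byte[] raw = Files.readAllBytes(keyFile);
    try {
      return StandardCharsets.UTF_8.newDecoder()
          .onMalformedInput(CodingErrorAction.REPORT)
          .onUnmappableCharacter(CodingErrorAction.REPORT)
          .decode(ByteBuffer.wrap(raw)).toString();
    } catch (CharacterCodingException e) {
      throw new IOException("Key file " + keyFile + " is not valid UTF-8", e);
    }
  }

  public static void main(String[] args) throws IOException {
    String prop = System.getProperty("zkDigestEncryptFile");
    if (prop == null) throw new IllegalArgumentException("-DzkDigestEncryptFile is not set");
    loadKey(Paths.get(prop)); // throws if the file is unsafe or unreadable
    System.out.println("Key file OK: " + prop);
  }
}
```

The returned string is the exact file content, so a trailing newline left by an editor becomes part of the key.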