  1. Solr
  2. SOLR-16809

Converge sysProp redaction logic in PropertiesRequestHandler and MetricsAPI


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 9.3
    • metrics
    • None

    Description

      Currently there are two APIs to get the sysProps from a Solr process.

      • /admin/info/properties
      • /admin/info/metrics

      Unfortunately the logic for redacting sensitive information is different and configured separately for these two endpoints.

      For /admin/info/properties redaction occurs if "solr.redaction.system.enabled" is set to true, which it is by default. Then a reg-ex matcher for the sysProp key can be configured by "solr.redaction.system.pattern", and the default is ".password." (case-insensitive).

      For /admin/info/metrics, redaction always occurs. The default list of sensitive properties is:

      • "javax.net.ssl.keyStorePassword"
      • "javax.net.ssl.trustStorePassword"
      • "basicauth"
      • "zkDigestPassword"
      • "zkDigestReadonlyPassword"
      • "aws.secretKey" // AWS SDK v1
      • "aws.secretAccessKey" // AWS SDK v2
      • "http.proxyPassword"

      Notice that a few of these do not include the word "password". So the "basicauth" and "aws.secretKey" and "aws.secretAccessKey" options will be passed to the AdminUI by default.

      I suggest that we merge the logic between these two and have them be configurable the same way. I think having this list is important, but having a blanket "(password|secret)" filter is also safe.

      Unfortunately the Metrics API redaction list is only configurable in the solr.xml under the <metrics> tag, which doesn't really apply to /info/properties. So we will probably want to move that out from metrics (back-compat for 9x of course) and add an envVar/sysProp that will make it easier for users to configure.

      Attachments

        1. SOLR-16809-1.patch
          35 kB
          Houston Putman
        2. SOLR-16809.patch
          30 kB
          Houston Putman


            People

              houston Houston Putman
              houston Houston Putman
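
The difference between the two redaction policies in the description can be checked key by key. This Python sketch is an added example, not code from Solr or from the attached patches; it compares both policies and the suggested merged one over the metrics default list. Assumptions: the properties pattern is written as ".*password.*" and must match the whole key, the metrics list is compared by exact name, and the sample values, the two extra keys and the mask string are constructed.

```python
import re

# Default hidden list of /admin/info/metrics, as given in the issue description.
METRICS_HIDDEN = [
    "javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword",
    "basicauth", "zkDigestPassword", "zkDigestReadonlyPassword",
    "aws.secretKey", "aws.secretAccessKey", "http.proxyPassword",
]
# Assumption: key pattern of /admin/info/properties, whole-key, case-insensitive.
PROPERTIES_PATTERN = re.compile(r".*password.*", re.IGNORECASE)
# Blanket filter suggested in the issue; assumed to match anywhere in the key.
BLANKET_PATTERN = re.compile(r"(password|secret)", re.IGNORECASE)


def properties_policy(key):
    return PROPERTIES_PATTERN.fullmatch(key) is not None


def metrics_policy(key):
    # Assumption: exact property-name comparison against the list.
    return key in METRICS_HIDDEN


def merged_policy(key):
    # Suggested convergence: keep the explicit list and add the blanket filter.
    return key in METRICS_HIDDEN or BLANKET_PATTERN.search(key) is not None


def redact(props, policy, mask="<redacted>"):  # mask string is constructed
    return {k: (mask if policy(k) else v) for k, v in props.items()}


def exposed(props, policy, sensitive):
    """Sensitive keys whose values survive redaction under the given policy."""
    out = redact(props, policy)
    return sorted(k for k in sensitive if out[k] == props[k])


# Constructed sample: every listed key, one sensitive key that is not on the
# list, and one harmless key that must stay readable.
SAMPLE = {k: "value-%d" % i for i, k in enumerate(METRICS_HIDDEN)}
SAMPLE["custom.db.password"] = "constructed"
SAMPLE["solr.data.home"] = "/var/solr/data"
SENSITIVE = [k for k in SAMPLE if k != "solr.data.home"]

if __name__ == "__main__":
    for name, policy in [("properties", properties_policy),
                         ("metrics", metrics_policy),
                         ("merged", merged_policy)]:
        print(name, exposed(SAMPLE, policy, SENSITIVE))
```

Each policy alone leaves something readable: the pattern misses the three listed names without "password", and the list misses any sensitive key it does not enumerate.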