Yes, it is important to understand that only trusted clients and persons should be given access to Solr's port.
But it may still be surprising to users that e.g. passwords to a DB or SSL keystore are available over HTTP when there is no need for them at the client side. I'm not saying it is a bug, but may be surprising. So I think we should continue step by step to address these and have Solr behave after the principle of least surprise, thus the discussion in https://issues.apache.org/jira/browse/SOLR-12976

After locking down secrets as good as possible, the next logical step would be to couple Solr's Authentication/Authorization feature to this, so that if a client has a role with the read/edit securityconfig permission, then she could be allowed to see those properties. So far the authorization is true/false based on handler/HTTPMethod meaning we'd have to add a new /solr/admin/info/system/secrets/ handler which could return those hidden props. But there may not be a need to retrieve these on API level at all.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 8 Nov 2018, at 19:54, Gus Heck <gus.h...@gmail.com> wrote:
>
> That's an interesting feature, and it addresses X, but there are lots of
> ways to discover system properties. In a managed schema, enter a field name
> ${java.version} and you'll get a field named 1.8.0_144 (or whatever). I
> still think it's important to address Y they are trying to hide the system
> properties from someone they have placed their trust in already.
>
> On Thu, Nov 8, 2018 at 1:16 PM Jan Høydahl <jan....@cominvent.com> wrote:
>
>> It's not documented in the Ref Guide, but you can set this system property
>> to fix it:
>>
>>
>> SOLR_OPTS="-Dsolr.redaction.system.pattern=(.*password.*|.*your-own-regex.*)"
>>
>> Then the property will show as --REDACTED-- in the UI.
>>
>> Note that the property still will leak through /solr/admin/metrics and you
>> need to add the same exclusion in solr.xml, see
>> https://lucene.apache.org/solr/guide/7_5/metrics-reporting.html#the-metrics-hiddensysprops-element
>>
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>>
>>> On 7 Nov 2018, at 20:51, Naveen M <navav1...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> Is there a way to disable jvm properties from the solr UI?
>>>
>>> It has some information which we don’t want to expose. Any pointers would
>>> be helpful.
>>>
>>>
>>> Thanks
>>
>>
>
> --
> http://www.the111shift.com
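
Added example, not part of the thread and not Solr's own code: a small Python audit of the point made in the quoted reply, that the `solr.redaction.system.pattern` regex and the `hiddenSysProps` list in solr.xml are configured separately, so a property can be redacted in the UI and still show up under /solr/admin/metrics. The property names, values and the `SECRET_HINT` heuristic are constructed; whole-name, case-insensitive pattern matching and exact-name `hiddenSysProps` matching are assumptions to confirm against your Solr version.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data, not taken from a real Solr node.
SYSTEM_PROPS = {
    "java.version": "1.8.0_144",
    "javax.net.ssl.keyStorePassword": "example-only",
    "db.password": "example-only",
    "my.api.token": "example-only",
}
REDACTION_PATTERN = r"(.*password.*|.*token.*)"  # solr.redaction.system.pattern
SOLR_XML = """<solr>
  <metrics>
    <hiddenSysProps>
      <str>javax.net.ssl.keyStorePassword</str>
      <str>db.password</str>
    </hiddenSysProps>
  </metrics>
</solr>"""
# Hypothetical heuristic for "looks like a secret"; tune for your own names.
SECRET_HINT = re.compile(r"password|passwd|secret|token|credential", re.I)


def hidden_sys_props(solr_xml):
    """Return the names listed under <metrics><hiddenSysProps> in solr.xml."""
    root = ET.fromstring(solr_xml)
    return {e.text.strip() for e in root.findall("./metrics/hiddenSysProps/str") if e.text}


def audit(props, pattern, solr_xml):
    """Map each secret-looking property to the surfaces where it stays visible."""
    # Assumption: whole-name, case-insensitive match on the property name.
    redact = re.compile(pattern, re.I)
    hidden = hidden_sys_props(solr_xml)
    leaks = {}
    for name in sorted(n for n in props if SECRET_HINT.search(n)):
        where = []
        if not redact.fullmatch(name):
            where.append("admin UI")
        if name not in hidden:
            where.append("/solr/admin/metrics")
        if where:
            leaks[name] = where
    return leaks


if __name__ == "__main__":
    for name, where in audit(SYSTEM_PROPS, REDACTION_PATTERN, SOLR_XML).items():
        print(f"{name}: still visible via {', '.join(where)}")
```

Java and Python regex syntax differ in places, so keep the pattern to constructs both engines share when checking it this way.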