Thank you @Jason for responding.

We store the plain text password in the basicAuth.conf file. This is a normal 
file & we are securing it only with 600 file permissions so that others cannot 
read it. We also run various Solr APIs in our custom script for various 
purposes using curl commands, which need admin user credentials to perform 
operations. If admin credential details from the basicAuth.conf file or from 
curl commands are exposed/compromised, eventually any person within the 
organization who knows the credentials can log in to the admin UI and perform 
any read/write operations. This is a concern and an auditing issue as well.


Regards,
Vinodh 

-----Original Message-----
From: Jason Gerlowski <gerlowsk...@gmail.com> 
Sent: Thursday, November 14, 2019 6:38 AM
To: solr-user@lucene.apache.org
Subject: Re: Anyway to encrypt admin user plain text password in Solr

Hi,

To clarify, Solr credentials are stored and shown in a few different places.  
In some situations the password might live in your "solr.in.sh" file.  It also 
might live in a separate basicAuth.conf file.  If you're using SolrCloud, the 
password might appear in Solr's Admin UI (depending on your version of Solr).  
The password is also stored in ZooKeeper.

Some of these locations already store the credentials in an encrypted form.  
Other locations are only problematic if attackers have access to the disk that 
Solr is running on, at which point you have much bigger problems.

If you can be more specific about the exposure you're concerned about, we can 
discuss whether there's an actual security concern there and how to work around 
it.

Best,

Jason

On Wed, Nov 13, 2019 at 11:22 AM Kommu, Vinodh K. <vko...@dtcc.com> wrote:
>
> Does anyone have any idea on this? If so, please help.
>
> Thanks
> From: Kommu, Vinodh K.
> Sent: Monday, November 11, 2019 4:11 PM
> To: solr-user@lucene.apache.org
> Subject: Anyway to encrypt admin user plain text password in Solr
>
> Hi,
>
> After creating an admin user in Solr when security is enabled, we have to 
> store the admin user's credentials in plain text format. Is there any option 
> or a way to encrypt the plain text password?
>
> Thanks,
> Vinodh
> DTCC DISCLAIMER: This email and any files transmitted with it are 
> confidential and intended solely for the use of the individual or entity to 
> whom they are addressed. If you have received this email in error, please 
> notify us immediately and delete the email and any attachments from your 
> system. The recipient should check this email and any attachments for the 
> presence of viruses. The company accepts no liability for any damage caused 
> by any virus transmitted by this email.
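The following is an added example, not part of the thread and not Solr's own tooling: one way to reduce the two exposures described above, by refusing a basicAuth.conf that is readable beyond its owner and by handing curl the credentials through an owner-only config file rather than on the command line. The function names, the SOLR_URL placeholder and the property keys httpBasicAuthUser / httpBasicAuthPassword are assumptions, since the thread does not show the file's contents.

```shell
#!/bin/sh
# Added example: names below other than basicAuth.conf are illustrative.

# Octal permission bits of a file (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only when group and other have no access at all (600, 400, ...).
is_owner_only() {
    [ -f "$1" ] || return 2
    mode=$(file_mode "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *) echo "refusing $1: mode $mode is wider than owner-only" >&2
           return 1 ;;
    esac
}

# First value of a key in a key=value properties file.
prop() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Escape backslash and double quote for a quoted curl config value.
esc() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Build a curl config file from basicAuth.conf so scripts can call
#   curl -K "$out" "$SOLR_URL/admin/info/system"     # SOLR_URL: placeholder
# instead of `curl -u user:pass`, which exposes the password in the
# process list and in shell history.
make_curl_config() {
    conf=$1 out=$2
    is_owner_only "$conf" || return 1
    user=$(prop "$conf" httpBasicAuthUser)      # assumed key name
    pass=$(prop "$conf" httpBasicAuthPassword)  # assumed key name
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    rm -f "$out"
    ( umask 077; printf 'user = "%s:%s"\n' "$(esc "$user")" "$(esc "$pass")" > "$out" )
}
```

This narrows who can observe the password on the host; it does not change the fact that anyone who can read the file as its owner still obtains the admin credentials.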
