SOLR-17864: Migrate System Properties to modern equivalents. (#3500)

epugh · web-flow · commit 54e9edaef2f6 · 2025-08-28T06:20:42.000-04:00
* Migrate authentication.plugin and basicauth to modern equivalents.

* Be more generic in what we filter.  Do not show credentials.

* Batch more of conversions.  Removed deprecated solr.redaction.system.pattern.

* Migrate to EnvUtils
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
@@ -175,7 +175,7 @@ REM Settings for authentication
 REM Please configure only one of SOLR_AUTHENTICATION_CLIENT_BUILDER or SOLR_AUTH_TYPE parameters
 REM set SOLR_AUTHENTICATION_CLIENT_BUILDER=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory
 REM set SOLR_AUTH_TYPE=basic
-REM set SOLR_AUTHENTICATION_OPTS=-Dbasicauth=solr:SolrRocks
+REM set SOLR_AUTHENTICATION_OPTS=-Dsolr.security.auth.basicauth.credentials=solr:SolrRocks
 
 REM Settings for ZK ACL
 REM set SOLR_ZK_CREDS_AND_ACLS=-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider ^
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
@@ -191,7 +191,7 @@
 # Please configure only one of SOLR_AUTHENTICATION_CLIENT_BUILDER or SOLR_AUTH_TYPE parameters
 #SOLR_AUTHENTICATION_CLIENT_BUILDER="org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory"
 #SOLR_AUTH_TYPE="basic"
-#SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"
+#SOLR_AUTHENTICATION_OPTS="-Dsolr.security.auth.basicauth.credentials=solr:SolrRocks"
 
 # Settings for ZK ACL
 #SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider \
diff --git a/solr/core/src/java/org/apache/solr/cli/AuthTool.java b/solr/core/src/java/org/apache/solr/cli/AuthTool.java
@@ -343,7 +343,7 @@ private void printAuthEnablingInstructions(String username, String password) {
           "\nAdd the following lines to the solr.in.cmd file so that the solr.cmd script can use subsequently.\n");
       CLIO.out(
           "set SOLR_AUTH_TYPE=basic\n"
-              + "set SOLR_AUTHENTICATION_OPTS=\"-Dbasicauth="
+              + "set SOLR_AUTHENTICATION_OPTS=\"-Dsolr.security.auth.basicauth.credentials="
               + username
               + ":"
               + password
@@ -353,7 +353,7 @@ private void printAuthEnablingInstructions(String username, String password) {
           "\nAdd the following lines to the solr.in.sh file so that the ./solr script can use subsequently.\n");
       CLIO.out(
           "SOLR_AUTH_TYPE=\"basic\"\n"
-              + "SOLR_AUTHENTICATION_OPTS=\"-Dbasicauth="
+              + "SOLR_AUTHENTICATION_OPTS=\"-Dsolr.security.auth.basicauth.credentials="
               + username
               + ":"
               + password
diff --git a/solr/core/src/java/org/apache/solr/core/NodeConfig.java b/solr/core/src/java/org/apache/solr/core/NodeConfig.java
@@ -40,6 +40,7 @@
 import org.apache.solr.common.SolrException;
 import org.apache.solr.common.SolrException.ErrorCode;
 import org.apache.solr.common.cloud.SolrZkClient;
+import org.apache.solr.common.util.EnvUtils;
 import org.apache.solr.common.util.StrUtils;
 import org.apache.solr.logging.LogWatcherConfig;
 import org.apache.solr.search.CacheConfig;
@@ -495,7 +496,7 @@ public boolean isSysPropHidden(String sysPropName) {
 
   public static final String REDACTED_SYS_PROP_VALUE = "--REDACTED--";
 
-  /** Returns the a system property value, or "--REDACTED--" if the system property is hidden */
+  /** Returns the system property value, or "--REDACTED--" if the system property is hidden */
   public String getRedactedSysPropValue(String sysPropName) {
     return hiddenSysPropPattern.test(sysPropName)
         ? REDACTED_SYS_PROP_VALUE
@@ -619,7 +620,7 @@ public static class NodeConfigBuilder {
     private Set<Path> allowPaths = Collections.emptySet();
     private List<String> allowUrls = Collections.emptyList();
     private boolean hideStackTrace =
-        !(Boolean.parseBoolean(System.getProperty("solr.responses.stacktrace.enabled", "true")));
+        !EnvUtils.getPropertyAsBool("solr.responses.stacktrace.enabled", true);
 
     private final Path solrHome;
     private final String nodeName;
@@ -648,7 +649,7 @@ public static class NodeConfigBuilder {
         Set.of(
             "javax\\.net\\.ssl\\.keyStorePassword",
             "javax\\.net\\.ssl\\.trustStorePassword",
-            "basicauth",
+            ".*credentials",
             "zkDigestPassword",
             "zkDigestReadonlyPassword",
             "aws\\.secretKey", // AWS SDK v1
@@ -862,25 +863,17 @@ public NodeConfigBuilder setHiddenSysProps(String hiddenSysProps) {
     }
 
     /**
-     * Finds list of hiddenSysProps requested by system property or environment variable or the
-     * default
+     * Finds list of hiddenSysProps requested in priority of solr.xml, system properties or the
+     * default set
      *
-     * @return set of raw hidden sysProps, may be regex
+     * @return set of raw hidden system properties, may be regex
      */
-    private Set<String> resolveHiddenSysPropsFromSysPropOrEnvOrDefault(String hiddenSysProps) {
-      // Fall back to sysprop and env.var if nothing configured through solr.xml
+    private Set<String> resolveHiddenSysProps(String hiddenSysProps) {
+      // Fall back to system properties if nothing configured through solr.xml
       if (!StrUtils.isNotNullOrEmpty(hiddenSysProps)) {
-        String fromProps = System.getProperty("solr.hiddenSysProps");
-        // Back-compat for solr 9x
-        // DEPRECATED: Remove in 10.0
-        if (StrUtils.isNotNullOrEmpty(fromProps)) {
-          fromProps = System.getProperty("solr.redaction.system.pattern");
-        }
-        String fromEnv = System.getenv("SOLR_HIDDEN_SYS_PROPS");
+        String fromProps = EnvUtils.getProperty("solr.responses.hidden.sys.props");
         if (StrUtils.isNotNullOrEmpty(fromProps)) {
           hiddenSysProps = fromProps;
-        } else if (StrUtils.isNotNullOrEmpty(fromEnv)) {
-          hiddenSysProps = fromEnv;
         }
       }
       Set<String> hiddenSysPropSet = Collections.emptySet();
@@ -939,7 +932,7 @@ public NodeConfig build() {
           hideStackTrace,
           configSetServiceClass,
           modules,
-          resolveHiddenSysPropsFromSysPropOrEnvOrDefault(hiddenSysProps));
+          resolveHiddenSysProps(hiddenSysProps));
     }
 
     public NodeConfigBuilder setSolrResourceLoader(SolrResourceLoader resourceLoader) {
diff --git a/solr/core/src/java/org/apache/solr/security/AuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/AuthenticationPlugin.java
@@ -38,7 +38,7 @@
  */
 public abstract class AuthenticationPlugin implements SolrInfoBean {
 
-  public static final String AUTHENTICATION_PLUGIN_PROP = "authenticationPlugin";
+  public static final String AUTHENTICATION_PLUGIN_PROP = "solr.security.auth.plugin";
   public static final String HTTP_HEADER_X_SOLR_AUTHDATA = "X-Solr-AuthData";
 
   // Metrics
diff --git a/solr/core/src/test/org/apache/solr/cloud/RecoveryZkTestWithAuth.java b/solr/core/src/test/org/apache/solr/cloud/RecoveryZkTestWithAuth.java
@@ -50,7 +50,7 @@ public static void setupCluster() throws Exception {
       System.setProperty(
           HttpClientUtil.SYS_PROP_HTTP_CLIENT_BUILDER_FACTORY,
           "org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory");
-      System.setProperty("basicauth", SecurityJson.USER_PASS);
+      System.setProperty("solr.security.auth.basicauth.credentials", SecurityJson.USER_PASS);
     }
 
     cluster =
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestAuthenticationFramework.java b/solr/core/src/test/org/apache/solr/cloud/TestAuthenticationFramework.java
@@ -58,7 +58,7 @@ public void setUp() throws Exception {
 
   private void setupAuthenticationPlugin() {
     System.setProperty(
-        "authenticationPlugin",
+        "solr.security.auth.plugin",
         "org.apache.solr.cloud.TestAuthenticationFramework$MockAuthenticationPlugin");
     MockAuthenticationPlugin.expectedUsername = null;
     MockAuthenticationPlugin.expectedPassword = null;
@@ -85,7 +85,7 @@ public void testBasics() throws Exception {
 
   @Override
   public void tearDown() throws Exception {
-    System.clearProperty("authenticationPlugin");
+    System.clearProperty("solr.security.auth.plugin");
     shutdownCluster();
     super.tearDown();
   }
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestPullReplica.java b/solr/core/src/test/org/apache/solr/cloud/TestPullReplica.java
@@ -89,7 +89,7 @@ private String suggestedCollectionName() {
 
   @BeforeClass
   public static void createTestCluster() throws Exception {
-    System.setProperty("cloudSolrClientMaxStaleRetries", "1");
+    System.setProperty("solr.solrj.cloud.max.stale.retries", "1");
     System.setProperty("zkReaderGetLeaderRetryTimeoutMs", "1000");
 
     configureCluster(2) // 2 + random().nextInt(3)
@@ -99,7 +99,7 @@ public static void createTestCluster() throws Exception {
 
   @AfterClass
   public static void tearDownCluster() {
-    System.clearProperty("cloudSolrClientMaxStaleRetries");
+    System.clearProperty("solr.solrj.cloud.max.stale.retries");
     System.clearProperty("zkReaderGetLeaderRetryTimeoutMs");
     TestInjection.reset();
   }
diff --git a/solr/core/src/test/org/apache/solr/handler/admin/PropertiesRequestHandlerTest.java b/solr/core/src/test/org/apache/solr/handler/admin/PropertiesRequestHandlerTest.java
@@ -39,7 +39,10 @@ public static void beforeClass() throws Exception {
   public void testRedaction() throws Exception {
     for (String propName :
         new String[] {
-          "some.password", "javax.net.ssl.trustStorePassword", "basicauth", "some.Secret"
+          "some.password",
+          "javax.net.ssl.trustStorePassword",
+          "solr.security.auth.basicauth.credentials",
+          "some.Secret"
         }) {
       System.setProperty(propName, PASSWORD);
       NamedList<Object> properties = readProperties();
diff --git a/solr/core/src/test/org/apache/solr/metrics/JvmMetricsTest.java b/solr/core/src/test/org/apache/solr/metrics/JvmMetricsTest.java
@@ -85,9 +85,9 @@ public void testAltBufferPoolMetricSet() {
 
   @Test
   public void testSystemProperties() {
-    if (System.getProperty("basicauth") == null) {
+    if (System.getProperty("solr.security.auth.basicauth.credentials") == null) {
       // make sure it's set
-      System.setProperty("basicauth", "foo:bar");
+      System.setProperty("solr.security.auth.basicauth.credentials", "foo:bar");
     }
     SolrMetricManager metricManager = getJetty().getCoreContainer().getMetricManager();
     Map<String, Metric> metrics = metricManager.registry("solr.jvm").getMetrics();
@@ -101,6 +101,9 @@ public void testSystemProperties() {
             (k, v) -> {
               if (NodeConfig.NodeConfigBuilder.DEFAULT_HIDDEN_SYS_PROPS.contains(k)) {
                 assertNull("hidden property " + k + " present!", values.get(k));
+              } else if (k == "solr.security.auth.basicauth.credentials") {
+                // DEFAULT_HIDDEN_SYS_PROPS.contains doesn't match a partial pattern.
+                assertNull("hidden property " + k + " present!", values.get(k));
               } else {
                 assertEquals(v, values.get(String.valueOf(k)));
               }
diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/basic-authentication-plugin.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/basic-authentication-plugin.adoc
@@ -335,7 +335,7 @@ Alternatively, users can use SolrJ's `PreemptiveBasicAuthClientBuilderFactory` t
 To enable this feature, users should set the following system property `-Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory`.
 `PreemptiveBasicAuthClientBuilderFactory` allows applications to provide credentials in two different ways:
 
-. The `basicauth` system property can be passed, containing the credentials directly (e.g., `-Dbasicauth=username:password`).
+. The `solr.security.auth.basicauth.credentials` system property can be passed, containing the credentials directly (e.g., `-Dsolr.security.auth.basicauth.credentials=username:password`).
 This option is straightforward, but may expose the credentials in the command line, depending on how they're set.
 . The `solr.httpclient.config` system property can be passed, containing a path to a properties file holding the credentials.
 Inside this file the username and password can be specified as `httpBasicAuthUser` and `httpBasicAuthPassword`, respectively.
@@ -356,7 +356,7 @@ Add the following line to the `solr.in.sh` or `solr.in.cmd` file:
 [source,bash]
 ----
 SOLR_AUTH_TYPE="basic"
-SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"
+SOLR_AUTHENTICATION_OPTS="-Dsolr.security.auth.basicauth.credentials=solr:SolrRocks"
 ----
 
 This tells the `bin/solr` command line to to use "basic" as the type of authentication, and to pass credentials with the user-name "solr" and password "SolrRocks".
diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/metrics-reporting.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/metrics-reporting.adoc
@@ -149,7 +149,7 @@ If this section is not defined, the following default configuration is used whic
   <hiddenSysProps>
     <str>javax.net.ssl.keyStorePassword</str>
     <str>javax.net.ssl.trustStorePassword</str>
-    <str>basicauth</str>
+    <str>solr.security.auth.basicauth.credentials</str>
     <str>zkDigestPassword</str>
     <str>zkDigestReadonlyPassword</str>
   </hiddenSysProps>
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudSolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudSolrClient.java
@@ -89,7 +89,7 @@ public abstract class CloudSolrClient extends SolrClient {
 
   // no of times collection state to be reloaded if stale state error is received
   private static final int MAX_STALE_RETRIES =
-      Integer.parseInt(System.getProperty("cloudSolrClientMaxStaleRetries", "5"));
+      Integer.parseInt(System.getProperty("solr.solrj.cloud.max.stale.retries", "5"));
   private final Random rand = new Random();
 
   private final boolean updatesToLeaders;
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/PreemptiveBasicAuthClientBuilderFactory.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/PreemptiveBasicAuthClientBuilderFactory.java
@@ -57,7 +57,8 @@ public class PreemptiveBasicAuthClientBuilderFactory implements HttpClientBuilde
    * this will expose the password on the command-line, it is not very secure. But this mechanism is
    * added for backwards compatibility.
    */
-  public static final String SYS_PROP_BASIC_AUTH_CREDENTIALS = "basicauth";
+  public static final String SYS_PROP_BASIC_AUTH_CREDENTIALS =
+      "solr.security.auth.basicauth.credentials";
 
   private static PreemptiveAuth requestInterceptor = new PreemptiveAuth(new BasicScheme());
 
@@ -152,7 +153,7 @@ public CredentialsResolver() {
             || StrUtils.isNullOrEmpty(ss.get(0))
             || StrUtils.isNullOrEmpty(ss.get(1))) {
           throw new IllegalArgumentException(
-              "Invalid Authentication credentials: Please provide 'basicauth' in the 'user:password' format");
+              "Invalid Authentication credentials: Please provide 'solr.security.auth.basicauth.credentials' in the 'user:password' format");
         }
         defaultParams =
             new MapSolrParams(
diff --git a/solr/solrj/src/resources/DeprecatedSystemPropertyMappings.properties b/solr/solrj/src/resources/DeprecatedSystemPropertyMappings.properties
@@ -23,3 +23,8 @@ disable.config.edit=solr.api.config.edit.enabled
 configset.upload.enabled=solr.configset.upload.enabled
 disable.v2.api=solr.api.v2.enabled
 solr.hide.stack.trace=solr.responses.stacktrace.enabled
+authentication.plugin=solr.security.auth.plugin
+basicauth=solr.security.auth.basicauth.credentials
+cloud.solr.client.max.stale.retries=solr.solrj.cloud.max.stale.retries
+configset.upload.enabled=solr.configset.upload.enabled
+solr.hidden.sys.props=solr.responses.hidden.sys.props
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpSolrClientTestBase.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpSolrClientTestBase.java
@@ -89,7 +89,7 @@ public static void beforeTest() throws Exception {
 
   @Override
   public void tearDown() throws Exception {
-    System.clearProperty("basicauth");
+    System.clearProperty("solr.security.auth.basicauth.credentials");
     System.clearProperty(HttpClientUtil.SYS_PROP_HTTP_CLIENT_BUILDER_FACTORY);
     DebugServlet.clear();
     super.tearDown();

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ public static void setupCluster() throws Exception {`
`50`	`50`	`System.setProperty(`
`51`	`51`	`HttpClientUtil.SYS_PROP_HTTP_CLIENT_BUILDER_FACTORY,`
`52`	`52`	`"org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory");`
`53`		`- System.setProperty("basicauth", SecurityJson.USER_PASS);`
	`53`	`+ System.setProperty("solr.security.auth.basicauth.credentials", SecurityJson.USER_PASS);`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`cluster =`