[ https://issues.apache.org/jira/browse/SOLR-11369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17013085#comment-17013085 ]

Jason Gerlowski commented on SOLR-11369:
----------------------------------------

This is fixed in 7.x and above. SOLR-12976 isn't about hiding specific properties, it's about combining a few settings to make them easier to use/understand.

> Zookeeper credentials are showed up on the Solr Admin GUI
> ---------------------------------------------------------
>
>                 Key: SOLR-11369
>                 URL: https://issues.apache.org/jira/browse/SOLR-11369
>             Project: Solr
>          Issue Type: Bug
>          Components: Admin UI, security
>            Reporter: Ivan Pekhov
>            Priority: Major
>
> Hello Guys,
> We've been noticing this problem with Solr version 5.4.1 and it's still the
> case for the version 6.6.0. The problem is that we're using SolrCloud with
> secured Zookeeper and our users are granted access to Solr Admin GUI, and, at
> the same time, they are not supposed to have access to Zookeeper credentials,
> i.e. usernames and passwords. However, we (and some of our users) have found
> out that Zookeeper credentials are displayed on at least two sections of the
> Solr Admin GUI, i.e. "Dashboard" and "Java Properties".
> Having taken a look at the JavaScript code that runs behind the scenes for
> those pages, we can see that the sensitive parameters ( -DzkDigestPassword,
> -DzkDigestReadonlyPassword, -DzkDigestReadonlyUsername, -DzkDigestUsername )
> are fetched via AJAX from the following two URL paths:
> /solr/admin/info/system
> /solr/admin/info/properties
> Could you please consider for the future Solr releases removing the Zookeeper
> parameters mentioned above from the output of these URLs and from other URLs
> that contain this information in their output, if there are any besides the
> ones mentioned? We find that it is pretty challenging (and probably
> impossible) to restrict users from accessing some particular paths with
> security.json mechanism, and we think that that would be beneficial for
> overall Solr security to hide Zookeeper credentials.
> Thank you so much for your consideration!
> Best regards,
> Ivan Pekhov
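
An added example, not part of the original thread or of the Solr project's code: a check an administrator can run over saved JSON from the two URL paths named in the report, to confirm after an upgrade that none of the four properties is still visible. The response layouts in the sample documents and the `--REDACTED--` placeholder are assumptions, and the sample values are constructed.

```python
import json

# The four JVM system properties named in the report.
SENSITIVE = ("zkDigestPassword", "zkDigestReadonlyPassword",
             "zkDigestReadonlyUsername", "zkDigestUsername")
# Assumption: placeholder a fixed server shows instead of the real value.
REDACTED = "--REDACTED--"

def find_exposed(node, path="$"):
    """Return (json_path, property) pairs whose value is still visible.

    Walks the whole document, so it covers both a name/value map of
    properties and "-Dname=value" strings in a list of JVM arguments.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}[{key!r}]"
            if key in SENSITIVE and isinstance(value, str) and value not in ("", REDACTED):
                hits.append((here, key))
            hits += find_exposed(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits += find_exposed(item, f"{path}[{i}]")
    elif isinstance(node, str) and node.startswith("-D"):
        name, sep, value = node[2:].partition("=")
        if name in SENSITIVE and sep and value not in ("", REDACTED):
            hits.append((path, name))
    return hits

# Constructed sample responses (layout assumed, values invented).
SAMPLE_PROPERTIES = json.loads("""{"responseHeader": {"status": 0},
  "system.properties": {"zkDigestUsername": "solr-admin",
    "zkDigestPassword": "example-secret",
    "zkDigestReadonlyPassword": "--REDACTED--",
    "java.version": "1.8.0"}}""")
SAMPLE_SYSTEM = json.loads("""{"jvm": {"jmx": {"commandLineArgs": [
  "-Xmx512m", "-DzkDigestReadonlyUsername=solr-ro",
  "-DzkDigestPassword=--REDACTED--"]}}}""")

if __name__ == "__main__":
    for label, doc in (("properties", SAMPLE_PROPERTIES), ("system", SAMPLE_SYSTEM)):
        for where, prop in find_exposed(doc):
            # Report the location only; never echo the credential itself.
            print(f"{label}: {prop} is visible at {where}")
```

The check treats all four names from the report as sensitive, usernames included, and reports only where a value was found.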