Hi Ivan,

Can you please submit a JIRA/bug report for this at https://issues.apache.org/jira/projects/SOLR

Thanks,
Susheel

On Tue, Sep 19, 2017 at 11:12 AM, Pekhov, Ivan (NIH/NLM/NCBI) [C] <ivan.pek...@nih.gov> wrote:

> Hello Guys,
>
> We've been noticing this problem with Solr version 5.4.1 and it's still
> the case for the version 6.6.0. The problem is that we're using SolrCloud
> with secured Zookeeper and our users are granted access to Solr Admin GUI,
> and, at the same time, they are not supposed to have access to Zookeeper
> credentials, i.e. usernames and passwords. However, we (and some of our
> users) have found out that Zookeeper credentials are displayed on at least
> two sections of the Solr Admin GUI, i.e. "Dashboard" and "Java Properties".
>
> Having taken a look at the JavaScript code that runs behind the scenes for
> those pages, we can see that the sensitive parameters (-DzkDigestPassword,
> -DzkDigestReadonlyPassword, -DzkDigestReadonlyUsername, -DzkDigestUsername)
> are fetched via AJAX from the following two URL paths:
>
> /solr/admin/info/system
> /solr/admin/info/properties
>
> Could you please consider for the future Solr releases removing the
> Zookeeper parameters mentioned above from the output of these URLs and from
> other URLs that contain this information in their output, if there are any
> besides the ones mentioned? We find that it is pretty challenging (and
> probably impossible) to restrict users from accessing some particular paths
> with the security.json mechanism, and we think that it would be beneficial
> for overall Solr security to hide Zookeeper credentials.
>
> Thank you so much for your consideration!
>
> Best regards,
> Ivan Pekhov
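The following is an added example, not code from this thread or from Apache Solr. It is the check an operator would run to confirm the exposure Ivan describes: it scans the JSON returned by the two endpoints named above (/solr/admin/info/system and /solr/admin/info/properties) for the four -DzkDigest* properties, catching them both as keys of a properties map and embedded in JVM command-line argument strings, and it includes a redaction routine of the kind the report asks Solr to apply server-side so the detector can be verified against masked output. The sample responses are constructed; their shapes (a "system.properties" map and a "jvm.jmx.commandLineArgs" list) and all credential values are assumptions, and the `audit_node` helper, which fetches from a live node, is not called at import time.

```python
"""Audit Solr admin info JSON for exposed ZooKeeper digest credentials."""
import json
import re
import urllib.request
from typing import Any, Dict, Iterator, Tuple

# JVM system properties the report names as carrying ZooKeeper credentials.
SENSITIVE_PROPERTIES = frozenset({"zkDigestPassword", "zkDigestReadonlyPassword",
                                  "zkDigestReadonlyUsername", "zkDigestUsername"})
# The two endpoints the report names.
INFO_ENDPOINTS = ("/solr/admin/info/system", "/solr/admin/info/properties")
# One "-Dname=value" JVM argument.
_DPROP_RE = re.compile(r"^-D(?P<name>[^=]+)=(?P<value>.*)$")

# Constructed samples (assumption): the response shapes ("system.properties"
# map, "jvm.jmx.commandLineArgs" list) approximate the real endpoints and the
# credential values are placeholders.
SAMPLE_PROPERTIES_RESPONSE = json.dumps({
    "responseHeader": {"status": 0, "QTime": 1},
    "system.properties": {
        "java.version": "1.8.0_141",
        "zkDigestUsername": "solr-admin",
        "zkDigestPassword": "example-secret",
        "zkDigestReadonlyUsername": "solr-ro",
        "zkDigestReadonlyPassword": "example-ro-secret",
    },
})
SAMPLE_SYSTEM_RESPONSE = json.dumps({
    "responseHeader": {"status": 0, "QTime": 3},
    "mode": "solrcloud",
    "jvm": {"jmx": {"commandLineArgs": [
        "-Xmx2g",
        "-DzkDigestUsername=solr-admin",
        "-DzkDigestPassword=example-secret",
        "-DzkDigestReadonlyUsername=solr-ro",
        "-DzkDigestReadonlyPassword=example-ro-secret",
        "-Dsolr.solr.home=/var/solr/data",
    ]}},
})


def _leaves(node: Any, key: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (enclosing dict key, scalar) for every scalar in a JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from _leaves(v, key)
    else:
        yield key, node


def find_exposed_credentials(response_body: str) -> Dict[str, str]:
    """Return {property: value} for each sensitive property in a response body.

    Handles both forms: a property that is a JSON key (system.properties map)
    and one embedded in a "-Dname=value" command-line argument string.
    """
    found: Dict[str, str] = {}
    for key, value in _leaves(json.loads(response_body)):
        if key in SENSITIVE_PROPERTIES:
            found[key] = str(value)
        elif isinstance(value, str):
            m = _DPROP_RE.match(value)
            if m and m.group("name") in SENSITIVE_PROPERTIES:
                found[m.group("name")] = m.group("value")
    return found


def redact(node: Any, mask: str = "*****") -> Any:
    """Return a copy of a parsed response with sensitive values masked."""
    if isinstance(node, dict):
        return {k: (mask if k in SENSITIVE_PROPERTIES else redact(v, mask))
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, mask) for v in node]
    if isinstance(node, str):
        m = _DPROP_RE.match(node)
        if m and m.group("name") in SENSITIVE_PROPERTIES:
            return f"-D{m.group('name')}={mask}"
    return node


def redact_body(response_body: str, mask: str = "*****") -> str:
    """Redact a raw JSON response body and return it re-serialised."""
    return json.dumps(redact(json.loads(response_body), mask))


def audit_node(base_url: str, timeout: float = 5.0) -> Dict[str, Dict[str, str]]:
    """Fetch both endpoints from a live node (e.g. http://host:8983) and report."""
    report = {}
    for path in INFO_ENDPOINTS:
        url = base_url.rstrip("/") + path + "?wt=json"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            report[path] = find_exposed_credentials(resp.read().decode("utf-8"))
    return report


if __name__ == "__main__":
    for name, body in (("properties", SAMPLE_PROPERTIES_RESPONSE),
                       ("system", SAMPLE_SYSTEM_RESPONSE)):
        print(name, "exposes", sorted(find_exposed_credentials(body)))
        print(name, "after redact", find_exposed_credentials(redact_body(body)))
```

Run it as-is to see the detector against the constructed samples; against a real cluster call `audit_node("http://solr-host:8983")` from an account that can reach the Admin GUI and treat any non-empty result as the exposure described above. Because the detector also reports masked values, a redacted response shows the property names with "*****" in place of the secret, which is what a fixed server should return.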