Hi Susheel,

Thank you so much for such a quick response! I've created the issue as you requested, please refer to the link:
https://issues.apache.org/jira/browse/SOLR-11369

Thank you!
Ivan

-----Original Message-----
From: Susheel Kumar [mailto:susheel2...@gmail.com]
Sent: Tuesday, September 19, 2017 11:29 AM
To: solr-user@lucene.apache.org
Subject: Re: Zookeeper credentials are showed up on the Solr Admin GUI

Hi Ivan,

Can you please submit a JIRA/bug report for this at https://issues.apache.org/jira/projects/SOLR

Thanks,
Susheel

On Tue, Sep 19, 2017 at 11:12 AM, Pekhov, Ivan (NIH/NLM/NCBI) [C] <ivan.pek...@nih.gov> wrote:
> Hello Guys,
>
> We've been noticing this problem with Solr version 5.4.1 and it's
> still the case for the version 6.6.0. The problem is that we're using
> SolrCloud with secured Zookeeper and our users are granted access to
> Solr Admin GUI, and, at the same time, they are not supposed to have
> access to Zookeeper credentials, i.e. usernames and passwords.
> However, we (and some of our users) have found out that Zookeeper
> credentials are displayed on at least two sections of the Solr Admin
> GUI, i.e. "Dashboard" and "Java Properties".
>
> Having taken a look at the JavaScript code that runs behind the scenes
> for those pages, we can see that the sensitive parameters (
> -DzkDigestPassword, -DzkDigestReadonlyPassword,
> -DzkDigestReadonlyUsername, -DzkDigestUsername
> ) are fetched via AJAX from the following two URL paths:
>
> /solr/admin/info/system
> /solr/admin/info/properties
>
> Could you please consider for the future Solr releases removing the
> Zookeeper parameters mentioned above from the output of these URLs and
> from other URLs that contain this information in their output, if
> there are any besides the ones mentioned? We find that it is pretty
> challenging (and probably impossible) to restrict users from accessing
> some particular paths with the security.json mechanism, and we think
> that it would be beneficial for overall Solr security to hide Zookeeper
> credentials.
>
> Thank you so much for your consideration!
>
> Best regards,
> Ivan Pekhov
>
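A defender-side check for the exposure described in this thread, added here as an example and not code from the thread or from the Solr project: it scans the JSON a client would receive from /solr/admin/info/properties and /solr/admin/info/system for the four zkDigest* properties Ivan lists, and shows a redaction pass that a reverse proxy or audit script could apply before the response reaches a browser. The sample responses are constructed, and their shape (a system.properties map, a jvm.jmx.commandLineArgs list) is an assumption about what the two handlers emit.

```python
import re

# Property names the thread identifies as leaking through the Admin UI.
SENSITIVE = {"zkDigestPassword", "zkDigestReadonlyPassword",
             "zkDigestUsername", "zkDigestReadonlyUsername"}
_DASH_D = re.compile(r"^-D([^=]+)=(.*)$")   # JVM "-Dname=value" arguments

# Constructed sample responses; the shapes are assumptions about the handlers' output.
PROPERTIES_RESPONSE = {
    "system.properties": {
        "java.version": "1.8.0_144",
        "zkDigestUsername": "solr-admin",
        "zkDigestPassword": "example-secret",
        "zkHost": "zk1:2181,zk2:2181/solr",
    },
}
SYSTEM_RESPONSE = {
    "jvm": {"jmx": {"commandLineArgs": [
        "-DzkDigestPassword=example-secret",
        "-DzkDigestReadonlyUsername=reader",
        "-Dsolr.log.dir=/var/solr/logs",
    ]}},
}

def _dash_d_name(item):
    """Name of a sensitive -D argument, or None if the item is not one."""
    m = _DASH_D.match(item) if isinstance(item, str) else None
    return m.group(1) if m and m.group(1) in SENSITIVE else None

def find_exposed_credentials(response, path=""):
    """List JSON paths of sensitive keys or -D arguments in a handler response."""
    hits = []
    if isinstance(response, dict):
        for key, value in response.items():
            if key in SENSITIVE:
                hits.append(f"{path}/{key}")
            hits += find_exposed_credentials(value, f"{path}/{key}")
    elif isinstance(response, list):
        for i, item in enumerate(response):
            name = _dash_d_name(item)
            hits += [f"{path}[{i}]/{name}"] if name else find_exposed_credentials(item, f"{path}[{i}]")
    return hits

def redact(response):
    """Copy of the response with sensitive values masked; keys stay so the UI still renders."""
    if isinstance(response, dict):
        return {k: "***" if k in SENSITIVE else redact(v) for k, v in response.items()}
    if isinstance(response, list):
        return [f"-D{_dash_d_name(x)}=***" if _dash_d_name(x) else redact(x) for x in response]
    return response
```

Running find_exposed_credentials against a live instance's responses gives a quick audit of whether an upgrade or security.json change has closed the leak.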