Hi Susheel,

Thank you so much for such a quick response! I've created the issue as you 
requested; please refer to the link:

https://issues.apache.org/jira/browse/SOLR-11369

Thank you!
Ivan

-----Original Message-----
From: Susheel Kumar [mailto:susheel2...@gmail.com] 
Sent: Tuesday, September 19, 2017 11:29 AM
To: solr-user@lucene.apache.org
Subject: Re: Zookeeper credentials are showed up on the Solr Admin GUI

Hi Ivan, Can you please submit a JIRA/bug report for this at 
https://issues.apache.org/jira/projects/SOLR

Thanks,
Susheel

On Tue, Sep 19, 2017 at 11:12 AM, Pekhov, Ivan (NIH/NLM/NCBI) [C] <ivan.pek...@nih.gov> wrote:

> Hello Guys,
>
> We've been noticing this problem with Solr version 5.4.1 and it's 
> still the case for the version 6.6.0. The problem is that we're using 
> SolrCloud with secured Zookeeper and our users are granted access to 
> Solr Admin GUI, and, at the same time, they are not supposed to have 
> access to Zookeeper credentials, i.e. usernames and passwords. 
> However, we (and some of our
> users) have found out that Zookeeper credentials are displayed on at 
> least two sections of the Solr Admin GUI, i.e. "Dashboard" and "Java 
> Properties".
>
> Having taken a look at the JavaScript code that runs behind the scenes 
> for those pages, we can see that the sensitive parameters 
> (-DzkDigestPassword, -DzkDigestReadonlyPassword, 
> -DzkDigestReadonlyUsername, -DzkDigestUsername) 
> are fetched via AJAX from the following two URL paths:
>
> /solr/admin/info/system
> /solr/admin/info/properties
>
> Could you please consider for the future Solr releases removing the 
> Zookeeper parameters mentioned above from the output of these URLs and 
> from other URLs that contain this information in their output, if 
> there are any besides the ones mentioned? We find that it is pretty 
> challenging (and probably impossible) to restrict users from accessing 
> some particular paths with the security.json mechanism, and we think that 
> it would be beneficial for overall Solr security to hide Zookeeper 
> credentials.
>
> Thank you so much for your consideration!
>
> Best regards,
> Ivan Pekhov
>
>
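As an added illustration (not part of the thread or of Solr's own code), the following audit checks the two endpoint responses Ivan names for the four zkDigest properties and shows the masking behaviour the request asks for. The JSON shapes (`jvm.jmx.commandLineArgs` for `/solr/admin/info/system`, `system.properties` for `/solr/admin/info/properties`) and all sample values are assumptions constructed here, not captured from a real instance.

```python
import json
import re

# Constructed sample responses; shapes are assumed, credential values are placeholders.
SAMPLE_SYSTEM = json.dumps({
    "jvm": {"jmx": {"commandLineArgs": [
        "-DzkHost=zk1:2181,zk2:2181/solr",
        "-DzkDigestUsername=solr-admin",
        "-DzkDigestPassword=PLACEHOLDER_SECRET",
        "-Dsolr.log.dir=/var/solr/logs",
    ]}}
})
SAMPLE_PROPERTIES = json.dumps({
    "system.properties": {
        "zkDigestReadonlyUsername": "solr-ro",
        "zkDigestReadonlyPassword": "PLACEHOLDER_SECRET",
        "zkHost": "zk1:2181,zk2:2181/solr",
        "java.version": "1.8.0_144",
    }
})

# The four properties named in the report, plus a catch-all for other secret-like names.
SENSITIVE = re.compile(
    r"zkDigest(Readonly)?(Username|Password)|password|secret|credential", re.I
)

def exposed_from_system(body: str) -> dict:
    """Sensitive -D options visible in /solr/admin/info/system output (assumed shape)."""
    args = json.loads(body).get("jvm", {}).get("jmx", {}).get("commandLineArgs", [])
    found = {}
    for arg in args:
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            if SENSITIVE.search(key):
                found[key] = value
    return found

def exposed_from_properties(body: str) -> dict:
    """Sensitive entries visible in /solr/admin/info/properties output (assumed shape)."""
    props = json.loads(body).get("system.properties", {})
    return {k: v for k, v in props.items() if SENSITIVE.search(k)}

def redact(props: dict) -> dict:
    """The fix the thread asks for: mask sensitive values before they reach the Admin UI."""
    return {k: ("***" if SENSITIVE.search(k) else v) for k, v in props.items()}

if __name__ == "__main__":
    print(exposed_from_system(SAMPLE_SYSTEM))
    print(exposed_from_properties(SAMPLE_PROPERTIES))
```

Running both checks against a live instance (with the operator's own credentials) gives a quick regression test that the credentials have disappeared from the responses after an upgrade.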
