[ 
https://issues.apache.org/jira/browse/SOLR-11369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607501#comment-16607501
 ] 

Steve Rowe commented on SOLR-11369:
-----------------------------------

SOLR-10076 fixed this by default in 7.0, to not show system properties that 
contain "password" (case-insensitively).  You can modify the system properties 
to hide by setting system property {{solr.redaction.system.pattern}} 
("{{.*password.*}}" is the default pattern).

In Solr 6.6.X, sensitive property redaction was not enabled by default.  To 
enable, set system property {{solr.redaction.system.enabled}} to {{true}}.


> Zookeeper credentials are showed up on the Solr Admin GUI
> ---------------------------------------------------------
>
>                 Key: SOLR-11369
>                 URL: https://issues.apache.org/jira/browse/SOLR-11369
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI, security
>            Reporter: Ivan Pekhov
>            Priority: Major
>
> Hello Guys,
> We've been noticing this problem with Solr version 5.4.1 and it's still the 
> case for the version 6.6.0. The problem is that we're using SolrCloud with 
> secured Zookeeper and our users are granted access to Solr Admin GUI, and, at 
> the same time, they are not supposed to have access to Zookeeper credentials, 
> i.e. usernames and passwords. However, we (and some of our users) have found 
> out that Zookeeper credentials are displayed on at least two sections of the 
> Solr Admin GUI, i.e. "Dashboard" and "Java Properties".
> Having taken a look at the JavaScript code that runs behind the scenes for 
> those pages, we can see that the sensitive parameters ( -DzkDigestPassword, 
> -DzkDigestReadonlyPassword, -DzkDigestReadonlyUsername, -DzkDigestUsername ) 
> are fetched via AJAX from the following two URL paths:
> /solr/admin/info/system
> /solr/admin/info/properties
> Could you please consider for the future Solr releases removing the Zookeeper 
> parameters mentioned above from the output of these URLs and from other URLs 
> that contain this information in their output, if there are any besides the 
> ones mentioned? We find that it is pretty challenging (and probably 
> impossible) to restrict users from accessing some particular paths with the 
> security.json mechanism, and we think that it would be beneficial for 
> overall Solr security to hide Zookeeper credentials.
> Thank you so much for your consideration!
> Best regards,
> Ivan Pekhov
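The comment above describes redaction of system properties by name: enabled by default in 7.0 with the pattern `.*password.*` matched case-insensitively, and off by default in 6.6.x unless `solr.redaction.system.enabled` is `true`. The following is an added example modelling that behaviour, not Solr's own code; it assumes matching keys keep their name and get a placeholder value (`--REDACTED--` is a constructed placeholder) and that the pattern is applied to the whole property name. The sample property values are constructed. One thing it makes visible: the default pattern hides the two `*Password` properties from the report but leaves `zkDigestUsername` and `zkDigestReadonlyUsername` in the output, so a deployment that also wants the usernames hidden needs a broader pattern.

```python
"""Model of Solr's system-property redaction as described in SOLR-11369.

Added example; not Solr's own implementation.  Assumptions:
  - a matching property keeps its key and has its value replaced by a
    placeholder ("--REDACTED--" is a constructed placeholder here)
  - the pattern must match the whole property name, which is why the
    default is ".*password.*" rather than just "password"
"""
import re

# Default pattern in Solr 7.0 per the comment above (matched case-insensitively).
DEFAULT_PATTERN = r".*password.*"

# Constructed sample of what /solr/admin/info/properties might report when
# Solr is started with the -DzkDigest* flags named in the issue.
SAMPLE_PROPS = {
    "java.version": "1.8.0_181",
    "zkDigestUsername": "solr-admin",
    "zkDigestPassword": "s3cret-example",
    "zkDigestReadonlyUsername": "solr-ro",
    "zkDigestReadonlyPassword": "r0-example",
}

# The four properties the reporter wants hidden.
ZK_SECRET_KEYS = (
    "zkDigestPassword",
    "zkDigestReadonlyPassword",
    "zkDigestReadonlyUsername",
    "zkDigestUsername",
)


def redact_system_properties(props, pattern=DEFAULT_PATTERN, enabled=True,
                             placeholder="--REDACTED--"):
    """Return a copy of props with the values of matching keys replaced.

    enabled=False models Solr 6.6.x, where solr.redaction.system.enabled
    defaults to false and nothing is hidden.
    """
    if not enabled:
        return dict(props)
    matcher = re.compile(pattern, re.IGNORECASE)
    return {key: (placeholder if matcher.fullmatch(key) else value)
            for key, value in props.items()}


def leaked_keys(redacted, secret_keys=ZK_SECRET_KEYS, placeholder="--REDACTED--"):
    """Names from secret_keys that still carry a real value after redaction."""
    return sorted(k for k in secret_keys
                  if k in redacted and redacted[k] != placeholder)


if __name__ == "__main__":
    # 6.6.x default: redaction disabled, every zk credential is visible.
    print("6.6.x default leaks:", leaked_keys(
        redact_system_properties(SAMPLE_PROPS, enabled=False)))

    # 7.0 default: passwords hidden, usernames still shown.
    print("7.0 default leaks:  ", leaked_keys(
        redact_system_properties(SAMPLE_PROPS)))

    # Broader pattern covering every zkDigest* property as well as passwords,
    # e.g. passed as
    #   -Dsolr.redaction.system.pattern='.*(password|zkDigest).*'
    # (the value is constructed; the property name is the one from the comment).
    broad = r".*(password|zkDigest).*"
    print("broad pattern leaks:", leaked_keys(
        redact_system_properties(SAMPLE_PROPS, pattern=broad)))
```

A quick local check after changing the pattern is to fetch `/solr/admin/info/properties` and confirm none of the `zkDigest*` keys still carry a real value; `leaked_keys` applied to that JSON does exactly that.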



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
