[ https://issues.apache.org/jira/browse/SOLR-11369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607501#comment-16607501 ]
Steve Rowe commented on SOLR-11369:
-----------------------------------

SOLR-10076 fixed this by default in 7.0, to not show system properties that contain "password" (case-insensitively). You can modify the system properties to hide by setting system property {{solr.redaction.system.pattern}} ("{{.*password.*}}" is the default pattern).

In Solr 6.6.X, sensitive property redaction was not enabled by default. To enable, set system property {{solr.redaction.system.enabled}} to {{true}}.

> Zookeeper credentials are showed up on the Solr Admin GUI
> ---------------------------------------------------------
>
>                 Key: SOLR-11369
>                 URL: https://issues.apache.org/jira/browse/SOLR-11369
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Admin UI, security
>            Reporter: Ivan Pekhov
>            Priority: Major
>
> Hello Guys,
> We've been noticing this problem with Solr version 5.4.1 and it's still the
> case for the version 6.6.0. The problem is that we're using SolrCloud with
> secured Zookeeper and our users are granted access to Solr Admin GUI, and, at
> the same time, they are not supposed to have access to Zookeeper credentials,
> i.e. usernames and passwords. However, we (and some of our users) have found
> out that Zookeeper credentials are displayed on at least two sections of the
> Solr Admin GUI, i.e. "Dashboard" and "Java Properties".
> Having taken a look at the JavaScript code that runs behind the scenes for
> those pages, we can see that the sensitive parameters ( -DzkDigestPassword,
> -DzkDigestReadonlyPassword, -DzkDigestReadonlyUsername, -DzkDigestUsername )
> are fetched via AJAX from the following two URL paths:
> /solr/admin/info/system
> /solr/admin/info/properties
> Could you please consider for the future Solr releases removing the Zookeeper
> parameters mentioned above from the output of these URLs and from other URLs
> that contain this information in their output, if there are any besides the
> ones mentioned? We find that it is pretty challenging (and probably
> impossible) to restrict users from accessing some particular paths with the
> security.json mechanism, and we think that it would be beneficial for
> overall Solr security to hide Zookeeper credentials.
> Thank you so much for your consideration!
> Best regards,
> Ivan Pekhov

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
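The following is an added example, not Solr's code and not something posted in the thread. It models the name-based redaction the comment above describes (hide every system property whose name matches {{solr.redaction.system.pattern}}, case-insensitively, default {{.*password.*}}, with the 6.6.x behaviour of no redaction when {{solr.redaction.system.enabled}} is off) and runs a leak check over constructed responses shaped like {{/solr/admin/info/properties}} and {{/solr/admin/info/system}}. Assumptions: the {{--REDACTED--}} marker, the {{system.properties}} and {{jvm.jmx.commandLineArgs}} field names, and the sample credentials are all made up for this example; the real endpoints return many more fields.

```python
import copy
import re

# Names the issue reporter identified as leaking (from the description above).
ZK_SENSITIVE_KEYS = (
    "zkDigestPassword",
    "zkDigestReadonlyPassword",
    "zkDigestReadonlyUsername",
    "zkDigestUsername",
)

# Default of solr.redaction.system.pattern in Solr 7, as stated in the comment.
DEFAULT_PATTERN = r".*password.*"
# Marker written in place of a hidden value. Assumed for this example only.
REDACTED = "--REDACTED--"

# Constructed samples in the rough shape of the two admin endpoints. Fake credentials.
SAMPLE_PROPERTIES = {
    "responseHeader": {"status": 0, "QTime": 1},
    "system.properties": {
        "zkHost": "zk1:2181,zk2:2181/solr",
        "zkDigestUsername": "solr-admin",
        "zkDigestPassword": "Hunter2!",
        "zkDigestReadonlyUsername": "solr-ro",
        "zkDigestReadonlyPassword": "ReadOnly42",
        "java.version": "1.8.0_151",
    },
}
SAMPLE_SYSTEM = {
    "responseHeader": {"status": 0, "QTime": 2},
    "jvm": {"jmx": {"commandLineArgs": [
        "-DzkHost=zk1:2181,zk2:2181/solr",
        "-DzkDigestUsername=solr-admin",
        "-DzkDigestPassword=Hunter2!",
        "-Xmx512m",
    ]}},
}

_DPROP = re.compile(r"-D([^=]+)=(.*)")


def redact_system_properties(props, pattern=DEFAULT_PATTERN, enabled=True):
    """Hide the value of every property whose name matches `pattern`
    (case-insensitive). enabled=False reproduces the 6.6.x default: nothing hidden."""
    if not enabled:
        return dict(props)
    rx = re.compile(pattern, re.IGNORECASE)
    return {k: (REDACTED if rx.fullmatch(k) else v) for k, v in props.items()}


def redact_command_line(args, pattern=DEFAULT_PATTERN, enabled=True):
    """Apply the same name rule to JVM '-Dname=value' arguments (the Dashboard
    renders these, so hiding system properties alone would not be enough)."""
    if not enabled:
        return list(args)
    rx = re.compile(pattern, re.IGNORECASE)
    out = []
    for a in args:
        m = _DPROP.fullmatch(a)
        out.append(f"-D{m.group(1)}={REDACTED}" if m and rx.fullmatch(m.group(1)) else a)
    return out


def redact_response(doc, pattern=DEFAULT_PATTERN, enabled=True):
    """Return a redacted deep copy of a decoded response from either endpoint."""
    out = copy.deepcopy(doc)
    if "system.properties" in out:
        out["system.properties"] = redact_system_properties(out["system.properties"], pattern, enabled)
    jmx = out.get("jvm", {}).get("jmx", {})
    if "commandLineArgs" in jmx:
        jmx["commandLineArgs"] = redact_command_line(jmx["commandLineArgs"], pattern, enabled)
    return out


def find_leaks(doc, names=ZK_SENSITIVE_KEYS, path=""):
    """Walk a decoded response and return the JSON paths where a sensitive name
    still carries an unredacted value, as a property key or inside '-Dname=value'."""
    leaks, lowered = [], {n.lower() for n in names}
    if isinstance(doc, dict):
        for k, v in doc.items():
            p = f"{path}/{k}"
            if k.lower() in lowered and isinstance(v, str) and v != REDACTED:
                leaks.append(p)
            leaks.extend(find_leaks(v, names, p))
    elif isinstance(doc, list):
        for i, v in enumerate(doc):
            leaks.extend(find_leaks(v, names, f"{path}[{i}]"))
    elif isinstance(doc, str):
        m = _DPROP.fullmatch(doc)
        if m and m.group(1).lower() in lowered and m.group(2) != REDACTED:
            leaks.append(path)
    return leaks


if __name__ == "__main__":
    wide = r".*(password|username).*"
    for label, doc in (("properties", SAMPLE_PROPERTIES), ("system", SAMPLE_SYSTEM)):
        print(label, "6.6 default (disabled):", find_leaks(redact_response(doc, enabled=False)))
        print(label, "7.0 default pattern:   ", find_leaks(redact_response(doc)))
        print(label, "widened pattern:       ", find_leaks(redact_response(doc, pattern=wide)))
```

The practical point the run makes: the default {{.*password.*}} pattern hides the two password properties but leaves {{zkDigestUsername}} and {{zkDigestReadonlyUsername}} visible, so an operator who also treats the usernames as sensitive should widen the pattern (for example to cover "username" as well) and, on 6.6.x, turn redaction on at all. Running {{find_leaks}} over the real JSON fetched with curl from both endpoints is the check that confirms nothing still leaks after the change.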