[
https://issues.apache.org/jira/browse/SOLR-11369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16721396#comment-16721396
]
Jan Høydahl commented on SOLR-11369:
------------------------------------
Linking in SOLR-12976 as a relevant reference. Guess this Jira could be closed
now, as it is fixed in 7.x and a better system will be handled by SOLR-12976.
> Zookeeper credentials are showed up on the Solr Admin GUI
> ---------------------------------------------------------
>
> Key: SOLR-11369
> URL: https://issues.apache.org/jira/browse/SOLR-11369
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI, security
> Reporter: Ivan Pekhov
> Priority: Major
>
> Hello Guys,
> We've been noticing this problem with Solr version 5.4.1 and it's still the
> case for version 6.6.0. The problem is that we're using SolrCloud with
> secured Zookeeper and our users are granted access to Solr Admin GUI, and, at
> the same time, they are not supposed to have access to Zookeeper credentials,
> i.e. usernames and passwords. However, we (and some of our users) have found
> out that Zookeeper credentials are displayed on at least two sections of the
> Solr Admin GUI, i.e. "Dashboard" and "Java Properties".
> Having taken a look at the JavaScript code that runs behind the scenes for
> those pages, we can see that the sensitive parameters ( -DzkDigestPassword,
> -DzkDigestReadonlyPassword, -DzkDigestReadonlyUsername, -DzkDigestUsername )
> are fetched via AJAX from the following two URL paths:
> /solr/admin/info/system
> /solr/admin/info/properties
> Could you please consider for the future Solr releases removing the Zookeeper
> parameters mentioned above from the output of these URLs and from other URLs
> that contain this information in their output, if there are any besides the
> ones mentioned? We find that it is pretty challenging (and probably
> impossible) to restrict users from accessing some particular paths with the
> security.json mechanism, and we think that that would be beneficial for
> overall Solr security to hide Zookeeper credentials.
> Thank you so much for your consideration!
> Best regards,
> Ivan Pekhov
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
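The report above names two admin endpoints and four system properties. As an added example (not code from Solr or from either commenter), here is an offline audit helper that walks JSON of the kind those endpoints return and flags any of the named zkDigest* properties that appear with an unmasked value, whether as a key in a properties map or embedded in a "-Dname=value" JVM argument. The two sample responses are constructed; their shape (a `jvm.jmx.commandLineArgs` list for /admin/info/system, a `system.properties` map for /admin/info/properties) and the "--REDACTED--" mask string are assumptions for the example, not guaranteed Solr output.

```python
"""Offline audit: scan Solr admin-info JSON for exposed ZooKeeper digest
credentials.  Added example, not Solr's own code.  Sample responses below are
constructed; their shapes and the mask string are assumptions."""
import json
import re

# The four system properties named in SOLR-11369.
SENSITIVE_PROPS = {
    "zkDigestPassword",
    "zkDigestReadonlyPassword",
    "zkDigestUsername",
    "zkDigestReadonlyUsername",
}
# Matches a JVM argument such as "-DzkDigestPassword=secret".
JVM_ARG_RE = re.compile(r"^-D(?P<name>[^=]+)=(?P<value>.*)$")
# Values treated as "already masked" (assumption: "--REDACTED--" is the mask).
REDACTED_MARKERS = {"--REDACTED--", "", None}


def _walk(node, path=()):
    """Yield (path, leaf_value) for every leaf in nested dict/list JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + (i,))
    else:
        yield path, node


def find_exposed_credentials(response):
    """Return findings: dicts with 'path', 'property' and 'exposed' (bool).

    A finding is produced both for a properties map whose key is sensitive
    and for a command-line argument string "-D<sensitive>=<value>".
    """
    findings = []
    for path, value in _walk(response):
        prop, val = None, None
        key = path[-1] if path else None
        if isinstance(key, str) and key in SENSITIVE_PROPS:
            prop, val = key, value
        elif isinstance(value, str):
            m = JVM_ARG_RE.match(value)
            if m and m.group("name") in SENSITIVE_PROPS:
                prop, val = m.group("name"), m.group("value")
        if prop is not None:
            findings.append({
                "path": "/".join(str(p) for p in path),
                "property": prop,
                "exposed": val not in REDACTED_MARKERS,
            })
    return findings


def audit(responses):
    """Map each endpoint to the sorted list of property names it exposes."""
    return {
        endpoint: sorted(f["property"]
                         for f in find_exposed_credentials(body) if f["exposed"])
        for endpoint, body in responses.items()
    }


# Constructed sample: what /solr/admin/info/system might return on an
# unpatched node (shape assumed for this example).
SAMPLE_SYSTEM = json.loads("""
{
  "responseHeader": {"status": 0, "QTime": 1},
  "mode": "solrcloud",
  "jvm": {
    "version": "1.8.0_141 25.141-b15",
    "jmx": {
      "commandLineArgs": [
        "-Xms512m",
        "-DzkHost=zk1:2181,zk2:2181/solr",
        "-DzkDigestUsername=solradmin",
        "-DzkDigestPassword=hunter2",
        "-DzkDigestReadonlyUsername=solrro",
        "-DzkDigestReadonlyPassword=readonly-secret"
      ]
    }
  }
}
""")

# Constructed sample: /solr/admin/info/properties with one value already masked.
SAMPLE_PROPERTIES = json.loads("""
{
  "responseHeader": {"status": 0, "QTime": 0},
  "system.properties": {
    "zkHost": "zk1:2181,zk2:2181/solr",
    "zkDigestUsername": "solradmin",
    "zkDigestPassword": "hunter2",
    "zkDigestReadonlyPassword": "--REDACTED--",
    "java.version": "1.8.0_141"
  }
}
""")

if __name__ == "__main__":
    report = audit({"/solr/admin/info/system": SAMPLE_SYSTEM,
                    "/solr/admin/info/properties": SAMPLE_PROPERTIES})
    for endpoint, props in report.items():
        print(f"{endpoint}: {'LEAKS' if props else 'clean'} {props}")
```

To run this against a live node, replace the two constructed samples with the parsed bodies of the real endpoints (fetched with whatever client and authentication you already use); the walker does not depend on the exact layout, only on the property names and the "-Dname=value" convention, so it also catches the credentials if they surface in some other part of the response.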