lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Susheel Kumar <susheel2...@gmail.com>
Subject Re: Zookeeper credentials are showed up on the Solr Admin GUI
Date Tue, 19 Sep 2017 15:28:43 GMT
Hi Ivan, Can you please submit a JIRA/bug report for this at
https://issues.apache.org/jira/projects/SOLR

Thanks,
Susheel

On Tue, Sep 19, 2017 at 11:12 AM, Pekhov, Ivan (NIH/NLM/NCBI) [C] <
ivan.pekhov@nih.gov> wrote:

> Hello Guys,
>
> We've been noticing this problem with Solr version 5.4.1 and it's still
> the case for the version 6.6.0. The problem is that we're using SolrCloud
> with secured Zookeeper and our users are granted access to Solr Admin GUI,
> and, at the same time, they are not supposed to have access to Zookeeper
> credentials, i.e. usernames and passwords. However, we (and some of our
> users) have found out that Zookeeper credentials are displayed on at least
> two sections of the Solr Admin GUI, i.e. "Dashboard" and "Java Properties".
>
> Having taken a look at the JavaScript code that runs behind the scenes for
> those pages, we can see that the sensitive parameters ( -DzkDigestPassword,
> -DzkDigestReadonlyPassword, -DzkDigestReadonlyUsername, -DzkDigestUsername
> ) are fetched via AJAX from the following two URL paths:
>
> /solr/admin/info/system
> /solr/admin/info/properties
>
> Could you please consider for the future Solr releases removing the
> Zookeeper parameters mentioned above from the output of these URLs and from
> other URLs that contain this information in their output, if there are any
> besides the ones mentioned? We find that it is be pretty challenging (and
> probably impossible) to restrict users from accessing some particular paths
> with security.json mechanism, and we think that that would be beneficial
> for overall Solr security to hide Zookeeper credentials.
>
> Thank you so much for your consideration!
>
> Best regards,
> Ivan Pekhov
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message