Ivan Pekhov created SOLR-11369:
----------------------------------
Summary: Zookeeper credentials show up on the Solr Admin GUI
Key: SOLR-11369
URL: https://issues.apache.org/jira/browse/SOLR-11369
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: Admin UI, security
Reporter: Ivan Pekhov
Hello Guys,
We've been noticing this problem with Solr version 5.4.1 and it's still the
case for the version 6.6.0. The problem is that we're using SolrCloud with
secured Zookeeper and our users are granted access to Solr Admin GUI, and, at
the same time, they are not supposed to have access to Zookeeper credentials,
i.e. usernames and passwords. However, we (and some of our users) have found
out that Zookeeper credentials are displayed on at least two sections of the
Solr Admin GUI, i.e. "Dashboard" and "Java Properties".
Having taken a look at the JavaScript code that runs behind the scenes for
those pages, we can see that the sensitive parameters ( -DzkDigestPassword,
-DzkDigestReadonlyPassword, -DzkDigestReadonlyUsername, -DzkDigestUsername )
are fetched via AJAX from the following two URL paths:
/solr/admin/info/system
/solr/admin/info/properties
Could you please consider for the future Solr releases removing the Zookeeper
parameters mentioned above from the output of these URLs and from other URLs
that contain this information in their output, if there are any besides the
ones mentioned? We find that it is pretty challenging (and probably
impossible) to restrict users from accessing some particular paths with the
security.json mechanism, and we think that it would be beneficial for overall
Solr security to hide Zookeeper credentials.
Thank you so much for your consideration!
Best regards,
Ivan Pekhov
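As an added example (not part of the report above, and not code from the Solr project), the following script shows how an operator could check whether the two endpoints named in the report are leaking the `-DzkDigest*` system properties. It assumes the response shapes of `/solr/admin/info/system` (JVM command-line arguments under `jvm.jmx.commandLineArgs`) and `/solr/admin/info/properties` (a flat map under `system.properties`); the embedded sample responses are constructed for the demo, and only property names, never values, are reported so the check itself does not re-expose the secret.

```python
"""Detect ZooKeeper digest credentials exposed by Solr admin info endpoints.

Added example for SOLR-11369; not code from the report or the Solr project.
Assumed response shapes:
  /solr/admin/info/system      -> {"jvm": {"jmx": {"commandLineArgs": [...]}}}
  /solr/admin/info/properties  -> {"system.properties": {key: value, ...}}
"""
import json
import re
import sys
import urllib.request

# System properties named in the report; their values must not reach Admin UI users.
SENSITIVE_PROPS = frozenset((
    "zkDigestUsername",
    "zkDigestPassword",
    "zkDigestReadonlyUsername",
    "zkDigestReadonlyPassword",
))

# JVM argument of the form -Dkey=value
_DEFINE_RE = re.compile(r"^-D(?P<key>[^=]+)=(?P<val>.*)$")


def leaked_from_system(info):
    """Return {key: value} for sensitive -D arguments in an info/system response."""
    args = info.get("jvm", {}).get("jmx", {}).get("commandLineArgs", [])
    found = {}
    for arg in args:
        m = _DEFINE_RE.match(arg)
        if m and m.group("key") in SENSITIVE_PROPS:
            found[m.group("key")] = m.group("val")
    return found


def leaked_from_properties(info):
    """Return {key: value} for sensitive entries in an info/properties response."""
    props = info.get("system.properties", {})
    return {k: v for k, v in props.items() if k in SENSITIVE_PROPS}


def scan(system_info, properties_info):
    """Report which sensitive property NAMES each endpoint exposes (values are dropped)."""
    return {
        "system": sorted(leaked_from_system(system_info)),
        "properties": sorted(leaked_from_properties(properties_info)),
    }


def fetch_json(url):
    """Fetch an endpoint as JSON; only used when URLs are passed on the command line."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (not real Solr output) mirroring the assumed shapes.
SAMPLE_SYSTEM = {
    "mode": "solrcloud",
    "jvm": {"jmx": {"commandLineArgs": [
        "-Dsolr.solr.home=/var/solr",
        "-DzkDigestUsername=constructed-rw-user",
        "-DzkDigestPassword=constructed-rw-secret",
        "-Xmx512m",
    ]}},
}
SAMPLE_PROPERTIES = {
    "system.properties": {
        "java.version": "1.8.0",
        "zkDigestReadonlyUsername": "constructed-ro-user",
        "zkDigestReadonlyPassword": "constructed-ro-secret",
    },
}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # usage: python check_zk_leak.py http://solr-host:8983
        base = sys.argv[1].rstrip("/")
        result = scan(fetch_json(base + "/solr/admin/info/system"),
                      fetch_json(base + "/solr/admin/info/properties"))
    else:
        result = scan(SAMPLE_SYSTEM, SAMPLE_PROPERTIES)
    for endpoint, keys in result.items():
        status = "EXPOSED" if keys else "clean"
        print(f"{endpoint}: {status} {keys}")
```

Run it with a base URL to test a live instance, or with no arguments to see the constructed samples flagged; a non-empty list for either endpoint means an Admin UI user can read the corresponding ZooKeeper credential.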
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)