lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Resolved] (SOLR-11369) Zookeeper credentials are showed up on the Solr Admin GUI
Date Fri, 14 Dec 2018 13:23:00 GMT

     [ https://issues.apache.org/jira/browse/SOLR-11369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jan Høydahl resolved SOLR-11369.
--------------------------------
    Resolution: Workaround

> Zookeeper credentials are showed up on the Solr Admin GUI
> ---------------------------------------------------------
>
>                 Key: SOLR-11369
>                 URL: https://issues.apache.org/jira/browse/SOLR-11369
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI, security
>            Reporter: Ivan Pekhov
>            Priority: Major
>
> Hello Guys,
> We've been noticing this problem with Solr version 5.4.1 and it's still the case for
the version 6.6.0. The problem is that we're using SolrCloud with secured Zookeeper and our
users are granted access to Solr Admin GUI, and, at the same time, they are not supposed to
have access to Zookeeper credentials, i.e. usernames and passwords. However, we (and some
of our users) have found out that Zookeeper credentials are displayed on at least two sections
of the Solr Admin GUI, i.e. "Dashboard" and "Java Properties".
> Having taken a look at the JavaScript code that runs behind the scenes for those pages,
we can see that the sensitive parameters ( -DzkDigestPassword, -DzkDigestReadonlyPassword,
-DzkDigestReadonlyUsername, -DzkDigestUsername ) are fetched via AJAX from the following two
URL paths:
> /solr/admin/info/system
> /solr/admin/info/properties
> Could you please consider for the future Solr releases removing the Zookeeper parameters
mentioned above from the output of these URLs and from other URLs that contain this information
in their output, if there are any besides the ones mentioned? We find that it is be pretty
challenging (and probably impossible) to restrict users from accessing some particular paths
with security.json mechanism, and we think that that would be beneficial for overall Solr
security to hide Zookeeper credentials.
> Thank you so much for your consideration!
> Best regards,
> Ivan Pekhov



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message