Posted to solr-user@lucene.apache.org by "Pekhov, Ivan (NIH/NLM/NCBI) [C]" <iv...@nih.gov> on 2017/09/19 15:12:33 UTC

Zookeeper credentials are shown on the Solr Admin GUI

Hello Guys,

We've been noticing this problem with Solr version 5.4.1 and it's still the case for the version 6.6.0. The problem is that we're using SolrCloud with secured Zookeeper and our users are granted access to Solr Admin GUI, and, at the same time, they are not supposed to have access to Zookeeper credentials, i.e. usernames and passwords. However, we (and some of our users) have found out that Zookeeper credentials are displayed on at least two sections of the Solr Admin GUI, i.e. "Dashboard" and "Java Properties".

Having taken a look at the JavaScript code that runs behind the scenes for those pages, we can see that the sensitive parameters ( -DzkDigestPassword, -DzkDigestReadonlyPassword, -DzkDigestReadonlyUsername, -DzkDigestUsername ) are fetched via AJAX from the following two URL paths:

/solr/admin/info/system
/solr/admin/info/properties

Could you please consider for the future Solr releases removing the Zookeeper parameters mentioned above from the output of these URLs and from other URLs that contain this information in their output, if there are any besides the ones mentioned? We find that it is pretty challenging (and probably impossible) to restrict users from accessing some particular paths with the security.json mechanism, and we think that it would be beneficial for overall Solr security to hide Zookeeper credentials.

Thank you so much for your consideration!

Best regards,
Ivan Pekhov
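The following audit script is an added example and is not part of the thread or of Solr itself. It takes the JSON that the Admin UI fetches from the two endpoints named above (for instance saved locally from your own node) and reports every system property or JVM argument that looks like a ZooKeeper credential, then produces a redacted copy of the kind a proxy or a patched handler would serve. The response shapes it assumes (a "system.properties" object for /solr/admin/info/properties, and "jvm" -> "jmx" -> "commandLineArgs" for /solr/admin/info/system) and all sample values are constructed, not captured from a real server; the property names checked are the four listed in the report plus a generic password/secret pattern.

```python
"""Audit Solr admin-info JSON for leaked ZooKeeper digest credentials.

Hypothetical helper, not Solr's own code. The response shapes and the
sample data below are assumptions/constructed, not a real server capture.
"""
import copy
import json
import re

# The four property names from the mailing-list report, plus a catch-all for
# anything whose name says it is a password or secret.
SENSITIVE_PATTERN = re.compile(
    r"^(zkDigestPassword|zkDigestReadonlyPassword|"
    r"zkDigestReadonlyUsername|zkDigestUsername)$"
    r"|password|secret|credential",
    re.IGNORECASE,
)

REDACTED = "--REDACTED--"

PROPERTIES_PATH = "/solr/admin/info/properties"
SYSTEM_PATH = "/solr/admin/info/system"


def is_sensitive(name: str) -> bool:
    """True if a property or JVM argument name should never reach a UI user."""
    return SENSITIVE_PATTERN.search(name) is not None


def _split_jvm_arg(arg: str):
    """Turn '-Dname=value' into (name, value); any other arg yields (None, arg)."""
    if arg.startswith("-D") and "=" in arg:
        name, value = arg[2:].split("=", 1)
        return name, value
    return None, arg


def find_exposed(properties_response: dict, system_response: dict) -> list:
    """Return sorted (endpoint, name) pairs for every sensitive item found."""
    exposed = set()
    for name in properties_response.get("system.properties", {}):
        if is_sensitive(name):
            exposed.add((PROPERTIES_PATH, name))
    args = system_response.get("jvm", {}).get("jmx", {}).get("commandLineArgs", [])
    for arg in args:
        name, _ = _split_jvm_arg(arg)
        if name and is_sensitive(name):
            exposed.add((SYSTEM_PATH, name))
    return sorted(exposed)


def _redact_arg(arg: str) -> str:
    """Mask the value of a sensitive -Dname=value argument, keep others as-is."""
    name, _ = _split_jvm_arg(arg)
    if name and is_sensitive(name):
        return f"-D{name}={REDACTED}"
    return arg


def redact(properties_response: dict, system_response: dict) -> tuple:
    """Return deep copies of both responses with sensitive values masked."""
    props = copy.deepcopy(properties_response)
    sysinfo = copy.deepcopy(system_response)
    for name in props.get("system.properties", {}):
        if is_sensitive(name):
            props["system.properties"][name] = REDACTED
    jmx = sysinfo.get("jvm", {}).get("jmx")
    if jmx and "commandLineArgs" in jmx:
        jmx["commandLineArgs"] = [_redact_arg(a) for a in jmx["commandLineArgs"]]
    return props, sysinfo


# Constructed sample responses: shape assumed, every value made up.
SAMPLE_PROPERTIES = {
    "responseHeader": {"status": 0, "QTime": 1},
    "system.properties": {
        "java.version": "1.8.0_144",
        "solr.solr.home": "/var/solr/data",
        "zkDigestUsername": "solr-admin",
        "zkDigestPassword": "example-not-a-real-password",
        "zkDigestReadonlyUsername": "solr-ro",
        "zkDigestReadonlyPassword": "example-not-a-real-password",
    },
}

SAMPLE_SYSTEM = {
    "responseHeader": {"status": 0, "QTime": 3},
    "mode": "solrcloud",
    "jvm": {
        "version": "1.8.0_144",
        "jmx": {
            "commandLineArgs": [
                "-DzkHost=zk1:2181,zk2:2181/solr",
                "-DzkDigestUsername=solr-admin",
                "-DzkDigestPassword=example-not-a-real-password",
                "-Xmx4g",
            ]
        },
    },
}

if __name__ == "__main__":
    for endpoint, name in find_exposed(SAMPLE_PROPERTIES, SAMPLE_SYSTEM):
        print(f"EXPOSED {endpoint}: {name}")
    safe_props, safe_sys = redact(SAMPLE_PROPERTIES, SAMPLE_SYSTEM)
    print(json.dumps(safe_props["system.properties"], indent=2))
    print(json.dumps(safe_sys["jvm"]["jmx"]["commandLineArgs"], indent=2))
```

To run it against a live node, replace the two sample dictionaries with the parsed output of the endpoints (for example the JSON saved with curl using `wt=json`); a non-empty result from find_exposed means an Admin UI user can read the ZooKeeper credentials from that node.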


RE: Zookeeper credentials are shown on the Solr Admin GUI

Posted by "Pekhov, Ivan (NIH/NLM/NCBI) [C]" <iv...@nih.gov>.
Hi Susheel,

Thank you so much for such a quick response! I've created the issue as you requested, please refer to the link:

https://issues.apache.org/jira/browse/SOLR-11369

Thank you!
Ivan

-----Original Message-----
From: Susheel Kumar [mailto:susheel2777@gmail.com] 
Sent: Tuesday, September 19, 2017 11:29 AM
To: solr-user@lucene.apache.org
Subject: Re: Zookeeper credentials are shown on the Solr Admin GUI

Hi Ivan, Can you please submit a JIRA/bug report for this at https://issues.apache.org/jira/projects/SOLR

Thanks,
Susheel


Re: Zookeeper credentials are shown on the Solr Admin GUI

Posted by Susheel Kumar <su...@gmail.com>.
Hi Ivan, Can you please submit a JIRA/bug report for this at
https://issues.apache.org/jira/projects/SOLR

Thanks,
Susheel
