Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/10/26 14:59:00 UTC

[jira] [Commented] (SOLR-10100) Hiding credentials from security.json when retrieving through /admin/zookeeper

    [ https://issues.apache.org/jira/browse/SOLR-10100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17434411#comment-17434411 ] 

Jan Høydahl commented on SOLR-10100:
------------------------------------

In SOLR-7890 we require CONFIG_READ_PERM to access /admin/zookeeper and if you request the file content of /security.json, we require SECURITY_READ_PERM. We still list the file, but you'll get a 403 when attempting to read it. I think this will solve the intent of this issue. Perhaps some extra code in the UI is needed to give a sane message whenever someone clicks security.json in the UI without proper permission. The best thing to do would be to print a red text "You need bla bla to access this file".

> Hiding credentials from security.json when retrieving through /admin/zookeeper
> ------------------------------------------------------------------------------
>
>                 Key: SOLR-10100
>                 URL: https://issues.apache.org/jira/browse/SOLR-10100
>             Project: Solr
>          Issue Type: Improvement
>          Components: security
>            Reporter: Mano Kovacs
>            Assignee: Jan Høydahl
>            Priority: Major
>
> {{/admin/zookeeper}} API is currently exposing {{security.json}} as-is, which can contain security credentials as well.
> Proposing a configurable list for hiding elements of {{security.json}} when loaded through {{/admin/zookeeper}}.


