[
https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mike Drob updated SOLR-8415:
----------------------------
Attachment: SOLR-8415.patch
bq. Why probably? Don't you need to update solr.xml?
I was thinking that you don't need to update the Credentials, but now I realize
that you would need to update the ACL Provider, otherwise future content will
still be locked down.
bq. Maybe I'm missing something, but that all seems to be about initial setup.
The steps for initial setup and migration are almost identical, aside from
needing to convert existing ACLs.
How about:
{panel}
h3. Swapping ACL Schemes
Over the lifetime of operating your Solr cluster, you may decide to move from a
unsecured ZK to a secured instance. Changing the configured {{zkACLProvider}}
in {{solr.xml}} will ensure that newly created nodes are secure, but will not
protect the already existing data. To modify all existing ACLs, you can use
{{ZkCLI -cmd resetacl [path]}}.
Changing ACLs in ZK should only be done while your SolrCloud cluster is
stopped. Attempting to do so while Solr is running may result in inconsistent
state and some nodes becoming inaccessible. To configure the new ACLs, run
ZkCli with the following VM properties: {{-DzkACLProvider=...
-DzkCredentialsProvider=...}}.
* The Credential Provider must be one that has current admin privileges on the
nodes. When omitted, the process will use no credentials (suitable for an
unsecure configuration).
* The ACL Provider will be used to compute the new ACLs. When omitted, the
process will set all permissions to all users, removing any security present.
You may use the {{VMParamsSingleSetCredentialsDigestZkCredentialsProvider}} and
{{VMParamsAllAndReadonlyDigestZkACLProvider}} implementations as described
earlier in the page for these properties.
After changing the ZK ACLs, make sure that the contents of your {{solr.xml}}
match, as described for initial set up.
{panel}
I made path required to line up better with clear, and to hopefully reduce
accidents.
Aside: There has to be a better way to share this than just pasting my proposed
changes in a comment each time.
Added another test for using the System Properties as well.
> Provide command to switch between non/secure mode in ZK
> -------------------------------------------------------
>
> Key: SOLR-8415
> URL: https://issues.apache.org/jira/browse/SOLR-8415
> Project: Solr
> Issue Type: Improvement
> Components: security, SolrCloud
> Reporter: Mike Drob
> Assignee: Gregory Chanan
> Fix For: Trunk
>
> Attachments: SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch,
> SOLR-8415.patch
>
>
> We have the ability to run both with and without zk acls, but we don't have a
> great way to switch between the two modes. Most common use case, I imagine,
> would be upgrading from an old version that did not support this to a new
> version that does, and wanting to protect all of the existing content in ZK,
> but it is conceivable that a user might want to remove ACLs as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
