[
https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122280#comment-15122280
]
Mike Drob commented on SOLR-8415:
---------------------------------
Yes, that needs to be changed. Here's a fully updated section.
{panel}
h3. Changing ACL Schemes
Over the lifetime of operating your Solr cluster, you may decide to move from a
unsecured ZK to a secured instance. Changing the configured {{zkACLProvider}}
in {{solr.xml}} will ensure that newly created nodes are secure, but will not
protect the already existing data. To modify all existing ACLs, you can use
{{ZkCLI -cmd updateAcls /zk-path}}.
Changing ACLs in ZK should only be done while your SolrCloud cluster is
stopped. Attempting to do so while Solr is running may result in inconsistent
state and some nodes becoming inaccessible. To configure the new ACLs, run
ZkCli with the following VM properties: {{-DzkACLProvider=...
-DzkCredentialsProvider=...}}.
* The Credential Provider must be one that has current admin privileges on the
nodes. When omitted, the process will use no credentials (suitable for an
unsecure configuration).
* The ACL Provider will be used to compute the new ACLs. When omitted, the
process will set all permissions to all users, removing any security present.
You may use the {{VMParamsSingleSetCredentialsDigestZkCredentialsProvider}} and
{{VMParamsAllAndReadonlyDigestZkACLProvider}} implementations as described
earlier in the page for these properties.
After changing the ZK ACLs, make sure that the contents of your {{solr.xml}}
match, as described for initial set up.
{panel}
> Provide command to switch between non/secure mode in ZK
> -------------------------------------------------------
>
> Key: SOLR-8415
> URL: https://issues.apache.org/jira/browse/SOLR-8415
> Project: Solr
> Issue Type: Improvement
> Components: security, SolrCloud
> Reporter: Mike Drob
> Assignee: Gregory Chanan
> Fix For: 5.5, Trunk
>
> Attachments: SOLR-8415.branch_5x.patch, SOLR-8415.branch_5x.patch,
> SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch,
> SOLR-8415.patch, SOLR-8415.patch
>
>
> We have the ability to run both with and without zk acls, but we don't have a
> great way to switch between the two modes. Most common use case, I imagine,
> would be upgrading from an old version that did not support this to a new
> version that does, and wanting to protect all of the existing content in ZK,
> but it is conceivable that a user might want to remove ACLs as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
