[
https://issues.apache.org/jira/browse/SOLR-8792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241254#comment-15241254
]
Ishan Chattopadhyaya edited comment on SOLR-8792 at 4/14/16 2:34 PM:
---------------------------------------------------------------------
Finally managed to have it work for me. Attached the patch for a fix to
bin/solr script.
Here are the steps that need to be taken to enable ZK ACLs (assuming the
attached patch is committed or applied).
# Start a fresh ZK instance (let's assume the hostname is zk1).
# Add the following to the {{./server/solr/solr.xml}} file's {{SolrCloud}}
section:
{code}
<str name="zkCredentialsProvider">org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider</str>
<str name="zkACLProvider">org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider</str>
{code}
# In the bin/solr.in.sh's section called {{Settings for ZK ACL}}, provide all
the passwords etc. (one could uncomment and edit the existing lines there).
Here's an example:
{code}
# Settings for ZK ACL
SOLR_ZK_CREDS_AND_ACLS="-DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider"
SOLR_ZK_CREDS_AND_ACLS="$SOLR_ZK_CREDS_AND_ACLS -DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider"
SOLR_ZK_CREDS_AND_ACLS="$SOLR_ZK_CREDS_AND_ACLS -DzkDigestUsername=admin-user -DzkDigestPassword=admin-password"
SOLR_ZK_CREDS_AND_ACLS="$SOLR_ZK_CREDS_AND_ACLS -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=readonly-password"
SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"
{code}
# Start Solr. {{bin/solr start -e cloud -z zk1:2181 -noprompt}}
# To ensure that unauthorized access is restricted, try uploading a configset
to ZK (without any changes to the zkcli.sh):
{code}
server/scripts/cloud-scripts/zkcli.sh -cmd upconfig -confname basic -z zk1:2181 -confdir server/solr/configsets/basic_configs
{code}
This should result in an error:
{code}
Exception in thread "main" java.io.IOException: Error uploading file server/solr/configsets/basic_configs/conf/_rest_managed.json to zookeeper path /configs/basic/conf/_rest_managed.json
    at org.apache.solr.common.cloud.ZkConfigManager$1.visitFile(ZkConfigManager.java:78)
    at org.apache.solr.common.cloud.ZkConfigManager$1.visitFile(ZkConfigManager.java:65)
    at java.nio.file.Files.walkFileTree(Files.java:2670)
    at java.nio.file.Files.walkFileTree(Files.java:2742)
    at org.apache.solr.common.cloud.ZkConfigManager.uploadToZK(ZkConfigManager.java:65)
    at org.apache.solr.common.cloud.ZkConfigManager.uploadConfigDir(ZkConfigManager.java:142)
    at org.apache.solr.cloud.ZkCLI.main(ZkCLI.java:227)
Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /configs/basic
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
    at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
    at org.apache.solr.common.cloud.SolrZkClient$10.execute(SolrZkClient.java:503)
    at org.apache.solr.common.cloud.ZkCmdExecutor.retryOperation(ZkCmdExecutor.java:60)
    at org.apache.solr.common.cloud.SolrZkClient.makePath(SolrZkClient.java:500)
    at org.apache.solr.common.cloud.SolrZkClient.makePath(SolrZkClient.java:411)
    at org.apache.solr.common.cloud.ZkConfigManager$1.visitFile(ZkConfigManager.java:75)
    ... 6 more
{code}
# To have zkcli.sh work, add the credentials to zkcli.sh:
{code}
SOLR_ZK_CREDS_AND_ACLS="-DzkDigestUsername=admin-user -DzkDigestPassword=admin-password \
  -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=readonly-password"
java ... $SOLR_ZK_CREDS_AND_ACLS ... org.apache.solr.cloud.ZkCLI -cmd ...
{code}
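Added example (not from the patch or from anyone on this issue): the ZooKeeper digest ids that VMParamsAllAndReadonlyDigestZkACLProvider installs for admin-user and readonly-user, plus a parser for zkCli's getAcl output, so an operator can confirm from the ZK side that the /configs nodes carry exactly the intended entries and nothing else. The digest formula (base64 of SHA-1 over user:password) and the two-line getAcl layout are assumed from ZooKeeper's digest scheme; they are not stated in the issue.

```python
import base64
import hashlib

# ZooKeeper permission bits (ZooDefs.Perms), keyed by the letter zkCli prints.
PERMS = {"c": 4, "d": 8, "r": 1, "w": 2, "a": 16}
ALL = sum(PERMS.values())  # 31, printed by getAcl as "cdrwa"

def zk_digest_id(user: str, password: str) -> str:
    """ZooKeeper 'digest' id: '<user>:' + base64(sha1('<user>:<password>'))."""
    raw = f"{user}:{password}".encode("utf-8")
    return f"{user}:{base64.b64encode(hashlib.sha1(raw).digest()).decode('ascii')}"

def perms_to_string(perms: int) -> str:
    """Render a permission bitmask the way getAcl prints it, e.g. 'cdrwa'."""
    return "".join(ch for ch, bit in PERMS.items() if perms & bit)

def expected_acls(admin_user, admin_pw, ro_user, ro_pw) -> dict:
    """Entries the all-and-readonly provider should leave on every znode:
    all permissions for the admin digest, READ only for the readonly digest."""
    return {
        ("digest", zk_digest_id(admin_user, admin_pw)): ALL,
        ("digest", zk_digest_id(ro_user, ro_pw)): PERMS["r"],
    }

def parse_getacl(output: str) -> dict:
    """Parse zkCli 'getAcl /path' output, which prints each entry as two
    lines ('scheme,'id then : perms), into {(scheme, id): perm_bits}."""
    acls, scheme_id = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("'") and "," in line:
            scheme, _, ident = line.partition(",")
            scheme_id = (scheme.strip("'"), ident.strip("'"))
        elif line.startswith(":") and scheme_id:
            acls[scheme_id] = sum(PERMS[ch] for ch in line[1:].strip())
            scheme_id = None
    return acls

def acls_match(actual: dict, expected: dict) -> bool:
    """True only if the znode carries exactly the expected entries, so a
    leftover world:anyone entry from before ACLs were enabled is flagged."""
    return actual == expected

# Constructed sample of getAcl output for the settings above (hashes computed here, not captured from a live cluster).
SAMPLE_GETACL = "\n".join([
    f"'digest,'{zk_digest_id('admin-user', 'admin-password')}",
    f": {perms_to_string(ALL)}",
    f"'digest,'{zk_digest_id('readonly-user', 'readonly-password')}",
    f": {perms_to_string(PERMS['r'])}",
])
```

Run getAcl /configs/basic in zkCli.sh with the same credentials and feed its output to parse_getacl; a world:anyone entry or a missing readonly entry makes acls_match return False.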
> ZooKeeper ACL not restricting access to zkcli
> ---------------------------------------------
>
> Key: SOLR-8792
> URL: https://issues.apache.org/jira/browse/SOLR-8792
> Project: Solr
> Issue Type: Bug
> Components: Authentication, documentation
> Affects Versions: 5.0
> Reporter: Esther Quansah
> Labels: acl, authentication, security, zkcli, zkcli.sh, zookeeper
> Attachments: SOLR-8792.patch
>
>
> The documentation presented here:
> https://cwiki.apache.org/confluence/display/solr/ZooKeeper+Access+Control
> details the process of securing Solr content in ZooKeeper using ACLs. In the
> example usages, it is mentioned that access to zkcli can be restricted by
> adding credentials to the zkcli.sh script in addition to adding the
> appropriate classnames to solr.xml. With the scripts in zkcli.sh, another
> machine should not be able to read or write from the host ZK without the
> necessary credentials. At this time, machines are able to read/write from the
> host ZK with or without these credentials.