prateeksinghalgit commented on code in PR #3750: URL: https://github.com/apache/solr/pull/3750#discussion_r3469346644
########## solr/solr-ref-guide/modules/deployment-guide/pages/backup-restore.adoc: ########## 
@@ -826,3 +826,124 @@ https://docs.aws.amazon.com/sdkref/latest/guide/settings-global.html[These optio * Retries ** RetryMode (`LEGACY`, `STANDARD`, `ADAPTIVE`) ** Max Attempts + +=== AzureBlobBackupRepository + +Stores and retrieves backup files in a Microsoft Azure Blob Storage container. + +This is provided via the `azure-blob-repository` xref:configuration-guide:solr-modules.adoc[Solr Module] that needs to be enabled before use. + +This plugin supports multiple authentication methods: connection strings, account keys, SAS tokens, and Azure Identity (Managed Identity, Service Principal, Azure CLI). +For Azure Identity, ensure the identity has the "Storage Blob Data Contributor" role on the storage account. + +[source,xml] +---- +<backup> + <repository name="azure_blob" class="org.apache.solr.azureblob.AzureBlobBackupRepository" default="false"> + <str name="azure.blob.container.name">solr-backup</str> + <str name="azure.blob.connection.string">DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=mykey;EndpointSuffix=core.windows.net</str> + </repository> +</backup> +---- + +AzureBlobBackupRepository accepts the following options for configuration: + +`azure.blob.container.name`:: ++ +[%autowidth,frame=none] +|=== +|Required |Default: none +|=== ++ +The name of the Azure Blob Storage container. The container must exist before performing backup operations. + +`azure.blob.connection.string`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +Complete Azure Storage connection string. Mutually exclusive with other authentication methods. + +`azure.blob.account.name`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +Azure Storage account name. Used with account key or SAS token authentication. + +`azure.blob.account.key`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +Azure Storage account access key. Mutually exclusive with SAS token and Azure Identity. 
+ +`azure.blob.sas.token`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +SAS token for time-limited access. Must include `srt=sco` and `sp=rwdlac` permissions. +The `&` characters must be XML-escaped as `&`. + +`azure.blob.endpoint`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +Azure Blob Storage endpoint URL (e.g., `https://myaccount.blob.core.windows.net`). +Required for Azure Identity authentication. + +`azure.blob.tenant.id`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +Azure AD tenant ID for Service Principal authentication. + +`azure.blob.client.id`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +Azure AD application (client) ID for Service Principal authentication. + +`azure.blob.client.secret`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +Azure AD application secret for Service Principal authentication. + +`location`:: ++ +[%autowidth,frame=none] +|=== +|Optional |Default: none +|=== ++ +Default path prefix within the container for backup storage. + +The target container must already exist; it is not created automatically. + +==== Known Limitation: Azure Identity and the Security Manager + +Azure Identity authentication (Managed Identity, Service Principal, and `DefaultAzureCredential`) does not work when Solr is started with the Java Security Manager enabled, which is the default (`SOLR_SECURITY_MANAGER_ENABLED=true`). +To use Azure Identity, set `SOLR_SECURITY_MANAGER_ENABLED=false` before starting Solr. +The Connection String, Account Key, and SAS Token authentication methods are unaffected and work with the Security Manager enabled. Review Comment: Looked into it, there is. The only SM denials come from the developer credentials that spawn a subprocess — Azure CLI and Azure PowerShell — e.g. access denied ("java.io.FilePermission" "/bin/sh" "execute"). 
For the Azure CLI credential specifically, I iterated to the minimal working grant and confirmed the backup then completed and the files landed in the container:

    permission java.io.FilePermission "/bin/sh", "execute";
    permission java.io.FilePermission "/dev/null", "read,write";

I've rewritten the ref-guide section accordingly: Managed Identity / Service Principal work with the default policy (no change needed); the CLI/PowerShell credentials need the grant above (paths are platform-specific) and are really only for local dev; otherwise prefer Managed Identity / Service Principal or set SOLR_SECURITY_MANAGER_ENABLED=false. I deliberately did not add this grant to the shipped security.policy, to keep the default minimal.
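Review bot: The "Known Limitation: Azure Identity and the Security Manager" subsection at the end of the hunk tells every Azure Identity user to set `SOLR_SECURITY_MANAGER_ENABLED=false`, which disables the Security Manager for the whole Solr process rather than for the one credential path that needs it; narrow the guidance to the credentials that actually trip the policy and document the minimal `java.io.FilePermission` grant for those, keeping Managed Identity and Service Principal on the default policy. Two smaller points in the same hunk: the sentence "The `&` characters must be XML-escaped as `&`" shows the same character on both sides, so the adoc source should carry `&amp;` for the escaped form (verify the rendered page keeps it); and the `<backup>` example embeds `AccountKey=mykey` directly in `solr.xml`, so it is worth noting that the value can be supplied via system property substitution (`${...}`) instead of being stored in plaintext in the config file.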
