[jira] [Commented] (SOLR-7889) Secure ZooKeeper should be easy and the default

2019-07-29 Thread Erick Erickson (JIRA)


[ 
https://issues.apache.org/jira/browse/SOLR-7889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16895190#comment-16895190
 ] 

Erick Erickson commented on SOLR-7889:
--

+1

> Secure ZooKeeper should be easy and the default
> ---
>
> Key: SOLR-7889
> URL: https://issues.apache.org/jira/browse/SOLR-7889
> Project: Solr
>  Issue Type: Improvement
>  Components: security
>Reporter: Jan Høydahl
>Priority: Critical
>  Labels: security, zookeeper
>
> ZooKeeper security is documented at 
> https://cwiki.apache.org/confluence/display/solr/ZooKeeper+Access+Control but 
> is not trivial to set up, see http://search-lucene.com/m/eHNlqr6EnMrP6O
> As we enable more and more security stuff, securing ZK should be easier to do 
> and ideally the default. This is an umbrella for such improvements.
> When all of this is in place and working, perhaps even Solr should refuse to 
> start if Auth/Autz plugins are in use and ZK communication is not properly 
> protected, e.g. require {{bin/solr start --insecure}} to override.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Commented] (SOLR-7889) Secure ZooKeeper should be easy and the default

2019-07-29 Thread JIRA


[ 
https://issues.apache.org/jira/browse/SOLR-7889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16895022#comment-16895022
 ] 

Jan Høydahl commented on SOLR-7889:
---

ZK 3.5.5 adds secureClientPort, so it should already be possible to use SSL.
However, in ZK 3.6 there will be something called *port unification* which 
allows using the same port for both normal and encrypted traffic, and the 
zkClient lib will adapt automatically just by telling it to use SSL. That will 
provide for a better end user experience when migrating a non-SSL ZK ensemble 
to an SSL one, since you can just upgrade ZK and then flip clients to SSL one at 
a time. Same will go for AdminServer.
But we should first document the current state, as it could take years for a 
new ZK version to be released :) 
