[jira] [Updated] (SOLR-8415) Provide command to switch between non/secure mode in ZK
[ https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Gregory Chanan updated SOLR-8415: - Attachment: SOLR-8415.branch_5x.patch branch 5 patch seems to be based on a previously posted patch, not what was committed. Attached a version based on the committed version. > Provide command to switch between non/secure mode in ZK > --- > > Key: SOLR-8415 > URL: https://issues.apache.org/jira/browse/SOLR-8415 > Project: Solr > Issue Type: Improvement > Components: security, SolrCloud >Reporter: Mike Drob >Assignee: Gregory Chanan > Fix For: Trunk > > Attachments: SOLR-8415.branch_5x.patch, SOLR-8415.branch_5x.patch, > SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch, > SOLR-8415.patch, SOLR-8415.patch > > > We have the ability to run both with and without zk acls, but we don't have a > great way to switch between the two modes. Most common use case, I imagine, > would be upgrading from an old version that did not support this to a new > version that does, and wanting to protect all of the existing content in ZK, > but it is conceivable that a user might want to remove ACLs as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-8415) Provide command to switch between non/secure mode in ZK
[ https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mike Drob updated SOLR-8415: Attachment: SOLR-8415.branch_5x.patch Attaching a {{--no-prefix}} patch for branch 5. > Provide command to switch between non/secure mode in ZK > --- > > Key: SOLR-8415 > URL: https://issues.apache.org/jira/browse/SOLR-8415 > Project: Solr > Issue Type: Improvement > Components: security, SolrCloud >Reporter: Mike Drob >Assignee: Gregory Chanan > Fix For: Trunk > > Attachments: SOLR-8415.branch_5x.patch, SOLR-8415.patch, > SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch, > SOLR-8415.patch > > > We have the ability to run both with and without zk acls, but we don't have a > great way to switch between the two modes. Most common use case, I imagine, > would be upgrading from an old version that did not support this to a new > version that does, and wanting to protect all of the existing content in ZK, > but it is conceivable that a user might want to remove ACLs as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-8415) Provide command to switch between non/secure mode in ZK
[ https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Gregory Chanan updated SOLR-8415: - Attachment: SOLR-8415.patch Here's a patch with some minor changes: - Changed UPDATEACL to UPDATEACLS to match the constant value - Changed the constant value from updateAcls to updateacls for consistency and the test seems to fail without it - Added retryOnConnLoss to javadoc I'll commit this assuming the tests pass. > Provide command to switch between non/secure mode in ZK > --- > > Key: SOLR-8415 > URL: https://issues.apache.org/jira/browse/SOLR-8415 > Project: Solr > Issue Type: Improvement > Components: security, SolrCloud >Reporter: Mike Drob >Assignee: Gregory Chanan > Fix For: Trunk > > Attachments: SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch, > SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch > > > We have the ability to run both with and without zk acls, but we don't have a > great way to switch between the two modes. Most common use case, I imagine, > would be upgrading from an old version that did not support this to a new > version that does, and wanting to protect all of the existing content in ZK, > but it is conceivable that a user might want to remove ACLs as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-8415) Provide command to switch between non/secure mode in ZK
[ https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mike Drob updated SOLR-8415: Attachment: SOLR-8415.patch New patch against trunk. Going secure -> insecure, probably can do against a running cluster. Going to a different secure configuration, yea, would need to update {{solr.xml}}. I think that's sufficiently covered in the other sections of the page, though. > Provide command to switch between non/secure mode in ZK > --- > > Key: SOLR-8415 > URL: https://issues.apache.org/jira/browse/SOLR-8415 > Project: Solr > Issue Type: Improvement > Components: security, SolrCloud >Reporter: Mike Drob >Assignee: Gregory Chanan > Fix For: Trunk > > Attachments: SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch > > > We have the ability to run both with and without zk acls, but we don't have a > great way to switch between the two modes. Most common use case, I imagine, > would be upgrading from an old version that did not support this to a new > version that does, and wanting to protect all of the existing content in ZK, > but it is conceivable that a user might want to remove ACLs as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-8415) Provide command to switch between non/secure mode in ZK
[ https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mike Drob updated SOLR-8415: Attachment: SOLR-8415.patch Patch with command renamed to UpdateACLs. > Provide command to switch between non/secure mode in ZK > --- > > Key: SOLR-8415 > URL: https://issues.apache.org/jira/browse/SOLR-8415 > Project: Solr > Issue Type: Improvement > Components: security, SolrCloud >Reporter: Mike Drob >Assignee: Gregory Chanan > Fix For: Trunk > > Attachments: SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch, > SOLR-8415.patch, SOLR-8415.patch > > > We have the ability to run both with and without zk acls, but we don't have a > great way to switch between the two modes. Most common use case, I imagine, > would be upgrading from an old version that did not support this to a new > version that does, and wanting to protect all of the existing content in ZK, > but it is conceivable that a user might want to remove ACLs as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-8415) Provide command to switch between non/secure mode in ZK
[ https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mike Drob updated SOLR-8415: Attachment: SOLR-8415.patch bq. Why probably? Don't you need to update solr.xml? I was thinking that you don't need to update the Credentials, but now I realize that you would need to update the ACL Provider, otherwise future content will still be locked down. bq. Maybe I'm missing something, but that all seems to be about initial setup. The steps for initial setup and migration are almost identical, aside from needing to convert existing ACLs. How about: {panel} h3. Swapping ACL Schemes Over the lifetime of operating your Solr cluster, you may decide to move from a unsecured ZK to a secured instance. Changing the configured {{zkACLProvider}} in {{solr.xml}} will ensure that newly created nodes are secure, but will not protect the already existing data. To modify all existing ACLs, you can use {{ZkCLI -cmd resetacl [path]}}. Changing ACLs in ZK should only be done while your SolrCloud cluster is stopped. Attempting to do so while Solr is running may result in inconsistent state and some nodes becoming inaccessible. To configure the new ACLs, run ZkCli with the following VM properties: {{-DzkACLProvider=... -DzkCredentialsProvider=...}}. * The Credential Provider must be one that has current admin privileges on the nodes. When omitted, the process will use no credentials (suitable for an unsecure configuration). * The ACL Provider will be used to compute the new ACLs. When omitted, the process will set all permissions to all users, removing any security present. You may use the {{VMParamsSingleSetCredentialsDigestZkCredentialsProvider}} and {{VMParamsAllAndReadonlyDigestZkACLProvider}} implementations as described earlier in the page for these properties. After changing the ZK ACLs, make sure that the contents of your {{solr.xml}} match, as described for initial set up. {panel} I made path required to line up better with clear, and to hopefully reduce accidents. Aside: There has to be a better way to share this than just pasting my proposed changes in a comment each time. Added another test for using the System Properties as well. > Provide command to switch between non/secure mode in ZK > --- > > Key: SOLR-8415 > URL: https://issues.apache.org/jira/browse/SOLR-8415 > Project: Solr > Issue Type: Improvement > Components: security, SolrCloud >Reporter: Mike Drob >Assignee: Gregory Chanan > Fix For: Trunk > > Attachments: SOLR-8415.patch, SOLR-8415.patch, SOLR-8415.patch, > SOLR-8415.patch > > > We have the ability to run both with and without zk acls, but we don't have a > great way to switch between the two modes. Most common use case, I imagine, > would be upgrading from an old version that did not support this to a new > version that does, and wanting to protect all of the existing content in ZK, > but it is conceivable that a user might want to remove ACLs as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-8415) Provide command to switch between non/secure mode in ZK
[ https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mike Drob updated SOLR-8415: Attachment: SOLR-8415.patch Attaching a new patch that includes some tests for converting both ways between secure and non secure nodes. Docs should go on the wiki somewhere. I'll write them up as soon as somebody gives me a nudge to help find a good home for them. > Provide command to switch between non/secure mode in ZK > --- > > Key: SOLR-8415 > URL: https://issues.apache.org/jira/browse/SOLR-8415 > Project: Solr > Issue Type: Improvement > Components: security, SolrCloud >Reporter: Mike Drob > Fix For: Trunk > > Attachments: SOLR-8415.patch, SOLR-8415.patch > > > We have the ability to run both with and without zk acls, but we don't have a > great way to switch between the two modes. Most common use case, I imagine, > would be upgrading from an old version that did not support this to a new > version that does, and wanting to protect all of the existing content in ZK, > but it is conceivable that a user might want to remove ACLs as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Updated] (SOLR-8415) Provide command to switch between non/secure mode in ZK
[ https://issues.apache.org/jira/browse/SOLR-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mike Drob updated SOLR-8415: Attachment: SOLR-8415.patch Adding a {{patch -p0}} against trunk. Users can specify if they are setting or removing acls by selecting the appropriate ZkAclProvider using VM props. This will need a bunch of documentation to make clear. Also, still missing tests, but I wanted to get people's feedback on it before I went too far down the rabbit hole. > Provide command to switch between non/secure mode in ZK > --- > > Key: SOLR-8415 > URL: https://issues.apache.org/jira/browse/SOLR-8415 > Project: Solr > Issue Type: Improvement > Components: security, SolrCloud >Reporter: Mike Drob > Fix For: Trunk > > Attachments: SOLR-8415.patch > > > We have the ability to run both with and without zk acls, but we don't have a > great way to switch between the two modes. Most common use case, I imagine, > would be upgrading from an old version that did not support this to a new > version that does, and wanting to protect all of the existing content in ZK, > but it is conceivable that a user might want to remove ACLs as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org