prateeksinghalgit commented on code in PR #3750:
URL: https://github.com/apache/solr/pull/3750#discussion_r3469346644


##########
solr/solr-ref-guide/modules/deployment-guide/pages/backup-restore.adoc:
##########
@@ -826,3 +826,124 @@ 
https://docs.aws.amazon.com/sdkref/latest/guide/settings-global.html[These optio
 * Retries
 ** RetryMode (`LEGACY`, `STANDARD`, `ADAPTIVE`)
 ** Max Attempts
+
+=== AzureBlobBackupRepository
+
+Stores and retrieves backup files in a Microsoft Azure Blob Storage container.
+
+This is provided via the `azure-blob-repository` 
xref:configuration-guide:solr-modules.adoc[Solr Module] that needs to be 
enabled before use.
+
+This plugin supports multiple authentication methods: connection strings, 
account keys, SAS tokens, and Azure Identity (Managed Identity, Service 
Principal, Azure CLI).
+For Azure Identity, ensure the identity has the "Storage Blob Data 
Contributor" role on the storage account.
+
+[source,xml]
+----
+<backup>
+  <repository name="azure_blob" 
class="org.apache.solr.azureblob.AzureBlobBackupRepository" default="false">
+    <str name="azure.blob.container.name">solr-backup</str>
+    <str 
name="azure.blob.connection.string">DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=mykey;EndpointSuffix=core.windows.net</str>
+  </repository>
+</backup>
+----
+
+AzureBlobBackupRepository accepts the following options for configuration:
+
+`azure.blob.container.name`::
++
+[%autowidth,frame=none]
+|===
+|Required |Default: none
+|===
++
+The name of the Azure Blob Storage container. The container must exist before 
performing backup operations.
+
+`azure.blob.connection.string`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+Complete Azure Storage connection string. Mutually exclusive with other 
authentication methods.
+
+`azure.blob.account.name`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+Azure Storage account name. Used with account key or SAS token authentication.
+
+`azure.blob.account.key`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+Azure Storage account access key. Mutually exclusive with SAS token and Azure 
Identity.
+
+`azure.blob.sas.token`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+SAS token for time-limited access. Must include `srt=sco` and `sp=rwdlac` 
permissions.
+The `&` characters must be XML-escaped as `&amp;`.
+
+`azure.blob.endpoint`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+Azure Blob Storage endpoint URL (e.g., 
`https://myaccount.blob.core.windows.net`).
+Required for Azure Identity authentication.
+
+`azure.blob.tenant.id`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+Azure AD tenant ID for Service Principal authentication.
+
+`azure.blob.client.id`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+Azure AD application (client) ID for Service Principal authentication.
+
+`azure.blob.client.secret`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+Azure AD application secret for Service Principal authentication.
+
+`location`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: none
+|===
++
+Default path prefix within the container for backup storage.
+
+The target container must already exist; it is not created automatically.
+
+==== Known Limitation: Azure Identity and the Security Manager
+
+Azure Identity authentication (Managed Identity, Service Principal, and 
`DefaultAzureCredential`) does not work when Solr is started with the Java 
Security Manager enabled, which is the default 
(`SOLR_SECURITY_MANAGER_ENABLED=true`).
+To use Azure Identity, set `SOLR_SECURITY_MANAGER_ENABLED=false` before 
starting Solr.
+The Connection String, Account Key, and SAS Token authentication methods are 
unaffected and work with the Security Manager enabled.
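Review bot: the sample `<repository>` config in this hunk embeds a full account key as a literal in the XML (`AccountKey=mykey` inside `azure.blob.connection.string`); the example should show the secret supplied via property substitution instead, e.g. `<str name="azure.blob.connection.string">${azure.blob.connection.string}</str>`, with a sentence recommending that over literal secrets in the config file. Secondly, the "Known Limitation" paragraph states that Azure Identity as a whole does not work with the Security Manager enabled, which is broader than the denials actually reported in the reply below: it should distinguish Managed Identity / Service Principal (work under the default policy) from the Azure CLI / PowerShell credentials that spawn a subprocess, and present the minimal `java.io.FilePermission` grant as an alternative to setting `SOLR_SECURITY_MANAGER_ENABLED=false` outright.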

Review Comment:
Looked into it, there is.
The only SM denials come from the developer credentials that spawn a subprocess — Azure CLI and Azure PowerShell — e.g. access denied ("java.io.FilePermission" "/bin/sh" "execute").

For the Azure CLI credential specifically, I iterated to the minimal working grant and confirmed the backup then completed and the files landed in the container:

    permission java.io.FilePermission "/bin/sh", "execute";
    permission java.io.FilePermission "/dev/null", "read,write";

I've rewritten the ref-guide section accordingly: Managed Identity / Service Principal work with the default policy (no change needed); the CLI/PowerShell credentials need the grant above (paths are platform-specific) and are really only for local dev; otherwise prefer Managed Identity / Service Principal or set SOLR_SECURITY_MANAGER_ENABLED=false.

I deliberately did not add this grant to the shipped security.policy, to keep the default minimal.
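To confirm that a candidate policy actually grants the two `FilePermission` entries named in the comment above before falling back to `SOLR_SECURITY_MANAGER_ENABLED=false`, here is an added example (not from the PR or the Solr project) that evaluates them against whatever policy the JVM was started with. It assumes a plain `java -Djava.security.manager -Djava.security.policy=<your policy file> PolicyGrantCheck` invocation; the class name `PolicyGrantCheck` is hypothetical.

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.util.List;

/** Hypothetical helper: reports whether the active Security Manager policy grants each permission. */
public class PolicyGrantCheck {

    // The minimal grant for the Azure CLI credential, as listed in the comment above.
    // Paths are platform-specific; adjust for Windows or a non-standard shell location.
    static final List<Permission> REQUIRED = List.of(
            new FilePermission("/bin/sh", "execute"),
            new FilePermission("/dev/null", "read,write"));

    /** True when the permission is granted to this class's protection domain under the current policy. */
    static boolean isGranted(Permission p) {
        if (System.getSecurityManager() == null) {
            return true; // no Security Manager installed: nothing is restricted
        }
        try {
            AccessController.checkPermission(p); // throws when the policy denies it
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        boolean allGranted = true;
        for (Permission p : REQUIRED) {
            boolean ok = isGranted(p);
            allGranted &= ok;
            System.out.printf("%-55s %s%n", p, ok ? "granted" : "DENIED");
        }
        // Non-zero exit makes the check usable from a shell script or CI job.
        System.exit(allGranted ? 0 : 1);
    }
}
```

The check runs in this class's own protection domain, so a policy that grants these permissions only to a specific `codeBase` will report them as denied here even though the Solr jars would receive them.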


