Hi,

You probably want to enable SSL for Solr if you use BasicAuth. For ZK, ACL protection could be the first step, as described in https://solr.apache.org/guide/solr/latest/deployment-guide/zookeeper-access-control.html

Protecting ZK connection with SSL is probably also smart, but it is unfortunately not well documented in ref.guide, so you have to find documentation elsewhere.

Jan

> On 26 Jan 2024 at 17:17, Flowerday, Matthew J <[email protected]> wrote:
>
> Hi There
>
> I have been tasked with setting up Basic Authentication on our SolrCloud database running ZooKeeper 3.8 and Solr 9.1.1. I have got it working I think but there are a few things I would like to check.
>
> I set up a security.json file and placed it in the server/solr folder in a single server solr system, restarted solr and used the Admin Tool to set up a new user (XXXXXX) and password and disabled the default solr user. The modified security.json file I then copied into the solrCloud server/solr folder.
>
> In the solrCloud solr.in.cmd file I set up these variables
>
> set SOLR_AUTH_TYPE=basic
> set SOLR_AUTHENTICATION_OPTS=-Dbasicauth=XXXXXX:yyyyyyyyyyy
>
> where XXXXXX is the username and yyyyyyyyyyy is the password.
>
> In the ZooKeeper zkServer.cmd I added an extra parameter
>
> call %JAVA% "-Dzookeeper.log.dir=%ZOO_LOG_DIR%" "-Dzookeeper.log.file=%ZOO_LOG_FILE%" "-Dzookeeper.DigestAuthenticationProvider.superDigest=XXXXXX:mAeU2NK3etoPziu6TdqmLmGjmSN56YUq5hAZhpsPk48= O7L5Ofmg8IaXaFbn237ENlKFcC9+NWgCcphYdVJu3es=" "-XX:+HeapDumpOnOutOfMemoryError" "-XX:OnOutOfMemoryError=cmd /c taskkill /pid %%%%p /t /f" -cp "%CLASSPATH%" %ZOOMAIN% "%ZOOCFG%" %*
>
> where XXXXXX is the username.
>
> I then deployed the security.json across the ZooKeepers using the command
>
> solr zk cp file:<Pathname>\security.json zk:/security.json -z localhost:<port id>
>
> I then stopped solrCloud processes and all the ZooKeepers and then restarted all the ZooKeepers and SolrCloud processes. The Admin Tool then needed the username and password to log on.
>
> I changed the wildfly standalone.conf.bat file of our application to have this additional java option
>
> REM set up Solr Basic Authentication
> set JAVA_OPTS=%JAVA_OPTS% -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory -Dbasicauth=XXXXXX:yyyyyyyyyyy
>
> and bounced wildfly. I then logged on to the application and could carry out solr searches ok and updates. So, all looks good.
>
> My concern is have I properly configured ZooKeeper for basic authentication. In the solr.in.cmd file there is this set up
>
> REM Settings for ZK ACL
> REM set SOLR_ZK_CREDS_AND_ACLS=-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider ^
> REM  -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider ^
> REM  -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector ^
> REM  -DzkDigestUsername=admin-user -DzkDigestPassword=CHANGEME-ADMIN-PASSWORD ^
> REM  -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=CHANGEME-READONLY-PASSWORD
> REM set SOLR_OPTS=%SOLR_OPTS% %SOLR_ZK_CREDS_AND_ACLS%
>
> Which I have not altered. Should I have set up 'admin-user' and 'readonly-user' and given a password for each to have properly configured ZooKeeper or is what I have done (which seems to work ok) fine and solr/ZooKeeper are using the solr user details I set up correctly.
>
> Many Thanks
>
> Matthew
>
> Matthew Flowerday | Consultant | IMS – Information Management System
> Unisys | [email protected]
> ENIGMA, Wavendon Business Park, Milton Keynes, MK17 8LX
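ZooKeeper's superDigest property and the per-user credentials in Solr's security.json use different hash formats, so a value valid for one is not valid for the other. The following check is an added example, not code from this thread or from the Solr or ZooKeeper projects; it assumes ZooKeeper's default SHA-1 digest, and the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def zk_super_digest(user: str, password: str) -> str:
    """ZooKeeper's default digest form: user:base64(SHA-1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"

def solr_credential(password: str, salt: bytes) -> str:
    """Solr BasicAuth form in security.json:
    'base64(SHA-256(SHA-256(salt + password))) base64(salt)'."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return (base64.b64encode(outer).decode("ascii") + " "
            + base64.b64encode(salt).decode("ascii"))

def check_super_digest(value: str, user: str, password: str) -> str:
    """Return 'ok' if value is a usable superDigest for user/password,
    otherwise a short reason string."""
    name, sep, digest = value.partition(":")
    if not sep or name != user:
        return "wrong-user-prefix"
    if any(c.isspace() for c in digest):
        # Two space-separated tokens is the shape of a Solr 'hash salt' pair.
        return "contains-whitespace"
    try:
        raw = base64.b64decode(digest, validate=True)
    except ValueError:
        return "not-base64"
    if len(raw) != hashlib.sha1().digest_size:
        # Assumption: default SHA-1 digest; other lengths are rejected here.
        return "not-sha1-length"
    expected = zk_super_digest(user, password)
    if not hmac.compare_digest(value.encode(), expected.encode()):
        return "password-mismatch"
    return "ok"

# Constructed sample values, not taken from the thread.
SAMPLE_USER = "zk-super"
SAMPLE_PASSWORD = "constructed-password"
SAMPLE_SALT = bytes(range(32))

if __name__ == "__main__":
    good = zk_super_digest(SAMPLE_USER, SAMPLE_PASSWORD)
    pasted = f"{SAMPLE_USER}:{solr_credential(SAMPLE_PASSWORD, SAMPLE_SALT)}"
    for label, value in (("zk digest", good), ("solr credential", pasted)):
        print(label, "->", check_super_digest(value, SAMPLE_USER, SAMPLE_PASSWORD))
```
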
