Hi Jan,

Thanks for getting back to me. I had a good read of the link you sent me and made these changes on each solrCloud server:

solr.in.cmd – set up:

set SOLR_ZK_CREDS_AND_ACLS=-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider ^
  -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider ^
  -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector ^
  -DzkDigestUsername=aaaaaaaa -DzkDigestPassword=bbbbbbb ^
  -DzkDigestReadonlyUsername=ccccccccccccc -DzkDigestReadonlyPassword=ddddddd
set SOLR_OPTS=%SOLR_OPTS% %SOLR_ZK_CREDS_AND_ACLS%

zkcli.bat – set up:

set SOLR_ZK_CREDS_AND_ACLS=-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider ^
  -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider ^
  -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector ^
  -DzkDigestUsername=aaaaaaaa -DzkDigestPassword=bbbbbbb ^
  -DzkDigestReadonlyUsername=ccccccccccccc -DzkDigestReadonlyPassword=ddddddd

And stopped solr on each solrCloud server and then restarted them. The application (using solrj) could still carry out queries and update records etc. So all still good thanks.

My question is – how does ZooKeeper know about DigestUsername and DigestReadonlyUsername as I have not made any ZooKeeper changes. Currently ZooKeeper is starting up with the parameter

"-Dzookeeper.DigestAuthenticationProvider.superDigest=eeeeeeeeee:fffffffffffffffff"

Could it still be using user eeeeeeeeee and I need to somehow pass the DigestUsername and DigestReadonlyUsername details etc instead? The documentation you referenced focussed on just the Solr set up I think.

Many Thanks

Matthew

Matthew Flowerday | Consultant | IMS – Information Management System
Unisys | [email protected]
ENIGMA, Wavendon Business Park, Milton Keynes, MK17 8LX

From: Jan Høydahl <[email protected]>
Sent: Saturday, January 27, 2024 12:15 AM
To: [email protected]
Subject: Re: Setting up Basic Authentication on Solr Cloud

Hi,

You probably want to enable SSL for Solr if you use BasicAuth.
For ZK, ACL protection could be the first step, as described in https://solr.apache.org/guide/solr/latest/deployment-guide/zookeeper-access-control.html

Protecting ZK connection with SSL is probably also smart, but it is unfortunately not well documented in ref.guide, so you have to find documentation elsewhere.

Jan

> On 26 Jan 2024, at 17:17, Flowerday, Matthew J <[email protected]> wrote:
>
> Hi There
>
> I have been tasked with setting up Basic Authentication on our SolrCloud
> database running ZooKeeper 3.8 and Solr 9.1.1. I have got it working I think
> but there are a few things I would like to check.
>
> I set up a security.json file and placed it in the server/solr folder in a
> single server solr system, restarted solr and used the Admin Tool to set up a
> new user (XXXXXX) and password and disabled the default solr user. The
> modified security.json file I then copied in to the solrCloud server/solr
> folder.
>
> In the solrCloud solr.in.cmd file I set up these variables
>
> set SOLR_AUTH_TYPE=basic
> set SOLR_AUTHENTICATION_OPTS=-Dbasicauth=XXXXXX:yyyyyyyyyyy
>
> where XXXXXX is the username and yyyyyyyyyyy is the password.
>
> In the ZooKeeper zkServer.cmd I added an extra parameter
>
> call %JAVA% "-Dzookeeper.log.dir=%ZOO_LOG_DIR%" "-Dzookeeper.log.file=%ZOO_LOG_FILE%" "-Dzookeeper.DigestAuthenticationProvider.superDigest=XXXXXX:mAeU2NK3etoPziu6TdqmLmGjmSN56YUq5hAZhpsPk48= O7L5Ofmg8IaXaFbn237ENlKFcC9+NWgCcphYdVJu3es=" "-XX:+HeapDumpOnOutOfMemoryError" "-XX:OnOutOfMemoryError=cmd /c taskkill /pid %%%%p /t /f" -cp "%CLASSPATH%" %ZOOMAIN% "%ZOOCFG%" %*
>
> where XXXXXX is the username.
>
> I then deployed the security.json across the ZooKeepers using the command
>
> solr zk cp file:<Pathname>\security.json zk:/security.json -z localhost:<port id>
>
> I then stopped solrCloud processes and all the ZooKeepers and then restarted
> all the ZooKeepers and SolrCloud processes. The Admin Tool then needed the
> username and password to log on.
>
> I changed the wildfly standalone.conf.bat file of our application to have
> this additional java option
>
> REM set up Solr Basic Authentication
> set JAVA_OPTS=%JAVA_OPTS% -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory -Dbasicauth=XXXXXX:yyyyyyyyyyy
>
> and bounced wildfly. I then logged on to the application and could carry out
> solr searches ok and updates. So, all looks good.
>
> My concern is have I properly configured ZooKeeper for basic authentication.
> In the solr.in.cmd file there is this set up
>
> REM Settings for ZK ACL
> REM set SOLR_ZK_CREDS_AND_ACLS=-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider ^
> REM  -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider ^
> REM  -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector ^
> REM  -DzkDigestUsername=admin-user -DzkDigestPassword=CHANGEME-ADMIN-PASSWORD ^
> REM  -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=CHANGEME-READONLY-PASSWORD
> REM set SOLR_OPTS=%SOLR_OPTS% %SOLR_ZK_CREDS_AND_ACLS%
>
> Which I have not altered. Should I have set up ‘admin-user’ and
> ‘readonly-user’ and given a password for each to have properly configured
> ZooKeeper or is what I have done (which seems to work ok) fine and
> solr/ZooKeeper are using the solr user details I set up correctly.
>
> Many Thanks
>
> Matthew
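
Added example, not part of the original messages and not Solr or ZooKeeper code: a Python model of ZooKeeper's digest ACL scheme, showing why the zkDigest* users need no server-side registration. The ACL stored on each znode carries user:base64(SHA-1(user:password)) and the server compares it with what the session sent. Function names, the simplified check and all credentials below are assumptions constructed for illustration.

```python
import base64
import hashlib

# ZooDefs.Perms bit masks
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

def zk_digest_id(user, password):
    """Id the digest scheme stores in an ACL: user:base64(SHA1("user:password"))."""
    sha1 = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"

def looks_like_zk_digest(value):
    """Shape check for a superDigest value: user:base64 of exactly 20 bytes."""
    user, sep, b64 = value.partition(":")
    if not (user and sep):
        return False
    try:
        return len(base64.b64decode(b64, validate=True)) == 20
    except ValueError:  # not valid base64 (includes embedded spaces)
        return False

def solr_znode_acl(admin, admin_pw, readonly, readonly_pw):
    """Model of the ACL a digest ACL provider attaches to znodes it creates."""
    return [("digest", zk_digest_id(admin, admin_pw), ALL),
            ("digest", zk_digest_id(readonly, readonly_pw), READ)]

def is_allowed(acl, session_auth, perm, super_digest=None):
    """Simplified server-side check. session_auth holds the (user, password)
    pairs the client sent with addAuthInfo("digest", "user:password")."""
    ids = {zk_digest_id(u, p) for u, p in session_auth}
    if super_digest in ids:  # the superDigest identity bypasses ACLs
        return True
    for scheme, ident, perms in acl:
        if scheme == "world" and ident == "anyone" and perms & perm:
            return True
        if scheme == "digest" and ident in ids and perms & perm:
            return True
    return False

# Constructed sample credentials, not values from the thread.
ACL = solr_znode_acl("zk-admin", "admin-pw", "zk-read", "read-pw")
OPEN_ACL = [("world", "anyone", ALL)]  # znode created before ACLs were enabled
```

Znodes that existed before the ACL provider was enabled keep their old ACL (modelled here by OPEN_ACL), which is why the Solr ZooKeeper access control guide linked in the thread pairs this setting with the zkcli updateacls command.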
