Hi Jan
I have been doing some more research on ZooKeeper authentication. It looks like
anyone can connect to ZooKeeper and, if there are no ACLs set up, they can do
anything. The key is to lock ZooKeeper down and use a digest super user to
carry out any updates etc.
My plan is to lock down nodes using setAcl via the ZooKeeper client to help with
the security of ZooKeeper. Solr seems fine set up as per the notes you recommended
earlier.
If I am reading it correctly, users can connect to ZooKeeper via zkCli.cmd using
zkCli.cmd -server localhost:2185
and then, if access has been restricted (via the setAcl command), they can
overcome this using
addauth digest xxxxxx:password
as long as the ZooKeepers have been set up passing
-Dzookeeper.DigestAuthenticationProvider.superDigest= xxxxxx:EncryptedPassword
I am using Windows and I successfully locked down a node using the command
setAcl /solr.xml world:anyone:r
and running
getAcl /solr.xml
returned
'world,'anyone
: r
I then ran
setAcl /solr.xml world:anyone:rcdrwa
and correctly got
Insufficient permission : /solr.xml
So I then ran
addauth digest xxxxxx:password
and when I ran the setAcl command again I still got
Insufficient permission : /solr.xml
The only way I could correct it was to add
-Dzookeeper.skipACL=yes
to all the ZooKeepers and restart them, connect using zkCli.cmd, and then
the setAcl command worked. (This approach appears not to be recommended and
would be a faff if there are a large number of ZooKeepers.)
Is there something I have missed in the ZooKeeper set-up to get superDigest
functionality working in Windows? Most of the examples I saw on Google were
Linux based, so it could be a Windows 'thing'.
Many Thanks
Matthew
Matthew Flowerday | Consultant | IMS – Information Management System
Unisys | [email protected]
ENIGMA, Wavendon Business Park, Milton Keynes, MK17 8LX
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is for use only by the intended recipient. If you received this in
error, please contact the sender and delete the e-mail and its attachments from
all devices.
From: Flowerday, Matthew J
Sent: Monday, January 29, 2024 12:14 PM
To: [email protected]
Subject: RE: Setting up Basic Authentication on Solr Cloud
Hi Jan
Thanks for getting back to me. I had a good read of the link you sent me and
made these changes on each solrCloud server
solr.in.cmd – set up:
set SOLR_ZK_CREDS_AND_ACLS=-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider ^
  -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider ^
  -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector ^
  -DzkDigestUsername=aaaaaaaa -DzkDigestPassword=bbbbbbb ^
  -DzkDigestReadonlyUsername=ccccccccccccc -DzkDigestReadonlyPassword=ddddddd
set SOLR_OPTS=%SOLR_OPTS% %SOLR_ZK_CREDS_AND_ACLS%
zkcli.bat – set up:
set SOLR_ZK_CREDS_AND_ACLS=-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider ^
  -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider ^
  -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector ^
  -DzkDigestUsername=aaaaaaaa -DzkDigestPassword=bbbbbbb ^
  -DzkDigestReadonlyUsername=ccccccccccccc -DzkDigestReadonlyPassword=ddddddd
I then stopped Solr on each SolrCloud server and restarted them. The
application (using SolrJ) could still carry out queries and update records etc.
So all still good, thanks.
My question is: how does ZooKeeper know about DigestUsername and
DigestReadonlyUsername, as I have not made any ZooKeeper changes?
Currently ZooKeeper is starting up with the parameter
"-Dzookeeper.DigestAuthenticationProvider.superDigest=eeeeeeeeee:fffffffffffffffff"
Could it still be using user eeeeeeeeee, and do I need to somehow pass the
DigestUsername and DigestReadonlyUsername details etc. instead? The
documentation you referenced focused on just the Solr set-up, I think.
Many Thanks
Matthew
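The following is an added example, not code from this thread or from the Solr or ZooKeeper projects. It covers both the superDigest/addauth problem in the top message and the zkDigestUsername question in this one. ZooKeeper's digest scheme needs no user database on the server: a digest ACL entry stores user:base64(SHA-1("user:password")) inside the znode's ACL, the superDigest property holds a value of the same form, and the server hashes whatever the client supplied with `addauth digest user:password` and compares it with those stored values. The script reproduces that hashing so the value in zkServer.cmd can be checked locally against the password used with addauth, and it builds ACL entries of the shape Solr's DigestZkACLProvider puts on its znodes (full rights for the admin credential, read-only for the read-only one). It assumes ZooKeeper's default SHA-1 digest algorithm (the zookeeper.DigestAuthenticationProvider.digestAlg property left unset); the credentials super:secret, admin-user:pw1 and readonly-user:pw2 are made-up sample values.

```python
import base64
import hashlib

# Added example, not code from the mailing-list thread or from Solr/ZooKeeper.
# Reproduces ZooKeeper's DigestAuthenticationProvider.generateDigest(): the id
# stored in digest ACLs (and given to superDigest) is user:base64(SHA-1(user:password)).
# Assumption: the default SHA-1 algorithm. If zookeeper.DigestAuthenticationProvider.digestAlg
# has been changed on the servers, pass that algorithm name instead.


def generate_digest(id_password: str, algorithm: str = "sha1") -> str:
    """'user:password' -> 'user:<base64 digest>'. Only the first ':' separates
    user from password, so a password may itself contain ':'."""
    user, sep, password = id_password.partition(":")
    if not sep or not user or not password:
        raise ValueError("credential must be of the form user:password")
    digest = hashlib.new(algorithm, id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(digest).decode('ascii')}"


def super_digest_flag(id_password: str) -> str:
    """The exact JVM argument for the ZooKeeper server command line. Compare it
    character by character with what zkServer.cmd passes: any whitespace around
    '=' or inside the value changes what the server compares against."""
    return "-Dzookeeper.DigestAuthenticationProvider.superDigest=" + generate_digest(id_password)


def credential_matches(id_password: str, stored_digest: str, algorithm: str = "sha1") -> bool:
    """The server-side check: hash the credential a client sent with
    'addauth digest user:password' and compare it with the configured
    superDigest (or with the id in a digest ACL entry)."""
    return generate_digest(id_password, algorithm) == stored_digest


def digest_acl(id_password: str, perms: str) -> str:
    """One ACL entry in zkCli's setAcl syntax: digest:<user>:<digest>:<perms>."""
    return f"digest:{generate_digest(id_password)}:{perms}"


def solr_style_acls(admin_cred: str, readonly_cred: str) -> list[str]:
    """ACL entries with the shape Solr's DigestZkACLProvider applies: all
    permissions (cdrwa) for the zkDigestUsername credential and read-only (r)
    for the zkDigestReadonlyUsername credential. No world:anyone entry, so an
    unauthenticated client gets nothing."""
    return [digest_acl(admin_cred, "cdrwa"), digest_acl(readonly_cred, "r")]


if __name__ == "__main__":
    # Constructed sample credentials; replace with your own.
    stored = generate_digest("super:secret")
    print(super_digest_flag("super:secret"))
    print("addauth digest super:secret ->", credential_matches("super:secret", stored))
    print("addauth digest super:wrong  ->", credential_matches("super:wrong", stored))
    # zkCli takes a comma-separated ACL list in one setAcl command.
    print("setAcl /solr.xml", ",".join(solr_style_acls("admin-user:pw1", "readonly-user:pw2")))
```

Run it with the exact user:password you intend to pass to addauth and compare the printed flag with the one in zkServer.cmd. The super user exists only as that server property; it is never an ACL on a znode, so getAcl will not show it. When locking down a node by hand, make sure the final ACL list contains no remaining world:anyone entry with write or admin bits, otherwise the digest entries add nothing.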
From: Jan Høydahl <[email protected]>
Sent: Saturday, January 27, 2024 12:15 AM
To: [email protected]
Subject: Re: Setting up Basic Authentication on Solr Cloud
Hi,
You probably want to enable SSL for Solr if you use BasicAuth.
For ZK, ACL protection could be the first step, as described in
https://solr.apache.org/guide/solr/latest/deployment-guide/zookeeper-access-control.html
Protecting ZK connection with SSL is probably also smart, but it is
unfortunately not well documented in ref.guide, so you have to find
documentation elsewhere.
Jan
> On 26 Jan 2024, at 17:17, Flowerday, Matthew J <[email protected]> wrote:
>
> Hi There
>
> I have been tasked with setting up Basic Authentication on our SolrCloud
> database running ZooKeeper 3.8 and Solr 9.1.1. I have got it working I think
> but there are a few things I would like to check.
>
> I set up a security.json file and placed it in the server/solr folder in a
> single-server Solr system, restarted Solr and used the Admin Tool to set up a
> new user (XXXXXX) and password and disabled the default solr user. The
> modified security.json file I then copied in to the SolrCloud server/solr
> folder.
>
> In the solrCloud solr.in.cmd file I set up these variables
>
> set SOLR_AUTH_TYPE=basic
> set SOLR_AUTHENTICATION_OPTS=-Dbasicauth=XXXXXX:yyyyyyyyyyy
>
> where XXXXXX is the username and yyyyyyyyyyy is the password.
>
> In the ZooKeeper zkServer.cmd I added an extra parameter
>
> call %JAVA% "-Dzookeeper.log.dir=%ZOO_LOG_DIR%"
> "-Dzookeeper.log.file=%ZOO_LOG_FILE%"
> "-Dzookeeper.DigestAuthenticationProvider.superDigest=XXXXXX:mAeU2NK3etoPziu6TdqmLmGjmSN56YUq5hAZhpsPk48=
> O7L5Ofmg8IaXaFbn237ENlKFcC9+NWgCcphYdVJu3es="
> "-XX:+HeapDumpOnOutOfMemoryError" "-XX:OnOutOfMemoryError=cmd /c taskkill
> /pid %%%%p /t /f" -cp "%CLASSPATH%" %ZOOMAIN% "%ZOOCFG%" %*
>
> where XXXXXX is the username.
>
> I then deployed the security.json across the ZooKeepers using the command
>
> solr zk cp file:<Pathname>\security.json zk:/security.json -z localhost:<port id>
>
> I then stopped solrCloud processes and all the ZooKeepers and then restarted
> all the ZooKeepers and SolrCloud processes. The Admin Tool then needed the
> username and password to log on.
>
> I changed the wildfly standalone.conf.bat file of our application to have
> this additional java option
>
> REM set up Solr Basic Authentication
> set JAVA_OPTS=%JAVA_OPTS% -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory -Dbasicauth=XXXXXX: yyyyyyyyyyy
>
> and bounced wildfly. I then logged on to the application and could carry out
> solr searches ok and updates. So, all looks good.
>
> My concern is whether I have properly configured ZooKeeper for basic authentication.
> In the solr.in.cmd file there is this set-up
>
> REM Settings for ZK ACL
> REM set SOLR_ZK_CREDS_AND_ACLS=-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider ^
> REM   -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider ^
> REM   -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector ^
> REM   -DzkDigestUsername=admin-user -DzkDigestPassword=CHANGEME-ADMIN-PASSWORD ^
> REM   -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=CHANGEME-READONLY-PASSWORD
> REM set SOLR_OPTS=%SOLR_OPTS% %SOLR_ZK_CREDS_AND_ACLS%
>
> Which I have not altered. Should I have set up 'admin-user' and
> 'readonly-user' and given passwords for each to have properly configured
> ZooKeeper, or is what I have done (which seems to work OK) fine, and are
> Solr/ZooKeeper using the solr user details I set up correctly?
>
> Many Thanks
>
> Matthew
>