Hey Dima, You're not missing anything — there is no REST/HTTP API endpoint for uploading security.json to ZooKeeper. It's a known gap in Solr 9's "everything is API" story.
Your options are the two CLI approaches you already found: bin/solr zk cp file:security.json zk:/security.json -z localhost:9983 bin/solr auth enable — which bootstraps a default BasicAuth security.json for you. The reason there's no dedicated API is a chicken-and-egg problem: security.json is the file that configures authentication itself, so Solr needs it in ZK before the auth endpoints are meaningful. Once it's loaded, you can modify it via the Authentication and Authorization APIs (POST to /api/cluster/security/authentication for adding users, /api/cluster/security/authorization for permissions), but the initial bootstrap has to go through the CLI or direct ZK manipulation. As for the broader frustration about Solr 9 standalone mode and the embedded ZK — you're right that the docs are inconsistent. The old pattern of dropping files into server/solr/ no longer works for many things including security.json and configsets. The embedded ZooKeeper runs on port 9983 by default, and -z localhost:9983 is the key to making bin/solr zk commands work against it, but it's barely mentioned in the docs. Worth filing a docs JIRA if one doesn't already exist — the disconnect between the "everything through embedded ZK" reality and the filesystem-based instructions scattered through the docs catches a lot of people. Ciprian. Opensolr.com Your Path to AI Search <https://opensolr.com/> [email protected] https://opensolr.com <https://opensolr.com/> VAT: RO-35410526 > On 12 Feb 2026, at 00:56, Dmitri Maziuk <[email protected]> wrote: > > Hi all, > > when setting up a standalone solr 9 node, none of the filesystem-based > instructions in TFM work anymore. E.g. copying security.json to server/solr > does noting. Same goes for configsets etc.: that's still in the docs all over > the place, whereas `-z localhost:9983` is mentioned once someplace that > wouldn't be obvious to a new user. > > But my main question is, now that "everything is API", is there an API call > for uploading security.json to zookeeper? > > All I'm able to find is 2 CLI options: to upload security.json or enable auth > with the default one. Configset API requires "name" parameter and > security.json does not go into a "name"d configset. > > Am I missing something or does API call simply not exist? > > TIA, > Dima >
smime.p7s
Description: S/MIME cryptographic signature
