Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2019/07/29 07:35:00 UTC

[jira] [Commented] (SOLR-7889) Secure ZooKeeper should be easy and the default

    [ https://issues.apache.org/jira/browse/SOLR-7889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16895022#comment-16895022 ] 

Jan Høydahl commented on SOLR-7889:
-----------------------------------

ZK 3.5.5 adds secureClientPort, so it should already be possible to use SSL.
However, in ZK 3.6 there will be something called *port unification* which allows using the same port for both normal and encrypted traffic, and the zkClient lib will adapt automatically just by telling it to use SSL. That will provide for a better end user experience when migrating a non-SSL ZK ensemble to an SSL one, since you can just upgrade zk and then flip clients to SSL one at a time. Same will go for AdminServer.
But we should first document the current state, as it could take years for a new ZK version to be released :)

> Secure ZooKeeper should be easy and the default
> -----------------------------------------------
>
>                 Key: SOLR-7889
>                 URL: https://issues.apache.org/jira/browse/SOLR-7889
>             Project: Solr
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jan Høydahl
>            Priority: Critical
>              Labels: security, zookeeper
>
> ZooKeeper security is documented at https://cwiki.apache.org/confluence/display/solr/ZooKeeper+Access+Control but is not trivial to set up, see http://search-lucene.com/m/eHNlqr6EnMrP6O
> As we enable more and more security stuff, securing ZK should be easier to do and ideally the default. This is an umbrella for such improvements.
> When all of this is in place and working, perhaps even Solr should refuse to start if Auth/Autz plugins are in use and ZK communication is not properly protected, e.g. require {{bin/solr start --insecure}} to override.
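
As an added example (not part of the original message, and not Solr or ZooKeeper code), the following Python check classifies a `zoo.cfg` by the client transport state the comment describes: plaintext only, both ports open during a migration, or TLS only. It assumes the TLS settings live in `zoo.cfg` rather than in JVM flags; the function names and the sample configuration are constructed for illustration.

```python
NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"

# Constructed sample: an ensemble member mid-migration, both ports open.
SAMPLE_MIXED = """\
clientPort=2181
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/path/to/keystore.jks
"""

def parse_cfg(text):
    """Parse properties-style zoo.cfg text into a dict (last value wins)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit_zoo_cfg(text):
    """Return (state, findings); state is 'plaintext', 'mixed' or 'tls-only'."""
    cfg = parse_cfg(text)
    findings = []
    plain = cfg.get("clientPort")
    secure = cfg.get("secureClientPort")
    if secure:
        # The TLS client port is served by the Netty connection factory.
        if cfg.get("serverCnxnFactory") != NETTY_FACTORY:
            findings.append("secureClientPort needs serverCnxnFactory=" + NETTY_FACTORY)
        if "ssl.keyStore.location" not in cfg:
            findings.append("missing ssl.keyStore.location")
    if plain and secure:
        state = "mixed"
        findings.append("clientPort %s still accepts unencrypted clients" % plain)
    elif secure:
        state = "tls-only"
    else:
        state = "plaintext"
        findings.append("no secureClientPort: all client traffic is unencrypted")
    return state, findings

if __name__ == "__main__":
    state, findings = audit_zoo_cfg(SAMPLE_MIXED)
    print(state)
    for finding in findings:
        print(" -", finding)
```

A `mixed` result is expected while clients are being moved over one at a time; the remaining finding is the reminder to drop `clientPort` once the last client uses SSL.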


