Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2016/04/14 16:29:25 UTC

[jira] [Comment Edited] (SOLR-8792) ZooKeeper ACL not restricting access to zkcli

    [ https://issues.apache.org/jira/browse/SOLR-8792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241254#comment-15241254 ] 

Ishan Chattopadhyaya edited comment on SOLR-8792 at 4/14/16 2:28 PM:
---------------------------------------------------------------------

Finally managed to have it work for me. Attached the patch for a fix to bin/solr script.

Here are the steps that need to be taken to enable ZK ACLs (assuming the attached patch is committed or applied).

# Start a fresh ZK instance (let's assume the hostname is zk1).
# Add the following to the {{./server/solr/solr.xml}} file's {{SolrCloud}} section:
{code}
<str name="zkCredentialsProvider">org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider</str>
<str name="zkACLProvider">org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider</str>
{code}
# In the bin/solr.in.sh's section called {{Settings for ZK ACL}}, provide all the passwords etc. Here's an example:
{code}
# Settings for ZK ACL
SOLR_ZK_CREDS_AND_ACLS="-DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider"
SOLR_ZK_CREDS_AND_ACLS="$SOLR_ZK_CREDS_AND_ACLS -DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider"
SOLR_ZK_CREDS_AND_ACLS="$SOLR_ZK_CREDS_AND_ACLS -DzkDigestUsername=admin-user -DzkDigestPassword=admin-password"
SOLR_ZK_CREDS_AND_ACLS="$SOLR_ZK_CREDS_AND_ACLS -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=readonly-password"
SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"
{code}
# Start Solr. {{bin/solr start -e cloud -z zk1:2181 -noprompt}}
# To ensure that unauthorized access is restricted, try uploading a configset to ZK (without any changes to the zkcli.sh):
{code}
server/scripts/cloud-scripts/zkcli.sh -cmd upconfig -confname basic -z zk1:2181 -confdir server/solr/configsets/basic_configs
{code}
This should result in an error:
{code}
Exception in thread "main" java.io.IOException: Error uploading file server/solr/configsets/basic_configs/conf/_rest_managed.json to zookeeper path /configs/basic/conf/_rest_managed.json
	at org.apache.solr.common.cloud.ZkConfigManager$1.visitFile(ZkConfigManager.java:78)
	at org.apache.solr.common.cloud.ZkConfigManager$1.visitFile(ZkConfigManager.java:65)
	at java.nio.file.Files.walkFileTree(Files.java:2670)
	at java.nio.file.Files.walkFileTree(Files.java:2742)
	at org.apache.solr.common.cloud.ZkConfigManager.uploadToZK(ZkConfigManager.java:65)
	at org.apache.solr.common.cloud.ZkConfigManager.uploadConfigDir(ZkConfigManager.java:142)
	at org.apache.solr.cloud.ZkCLI.main(ZkCLI.java:227)
Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /configs/basic
	at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
	at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
	at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
	at org.apache.solr.common.cloud.SolrZkClient$10.execute(SolrZkClient.java:503)
	at org.apache.solr.common.cloud.ZkCmdExecutor.retryOperation(ZkCmdExecutor.java:60)
	at org.apache.solr.common.cloud.SolrZkClient.makePath(SolrZkClient.java:500)
	at org.apache.solr.common.cloud.SolrZkClient.makePath(SolrZkClient.java:411)
	at org.apache.solr.common.cloud.ZkConfigManager$1.visitFile(ZkConfigManager.java:75)
	... 6 more
{code}
# To have zkcli.sh work, add the credentials to zkcli.sh:
{code}
SOLR_ZK_CREDS_AND_ACLS="-DzkDigestUsername=admin-user -DzkDigestPassword=admin-password \
-DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=readonly-password"

java ... $SOLR_ZK_CREDS_AND_ACLS ... org.apache.solr.cloud.ZkCLI -cmd ...
{code}
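Step 5 above checks enforcement from the client side (an upload without credentials must fail with NoAuth). The complementary check is to look at the ACL ZooKeeper actually stored on the znode and compare it with what the configured providers should have written. The script below is an added example for that purpose; it is not part of the attached patch or of Solr. It uses the same placeholder credentials as the solr.in.sh snippet, computes the ZooKeeper "digest" identities the way ZooKeeper's DigestAuthenticationProvider does (user:base64(SHA-1("user:password"))), and assumes two things that are labelled in the code: that the all-and-readonly ACL provider grants the admin identity all permissions (cdrwa) and the readonly identity read-only (r), and that zkCli's getAcl prints one entry as a `'scheme,'id` line followed by a `: perms` line. The getAcl listings it audits are constructed samples.

```python
import base64
import hashlib

# Placeholder credentials from the solr.in.sh snippet in the comment (not real secrets).
ADMIN_USER, ADMIN_PASSWORD = "admin-user", "admin-password"
RO_USER, RO_PASSWORD = "readonly-user", "readonly-password"

ALL_PERMS = "cdrwa"  # create, delete, read, write, admin
READ_ONLY = "r"


def zk_digest(user: str, password: str) -> str:
    """ZooKeeper 'digest' scheme identity: user:base64(SHA-1("user:password"))."""
    raw = f"{user}:{password}".encode("utf-8")
    digest = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return f"{user}:{digest}"


def expected_acl(admin_user, admin_password, ro_user=None, ro_password=None):
    """ACL entries (scheme, id, perms) the all-and-readonly provider is assumed to set:
    full rights for the admin identity, read-only for the optional readonly identity."""
    acl = [("digest", zk_digest(admin_user, admin_password), ALL_PERMS)]
    if ro_user and ro_password:
        acl.append(("digest", zk_digest(ro_user, ro_password), READ_ONLY))
    return acl


def parse_getacl(output: str):
    """Parse getAcl output in the assumed two-line-per-entry form:
        'digest,'admin-user:xxxx=
        : cdrwa
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines; not a complete getAcl listing")
    entries = []
    for head, perms in zip(lines[0::2], lines[1::2]):
        scheme, ident = head.split(",", 1)
        entries.append((scheme.strip("'"), ident.strip("'"), perms.lstrip(":").strip()))
    return entries


def render_getacl(entries):
    """Inverse of parse_getacl; used here only to build a constructed sample listing."""
    return "\n".join(f"'{s},'{i}\n: {p}" for s, i, p in entries) + "\n"


def audit_acl(entries, expected):
    """Return findings; an empty list means the znode ACL is exactly the expected one."""
    findings = []
    actual, wanted = set(entries), set(expected)
    for scheme, ident, perms in actual - wanted:
        if scheme == "world" and ident == "anyone":
            findings.append(f"world:anyone granted '{perms}' (unauthenticated access)")
        else:
            findings.append(f"unexpected entry {scheme}:{ident} with '{perms}'")
    for scheme, ident, perms in wanted - actual:
        findings.append(f"missing expected entry {scheme}:{ident} with '{perms}'")
    return findings


# Constructed samples: ZooKeeper's default open ACL, and a znode carrying the expected ACL.
OPEN_ACL_OUTPUT = "'world,'anyone\n: cdrwa\n"
SECURED_ACL_OUTPUT = render_getacl(
    expected_acl(ADMIN_USER, ADMIN_PASSWORD, RO_USER, RO_PASSWORD)
)

if __name__ == "__main__":
    want = expected_acl(ADMIN_USER, ADMIN_PASSWORD, RO_USER, RO_PASSWORD)
    for name, listing in (("open", OPEN_ACL_OUTPUT), ("secured", SECURED_ACL_OUTPUT)):
        print(name, audit_acl(parse_getacl(listing), want) or ["ok"])
```

To use it against a live cluster, paste the output of `getAcl /configs/basic` (from an authenticated zkCli session) into `parse_getacl` and compare with `expected_acl` built from the values in solr.in.sh. An empty findings list means the znode is protected the way steps 2 and 3 intend; a `world:anyone` finding with any permissions means the node was created before the providers were configured and is still open.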

> ZooKeeper ACL not restricting access to zkcli
> ---------------------------------------------
>
>                 Key: SOLR-8792
>                 URL: https://issues.apache.org/jira/browse/SOLR-8792
>             Project: Solr
>          Issue Type: Bug
>          Components: Authentication, documentation
>    Affects Versions: 5.0
>            Reporter: Esther Quansah
>              Labels: acl, authentication, security, zkcli, zkcli.sh, zookeeper
>         Attachments: SOLR-8792.patch
>
>
> The documentation presented here: https://cwiki.apache.org/confluence/display/solr/ZooKeeper+Access+Control
> details the process of securing Solr content in ZooKeeper using ACLs. In the example usages, it is mentioned that access to zkcli can be restricted by adding credentials to the zkcli.sh script in addition to adding the appropriate classnames to solr.xml. With the scripts in zkcli.sh, another machine should not be able to read or write from the host ZK without the necessary credentials. At this time, machines are able to read/write from the host ZK with or without these credentials.
