lucene-dev mailing list archives

From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Commented] (SOLR-7889) Secure ZooKeeper should be easy and the default
Date Mon, 29 Jul 2019 07:35:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-7889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16895022#comment-16895022 ]

Jan Høydahl commented on SOLR-7889:
-----------------------------------

ZK 3.5.5 adds secureClientPort, so it should already be possible to use SSL.
However, in ZK 3.6 there will be something called *port unification* which allows using the
same port for both normal and encrypted traffic, and the zkClient lib will adapt automatically
just by telling it to use SSL. That will provide for a better end user experience when migrating
a non-SSL ZK ensemble to an SSL one, since you can just upgrade ZK and then flip clients to
SSL one at a time. Same will go for AdminServer.
But we should first document the current state, as it could take years for a new ZK version
to be released :) 

> Secure ZooKeeper should be easy and the default
> -----------------------------------------------
>
>                 Key: SOLR-7889
>                 URL: https://issues.apache.org/jira/browse/SOLR-7889
>             Project: Solr
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jan Høydahl
>            Priority: Critical
>              Labels: security, zookeeper
>
> ZooKeeper security is documented at https://cwiki.apache.org/confluence/display/solr/ZooKeeper+Access+Control
> but is not trivial to set up, see http://search-lucene.com/m/eHNlqr6EnMrP6O
> As we enable more and more security stuff, securing ZK should be easier to do and ideally
> the default. This is an umbrella for such improvements.
> When all of this is in place and working, perhaps even Solr should refuse to start if
> Auth/Autz plugins are in use and ZK communication is not properly protected, e.g. require
> {{bin/solr start --insecure}} to override.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org

