lucene-dev mailing list archives

From Jörn Franke (JIRA) <j...@apache.org>
Subject [jira] [Commented] (SOLR-7893) Document ZooKeeper SSL support
Date Wed, 31 Jul 2019 19:31:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-7893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16897468#comment-16897468 ]

Jörn Franke commented on SOLR-7893:
-----------------------------------

I did some initial tests with Solr 8.2.

First you need to add the jetty-all.jar of ZooKeeper 3.5.5 to the classpath of Solr. I created
a Solr issue for this, so this should be fixed in 8.2.1 or 8.3.0. Meanwhile you can copy it
manually.

Second, even after deploying and configuring it, I get an unknown certificate issue. The thing
is, I configured a truststore with my CAs and a certificate signed by the CAs. This is really
strange, because it should work this way, but it does not. I do not go for self-signed certificates,
because aside from the security issues with them, they would cause operational overhead (every
time the ZK cluster is extended I then need to add the additional unsigned CA to all truststores
of Solr - that does not make sense to me). I also need to clarify with the ZK user list why
the client needs to provide its own certificate. The ZooKeeper server, I understand, but the
client does not need one, because I use Kerberos for authentication and not certificates.

 

I also noticed that secureClientPort and clientPort are both mandatory and that they have
to be set to different ports, otherwise you get a "cannot bind address" issue in ZK.

 

Once I have figured it all out, I will put it into a document. For completeness, I will also
include SSL between the ZooKeeper servers (not really a Solr issue, but for making Solr secure
we should also take into account the complete picture with ZK).

 

> Document ZooKeeper SSL support
> ------------------------------
>
>                 Key: SOLR-7893
>                 URL: https://issues.apache.org/jira/browse/SOLR-7893
>             Project: Solr
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: ssl, zookeeper
>
> Once ZooKeeper supports SSL properly, Solr should start using it for all communication. See comments in https://cwiki.apache.org/confluence/display/solr/Enabling+SSL
> {quote}
> ZooKeeper does not support encrypted communication with clients like Solr. There are several related JIRA tickets where SSL support is being planned/worked on: ZOOKEEPER-235; ZOOKEEPER-236; ZOOKEEPER-733; and ZOOKEEPER-1000.
> {quote}


