For Apache Solr's documentation on this topic, refer to
https://solr.apache.org/guide/8_2/zookeeper-access-control.html#changing-acl-schemes.
This article describes how to enable ZooKeeper ACL (Access Control List) in Solr to access Solr nodes securely.
- On ALL Solr nodes. In <SOLR_HOME>/bin/solr/solr.in.sh, uncomment the following lines:
Don't forget to change the passwords for the admin user and the read only user.
SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider \
-DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider \
-DzkDigestUsername=admin-user -DzkDigestPassword=admin \
-DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=readadmin"
SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"
- On ALL Solr nodes. In <SOLR_HOME>/server/scripts/cloud-scripts/zkcli.sh, uncomment the following lines:
Don't forget to change the passwords for the admin user and the read only user.
SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider \
-DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider \
-DzkDigestUsername=admin-user -DzkDigestPassword=admin \
-DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=readadmin"
- On ANY of the Solr nodes (existing installations). If ZooKeeper ACLs are being added to an existing installation, you have to update the existing Solr entries in ZooKeeper to create the ACLs. You only need to do it once.
Make sure ALL Solr nodes are DOWN before running the following.
In the command below:
- Change "localhost" to the host where ZooKeeper is running.
- Change "xraysolr" to the zkchroot (the root folder in ZooKeeper where Solr data is stored). You can find this by checking the file <SOLR_HOME>/bin/solr/solr.in.sh. Find the value for ZK_HOST, and take the part starting with "/". If there is no "/" in ZK_HOST, then remove "xraysolr" from the command below, leaving just the "/" at the end.
<SOLR_HOME>/server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:2181 -cmd updateacls /xraysolr
- If Xray is connecting directly to Solr (jkool.db.url is defined using a Solr URL, e.g. http://<host>:8983), then nothing more is needed. Proceed to the Verifying Setup section below.
If Xray is connecting to Solr via ZooKeeper (which is our recommended way), then you must add the following to global.properties, so SolrJ can connect to ZooKeeper:
property zkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider
property zkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider
property zkDigestUsername=readonly-user
property zkDigestPassword=readadmin
Verifying Setup
To verify that setup is successful, do the following:
- Start ZooKeeper and Solr.
- Go to the Solr Admin UI.
- Check the ZooKeeper ACL parameters in the dashboards.
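
A further check on the znodes themselves, as an added example that is not part of the original article or of Solr: it computes the ACL ids that ZooKeeper's digest scheme stores for the two users and compares them with the output of ZooKeeper's zkCli.sh `getAcl` command for a znode such as the zkchroot. It assumes ZooKeeper's default SHA-1 digest and the `'scheme,'id` / `: perms` output layout; the passwords and sample outputs are constructed.

```python
import base64
import hashlib
import re

# Constructed credentials for illustration; usernames follow the article.
ADMIN = ("admin-user", "example-admin-pass")
READONLY = ("readonly-user", "example-read-pass")

def zk_digest_id(username, password):
    """ACL id kept by ZooKeeper's digest scheme: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{username}:{password}".encode("utf-8")).digest()
    return f"{username}:{base64.b64encode(raw).decode('ascii')}"

def parse_getacl(text):
    """Turn getAcl output ('scheme,'id then ': perms') into {(scheme, id): perms}."""
    pairs = re.findall(r"^'(\w+),'(\S+)[ \t]*\n:[ \t]*(\w+)", text, flags=re.M)
    return {(scheme, ident): perms for scheme, ident, perms in pairs}

def audit_acl(getacl_output, admin=ADMIN, readonly=READONLY):
    """Return findings; an empty list means the znode carries exactly the intended ACL."""
    expected = {
        ("digest", zk_digest_id(*admin)): "cdrwa",   # all permissions
        ("digest", zk_digest_id(*readonly)): "r",    # read only
    }
    actual = parse_getacl(getacl_output)
    findings = []
    for (scheme, ident), perms in expected.items():
        got = actual.get((scheme, ident))
        user = ident.split(":", 1)[0]
        if got is None:
            findings.append(f"no digest entry matching {user}'s configured password")
        elif set(got) != set(perms):
            findings.append(f"{user} has '{got}', expected '{perms}'")
    for scheme, ident in sorted(actual.keys() - expected.keys()):
        findings.append(f"unexpected entry {scheme}:{ident} ({actual[(scheme, ident)]})")
    return findings

# Constructed getAcl output: a protected znode, and one left open to everyone
# (what an existing znode looks like if updateacls was never run).
PROTECTED = (f"'digest,'{zk_digest_id(*ADMIN)}\n: cdrwa\n"
             f"'digest,'{zk_digest_id(*READONLY)}\n: r\n")
OPEN = "'world,'anyone\n: cdrwa\n"

if __name__ == "__main__":
    for name, sample in (("protected", PROTECTED), ("open", OPEN)):
        print(name, audit_acl(sample) or "OK")
```

A `world:anyone` entry on the zkchroot after the steps above means the existing znodes were not rewritten by `updateacls`.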