I am new to Solr and Zookeeper. I set up a Solr Cloud cluster with Zookeeper in Docker. For the implementation I'm using SolrJ. I used the CloudSolrClient to communicate with Solr Cloud. Everything worked well until I tried to use Zookeeper ACLs with Solr. If I try to connect my CloudSolrClient with ZK ACLs, I get the error message "KeeperErrorCode = NoAuth for /live_nodes". And it always starts with this:
o.apache.solr.common.cloud.SolrZkClient : Using default ZkACLProvider. DefaultZkACLProvider is not secure, it creates 'OPEN_ACL_UNSAFE' ACLs to Zookeeper nodes
First of all, this is what my docker-compose.yml looks like:
services:
  solr1:
    image: solr:9.7
    container_name: solr1
    restart: always
    environment:
      ZK_HOST: zookeeper:2181
      SOLR_HEAP: 1g
    depends_on:
      - zookeeper
    volumes:
      - ./security/security.json:/var/security.json
      - solr1:/var/solr
      - ./scripts/solr.in.sh:/etc/default/solr.in.sh
      - ./configs/solr.xml:/var/solr/data/solr.xml
    command: bash -c "docker-entrypoint.sh solr zk cp file:/var/security.json zk:/security.json && exec solr-foreground"
    ports:
      - 8983:8983
  zookeeper:
    image: zookeeper:3.7.2
    container_name: zookeeper
    hostname: zookeeper
    restart: always
    ports:
      - 2181:2181
    environment:
      ZOO_MY_ID: 1
      ZOO_SERVERS: server.1=zookeeper:2888:3888;2181
      ZOO_4LW_COMMANDS_WHITELIST: mntr, conf, ruok
      ZOO_CFG_EXTRA: "metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider metricsProvider.httpPort=7000 metricsProvider.exportJvmInfo=true"
volumes:
  solr1:
My solr.in.sh looks like this:
SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider \
  -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider \
  -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector \
  -DzkDigestUsername=admin-user -DzkDigestPassword=password-changed \
  -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=password-changed"
SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"
In my solr.xml I also added these:
<str name="zkCredentialsProvider">${zkCredentialsProvider:org.apache.solr.common.cloud.DigestZkCredentialsProvider}</str>
<str name="zkACLProvider">${zkACLProvider:org.apache.solr.common.cloud.DigestZkACLProvider}</str>
<str name="zkCredentialsInjector">${zkCredentialsInjector:org.apache.solr.common.cloud.VMParamsZkCredentialsInjector}</str>
And this is how I connect my CloudSolrClient:
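public CloudSolrClient startCloudClient() {
    // Connect through the ZooKeeper ensemble; no chroot is used
    final CloudSolrClient cloudSolrClient = new CloudSolrClient.Builder(List.of("localhost:2181"), Optional.empty())
            .canUseZkACLs(true)
            .build();
    cloudSolrClient.connect();
    return cloudSolrClient; // the method is declared to return the client
}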
I then tried to tell Zookeeper what it should use to authenticate, but nothing worked. I also connected to the Zookeeper container with "docker exec -it zookeeper /apache-zookeeper-3.7.2-bin/bin/zkCli.sh -server localhost:2181" to test if the ACLs are working. I tried these steps:
[zk: localhost:2181(CONNECTED) 1] getAcl /live_nodes
Insufficient permission : /live_nodes
[zk: localhost:2181(CONNECTED) 2] addauth digest admin-user:password-changed
[zk: localhost:2181(CONNECTED) 3] getAcl /live_nodes
'digest,'admin-user:8is0294sdjFKDa9fduiji3iffd8s
: cdrwa
'digest,'readonly-user:ff4Fd8fs8dflk64Ffsd9grOJK
: r
So I think the ACLs are working. But I don't know how I can authenticate through my CloudSolrClient now?
---SOLUTION---
I had tried to set system properties before initializing my CloudSolrClient, but with the wrong properties. With these it now worked for me:
System.setProperty("zkACLProvider", "org.apache.solr.common.cloud.DigestZkACLProvider");
System.setProperty("zkCredentialsProvider", "org.apache.solr.common.cloud.DigestZkCredentialsProvider");
System.setProperty("zkCredentialsInjector", "org.apache.solr.common.cloud.VMParamsZkCredentialsInjector");
System.setProperty("zkDigestUsername", "admin-user");
System.setProperty("zkDigestPassword", "password-changed");
Upvotes: 0
Views: 150
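An added example, not part of the original post: an offline audit of `getAcl` output like the one shown in the question. ZooKeeper's digest scheme stores each ACL id as `user:base64(SHA-1(user:password))`, so the output can be checked against the credentials a client is expected to present, and any `world` entry (what the default OPEN_ACL_UNSAFE provider creates) can be flagged. The function names, passwords and sample output below are constructed for illustration.

```python
import base64
import hashlib
import re

def zk_digest_id(user, password):
    """ACL id as the digest scheme stores it: user:base64(sha1(user:password))."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"

# zkCli prints each entry as "'scheme,'id" followed by a ": perms" line.
ACL_ENTRY = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")

def parse_getacl(output):
    """Parse zkCli `getAcl` output into (scheme, id, perms) tuples."""
    entries, pending = [], None
    for line in output.splitlines():
        line = line.strip()
        match = ACL_ENTRY.match(line)
        if match:
            pending = (match["scheme"], match["id"])
        elif line.startswith(":") and pending:
            entries.append((*pending, line[1:].strip()))
            pending = None
    return entries

def audit(output, expected):
    """expected maps user -> password; returns a list of findings."""
    findings = []
    for scheme, ident, perms in parse_getacl(output):
        if scheme == "world":
            findings.append(f"open ACL: world:{ident} has {perms}")
        elif scheme == "digest":
            user = ident.split(":", 1)[0]
            if user not in expected:
                findings.append(f"unexpected digest user: {user}")
            elif zk_digest_id(user, expected[user]) != ident:
                findings.append(f"digest mismatch for {user}")
    return findings

# Constructed sample: one matching entry, one stale password, one open entry.
SAMPLE = "\n".join([
    f"'digest,'{zk_digest_id('admin-user', 'example-admin-pw')}", ": cdrwa",
    f"'digest,'{zk_digest_id('readonly-user', 'old-pw')}", ": r",
    "'world,'anyone", ": cdrwa",
])

if __name__ == "__main__":
    creds = {"admin-user": "example-admin-pw", "readonly-user": "new-pw"}
    for finding in audit(SAMPLE, creds):
        print(finding)
```

A "digest mismatch" finding means the credentials configured on the client side would be rejected with NoAuth for that node, which is the symptom described in the question.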