lucene-commits mailing list archives

From ctarg...@apache.org
Subject lucene-solr:jira/solr-10290: SOLR-10296: conversion, letters J + K
Date Sun, 07 May 2017 17:00:21 GMT
Repository: lucene-solr
Updated Branches:
  refs/heads/jira/solr-10290 d77278df6 -> c4b547c55


SOLR-10296: conversion, letters J + K


Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/c4b547c5
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/c4b547c5
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/c4b547c5

Branch: refs/heads/jira/solr-10290
Commit: c4b547c55a0461f8a7d4191a0e233d8a59d113de
Parents: d77278d
Author: Cassandra Targett <ctargett@apache.org>
Authored: Sun May 7 11:59:51 2017 -0500
Committer: Cassandra Targett <ctargett@apache.org>
Committed: Sun May 7 11:59:51 2017 -0500

----------------------------------------------------------------------
 solr/solr-ref-guide/src/java-properties.adoc    |  2 +-
 solr/solr-ref-guide/src/jvm-settings.adoc       |  4 +-
 .../src/kerberos-authentication-plugin.adoc     | 72 +++++++++-----------
 3 files changed, 37 insertions(+), 41 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/c4b547c5/solr/solr-ref-guide/src/java-properties.adoc
----------------------------------------------------------------------
diff --git a/solr/solr-ref-guide/src/java-properties.adoc b/solr/solr-ref-guide/src/java-properties.adoc
index d656d2b..7b6553c 100644
--- a/solr/solr-ref-guide/src/java-properties.adoc
+++ b/solr/solr-ref-guide/src/java-properties.adoc
@@ -4,5 +4,5 @@
 
 The Java Properties screen provides easy access to one of the most essential components of
a top-performing Solr systems. With the Java Properties screen, you can see all the properties
of the JVM running Solr, including the class paths, file encodings, JVM memory settings, operating
system, and more.
 
+.Java Properties Screen
 image::images/java-properties/javaproperties.png[image,width=593,height=250]
-
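Review bot: the image macro at the end of this hunk still carries the placeholder alt text `image` (`image::images/java-properties/javaproperties.png[image,width=593,height=250]`); now that the block has the title `.Java Properties Screen`, the alt text could describe the screenshot as well, for example by reusing the title. Separately, the unchanged paragraph above it reads "a top-performing Solr systems", which could be corrected to the singular while this file is being touched.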

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/c4b547c5/solr/solr-ref-guide/src/jvm-settings.adoc
----------------------------------------------------------------------
diff --git a/solr/solr-ref-guide/src/jvm-settings.adoc b/solr/solr-ref-guide/src/jvm-settings.adoc
index abe1766..dbb0640 100644
--- a/solr/solr-ref-guide/src/jvm-settings.adoc
+++ b/solr/solr-ref-guide/src/jvm-settings.adoc
@@ -2,7 +2,9 @@
 :page-shortname: jvm-settings
 :page-permalink: jvm-settings.html
 
-Configuring your JVM can be a complex topic. A full discussion is beyond the scope of this
document. Luckily, most modern JVMs are quite good at making the best use of available resources
with default settings. The following sections contain a few tips that may be helpful when
the defaults are not optimal for your situation.
+Optimizing the JVM can be a key factor in getting the most from your Solr installation.
+
+Configuring your JVM can be a complex topic and a full discussion is beyond the scope of
this document. Luckily, most modern JVMs are quite good at making the best use of available
resources with default settings. The following sections contain a few tips that may be helpful
when the defaults are not optimal for your situation.
 
 For more general information about improving Solr performance, see https://wiki.apache.org/solr/SolrPerformanceFactors.
 

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/c4b547c5/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc
----------------------------------------------------------------------
diff --git a/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc b/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc
index c555f8c..8f45083 100644
--- a/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc
+++ b/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc
@@ -2,21 +2,21 @@
 :page-shortname: kerberos-authentication-plugin
 :page-permalink: kerberos-authentication-plugin.html
 
-If you are using Kerberos to secure your network environment, the Kerberos authentication
plugin can be used to secure a Solr cluster. This allows Solr to use a Kerberos service principal
and keytab file to authenticate with ZooKeeper and between nodes of the Solr cluster (if applicable).
Users of the Admin UI and all clients (such as <<using-solrj.adoc#using-solrj,SolrJ>>)
would also need to have a valid ticket before being able to use the UI or send requests to
Solr.
+If you are using Kerberos to secure your network environment, the Kerberos authentication
plugin can be used to secure a Solr cluster.
+
+This allows Solr to use a Kerberos service principal and keytab file to authenticate with
ZooKeeper and between nodes of the Solr cluster (if applicable). Users of the Admin UI and
all clients (such as <<using-solrj.adoc#using-solrj,SolrJ>>) would also need to
have a valid ticket before being able to use the UI or send requests to Solr.
 
 Support for the Kerberos authentication plugin is available in SolrCloud mode or standalone
mode.
 
 [TIP]
 ====
-
 If you are using Solr with a Hadoop cluster secured with Kerberos and intend to store your
Solr indexes in HDFS, also see the section <<running-solr-on-hdfs.adoc#running-solr-on-hdfs,Running
Solr on HDFS>> for additional steps to configure Solr for that purpose. The instructions
on this page apply only to scenarios where Solr will be secured with Kerberos. If you only
need to store your indexes in a Kerberized HDFS system, please see the other section referenced
above.
-
 ====
 
 [[KerberosAuthenticationPlugin-HowSolrWorksWithKerberos]]
 == How Solr Works With Kerberos
 
-When setting up Solr to use Kerberos, configurations are put in place for Solr to use a __service
principal__, or a Kerberos username, which is registered with the Key Distribution Center
(KDC) to authenticate requests. The configurations define the service principal name and the
location of the keytab file that contains the credentials.
+When setting up Solr to use Kerberos, configurations are put in place for Solr to use a _service
principal_, or a Kerberos username, which is registered with the Key Distribution Center (KDC)
to authenticate requests. The configurations define the service principal name and the location
of the keytab file that contains the credentials.
 
 [[KerberosAuthenticationPlugin-security.json]]
 === security.json
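Review bot: missing documentation in the rewritten "How Solr Works With Kerberos" paragraph: it says the keytab file "contains the credentials", but the visible text never tells the reader to restrict who can read that file. A sentence stating that the keytab should be readable only by the account that runs Solr would fit here. Also, the split intro now opens its second paragraph with "This allows Solr to use...", whose antecedent sits in the previous paragraph; "The plugin allows Solr to use..." would stand on its own.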
@@ -43,7 +43,11 @@ Since a Solr cluster requires internode communication, each node must also
be ab
 [[KerberosAuthenticationPlugin-KerberizedZooKeeper]]
 === Kerberized ZooKeeper
 
-When setting up a kerberized SolrCloud cluster, it is recommended to enable Kerberos security
for Zookeeper as well. In such a setup, the client principal used to authenticate requests
with Zookeeper can be shared for internode communication as well. This has the benefit of
not needing to renew the ticket granting tickets (TGTs) separately, since the Zookeeper client
used by Solr takes care of this. To achieve this, a single JAAS configuration (with the app
name as Client) can be used for the Kerberos plugin as well as for the Zookeeper client. See
the configuration section below for an example of starting Zookeeper in Kerberos mode.
+When setting up a kerberized SolrCloud cluster, it is recommended to enable Kerberos security
for Zookeeper as well.
+
+In such a setup, the client principal used to authenticate requests with Zookeeper can be
shared for internode communication as well. This has the benefit of not needing to renew the
ticket granting tickets (TGTs) separately, since the Zookeeper client used by Solr takes care
of this. To achieve this, a single JAAS configuration (with the app name as Client) can be
used for the Kerberos plugin as well as for the Zookeeper client.
+
+See the <<ZooKeeper Configuration>> section below for an example of starting
Zookeeper in Kerberos mode.
 
 [[KerberosAuthenticationPlugin-BrowserConfiguration]]
 === Browser Configuration
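Review bot: the new cross reference `<<ZooKeeper Configuration>>` points at a section by its title, while the other cross references visible in this diff use explicit targets (for example `<<running-solr-on-hdfs.adoc#running-solr-on-hdfs,...>>`) and the headings carry `[[KerberosAuthenticationPlugin-...]]` anchors. The target heading is not among the visible lines, so confirm the reference resolves in the built guide, or link to that section's anchor id instead. The added lines also mix "Zookeeper" and "ZooKeeper", and use lowercase "kerberized" under a heading that capitalizes it; pick one spelling of each.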
@@ -58,9 +62,7 @@ Detailed information on how to set up your browser is beyond the scope of
this d
 .Consult Your Kerberos Admins!
 [WARNING]
 ====
-
 Before attempting to configure Solr to use Kerberos authentication, please review each step
outlined below and consult with your local Kerberos administrators on each detail to be sure
you know the correct values for each parameter. Small errors can cause Solr to not start or
not function properly, and are notoriously difficult to diagnose.
-
 ====
 
 Configuration of the Kerberos plugin has several parts:
@@ -76,9 +78,7 @@ We'll walk through each of these steps below.
 .Using Hostnames
 [IMPORTANT]
 ====
-
 To use host names instead of IP addresses, use the `SOLR_HOST` configuration in `bin/solr.in.sh`
or pass a `-Dhost=<hostname>` system parameter during Solr startup. This guide uses
IP addresses. If you specify a hostname, replace all the IP addresses in the guide with the
Solr hostname as appropriate.
-
 ====
 
 [[KerberosAuthenticationPlugin-GetServicePrincipalsandKeytabs]]
@@ -88,9 +88,9 @@ Before configuring Solr, make sure you have a Kerberos service principal
for eac
 
 This example assumes the hostname is `192.168.0.107` and your home directory is `/home/foo/`.
This example should be modified for your own environment.
 
-[source,bash]
+[source,plain]
 ----
-root@kdc:/# kadmin.local 
+root@kdc:/# kadmin.local
 Authenticating as principal foo/admin@EXAMPLE.COM with password.
 
 kadmin.local:  addprinc HTTP/192.168.0.107
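Review bot: `[source,plain]` replaces `[source,bash]` for the `kadmin.local` session, which is reasonable since it is a transcript and not a script, but check that `plain` is a language name the guide's highlighter accepts. If it is not, a bare listing block gives the same unhighlighted result without depending on it. The same substitution is made for the JAAS and `zoo.cfg` blocks later in this file.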
@@ -128,7 +128,7 @@ export JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas-clie
 
 The JAAS configuration file should contain the following parameters. Be sure to change the
`principal` and `keyTab` path as appropriate. The file must be located in the path defined
in the step above, with the filename specified.
 
-[source,java]
+[source,plain]
 ----
 Server {
  com.sun.security.auth.module.Krb5LoginModule required
@@ -144,7 +144,7 @@ Server {
 
 Finally, add the following lines to the ZooKeeper configuration file `zoo.cfg`:
 
-[source,java]
+[source,plain]
 ----
 authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
 jaasLoginRenew=3600000
@@ -152,7 +152,7 @@ jaasLoginRenew=3600000
 
 Once all of the pieces are in place, start ZooKeeper with the following parameter pointing
to the JAAS configuration file:
 
-[source,java]
+[source,bash]
 ----
 bin/zkServer.sh start -Djava.security.auth.login.config=/etc/zookeeper/conf/jaas-client.conf
 ----
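Review bot: the command in this block passes `-Djava.security.auth.login.config=...` as an argument to `bin/zkServer.sh start`, while the header of an earlier hunk in this file shows the same property being exported through `JVMFLAGS`. Since the block is now tagged `bash` and readers will paste it, confirm that the start script accepts the property in this position; if the `JVMFLAGS` export is what takes effect, the argument here can be dropped. The file is also named `jaas-client.conf` although the section shown for it is `Server {`, which deserves a clarifying word.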
@@ -175,9 +175,7 @@ More details on how to use a `/security.json` file in Solr are available
in the
 
 [IMPORTANT]
 ====
-
 If you already have a `/security.json` file in Zookeeper, download the file, add or modify
the authentication section and upload it back to ZooKeeper using the <<command-line-utilities.adoc#command-line-utilities,Command
Line Utilities>> available in Solr.
-
 ====
 
 [[KerberosAuthenticationPlugin-DefineaJAASConfigurationFile]]
@@ -189,7 +187,7 @@ The following example can be copied and modified slightly for your environment.
 
 In the below example, we have created a JAAS configuration file with the name and path of
`/home/foo/jaas-client.conf`. We will use this name and path when we define the Solr start
parameters in the next section. Note that the client `principal` here is the same as the service
principal. This will be used to authenticate internode requests and requests to Zookeeper.
Make sure to use the correct `principal` hostname and the `keyTab` file path.
 
-[source,java]
+[source,plain]
 ----
 Client {
   com.sun.security.auth.module.Krb5LoginModule required
@@ -218,16 +216,16 @@ The main properties we are concerned with are the `keyTab` and `principal`
prope
 
 While starting up Solr, the following host-specific parameters need to be passed. These parameters
can be passed at the command line with the `bin/solr` start command (see <<solr-control-script-reference.adoc#solr-control-script-reference,Solr
Control Script Reference>> for details on how to pass system parameters) or defined
in `bin/solr.in.sh` or `bin/solr.in.cmd` as appropriate for your operating system.
 
-[width="100%",cols="34%,33%,33%",options="header",]
+[width="100%",options="header",]
 |===
 |Parameter Name |Required |Description
-|solr.kerberos.name.rules |No |Used to map Kerberos principals to short names. Default value
is `DEFAULT`. Example of a name rule: `RULE:[1:$1@$0](.*EXAMPLE.COM)s/@.*// `
-|solr.kerberos.cookie.domain |Yes |Used to issue cookies and should have the hostname of
the Solr node.
-|solr.kerberos.cookie.portaware |No |When set to true, cookies are differentiated based on
host and port, as opposed to standard cookies which are not port aware. This should be set
if more than one Solr node is hosted on the same host. The default is false.
-|solr.kerberos.principal |Yes |The service principal.
-|solr.kerberos.keytab |Yes |Keytab file path containing service principal credentials.
-|solr.kerberos.jaas.appname |No |The app name (section name) within the JAAS configuration
file which is required for internode communication. Default is `Client`, which is used for
Zookeeper authentication as well. If different users are used for ZooKeeper and Solr, they
will need to have separate sections in the JAAS configuration file.
-|java.security.auth.login.config |Yes |Path to the JAAS configuration file for configuring
a Solr client for internode communication.
+|`solr.kerberos.name.rules` |No |Used to map Kerberos principals to short names. Default
value is `DEFAULT`. Example of a name rule: `RULE:[1:$1@$0](.\*EXAMPLE.COM)s/@.*//`
+|`solr.kerberos.cookie.domain` |Yes |Used to issue cookies and should have the hostname of
the Solr node.
+|`solr.kerberos.cookie.portaware` |No |When set to true, cookies are differentiated based
on host and port, as opposed to standard cookies which are not port aware. This should be
set if more than one Solr node is hosted on the same host. The default is false.
+|`solr.kerberos.principal` |Yes |The service principal.
+|`solr.kerberos.keytab` |Yes |Keytab file path containing service principal credentials.
+|`solr.kerberos.jaas.appname` |No |The app name (section name) within the JAAS configuration
file which is required for internode communication. Default is `Client`, which is used for
Zookeeper authentication as well. If different users are used for ZooKeeper and Solr, they
will need to have separate sections in the JAAS configuration file.
+|`java.security.auth.login.config` |Yes |Path to the JAAS configuration file for configuring
a Solr client for internode communication.
 |===
 
 Here is an example that could be added to `bin/solr.in.sh`. Make sure to change this example
to use the right hostname and the keytab file path.
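Review bot: in the `solr.kerberos.name.rules` row the example rule is now `RULE:[1:$1@$0](.\*EXAMPLE.COM)s/@.*//`, with a backslash before the first `*` only. If that backslash survives into the rendered page, anyone copying the rule gets a regular expression that requires a literal asterisk, and principals will not map to short names as intended. Check the built output, or wrap the rule in a literal passthrough (`+...+` inside the backticks) so that no escaping is needed. The attribute list `[width="100%",options="header",]` also still ends in a trailing comma that could be removed along with `cols`.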
@@ -241,7 +239,6 @@ SOLR_AUTHENTICATION_OPTS="-Djava.security.auth.login.config=/home/foo/jaas-clien
 .KDC with AES-256 encryption
 [IMPORTANT]
 ====
-
 If your KDC uses AES-256 encryption, you need to add the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files to your JRE before a kerberized Solr can interact
with the KDC.
 
 You will know this when you see an error like this in your Solr logs : "KrbException: Encryption
type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled"
@@ -249,7 +246,6 @@ You will know this when you see an error like this in your Solr logs :
"KrbExcep
 For Java 1.8, this is available here: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html.
 
 Replace the `local_policy.jar` present in `JAVA_HOME/jre/lib/security/` with the new `local_policy.jar`
from the downloaded package and restart the Solr node.
-
 ====
 
 [[KerberosAuthenticationPlugin-UsingDelegationTokens]]
@@ -265,15 +261,15 @@ There are a few use cases for Solr where this might be helpful:
 
 To enable delegation tokens, several parameters must be defined. These parameters can be
passed at the command line with the `bin/solr` start command (see <<solr-control-script-reference.adoc#solr-control-script-reference,Solr
Control Script Reference>> for details on how to pass system parameters) or defined
in `bin/solr.in.sh` or `bin/solr.in.cmd` as appropriate for your operating system.
 
-[width="100%",cols="34%,33%,33%",options="header",]
+[width="100%",options="header",]
 |===
 |Parameter Name |Required |Description
-|solr.kerberos.delegation.token.enabled |Yes, to enable tokens |False by default, set to
true to enable delegation tokens.
-|solr.kerberos.delegation.token.kind |No |Type of delegation tokens. By default this is `solr-dt`.
Likely this does not need to change. No other option is available at this time.
-|solr.kerberos.delegation.token.validity |No |Time, in seconds, for which delegation tokens
are valid. The default is 36000 seconds.
-|solr.kerberos.delegation.token.signer.secret.provider |No |Where delegation token information
is stored internally. The default is `zookeeper` which must be the location for delegation
tokens to work across Solr servers (when running in SolrCloud mode). No other option is available
at this time.
-|solr.kerberos.delegation.token.signer.secret.provider.zookeper.path |No |The ZooKeeper path
where the secret provider information is stored. This is in the form of the path + /security/token.
The path can include the chroot or the chroot can be omitted if you are not using it. This
example includes the chroot: `server1:9983,``server2:9983,``server3:9983``/solr/security/token`.
-|solr.kerberos.delegation.token.secret.manager.znode.working.path |No |The ZooKeeper path
where token information is stored. This is in the form of the path + /security/zkdtsm. The
path can include the chroot or the chroot can be omitted if you are not using it. This example
includes the chroot: `server1:9983,``server2:9983,``server3:9983``/solr/security/zkdtsm`.
+|`solr.kerberos.delegation.token.enabled` |Yes, to enable tokens |False by default, set to
true to enable delegation tokens.
+|`solr.kerberos.delegation.token.kind` |No |Type of delegation tokens. By default this is
`solr-dt`. Likely this does not need to change. No other option is available at this time.
+|`solr.kerberos.delegation.token.validity` |No |Time, in seconds, for which delegation tokens
are valid. The default is 36000 seconds.
+|`solr.kerberos.delegation.token.signer.secret.provider` |No |Where delegation token information
is stored internally. The default is `zookeeper` which must be the location for delegation
tokens to work across Solr servers (when running in SolrCloud mode). No other option is available
at this time.
+|`solr.kerberos.delegation.token.signer.secret.provider.zookeper.path` |No |The ZooKeeper
path where the secret provider information is stored. This is in the form of the path + /security/token.
The path can include the chroot or the chroot can be omitted if you are not using it. This
example includes the chroot: `server1:9983,server2:9983,server3:9983/solr/security/token`.
+|`solr.kerberos.delegation.token.secret.manager.znode.working.path` |No |The ZooKeeper path
where token information is stored. This is in the form of the path + /security/zkdtsm. The
path can include the chroot or the chroot can be omitted if you are not using it. This example
includes the chroot: `server1:9983,server2:9983,server3:9983/solr/security/zkdtsm`.
 |===
 
 [[KerberosAuthenticationPlugin-StartSolr]]
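Review bot: the parameter `solr.kerberos.delegation.token.signer.secret.provider.zookeper.path` is spelled `zookeper` in both the removed and the added row. Now that the name is set in monospace for copying, confirm it matches the property the code actually reads. If the misspelling is the real name, a short remark in the description would stop readers from "correcting" it and setting a property that is then ignored.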
@@ -289,8 +285,8 @@ bin/solr -c -z server1:2181,server2:2181,server3:2181/solr
 [[KerberosAuthenticationPlugin-TesttheConfiguration]]
 === Test the Configuration
 
-1.  Do a `kinit` with your username. For example, "`kinit user@EXAMPLE.COM`".
-2.  Try to access Solr using `curl`. You should get a successful response.
+. Do a `kinit` with your username. For example, `kinit \user@EXAMPLE.COM`.
+. Try to access Solr using `curl`. You should get a successful response.
 +
 [source,bash]
 ----
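Review bot: step 1 now reads `kinit \user@EXAMPLE.COM`; the backslash is presumably there to keep the address from being turned into a mail link, but if it renders literally the documented command differs from what the reader should type. Check the built page, or use a literal passthrough (`+kinit user@EXAMPLE.COM+` inside the backticks) so the escape is not needed.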
@@ -308,7 +304,7 @@ System.setProperty("java.security.auth.login.config", "/home/foo/jaas-client.con
 HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());
 ----
 
-You need to specify a Kerberos service principal for the client and a corresponding keytab
in the JAAS client configuration file above. This principal should be different from the service
principal we created for Solr .
+You need to specify a Kerberos service principal for the client and a corresponding keytab
in the JAAS client configuration file above. This principal should be different from the service
principal we created for Solr.
 
 Here’s an example:
 
@@ -375,7 +371,5 @@ CloudSolrClient client = new CloudSolrClient.Builder()
 
 [TIP]
 ====
-
 Hadoop's delegation token responses are in JSON map format. A response parser for that is
available in `DelegationTokenResponse`. Other response parsers may not work well with Hadoop
responses.
-
 ====

