lucene-dev mailing list archives

From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Created] (SOLR-10202) Auto resolve urlScheme, remove cluster property
Date Fri, 24 Feb 2017 12:05:45 GMT
Jan Høydahl created SOLR-10202:
----------------------------------

             Summary: Auto resolve urlScheme, remove cluster property
                 Key: SOLR-10202
                 URL: https://issues.apache.org/jira/browse/SOLR-10202
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
          Components: SolrCloud
            Reporter: Jan Høydahl


Spinoff from SOLR-9640.

Today we need to explicitly set {{urlScheme}} cluster property to enable SSL, at the same
time as we need to set all the SSL env variables on each node. As discussed in SOLR-9640,
we could be smarter about this so an admin only needs to set up {{solr.in.sh}} with keystore
to enable SSL.

h3. How
Perhaps simplified a bit, but in principle, at node start, if {{solr.jetty.keystore}} (one
out of several possibilities) is defined then use https, else http :-) Then, if the administrator
has mixed it up and failed to configure {{solr.jetty.keystore}} on one of the nodes, then
that node will not be able to communicate with the others over {{http}}, it will get {{curl:
(52) Empty reply from server}}. Opposite, an SSL enabled node trying to talk to a Solr node
that is not SSL enabled over {{https}}, will get {{curl: (35) Unknown SSL protocol error in
connection to localhost:-9847}} (not the curl error of course, but similar).

I don't think the nodes need to tell ZK about SSL at all?

So my claim is that this will not give bigger risk of misconfiguration, cause if you add a
new node to the cluster without SSL, it will generate a lot of BUZZ in the logs and it will
never receive any unencrypted data from the other nodes since connections will fail. Agree?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
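
The rule proposed in the message above, as an added example that is not part of the original message or of Solr's code: each node's scheme is resolved from its `solr.in.sh`, and a cluster whose nodes disagree is flagged before start-up. It assumes `SOLR_SSL_KEY_STORE` is the `solr.in.sh` variable behind `solr.jetty.keystore` (one of the "several possibilities" the message mentions); the function names and the sample node files are constructed.

```shell
#!/bin/sh
# Added example, not Solr code. Assumption: SOLR_SSL_KEY_STORE in solr.in.sh
# is what ends up as the solr.jetty.keystore system property.

# resolve_scheme FILE -> prints "https" when the file sets SOLR_SSL_KEY_STORE
# to a non-empty value on an uncommented line (last assignment wins), else "http".
resolve_scheme() {
    keystore=$(sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?SOLR_SSL_KEY_STORE=//p' "$1" \
        | tail -n 1 | sed -E 's/[[:space:]]*#.*$//' | tr -d "\"'" | tr -d '[:space:]')
    if [ -n "$keystore" ]; then echo https; else echo http; fi
}

# check_cluster FILE... -> prints "file scheme" per node; returns 0 when all
# nodes resolve to the same scheme, 1 when the cluster is mixed.
check_cluster() {
    first="" mixed=0
    for f in "$@"; do
        s=$(resolve_scheme "$f")
        echo "$f $s"
        [ -z "$first" ] && first=$s
        [ "$s" = "$first" ] || mixed=1
    done
    return "$mixed"
}

# Constructed sample input: three nodes' solr.in.sh files.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'SOLR_HEAP="2g"' \
    'SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks' > "$demo_dir/node1.in.sh"
# node2: the admin left the shipped line commented out, so no keystore is set.
printf '%s\n' 'SOLR_HEAP="2g"' \
    '#SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks' > "$demo_dir/node2.in.sh"
printf '%s\n' \
    'export SOLR_SSL_KEY_STORE="/opt/solr/keystore.jks"  # constructed path' \
    > "$demo_dir/node3.in.sh"

check_cluster "$demo_dir"/node*.in.sh \
    || echo "MIXED: nodes disagree on scheme; inter-node connections would fail"
```
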
