Goal
Update the security.json file in a Solr 9.3 environment to replace the default admin user and configure ZooKeeper so that only authorized users can modify ZK nodes. This includes revoking access to all other unauthenticated users.
Environment
Solr 9.3.x
ZooKeeper 3.9.x
Applicable to standalone or Fusion-based Solr deployments (Fusion 5.x and above)
Assumes Solr is secured with Basic Authentication and security.json is managed in ZooKeeper
Guide
Add a new Solr user and assign admin role
To add a new user (for example, solrNew) and grant it admin privileges:

1. Create the new user:

curl --user solr:SolrRocks https://<solr-host>:8983/solr/admin/authentication \
  -H 'Content-type:application/json' \
  -d '{"set-user": {"solrNew": "newpass"}}'

2. Assign the admin role to the new user:

curl --user solr:SolrRocks https://<solr-host>:8983/solr/admin/authorization \
  -H 'Content-type:application/json' \
  -d '{"set-user-role": {"solrNew": ["admin"]}}'

3. Remove the original admin user. This request authenticates as solrNew, so a 401 here means the new credentials are not yet in effect and the default account has not been removed:

curl --user solrNew:newpass https://<solr-host>:8983/solr/admin/authentication \
  -H 'Content-type:application/json' \
  -d '{"delete-user": ["solr"]}'

Note: You may assign multiple roles as needed:

"set-user-role": { "solrNew": ["admin", "dev", "readonly"] }

Refer to the Solr rule-based authorization plugin documentation for additional role configuration options.
Restrict unauthorized access to ZooKeeper
To limit ZooKeeper access only to specified users:
Enable ACLs using the SOLR_ZK_CREDS_AND_ACLS environment variable

Set this variable in your Solr deployment (in Kubernetes, this would typically be set via Helm values or pod environment variables).

Set ACLs using ZooKeeper CLI

Use zkCli.sh or zookeeper-shell.sh to set permissions on nodes. Example for setting an ACL on the root node:

setAcl / auth:user:password:cdrwa

Use a ZooKeeper 'super user'

Define a ZooKeeper superuser with full access to all nodes. This user should be the only one with permission to modify sensitive nodes or create new entries. Use this pattern to restrict access globally:

addauth digest superuser:superpass
setAcl / digest:superuser:superpass:cdrwa

You can validate that restrictions are enforced by attempting to list or modify nodes with a non-superuser credential.
Note: Once BasicAuth is enabled in Solr, ZooKeeper access is implicitly restricted. However, ACLs offer an additional layer of security and explicit control.
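ZooKeeper's digest scheme stores an ACL id as user:BASE64(SHA1(user:password)) and compares the credential supplied to addauth against that hash; Solr's credentials provider performs the same computation on the plaintext it reads from SOLR_ZK_CREDS_AND_ACLS. The Python below is an added example, not code from this article: it derives that id, checks which credentials a digest ACL entry would accept, and assembles a setAcl line plus the SOLR_ZK_CREDS_AND_ACLS value. The -D property and class names are assumed from the Solr reference guide (ZooKeeper Access Control) and should be checked against your 9.3 install.

```python
import base64
import hashlib
import shlex

# ZooKeeper permission letters accepted by setAcl (ZooDefs.Perms).
ZK_PERMS = "cdrwa"


def zk_digest_id(user: str, password: str) -> str:
    """ACL id for the digest scheme: user:BASE64(SHA1("user:password")).
    Same computation as ZooKeeper's DigestAuthenticationProvider.generateDigest."""
    sha1 = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def digest_acl_accepts(acl_id: str, user: str, password: str) -> bool:
    """True when a session that ran 'addauth digest user:password' satisfies a
    'digest:<acl_id>:perms' entry. ZooKeeper hashes the presented credential and
    compares it to the ACL id, so an id holding a plaintext password never matches."""
    return zk_digest_id(user, password) == acl_id


def set_acl_line(path: str, user: str, password: str, perms: str = ZK_PERMS) -> str:
    """zkCli.sh setAcl command granting perms on path to one digest user."""
    if not perms or any(p not in ZK_PERMS for p in perms):
        raise ValueError(f"perms must use only the letters {ZK_PERMS!r}")
    return f"setAcl {path} digest:{zk_digest_id(user, password)}:{perms}"


def solr_zk_creds_and_acls(admin_user: str, admin_pass: str,
                           ro_user: str, ro_pass: str) -> str:
    """Shell assignment for SOLR_ZK_CREDS_AND_ACLS. Solr takes plaintext here and
    hashes it itself. Class and property names are assumed from the Solr
    reference guide (ZooKeeper Access Control), not taken from this article."""
    props = [
        "-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider",
        "-DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider",
        "-DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector",
        f"-DzkDigestUsername={admin_user}",
        f"-DzkDigestPassword={admin_pass}",
        f"-DzkDigestReadonlyUsername={ro_user}",
        f"-DzkDigestReadonlyPassword={ro_pass}",
    ]
    return "SOLR_ZK_CREDS_AND_ACLS=" + shlex.quote(" ".join(props))


if __name__ == "__main__":
    # Constructed sample credentials, placeholders only.
    print(set_acl_line("/", "superuser", "superpass"))
    print(solr_zk_creds_and_acls("superuser", "superpass", "readonly", "ropass"))
    print(digest_acl_accepts("superuser:superpass", "superuser", "superpass"))  # plaintext id: False
```

The last line shows why an ACL written with the plaintext password in the id field cannot be satisfied by addauth: only the hashed form produced by zk_digest_id (or by Solr from the environment variable) matches.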
Additional resources