SOLR-15857: Add AWS Secret Manager support for ZK ACL credentials

[laminelam]

https://issues.apache.org/jira/browse/SOLR-17020

Description

Solr currently connects to Zookeeper and manages ACLs using a set of credentials (when using Digest scheme). These credentials are either passed via the command line (system properties) or fetched from an unencrypted file on every host in the cluster. Clearly, this approach lacks sufficient security.

The proposed change of this contribution intends to integrate AWS Secret Manager for credential storage, offering two primary advantages:
• Improved security measures.
• Streamlined operations by centralizing credential storage, eliminating the need to update multiple hosts/files whenever passwords are changed.

Solution

This is a new module to support storing Zookeeper credentials in an AWS Secret Manager.

Added a new implementation of ZkCredentialsInjector that pulls the creds from AWS SM.

Ref guide in progress...

Tests

Added test cases.
Integration tests also made in AWS environment.

Checklist

Please review the following and check all that apply:

• I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
• I have created a Jira issue and added the issue ID to my pull request title.
• I have given Solr maintainers access to contribute to my PR branch. (optional but recommended)
• I have developed this patch against the main branch.
• I have run ./gradlew check.
• I have added tests for my changes.
• I have added documentation for the Reference Guide

[risdenk]

Why so many ZK clients? Can't the one be used over and over for each create? At least most of the zk clients look to be the same. Also use try-with-resources to avoid the explicit need to close the zk clients

[laminelam]

Hi @risdenk
This is an existing (copied) code. For some reason (race condition?) you need to close and recreate ZKClient to make the nodes creation successful. You don't want to reuse it in the last block because you want to connect to ZK with 'OPEN_ACL_UNSAFE' ACLs.

Refactored the existing code and added new tests cases to void code duplication. Created a new setUpZKNodes method.

I think AbstractDigestZkACLAndCredentialsProvidersTestBase (which BTW is not abstract) needs more refactoring. Didn't want to make this PR bigger than it already is, but we should consider favoring composition over inheritance here.

[HoustonPutman]

Overall I think there might be issues with the various cli tools, using the modules provided by SOLR_MODULES.

[HoustonPutman]

I'm not sure that these names make sense to me. They are not consistent with each other.

• solr.zk.credentials.secret
• solrZkCredentials
• solr.zk.credentials.region

I think these work better.

[laminelam]

Actually, they are not consistent because they don't have the same functionality. Some are VM variable names (internal to Solr, so I followed the same naming convention of the existing creds/acl providers), one is an AWS variable value.
How about this new version?

 public static final String AWS_SM_CREDENTIALS_SECRET_NAME_VM_PARAM = "zkAWSSecretCredentialsSecretName";
private static final String AWS_SM_CREDENTIALS_REGION_VM_PARAM = "zkAWSSecretCredentialsRegion";
private static final String AWS_SM_CREDENTIALS_SECRET_NAME_DEFAULT = "/solr/zk/credentials/dev/secret";

Followed AWS SM recommended naming convention.

Edit: slashes in variable names can cause problems. I am going with this syntax instead: solr.zk.credentials.dev.secret for secret name

[HoustonPutman]

SOLR_MODULES might not be provided, so probably want to use "${SOLR_MODULES:-}"

Also $SOLR_DIR needs to be in quotes.

[laminelam]

The operator has to set SOLR_MODULES in zkcli.*
In the same way we expect it in solr.in.* to enable different modules.
We'll add the missing quotes.

[HoustonPutman]

Are the Solr Modules auto-added with the bin/solr <tool> command?

Also are you sure that ZKCLI.java and SolrCLI.java use the solr.modules option? I thought that was enabled through the solr.xml, which those tools wouldn't know about.

[epugh]

I am curious to find out the answer!

[laminelam]

Thank you @HoustonPutman for looking at this

Little background: We discussed this last year if you remember as part of a bigger PR.

The issue we faced at that time was that SolrJ doesn't "see" the libraries part of the other modules as Solr default class loader does't load classes from different modules. We decided at that time to split the contrib into small ones to make that possible.

One of those contribs (that answers your question) is this one. It enables passing a custom class loader to SolrZKClient.

To answer your question:

• It's not possible to rely on solr.xml for the reason explained here.
• ZKCli and SolrCli don't use solr.modules directly but via NodeConfig. NodeConfig reads solr.modules passed through SOLR_MODULES in zkcli.* or solr.in.*

[laminelam]

Hi Houston,

I have added solr modules to solr and solr.cmd.

PS: There is another way to load the modules without touching solr and solr.cmd but this requires changing a lot of "tool" classes where SolrZkClient instantiation is duplicated (the code is duplicated 12 times in 8 diff classes). I think we should extract the code instantiating the SolrZkClient to a separate class as well as considering merging ZK related tool classes.
@HoustonPutman
@epugh

[epugh]

I would LOVE to see that refactoring on SolrZkClient.. I've been looking more at that code base, and I think there is a LOT of opportunity for clean up. We have a LOT of tickets that are around reducing what is in solr and solr.cmd in favour of Java code, so this is a bit of a step in the wrong direction!

[laminelam]

Hi @epugh
I have a new PR where I separated code instantiating SolrZkClient and CloudSolrClient in ZK related SolrCli tool classes.
The PR adds also a SolrClassLoader to CloudHttp2SolrClient Builder which allows to load solr modules libs without relying on solr and solr.cmd scripts.
As soon as it's approved internally will push it upstream for your review.

[epugh]

This is exciting!

[HoustonPutman]

ZkCli is getting replaced by SolrCLI, so SolrCLI needs support too

[HoustonPutman]

• zkAWSSecretCredentialsSecretName -> zkCredentialsAWSSecretName
• zkAWSSecretCredentialsRegion -> zkCredentialsAWSRegion
• solr.zk.credentials.dev.secret -> solr.zk.credentials.secret

[HoustonPutman]

"$SOLR_MODULES" -> "${SOLR_MODULES:-}"

[laminelam]

Hi @HoustonPutman ,
I have added the changes.
As soon as you're about to approve the PR will update the ref. guide.

[github-actions]

This PR had no visible activity in the past 60 days, labeling it as stale. Any new activity will remove the stale label. To attract more reviewers, please tag someone or notify the dev@solr.apache.org mailing list. Thank you for your contribution!

[epugh]

It looks like you've added the additional support to both the zkcli and the solr scripts, which is great. There is another PR, #2298 that I hope to merge in the next few days which establishes parity between solr zk subommands and what zkcli, and I hope to remove zkcli from the main branch. If that happened, would it make sense/help you to have this support be ONLY available for the solr zk commands?

[epugh]

"through"?

[epugh]

I would LOVE to see that refactoring on SolrZkClient.. I've been looking more at that code base, and I think there is a LOT of opportunity for clean up. We have a LOT of tickets that are around reducing what is in solr and solr.cmd in favour of Java code, so this is a bit of a step in the wrong direction!

[janhoy]

Are we sure this fits as a Solr module? Since this is client-side solrj code, it could be in e.g. solrj-aws-secret instead?

[laminelam]

Are we sure this fits as a Solr module? Since this is client-side solrj code, it could be in e.g. solrj-aws-secret instead?

Actually, this is a server side code.
When Solr starts, it reads ZK creds from a local (clear) text file and uses them to connect to ZK.
With this feature, Solr would get the ZK creds from an AWS Secret Manager, and then proceed to connect to ZK.

Now, from SolrJ side we have 3 options:

• Use the existing mechanism. Get the ZK creds and set them in System Props using the standard way.
• The client can connect to AWS SM to get the creds before passing them to System Props.
• This module can be used to connect directly to AWS SM and inject the creds into SolrJ. Though, the libs have to
  be added to class path.

    System.setProperty("zkACLProvider", "org.apache.solr.common.cloud.DigestZkACLProvider");
    System.setProperty("zkCredentialsProvider", "org.apache.solr.common.cloud.DigestZkCredentialsProvider");
    System.setProperty("zkCredentialsInjector", "org.apache.solr.secret.zk.AWSSecretManagerCredentialsInjector");
    System.setProperty("zkCredentialsAWSSecretName", "myZkSecret");
    System.setProperty("zkCredentialsAWSRegion", "us-east-1");

    CloudSolrClient client = new CloudHttp2SolrClient.Builder(zkHosts)...

Somewhere down the line SolrZkClient will instantiate an AWSSecretManagerCredentialsInjector.

[github-actions]

This PR had no visible activity in the past 60 days, labeling it as stale. Any new activity will remove the stale label. To attract more reviewers, please tag someone or notify the dev@solr.apache.org mailing list. Thank you for your contribution!

[epugh]

I don't know that it changes anything, but at this point the zkcli.bat and zkcli.sh are no longer part of solr! Does that help at all? Also, it sounds like we had a refactoring that you were hoping to push up, did that ever make it fruition?

[github-actions]

This PR has had no activity for 60 days and is now labeled as stale. Any new activity will remove the stale label. To attract more reviewers, please tag people who might be familiar with the code area and/or notify the dev@solr.apache.org mailing list. To exempt this PR from being marked as stale, make it a draft PR or add the label "exempt-stale". If left unattended, this PR will be closed after another 60 days of inactivity. Thank you for your contribution!

[github-actions]

This PR is now closed due to 60 days of inactivity after being marked as stale. Re-opening this PR is still possible, in which case it will be marked as active again.