When SearchStax Managed Solr creates a new Solr deployment, we lock down the Zookeeper ensemble so that it cannot be reached from the Internet. To upload a configuration to Zookeeper, you have to add an IP Filter that whitelists your work computer or subnet.
We take this precaution because Zookeeper doesn’t require authentication. Anyone who knows (or can guess) your Zookeeper endpoint can use zkcli.sh/.bat to make malicious changes to your deployment’s configuration files. Even worse, there are no logs of such meddling. You can’t tell who changed the files.
As a further precaution, we have modified the SearchStax IP Filtering controls to prohibit giving the Zookeeper ensemble a 0.0.0.0/0 filter.
When ZooKeeper becomes “Unreachable”
Most IT departments and ISPs issue IP addresses using the Dynamic Host Configuration Protocol (DHCP). From time to time, your workstation’s IP address will change without warning. When it does, you’ll have to update your Zookeeper IP filter settings.
When ZooKeeper becomes “unreachable,” check the IP filters first.
Zookeeper Best Practice
For truly secure Zookeeper management, do not use zkcli at all. Use the SearchStax API instead. The API’s Zookeeper methods require SearchStax user authentication, and they record entries in the SearchStax access logs. Even better, they are not affected by changes in IP addresses.
Secure Zookeeper Access
The SearchStax API includes a rich set of methods for remote configuration and management of SearchStax Solr deployments. One small part of that is a set of five secure Zookeeper methods:
- list: Returns a list of named configurations from a Zookeeper ensemble.
- create: Creates/uploads a configset to the Zookeeper ensemble.
- read: Returns a list of config files from a configuration in the Zookeeper ensemble.
- delete: Deletes a configset from the Zookeeper ensemble.
- download: Downloads a configset from the Zookeeper ensemble.
Your API Key authorizes these actions on each of the associated deployments. Each link leads to full syntax and examples in both Bash and PowerShell.
Ask Us for an API Key
An API Key is a persistant authorization key that gives you access to one or more specific deployments. The key itself is a long string of random-looking characters. One API Key can cover multiple deployments in the same account. Each deployment may be associated with only one API Key.
You can use the SearchStax API to generate your own API Key, but that is an involved process. To save you time, SearchStax Support will be happy to create an API Key for you:
- Make a list of the deployments you’d like to access with your API Key. Use the deployment ID numbers (ss123456) to identify the deployments.
- Contact SearchStax Support. Give us the list of deployments.