Solr Authentication
This section describes how to configure Solr to enable authentication.
When authentication is enabled, only specified hosts and users can connect to Solr. Authentication also verifies that clients connect to legitimate servers. This feature prevents spoofing such as impersonation and man-in-the-middle attacks. Search supports Kerberos and LDAP authentication.
Continue reading:
Solr Authentication | Use Case |
---|---|
No authentication | Insecure cluster |
Kerberos only | The Hadoop cluster has Kerberos turned on and every user (or client) connecting to Solr has a Kerberos principal. |
Kerberos and LDAP | The Hadoop cluster has Kerberos turned on. External Solr users (or clients) do not have a Kerberos principal but do have an identity in the LDAP server. |
Once you are finished setting up authentication, configure Sentry authorization. Authorization involves specifying which resources can be accessed by particular users when they connect through Search. See Configuring Sentry Authorization for Solr for details.
Enabling Kerberos Authentication for Solr
Solr supports Kerberos authentication. All necessary packages are installed when you install Search. To enable Kerberos, create principals and keytabs and then modify default configurations.
The following instructions only apply to configuring Kerberos in an unmanaged environment. If you are using Cloudera Manager, Kerberos configuration is handled automatically.
To create principals and keytabs
Repeat this process on all Solr server hosts.
- Create a Solr service user principal using the syntax solr/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate with the Hadoop cluster. Here, fully.qualified.domain.name is the host where the Solr server is running and YOUR-REALM is the name of your Kerberos realm.

```
$ kadmin
kadmin: addprinc -randkey solr/fully.qualified.domain.name@YOUR-REALM.COM
```

- Create an HTTP service user principal using the syntax HTTP/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate user requests coming to the Solr web services. Again, fully.qualified.domain.name is the host where the Solr server is running and YOUR-REALM is the name of your Kerberos realm.

```
kadmin: addprinc -randkey HTTP/fully.qualified.domain.name@YOUR-REALM.COM
```

Note: The HTTP/ component of the HTTP service user principal must be upper case as shown in the syntax and example above.

- Create keytab files with both principals.

```
kadmin: xst -norandkey -k solr.keytab solr/fully.qualified.domain.name \
    HTTP/fully.qualified.domain.name
```

- Test that the credentials in the merged keytab file work. For example:

```
$ klist -e -k -t solr.keytab
```
- Copy the solr.keytab file to the Solr configuration directory. The owner of the solr.keytab file should be the solr user and the file should have owner-only read permissions.
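As an added check that is not part of the Cloudera documentation, the following bash script verifies the merged keytab produced by the steps above: it reads the output of klist -e -k -t for both the solr/ and HTTP/ principals of the host (upper-case HTTP/ enforced) and confirms the owner-only file permissions. The host name search01.example.com, the realm EXAMPLE.COM and the sample klist output are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloudera documentation: sanity-check the merged
# solr.keytab before starting Solr. Confirms that `klist -e -k -t` lists both the
# solr/ and HTTP/ principals for this host (HTTP/ in upper case) and that the
# file is owned by the solr user with owner-only read permission.

# Return 0 if klist output (arg 2) lists solr/<host>@ and HTTP/<host>@ for host (arg 1).
keytab_has_principals() {
  host="$1"; klist_out="$2"
  printf '%s\n' "$klist_out" | grep -qF -- " solr/${host}@" || return 1
  printf '%s\n' "$klist_out" | grep -qF -- " HTTP/${host}@" || return 1  # case-sensitive on purpose
  return 0
}

# Return 0 if file (arg 1) is owned by user (arg 2) and readable by the owner only.
keytab_perms_ok() {
  file="$1"; owner="$2"
  user=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")   # GNU stat, then BSD stat
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$user" = "$owner" ] || return 1
  case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Run both checks against a real keytab: check_solr_keytab <keytab> <fqdn> [owner]
check_solr_keytab() {
  out=$(klist -e -k -t "$1") || return 1
  keytab_has_principals "$2" "$out" && keytab_perms_ok "$1" "${3:-solr}"
}

# Constructed sample of `klist -e -k -t solr.keytab` output for host search01.example.com.
SAMPLE_KLIST='Keytab name: FILE:solr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 01/01/16 00:00:00 solr/search01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/16 00:00:00 HTTP/search01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

keytab_has_principals search01.example.com "$SAMPLE_KLIST" && echo "sample keytab lists both principals"
```

On a live host, run check_solr_keytab /etc/solr/conf/solr.keytab "$(hostname -f)" as a pre-start check; a lower-case http/ principal or a world-readable keytab makes it return non-zero.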
To modify default configurations
Repeat this process on all Solr server hosts.
- Ensure that the following properties appear in /etc/default/solr or /opt/cloudera/parcels/CDH-*/etc/default/solr and that they are uncommented. Modify these properties to match your environment. The relevant properties to be uncommented and modified are:

```
SOLR_AUTHENTICATION_TYPE=kerberos
SOLR_AUTHENTICATION_SIMPLE_ALLOW_ANON=true
SOLR_AUTHENTICATION_KERBEROS_KEYTAB=/etc/solr/conf/solr.keytab
SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL=HTTP/localhost@LOCALHOST
SOLR_AUTHENTICATION_KERBEROS_NAME_RULES=DEFAULT
SOLR_AUTHENTICATION_JAAS_CONF=/etc/solr/conf/jaas.conf
```

Note: Modify the values for these properties to match your environment. For example, SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL=HTTP/localhost@LOCALHOST must include the principal instance and Kerberos realm for your environment. That is often different from localhost@LOCALHOST.

- Set hadoop.security.auth_to_local to match the value specified by SOLR_AUTHENTICATION_KERBEROS_NAME_RULES in /etc/default/solr or /opt/cloudera/parcels/CDH-*/etc/default/solr.
Note: For information on how to configure the rules, see Configuring the Mapping from Kerberos Principals to Short Names. For additional information on using Solr with HDFS, see Configuring Solr for Use with HDFS.
- If using applications that use the solrj library, set up the Java Authentication and Authorization Service (JAAS).
- Create a jaas.conf file in the Solr configuration directory containing the following settings. This file and its location must match the SOLR_AUTHENTICATION_JAAS_CONF value. Make sure that you substitute a value for principal that matches your particular environment.

```
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=false
  keyTab="/etc/solr/conf/solr.keytab"
  principal="solr/fully.qualified.domain.name@<YOUR-REALM>";
};
```
Enabling LDAP Authentication for Solr
Solr supports LDAP authentication for external Solr clients, including:
- Command-line tools
- curl
- Web browsers
- Solr Java clients
In some cases, Solr does not support LDAP authentication. Use Kerberos authentication instead in these cases. Solr does not support LDAP authentication with:
- Search indexing components including the MapReduce indexer, Lily HBase indexer, or Flume.
- Solr internal requests such as those for replication or querying.
- Hadoop delegation token management requests such as GETDELEGATIONTOKEN or RENEWDELEGATIONTOKEN.
Configuring LDAP Authentication for Solr using Cloudera Manager
You can configure LDAP-based authentication using Cloudera Manager at the Solr service level.
- Go to the Solr service.
- Click the Configuration tab.
- Select
- Select
- Select Enable LDAP.
- Enter the LDAP URI in the LDAP URI property.
- Configure only one of following mutually exclusive parameters:
- LDAP BaseDN: Replaces the username with a "distinguished name" (DN) of the form: uid=userid,ldap_baseDN. Typically used for OpenLDAP server installation.
-OR-
- LDAP Domain: Replaces the username with a string username@ldap_domain. Typically used for Active Directory server installation.
Configuring LDAP Authentication for Solr Using the Command Line
To enable LDAP authentication using the command line, configure the following environment variables in /etc/default/solr:
```
SOLR_AUTHENTICATION_HTTP_SCHEMES=Negotiate,Basic
SOLR_AUTHENTICATION_HTTP_DELEGATION_MGMT_SCHEMES=Negotiate
SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER=ldap
SOLR_AUTHENTICATION_HTTP_NEGOTIATE_HANDLER=kerberos
SOLR_AUTHENTICATION_LDAP_PROVIDER_URL=ldap://www.example.com
# Specify value for only one of SOLR_AUTHENTICATION_LDAP_BASE_DN or SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN property.
SOLR_AUTHENTICATION_LDAP_BASE_DN=ou=Users,dc=example,dc=com
# SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN=
# Required when using 'Start TLS' extension
# SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=false
```
Securing LDAP Connections
You can encrypt the LDAP connections that Solr uses.
To avoid sending credentials over the wire in clear text, you must secure both the connection between the client and Solr and the connection between Solr and the LDAP server. The secure connection can use SSL or TLS.
Secure LDAP connections through SSL:
For SSL-enabled LDAP connections, specify a prefix of ldaps:// instead of ldap://. Also, the default port for SSL-enabled LDAP connections is 636 instead of 389.
Secure LDAP connections through TLS:
TLS, the successor to the SSL protocol, is supported by most modern LDAP servers. Unlike SSL connections, TLS connections can be made on the same server port as non-TLS connections. You can enable LDAP TLS using Cloudera Manager.
- Go to the Solr service.
- Click the Configuration tab.
- Select
- Select
- Select Enable LDAP TLS.
- Import the LDAP server security certificate in the Solr Trust Store file:
- Enter the location for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store File.
- Enter the password for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store Password.
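The command-line LDAP settings above and the clear-text warning in this section can be checked together. The following bash script is an added example, not part of the Cloudera documentation: it reads /etc/default/solr-style settings and flags a Basic scheme backed by the ldap handler whose provider URL is plain ldap:// without Start TLS, the case in which Solr would forward the user's password to the LDAP server unencrypted. The two sample files it writes (the page's own values, and the same values with ldaps://) are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the Cloudera documentation: audit the LDAP transport
# settings in /etc/default/solr. When the Basic scheme is handled by LDAP, the
# provider URL must be ldaps:// or Start TLS must be on, otherwise the LDAP
# password travels in clear text between Solr and the LDAP server.

# Print the value of KEY=value from file (arg 1) for KEY (arg 2); commented lines are ignored.
solr_env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 when LDAP credentials are protected on the wire, 1 when they are not.
ldap_transport_secure() {
  file="$1"
  schemes=$(solr_env_get "$file" SOLR_AUTHENTICATION_HTTP_SCHEMES)
  handler=$(solr_env_get "$file" SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER)
  url=$(solr_env_get "$file" SOLR_AUTHENTICATION_LDAP_PROVIDER_URL)
  starttls=$(solr_env_get "$file" SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS)
  # Only relevant when Basic (username/password) is enabled and backed by LDAP.
  case ",$schemes," in *,Basic,*) ;; *) return 0 ;; esac
  [ "$handler" = "ldap" ] || return 0
  case "$url" in
    ldaps://*) return 0 ;;                               # LDAP over SSL, port 636 by default
    ldap://*)  [ "$starttls" = "true" ] && return 0 ;;   # port 389 is only safe with Start TLS
  esac
  echo "WARNING: $file: Basic auth via $url without ldaps:// or Start TLS" >&2
  return 1
}

# Constructed sample files: the page's example (plain ldap://, Start TLS commented out)
# written to arg 1, and a corrected copy using ldaps:// written to arg 2.
write_samples() {
  printf '%s\n' 'SOLR_AUTHENTICATION_HTTP_SCHEMES=Negotiate,Basic' \
    'SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER=ldap' \
    'SOLR_AUTHENTICATION_LDAP_PROVIDER_URL=ldap://www.example.com' \
    '# SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=false' > "$1"
  sed 's#ldap://#ldaps://#' "$1" > "$2"
}

weak=$(mktemp); fixed=$(mktemp)
write_samples "$weak" "$fixed"
ldap_transport_secure "$weak" || echo "weak config rejected"
ldap_transport_secure "$fixed" && echo "fixed config accepted"
rm -f "$weak" "$fixed"
```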
LDAP Client Configuration
Some HTTP clients such as curl or the Apache Http Java client must be configured to use a particular scheme. For example:
- The curl tool supports either Kerberos or username/password authentication. Kerberos is activated with the --negotiate flag, and username/password authentication with the --basic and -u flags.
- The Apache HttpClient library can be configured to use a specific authentication scheme. For more information, see the HTTP authentication chapter of Apache's HttpClient Tutorial.
Typically, web browsers automatically choose a preferred authentication scheme. For more information, see the HTTP authentication topic in The Chromium Projects.
To use LDAP authentication with Solr Java clients, an HttpClientConfigurer needs to be configured for Solr. This can be done either programmatically or using Java system properties.
For example, programmatic initialization might appear as:
SampleSolrClient.java:

```java
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer;
import org.apache.solr.common.params.ModifiableSolrParams;

public class SampleSolrClient {
  /**
   * This method initializes the Solr client to use LDAP authentication.
   * This configuration is applicable to all Solr clients.
   * @param ldapUserName LDAP user name
   * @param ldapPassword LDAP user password
   */
  public static void initialize(String ldapUserName, String ldapPassword) {
    HttpClientUtil.setConfigurer(new PreemptiveBasicAuthConfigurer());
    ModifiableSolrParams params = new ModifiableSolrParams();
    params.set(HttpClientUtil.PROP_BASIC_AUTH_USER, ldapUserName);
    params.set(HttpClientUtil.PROP_BASIC_AUTH_PASS, ldapPassword);
    // Configure the JVM default parameters.
    PreemptiveBasicAuthConfigurer.setDefaultSolrParams(params);
  }
}
```
For configuration using system properties, configure the following system properties:
System property | Description |
---|---|
solr.httpclient.configurer | Fully qualified classname of HttpClientConfigurer implementation. For example, org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer. |
solr.httpclient.config | Http client configuration properties file path. For example, ldap-credentials.properties. |
For example, the entry in ldap-credentials.properties might appear as:
ldap-credentials.properties:

```
httpBasicAuthUser=user1
httpBasicAuthPassword=passwd
```
©2016 Cloudera, Inc. All rights reserved