This is the documentation for Cloudera 5.2.x.

Search Authentication

This section describes how to configure Search in CDH 5 to enable Kerberos security and Sentry.

Configuring Search to Use Kerberos

Cloudera Search supports Kerberos authentication. All necessary packages are installed when you install Search. To enable Kerberos, create principals and keytabs and then modify default configurations.

The following instructions only apply to configuring Kerberos in an unmanaged environment. Kerberos configuration is automatically handled by Cloudera Manager if you are using Search in a Cloudera Manager environment.

To create principals and keytabs

Repeat this process on all Solr server hosts.

  1. Create a Solr service user principal using the syntax: solr/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate with the Hadoop cluster. In this syntax, fully.qualified.domain.name is the host where the Solr server is running and YOUR-REALM is the name of your Kerberos realm.
    $ kadmin
    kadmin: addprinc -randkey solr/fully.qualified.domain.name@YOUR-REALM.COM
  2. Create an HTTP service user principal using the syntax: HTTP/<fully.qualified.domain.name>@<YOUR-REALM>. This principal is used to authenticate user requests coming to the Solr web services. In this syntax, fully.qualified.domain.name is the host where the Solr server is running and YOUR-REALM is the name of your Kerberos realm.
    kadmin: addprinc -randkey HTTP/fully.qualified.domain.name@YOUR-REALM.COM
      Note: The HTTP/ component of the HTTP service user principal must be upper case as shown in the syntax and example above.

  3. Create keytab files with both principals.
    kadmin: xst -norandkey -k solr.keytab solr/fully.qualified.domain.name \
    HTTP/fully.qualified.domain.name
  4. Test that credentials in the merged keytab file work. For example:
    $ klist -e -k -t solr.keytab
  5. Copy the solr.keytab file to the Solr configuration directory. The owner of the solr.keytab file should be the solr user and the file should have owner-only read permissions.
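
A check for steps 4 and 5, as an added example that is not part of the Cloudera documentation: it confirms that a keytab listing holds both principals with the upper-case HTTP/ component, and that the keytab file is owner-read-only. The function names, the host search01.example.com and the realm EXAMPLE.COM are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Cloudera's code): verify the merged keytab from steps 3-5.

# Constructed sample of `klist -k` output in which the HTTP principal was
# created with a lower-case service name.
SAMPLE_KLIST='Keytab name: FILE:solr.keytab
KVNO Principal
---- ---------------------------------------------------------------
   2 solr/search01.example.com@EXAMPLE.COM
   2 http/search01.example.com@EXAMPLE.COM'

# missing_principals FQDN REALM
# Reads `klist -k` (or `klist -e -k -t`) output on stdin and prints each
# required principal that is absent. The comparison is case-sensitive, so
# http/... does not satisfy the HTTP/... requirement.
missing_principals() (
    fqdn=$1; realm=$2
    listing=$(cat)
    for p in "solr/${fqdn}@${realm}" "HTTP/${fqdn}@${realm}"; do
        # Compare against every field so timestamp/enctype columns are ignored.
        printf '%s\n' "$listing" |
            awk -v want="$p" '{ for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
                              END { exit !found }' ||
            printf '%s\n' "$p"
    done
)

# keytab_perms_ok FILE OWNER
# Succeeds only if FILE exists, is owned by OWNER, and has mode exactly 400.
keytab_perms_ok() (
    [ -n "$(find "$1" -prune -perm 400 -user "$2" 2>/dev/null)" ]
)
```

On a Solr host this would be run as `klist -k /etc/solr/conf/solr.keytab | missing_principals "$(hostname -f)" YOUR-REALM.COM` followed by `keytab_perms_ok /etc/solr/conf/solr.keytab solr`.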

To modify default configurations

Repeat this process on all Solr server hosts.

  1. Ensure that the following properties appear in /etc/default/solr and that they are uncommented. Modify these properties to match your environment. The relevant properties to be uncommented and modified are:
    SOLR_AUTHENTICATION_TYPE=kerberos
    SOLR_AUTHENTICATION_SIMPLE_ALLOW_ANON=true
    SOLR_AUTHENTICATION_KERBEROS_KEYTAB=/etc/solr/conf/solr.keytab
    SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL=HTTP/localhost@LOCALHOST
    SOLR_AUTHENTICATION_KERBEROS_NAME_RULES=DEFAULT
    SOLR_AUTHENTICATION_JAAS_CONF=/etc/solr/conf/jaas.conf
      Note: Modify the values for these properties to match your environment. For example, the SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL=HTTP/localhost@LOCALHOST must include the principal instance and Kerberos realm for your environment. That is often different from localhost@LOCALHOST.
  2. Set hadoop.security.auth_to_local to match the value specified by SOLR_AUTHENTICATION_KERBEROS_NAME_RULES in /etc/default/solr.
      Note: For information on how to configure the rules, see Configuring the Mapping from Kerberos Principals to Short Names. For additional information on using Solr with HDFS, see Configuring Solr for Use with HDFS.
  3. If using applications that use the solrj library, set up the Java Authentication and Authorization Service (JAAS).
    1. Create a jaas.conf file in the Solr configuration directory containing the following settings. This file and its location must match the SOLR_AUTHENTICATION_JAAS_CONF value. Make sure that you substitute a value for principal that matches your particular environment.
      Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        useTicketCache=false
        keyTab="/etc/solr/conf/solr.keytab"
        principal="solr/fully.qualified.domain.name@<YOUR-REALM>";
      };
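
A lint for the settings in step 1, as an added example that is not part of the Cloudera documentation: it reports properties that are still commented out and a principal left at the default value or missing the upper-case HTTP/ component. The function names and the sample content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Cloudera's code): lint the Kerberos properties from step 1.
# The file is parsed as text and never sourced, so nothing in it is executed.

# Constructed sample: principal left at the default, JAAS line still commented.
SAMPLE_SOLR_DEFAULTS='SOLR_AUTHENTICATION_TYPE=kerberos
SOLR_AUTHENTICATION_SIMPLE_ALLOW_ANON=true
SOLR_AUTHENTICATION_KERBEROS_KEYTAB=/etc/solr/conf/solr.keytab
SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL=HTTP/localhost@LOCALHOST
SOLR_AUTHENTICATION_KERBEROS_NAME_RULES=DEFAULT
#SOLR_AUTHENTICATION_JAAS_CONF=/etc/solr/conf/jaas.conf'

# get_setting KEY: print the value of the last uncommented KEY=... line on stdin.
get_setting() (
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key "=") == 1 {
            val = substr(line, length(key) + 2)
            gsub(/^"|"$/, "", val)
        }
        END { print val }'
)

# lint_solr_kerberos: reads /etc/default/solr content on stdin and prints one
# finding per line; no output means every check passed.
lint_solr_kerberos() (
    conf=$(cat)
    for key in TYPE SIMPLE_ALLOW_ANON KERBEROS_KEYTAB KERBEROS_PRINCIPAL \
               KERBEROS_NAME_RULES JAAS_CONF; do
        [ -n "$(printf '%s\n' "$conf" | get_setting "SOLR_AUTHENTICATION_$key")" ] ||
            echo "unset: SOLR_AUTHENTICATION_$key"
    done
    auth=$(printf '%s\n' "$conf" | get_setting SOLR_AUTHENTICATION_TYPE)
    [ "$auth" = kerberos ] || echo "type: expected kerberos, got '${auth}'"
    princ=$(printf '%s\n' "$conf" | get_setting SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL)
    case $princ in
        HTTP/localhost@LOCALHOST)
            echo "principal: still the default HTTP/localhost@LOCALHOST" ;;
        HTTP/?*@?*) : ;;
        *) echo "principal: expected HTTP/<host>@<REALM> with upper-case HTTP" ;;
    esac
)
```

On a Solr host, run it as `lint_solr_kerberos < /etc/default/solr`.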

Using Kerberos

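The process of enabling Solr clients to authenticate with a secure Solr is specific to the client. This section demonstrates:

  • Using Kerberos and curl
  • Using solrctl
  • Configuring SolrJ Library Usage
  • Configuring Flume Morphline Solr Sink Usage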

Secure Solr requires that the CDH components that it interacts with are also secure. Secure Solr interacts with HDFS, ZooKeeper and optionally HBase, MapReduce, and Flume. See Cloudera Security or the CDH 4 Security Guide for more information.

Using Kerberos and curl

You can use Kerberos authentication with clients such as curl. To use curl, begin by acquiring valid Kerberos credentials and then execute the desired command. For example, you might use commands similar to the following:

$ kinit -kt username.keytab username
$ curl --negotiate -u foo:bar http://solrserver:8983/solr/
  Note: Depending on the tool used to connect, additional arguments may be required. For example, with curl, --negotiate and -u are required. The username and password specified with -u are not actually checked because Kerberos is used. As a result, any value such as foo:bar or even just : is acceptable. While any value can be provided for -u, note that the option is required. Omitting -u results in a 401 Unauthorized error, even though the -u value is not actually used.

Using solrctl

If you are using solrctl to manage your deployment in an environment that requires Kerberos authentication, you must have valid Kerberos credentials, which you can get using kinit. For more information on solrctl, see Solrctl Reference.

Configuring SolrJ Library Usage

If using applications that use the solrj library, begin by establishing a Java Authentication and Authorization Service (JAAS) configuration file.

Create a JAAS file:

  • If you have already used kinit to get credentials, you can have the client use those credentials. In such a case, modify your jaas-client.conf file to appear as follows:
    Client {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=false
     useTicketCache=true
     principal="user/fully.qualified.domain.name@<YOUR-REALM>";
    };
    where user/fully.qualified.domain.name@<YOUR-REALM> is replaced with your credentials.
  • If you want the client application to authenticate using a keytab you specify, modify your jaas-client.conf file to appear as follows:
    Client {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     keyTab="/path/to/keytab/user.keytab"
     storeKey=true
     useTicketCache=false
     principal="user/fully.qualified.domain.name@<YOUR-REALM>";
    };
    where /path/to/keytab/user.keytab is the keytab file you wish to use and user/fully.qualified.domain.name@<YOUR-REALM> is the principal in that keytab you wish to use.

Use the JAAS file to enable solutions:

  • Command line solutions
    Set the property when invoking the program. For example, if you were using a jar, you might use:
    java -Djava.security.auth.login.config=/home/user/jaas-client.conf -jar app.jar
  • Java applications
    Set the Java system property java.security.auth.login.config. For example, if the JAAS configuration file is located on the filesystem as /home/user/jaas-client.conf, the Java system property java.security.auth.login.config must be set to point to this file. Setting a Java system property can be done programmatically, for example using a call such as:
    System.setProperty("java.security.auth.login.config", "/home/user/jaas-client.conf");
  • The MapReduceIndexerTool
    The MapReduceIndexerTool uses SolrJ to pass the JAAS configuration file. Using the MapReduceIndexerTool in a secure environment requires the use of the HADOOP_OPTS variable to specify the JAAS configuration file. For example, you might issue a command such as the following:
    HADOOP_OPTS="-Djava.security.auth.login.config=/home/user/jaas.conf" \
    hadoop jar MapReduceIndexerTool
  • Configuring the hbase-indexer CLI

    Certain hbase-indexer CLI commands such as replication-status attempt to read ZooKeeper hosts owned by HBase. To successfully use these commands in Search for CDH 5 in a secure environment, specify a JAAS configuration file with the HBase principal in the HBASE_INDEXER_OPTS environment variable. For example, you might issue a command such as the following:

    HBASE_INDEXER_OPTS="-Djava.security.auth.login.config=/home/user/hbase-jaas.conf" \
    hbase-indexer replication-status

Configuring Flume Morphline Solr Sink Usage

Repeat this process on all Flume hosts:

  1. If you have not created a keytab file, do so now at /etc/flume-ng/conf/flume.keytab. This file should contain the service principal flume/<fully.qualified.domain.name>@<YOUR-REALM>. See the CDH 5 Security Guide for more information.
  2. Create a JAAS configuration file for flume at /etc/flume-ng/conf/jaas-client.conf. The file should appear as follows:
    Client {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     useTicketCache=false
     keyTab="/etc/flume-ng/conf/flume.keytab"
     principal="flume/<fully.qualified.domain.name>@<YOUR-REALM>";
    };
  3. Add the flume JAAS configuration to the JAVA_OPTS in /etc/flume-ng/conf/flume-env.sh. For example, you might change:
    JAVA_OPTS="-Xmx500m"
    to:
    JAVA_OPTS="-Xmx500m -Djava.security.auth.login.config=/etc/flume-ng/conf/jaas-client.conf"