Solr Authentication

This section describes how to configure Solr to enable authentication.

When authentication is enabled, only specified hosts and users can connect to Solr. Authentication also verifies that clients connect to legitimate servers. This feature prevents spoofing such as impersonation and man-in-the-middle attacks. Search supports Kerberos and LDAP authentication.

Cloudera Search supports a variety of combinations of authentication protocols:

Authentication Protocol Combinations (Solr authentication and its use case):

  • No authentication: Insecure cluster.
  • Kerberos only: The Hadoop cluster has Kerberos turned on and every user (or client) connecting to Solr has a Kerberos principal.
  • Kerberos and LDAP: The Hadoop cluster has Kerberos turned on. External Solr users (or clients) do not have Kerberos principals but do have identities in the LDAP server. Client authentication using LDAP requires that Kerberos is enabled for the cluster. Using LDAP alone is not supported.

Once you are finished setting up authentication, configure Sentry authorization. Authorization involves specifying which resources can be accessed by particular users when they connect through Search. See Configuring Sentry Authorization for Cloudera Search for details.

Enabling Kerberos Authentication for Solr

Solr supports Kerberos authentication. All necessary packages are installed when you install Search. To enable Kerberos, create principals and keytabs and then modify default configurations.

The following instructions apply only to configuring Kerberos in an unmanaged environment. If you are using Cloudera Manager, it handles the Kerberos configuration automatically.

To create principals and keytabs

Repeat this process on all Solr server hosts.

  1. Create a Solr service user principal using the syntax solr/<fully.qualified.domain.name>@<YOUR-REALM>, where fully.qualified.domain.name is the host where the Solr server is running and YOUR-REALM is the name of your Kerberos realm. This principal is used to authenticate with the Hadoop cluster.
    $ kadmin
    kadmin: addprinc -randkey solr/fully.qualified.domain.name@YOUR-REALM.COM
  2. Create an HTTP service user principal using the syntax HTTP/<fully.qualified.domain.name>@<YOUR-REALM>, where fully.qualified.domain.name is the host where the Solr server is running and YOUR-REALM is the name of your Kerberos realm. This principal is used to authenticate user requests coming to the Solr web services.
    kadmin: addprinc -randkey HTTP/fully.qualified.domain.name@YOUR-REALM.COM
  3. Create keytab files with both principals.
    kadmin: xst -norandkey -k solr.keytab solr/fully.qualified.domain.name \
    HTTP/fully.qualified.domain.name
  4. Test that credentials in the merged keytab file work. For example:
    $ klist -e -k -t solr.keytab
  5. Copy the solr.keytab file to the Solr configuration directory. The owner of the solr.keytab file should be the solr user and the file should have owner-only read permissions.
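As an added example that is not part of this documentation, the following POSIX shell functions check the keytab ownership and permissions that step 5 requires and list the keytab's entries; they assume GNU stat and that the expected owner (normally the solr user) exists on the host.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation: verify that a Solr
# keytab is owned by the expected user (normally "solr") and is readable only by
# that owner, as step 5 requires, then list its entries with klist. Path and
# owner are arguments; the function returns 0 only when both checks pass.
check_keytab_perms() {
  keytab=$1
  expected_owner=$2
  [ -f "$keytab" ] || { echo "missing keytab: $keytab" >&2; return 1; }
  expected_uid=$(id -u "$expected_owner" 2>/dev/null) \
    || { echo "no such user: $expected_owner" >&2; return 1; }
  # GNU stat: %u = numeric owner, %a = permission bits in octal.
  owner_uid=$(stat -c '%u' "$keytab") || return 1
  mode=$(stat -c '%a' "$keytab") || return 1
  if [ "$owner_uid" != "$expected_uid" ]; then
    echo "$keytab: owner uid $owner_uid, expected $expected_owner ($expected_uid)" >&2
    return 1
  fi
  # Owner-only read (0400) is what the docs ask for; 0600 is also owner-only.
  case "$mode" in
    400|600) return 0 ;;
    *) echo "$keytab: mode $mode is not owner-only (expected 400 or 600)" >&2; return 1 ;;
  esac
}

# Show the principals and encryption types in the keytab (the solr/ and HTTP/
# entries created above are expected). Skipped when klist is not installed.
list_keytab_principals() {
  command -v klist >/dev/null 2>&1 || { echo "klist not installed; skipping" >&2; return 0; }
  klist -e -k -t "$1"
}

# Typical use on a Solr host, with the path from the documentation:
#   check_keytab_perms /etc/solr/conf/solr.keytab solr \
#     && list_keytab_principals /etc/solr/conf/solr.keytab
```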

To modify default configurations

Repeat this process on all Solr server hosts.

  1. Ensure that the following properties appear, uncommented, in /etc/default/solr or /opt/cloudera/parcels/CDH-*/etc/default/solr, and modify their values to match your environment:
    SOLR_AUTHENTICATION_TYPE=kerberos
    SOLR_AUTHENTICATION_SIMPLE_ALLOW_ANON=true
    SOLR_AUTHENTICATION_KERBEROS_KEYTAB=/etc/solr/conf/solr.keytab
    SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL=HTTP/localhost@LOCALHOST
    SOLR_AUTHENTICATION_KERBEROS_NAME_RULES=DEFAULT
    SOLR_AUTHENTICATION_JAAS_CONF=/etc/solr/conf/jaas.conf
  2. Set hadoop.security.auth_to_local to match the value specified by SOLR_AUTHENTICATION_KERBEROS_NAME_RULES in /etc/default/solr or /opt/cloudera/parcels/CDH-*/etc/default/solr.
  3. If using applications that use the solrj library, set up the Java Authentication and Authorization Service (JAAS).
    1. Create a jaas.conf file in the Solr configuration directory containing the following settings. This file and its location must match the SOLR_AUTHENTICATION_JAAS_CONF value. Make sure that you substitute a value for principal that matches your particular environment.
      Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        useTicketCache=false
        keyTab="/etc/solr/conf/solr.keytab"
        principal="solr/fully.qualified.domain.name@<YOUR-REALM>";
      };

Enabling LDAP Authentication for Solr

Before continuing, make sure that you have completed the steps in Enabling Kerberos Authentication for Solr. Solr supports LDAP authentication for external Solr clients, including:

  • Command-line tools
  • curl
  • Web browsers
  • Solr Java clients

In some cases, Solr does not support LDAP authentication. Use Kerberos authentication instead in these cases. Solr does not support LDAP authentication with:

  • Search indexing components including the MapReduce indexer, Lily HBase indexer, or Flume.
  • Solr internal requests such as those for replication or querying.
  • Hadoop delegation token management requests such as GETDELEGATIONTOKEN or RENEWDELEGATIONTOKEN.

Configuring LDAP Authentication for Solr using Cloudera Manager

You can configure LDAP-based authentication using Cloudera Manager at the Solr service level.

  1. Go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > Solr.
  4. Select Category > Security.
  5. Select Enable LDAP.
  6. Enter the LDAP URI in the LDAP URI property.
  7. Configure only one of following mutually exclusive parameters:
    • LDAP BaseDN: Replaces the username with a "distinguished name" (DN) of the form: uid=userid,ldap_baseDN. Typically used for OpenLDAP server installation.

    -OR-

    • Active Directory Domain: Replaces the username with a string username@ldap_domain. Typically used for Active Directory server installation.

Configuring LDAP Authentication for Solr Using the Command Line

To enable LDAP authentication using the command line, configure the following environment variables in /etc/default/solr:

SOLR_AUTHENTICATION_HTTP_SCHEMES=Negotiate,Basic
SOLR_AUTHENTICATION_HTTP_DELEGATION_MGMT_SCHEMES=Negotiate
SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER=ldap
SOLR_AUTHENTICATION_HTTP_NEGOTIATE_HANDLER=kerberos
SOLR_AUTHENTICATION_LDAP_PROVIDER_URL=ldap://www.example.com

# Specify value for only one of SOLR_AUTHENTICATION_LDAP_BASE_DN or SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN property.
SOLR_AUTHENTICATION_LDAP_BASE_DN=ou=Users,dc=example,dc=com
# SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN=
# Required when using the 'Start TLS' extension
# SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=false

Securing LDAP Connections

You can protect LDAP credentials in transit by encrypting the connections involved.

To avoid sending credentials over the wire in clear-text, you must configure a secure connection between both the client and Solr, and between Solr and the LDAP server. The secure connection could use SSL or TLS.

Secure LDAP connections through SSL:

For SSL-enabled LDAP connections, specify a prefix of ldaps:// instead of ldap://. Also, the default port for SSL-enabled LDAP connections is 636 instead of 389.

Secure LDAP connections through TLS:

TLS, the successor to the SSL protocol, is supported by most modern LDAP servers. Unlike SSL connections, TLS connections can be made on the same server port as non-TLS connections. You can enable TLS for LDAP connections using Cloudera Manager.

  1. Go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > Solr.
  4. Select Category > Security.
  5. Select Enable LDAP TLS.
  6. Import the LDAP server security certificate in the Solr Trust Store file:
    1. Enter the location for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store File.
    2. Enter the password for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store Password.
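As an added example (not Cloudera's code), this POSIX shell check reads the LDAP settings from an /etc/default/solr style file and reports whether username/password (Basic) authentication would carry LDAP credentials to the directory in clear text; it assumes the KEY=value format shown in the command-line section and treats an ldaps:// URL or StartTLS on an ldap:// URL as acceptable.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation: inspect the LDAP
# settings in an /etc/default/solr style file and fail when Solr would bind to
# the LDAP server over an unencrypted connection. Passes when the Basic scheme is
# not enabled, when the provider URL is ldaps://, or when StartTLS is enabled.

# Read the last uncommented KEY=value line for KEY ($2) from file $1.
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

check_ldap_transport() {
  conf=$1
  schemes=$(env_value "$conf" SOLR_AUTHENTICATION_HTTP_SCHEMES)
  url=$(env_value "$conf" SOLR_AUTHENTICATION_LDAP_PROVIDER_URL)
  start_tls=$(env_value "$conf" SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS)

  # Only the Basic scheme makes Solr forward a password to LDAP.
  case ",$schemes," in
    *,Basic,*) ;;
    *) echo "Basic scheme not enabled in '$schemes'; Solr performs no LDAP bind"; return 0 ;;
  esac
  case "$url" in
    ldaps://*) echo "ok: LDAP over SSL ($url, default port 636)"; return 0 ;;
    ldap://*)
      if [ "$start_tls" = "true" ]; then
        echo "ok: StartTLS enabled on $url"; return 0
      fi
      echo "WARNING: $url without StartTLS sends LDAP credentials in clear text" >&2
      return 1 ;;
    *) echo "WARNING: missing or unrecognised LDAP provider URL: '$url'" >&2; return 1 ;;
  esac
}

# Constructed sample mirroring the command-line settings above: plain ldap://
# with StartTLS left commented out, so the check is expected to warn.
demo() {
  f=$(mktemp)
  printf '%s\n' 'SOLR_AUTHENTICATION_HTTP_SCHEMES=Negotiate,Basic' \
    'SOLR_AUTHENTICATION_LDAP_PROVIDER_URL=ldap://www.example.com' \
    '# SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=false' > "$f"
  check_ldap_transport "$f" && rc=0 || rc=$?
  rm -f "$f"
  return $rc
}
```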

LDAP Client Configuration

Some HTTP clients such as curl or the Apache Http Java client must be configured to use a particular scheme. For example:

  • The curl tool supports Kerberos or username/password authentication. Kerberos is activated using the --negotiate flag, and username/password authentication is activated using the --basic and -u flags.
  • The Apache HttpClient library can be configured to use a specific authentication scheme. For more information, see the HTTP authentication chapter of Apache's HttpClient Tutorial.

Typically, web browsers automatically choose a preferred authentication scheme. For more information, see the HTTP authentication topic in The Chromium Projects.

To use LDAP authentication with Solr Java clients, an HttpClientConfigurer needs to be configured for Solr. This can be done either programmatically or using Java system properties.

For example, programmatic initialization might appear as:

SampleSolrClient.java

import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer;
import org.apache.solr.common.params.ModifiableSolrParams;

public class SampleSolrClient {
  /**
   * Initializes the Solr client to use LDAP (HTTP Basic) authentication.
   * This configuration applies to all Solr clients created in this JVM.
   * @param ldapUserName LDAP user name
   * @param ldapPassword LDAP user password
   */
  public static void initialize(String ldapUserName, String ldapPassword) {
    // Install the configurer that adds preemptive Basic credentials to every request.
    HttpClientUtil.setConfigurer(new PreemptiveBasicAuthConfigurer());
    ModifiableSolrParams params = new ModifiableSolrParams();
    params.set(HttpClientUtil.PROP_BASIC_AUTH_USER, ldapUserName);
    params.set(HttpClientUtil.PROP_BASIC_AUTH_PASS, ldapPassword);
    // Configure the JVM default parameters.
    PreemptiveBasicAuthConfigurer.setDefaultSolrParams(params);
  }
}

For configuration using system properties, configure the following system properties:

System properties configuration for LDAP authentication:

  • solr.httpclient.configurer: Fully qualified class name of the HttpClientConfigurer implementation. For example, org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer.
  • solr.httpclient.config: Path to the HTTP client configuration properties file. For example, ldap-credentials.properties.

For example, the entry in ldap-credentials.properties might appear as:

ldap-credentials.properties

httpBasicAuthUser=user1
httpBasicAuthPassword=passwd