Configuring SolrCloud for Kerberos

« Prev

	Note
	Beginning with Ambari-2.4.0.0 and HDP-2.5.0, Ranger uses the Ambari Infra SolrCloud instance by default. Therefore, this procedure is only necessary for earlier versions, or if you are setting up additional SolrCloud instances.

	Note
	SolrCloud with Kerberos requires Apache ZooKeeper and MIT Kerberos. You should also review the other SolrCloud Prerequisites.

Use the following steps to configure SolrCloud for Kerberos.

Configure Kerberos for SolrCloud

Use the following procedure to configure Kerberos for SolrCloud.

Create a principal "solr" in your KDC. You can make it host-specific or headless.

kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc -randkey solr@EXAMPLE.COM
WARNING: no policy specified for solr@EXAMPLE.COM; defaulting to no policy
Principal "solr@EXAMPLE.COM" created.
kadmin.local:  xst -k solr.service.keytab solr@EXAMPLE.COM
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:solr.service.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:solr.service.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:solr.service.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:solr.service.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:solr.service.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:solr.service.keytab.
kadmin.local:  quit

The example above creates a headless keytab for the "solr" service user. You should create one keytab per host. You should also create a principal for each host on which Solr is running. Use the procedure shown above, but use the principal name with the host. For example:

kadmin.local:  addprinc -randkey solr/<SOLR_HOST_NAME>@EXAMPLE.COM

You will also need another keytab for Spnego. This is used by Solr to authenticate HTTP requests. Follow the process shown above, but replace "solr" with "HTTP". For example:

kadmin.local
kadmin.local:  addprinc -randkey HTTP@EXAMPLE.COM
kadmin.local:  xst -k HTTP.keytab HTTP@EXAMPLE.COM
kadmin.local:  quit

After the keytabs are created, run the following commands to copy them to all of the hosts running Solr, chown to "solr", and chmod to 400.
```
mkdir -p /opt/solr/conf
#scp both the keytab files to the above folder
chown solr:solr /opt/solr/conf/solr.service.keytab
usermod -a -G hadoop solr
chmod 400 /opt/solr/conf/solr.service.keytab
chown solr:solr /opt/solr/conf/HTTP.keytab
chmod 400 /opt/solr/conf/HTTP.keytab
```
Note
The usermod -a -G hadoop solr command is required if you are using the HTTP (Spnego) keytab that is generated by Ambari.

Configure SolrCloud for Kerberos

Use the following procedure to configure SolrCloud for Kerberos.

Run the following commands:
```
cd /opt/solr
mkdir /opt/solr/conf
```

Create a new JAAS file in the /opt/solr/conf directory:

vi /opt/solr/conf/solr_jaas.conf

Add the following lines to the solr_jaas.conf file, but replace the REALM name @EXAMPLE.COM with your REALM.

Client {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/opt/solr/conf/solr.service.keytab"
       storeKey=true
       useTicketCache=true
       debug=true
       principal="solr@EXAMPLE.COM";
};

Copy the solr_jaas.conf file to all of the hosts on which Solr is running.

Edit the solr.in.sh file in the <SOLR_INSTALL_HOME>/bin/ directory:

vi $SOLR_INSTALL_HOME/ranger_audit_server/scripts/solr.in.sh

Add the following lines at the end of the solr.in.sh file:

SOLR_JAAS_FILE=/opt/solr/conf/solr_jaas.conf
SOLR_HOST=`hostname -f`
ZK_HOST="$ZK_HOST1:2181,$ZK_HOST2:2181,$ZK_HOST3:2181/ranger_audits" 
KERBEROS_REALM="EXAMPLE.COM"
SOLR_KEYTAB=/opt/solr/conf/solr.service.keytab
SOLR_KERB_PRINCIPAL=HTTP@${KERBEROS_REALM}
SOLR_KERB_KEYTAB=/opt/solr/conf/HTTP.keytab
SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin
 -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL}
 -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST} -Dhost=${SOLR_HOST}
 -Dsolr.kerberos.name.rules=DEFAULT"

Copy the solr.in.sh file to all of the hosts on which Solr is running.

Run the following command to enable Kerberos as the authentication scheme by updating the security.json file in ZooKeeper.

$SOLR_INSTALL_HOME/server/scripts/cloud-scripts/zkcli.sh -zkhost  $ZK_HOST:2181 -cmd put /ranger_audits/security.json '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}'

Run the following commands to restart Solr on all hosts.

/opt/solr/ranger_audit_server/scripts/stop_solr.sh
/opt/solr/ranger_audit_server/scripts/start_solr.sh

On the Ambari dashboard, select Ranger > Configs > Ranger Audit, then enable External SolrCloud Kerberos by clicking the OFF button. The button label changes to ON when External SolrCloud Kerberos is enabled.
Click Save, then restart Ranger and all required services.

Connecting to Kerberos-enabled SolrCloud

To connect to Kerberos-enabled Solr from your local machine:

On both Linux and Mac, copy the /etc/krb5.conf file from the Solr host to your local /etc/krb5.conf. If you already have a local /etc/krb5.conf file, merge the two files.
Log in to the KDC host as root and run the following commands to create a KDC user:
```
kadmin.local
kadmin.local: addprinc $USERNAME@EXAMPLE.COM
kadmin.local: quit 
```
Run the following command on your local machine.
```
kinit $USERNAME@EXAMPLE.COM
```
You can now use a browser to connect to the Solr URL.

	Note
	The usermod -a -G hadoop solr command is required if you are using the HTTP (Spnego) keytab that is generated by Ambari.