Security
Also available as:
PDF
loading table of contents...

Configuring SolrCloud for Kerberos

[Note]Note

Beginning with Ambari-2.4.0.0 and HDP-2.5.0, Ranger uses the Ambari Infra SolrCloud instance by default. Therefore, this procedure is only necessary for earlier versions, or if you are setting up additional SolrCloud instances.

[Note]Note

SolrCloud with Kerberos requires Apache ZooKeeper and MIT Kerberos. You should also review the other SolrCloud Prerequisites.

Use the following steps to configure SolrCloud for Kerberos.

Configure Kerberos for SolrCloud

Use the following procedure to configure Kerberos for SolrCloud.

  1. Create a principal "solr" in your KDC. You can make it host-specific or headless.

  2. Log in as the root user to the KDC server and create the keytabs for users "solr" and HTTP.

    kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local:  addprinc -randkey solr@EXAMPLE.COM
    WARNING: no policy specified for solr@EXAMPLE.COM; defaulting to no policy
    Principal "solr@EXAMPLE.COM" created.
    kadmin.local:  xst -k solr.service.keytab solr@EXAMPLE.COM
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:solr.service.keytab.
    kadmin.local:  quit

    The example above creates a headless keytab for the "solr" service user. You should create one keytab per host. You should also create a principal for each host on which Solr is running. Use the procedure shown above, but use the principal name with the host. For example:

    kadmin.local:  addprinc -randkey solr/<SOLR_HOST_NAME>@EXAMPLE.COM

    You will also need another keytab for Spnego. This is used by Solr to authenticate HTTP requests. Follow the process shown above, but replace "solr" with "HTTP". For example:

    kadmin.local
    kadmin.local:  addprinc -randkey HTTP@EXAMPLE.COM
    kadmin.local:  xst -k HTTP.keytab HTTP@EXAMPLE.COM
    kadmin.local:  quit
  3. After the keytabs are created, run the following commands to copy them to all of the hosts running Solr, chown to "solr", and chmod to 400.

    mkdir -p /opt/solr/conf
    #scp both the keytab files to the above folder
    chown solr:solr /opt/solr/conf/solr.service.keytab
    usermod -a -G hadoop solr
    chmod 400 /opt/solr/conf/solr.service.keytab
    chown solr:solr /opt/solr/conf/HTTP.keytab
    chmod 400 /opt/solr/conf/HTTP.keytab
    [Note]Note

    The usermod -a -G hadoop solr command is required if you are using the HTTP (Spnego) keytab that is generated by Ambari.

Configure SolrCloud for Kerberos

Use the following procedure to configure SolrCloud for Kerberos.

  1. Run the following commands:

    cd /opt/solr
    mkdir /opt/solr/conf
  2. Create a new JAAS file in the /opt/solr/conf directory:

    vi /opt/solr/conf/solr_jaas.conf

    Add the following lines to the solr_jaas.conf file, but replace the REALM name @EXAMPLE.COM with your REALM.

    Client {
           com.sun.security.auth.module.Krb5LoginModule required
           useKeyTab=true
           keyTab="/opt/solr/conf/solr.service.keytab"
           storeKey=true
           useTicketCache=true
           debug=true
           principal="solr@EXAMPLE.COM";
    };
  3. Copy the solr_jaas.conf file to all of the hosts on which Solr is running.

  4. Edit the solr.in.sh file in the <SOLR_INSTALL_HOME>/bin/ directory:

    vi $SOLR_INSTALL_HOME/ranger_audit_server/scripts/solr.in.sh

    Add the following lines at the end of the solr.in.sh file:

    SOLR_JAAS_FILE=/opt/solr/conf/solr_jaas.conf
    SOLR_HOST=`hostname -f`
    ZK_HOST="$ZK_HOST1:2181,$ZK_HOST2:2181,$ZK_HOST3:2181/ranger_audits" 
    KERBEROS_REALM="EXAMPLE.COM"
    SOLR_KEYTAB=/opt/solr/conf/solr.service.keytab
    SOLR_KERB_PRINCIPAL=HTTP@${KERBEROS_REALM}
    SOLR_KERB_KEYTAB=/opt/solr/conf/HTTP.keytab
    SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
    SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin
     -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL}
     -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST} -Dhost=${SOLR_HOST}
     -Dsolr.kerberos.name.rules=DEFAULT"
  5. Copy the solr.in.sh file to all of the hosts on which Solr is running.

  6. Run the following command to enable Kerberos as the authentication scheme by updating the security.json file in ZooKeeper.

    $SOLR_INSTALL_HOME/server/scripts/cloud-scripts/zkcli.sh -zkhost  $ZK_HOST:2181 -cmd put /ranger_audits/security.json '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}'
  7. Run the following commands to restart Solr on all hosts.

    /opt/solr/ranger_audit_server/scripts/stop_solr.sh
    /opt/solr/ranger_audit_server/scripts/start_solr.sh
  8. On the Ambari dashboard, select Ranger > Configs > Ranger Audit, then enable External SolrCloud Kerberos by clicking the OFF button. The button label changes to ON when External SolrCloud Kerberos is enabled.

  9. Click Save, then restart Ranger and all required services.

Connecting to Kerberos-enabled SolrCloud

To connect to Kerberos-enabled Solr from your local machine:

  1. On both Linux and Mac, copy the /etc/krb5.conf file from the Solr host to your local /etc/krb5.conf. If you already have a local /etc/krb5.conf file, merge the two files.

  2. Log in to the KDC host as root and run the following commands to create a KDC user:

    kadmin.local
    kadmin.local: addprinc $USERNAME@EXAMPLE.COM
    kadmin.local: quit 
  3. Run the following command on your local machine.

    kinit $USERNAME@EXAMPLE.COM
  4. You can now use a browser to connect to the Solr URL.