Managing Auditing

Configure Kerberos for SolrCloud

How to configure Kerberos for SolrCloud.

  1. Create a principal "solr" in your KDC. You can make it host-specific or headless.
  2. Log in as the root user to the KDC server and create the keytabs for users "solr" and HTTP.
    kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local:  addprinc -randkey solr@EXAMPLE.COM
    WARNING: no policy specified for solr@EXAMPLE.COM; defaulting to no policy
    Principal "solr@EXAMPLE.COM" created.
    kadmin.local:  xst -k solr.service.keytab solr@EXAMPLE.COM
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:solr.service.keytab.
    Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:solr.service.keytab.
    kadmin.local:  quit
    The example above creates a headless keytab for the "solr" service user. You should create one keytab per host. You should also create a principal for each host on which Solr is running. Use the procedure shown above, but include the host name in the principal name. For example:
    kadmin.local:  addprinc -randkey solr/<SOLR_HOST_NAME>@EXAMPLE.COM
    You will also need another keytab for SPNEGO, which Solr uses to authenticate HTTP requests. Follow the process shown above, but replace "solr" with "HTTP". For example:
    kadmin.local
    kadmin.local:  addprinc -randkey HTTP@EXAMPLE.COM
    kadmin.local:  xst -k HTTP.keytab HTTP@EXAMPLE.COM
    kadmin.local:  quit
  3. After the keytabs are created, run the following commands to copy them to all of the hosts running Solr, chown to "solr", and chmod to 400.
    mkdir -p /opt/solr/conf
    # scp both keytab files to the above folder
    chown solr:solr /opt/solr/conf/solr.service.keytab
    usermod -a -G hadoop solr
    chmod 400 /opt/solr/conf/solr.service.keytab
    chown solr:solr /opt/solr/conf/HTTP.keytab
    chmod 400 /opt/solr/conf/HTTP.keytab
    Note

    The usermod -a -G hadoop solr command is required if you are using the HTTP (SPNEGO) keytab that is generated by Ambari.
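
An added check, not part of the original guide: after step 3, this script confirms that each keytab is mode 400 and owned by "solr", and flags keytab entries that use the legacy DES, 3DES and RC4 encryption types seen in the xst output of step 2. The function names, the weak-enctype list and the sample klist output are assumptions made for this example; it assumes MIT `klist` printing short enctype names and GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the original guide): audit keytabs after step 3.

# Enctypes treated as weak here: single DES, 3DES and RC4, all of which
# appear in the xst output of step 2.
WEAK_ENCTYPES='des-cbc-md5|des-cbc-crc|des-hmac-sha1|des3-cbc-sha1|arcfour-hmac'

# Constructed sample of `klist -kte` output (assumed MIT format, short names).
SAMPLE_KLIST='Keytab name: FILE:solr.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 01/01/2024 10:00:00 solr@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 10:00:00 solr@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/01/2024 10:00:00 solr@EXAMPLE.COM (des3-cbc-sha1)
   2 01/01/2024 10:00:00 solr@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   2 01/01/2024 10:00:00 solr@EXAMPLE.COM (des-cbc-md5)'

# Reads `klist -kte` output on stdin, prints "principal enctype" for each
# weak entry, and returns 1 if any weak entry was found.
weak_keytab_entries() {
  awk -v weak="$WEAK_ENCTYPES" '
    $1 ~ /^[0-9]+$/ && $NF ~ ("(" weak ")") {
      et = $NF; gsub(/[()]/, "", et); sub(/^DEPRECATED:/, "", et)
      print $(NF-1), et; found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Succeeds only if the keytab is mode 400 and owned by the expected user
# (default "solr", as in step 3). Uses GNU stat, so assumes a Linux host.
keytab_perms_ok() {
  [ "$(stat -c '%a %U' "$1" 2>/dev/null)" = "400 ${2:-solr}" ]
}

# Audit every keytab path given as an argument; no arguments, no output.
audit_keytabs() {
  for kt in "$@"; do
    keytab_perms_ok "$kt" || echo "PERMS: $kt is not mode 400 owned by solr"
    klist -kte "$kt" | weak_keytab_entries | sed "s|^|WEAK: $kt |"
  done
}

# e.g. sh audit_keytabs.sh /opt/solr/conf/solr.service.keytab /opt/solr/conf/HTTP.keytab
audit_keytabs "$@"
```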