Enabling Solr Clients to Authenticate with a Secure Solr
The process of enabling Solr clients to authenticate with a secure Solr is specific to the client.
- Using Kerberos and curl
- Using solrctl
- Using a
jaas.conf
File -
This enables technologies including:
- Command line solutions
- Java applications
- The MapReduceIndexerTool
Secure Solr requires that the CDP components it interacts with are also secure. Secure Solr interacts with HDFS, ZooKeeper and optionally HBase, MapReduce, and NiFi.
Using Kerberos and curl
You can use Kerberos authentication with clients such as curl
. To use curl
, begin by acquiring valid Kerberos credentials and then run the desired command. For example, you might use commands similar to the following:
$ kinit -kt username.keytab username
$ curl --negotiate -u foo:bar http://solrserver:8983/solr/
Using solrctl
If you are using solrctl
to manage your deployment in an environment that
requires Kerberos authentication, you must have valid Kerberos credentials, which you can
get using kinit
.
Using a jaas.conf
File
Some applications, such as those using the SolrJ library, require a Java Authentication and
Authorization Service (JAAS) configuration file. You can use a file name other than
jaas.conf
, in the following examples jaas-client.conf
is
used.
Creating a JAAS configuration file:
- If you are authenticating using
kinit
to obtain credentials, you can configure the client to use your credentials cache by creating ajaas-client.conf
file with the following contents:
ReplaceClient { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=false useTicketCache=true principal="<user>@EXAMPLE.COM"; };
<user>
with your username, andEXAMPLE.COM
with your Kerberos realm. - If you want the client application to authenticate using a keytab,
modify
jaas-client.conf
as follows:
ReplaceClient { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/path/to/user.keytab" storeKey=true useTicketCache=false principal="<user>@EXAMPLE.COM"; };
/path/to/user.keytab
with the keytab file you want to use and<user>@EXAMPLE.COM
with the principal in the keytab. If you are using a service principal that includes the hostname, make sure that it is included in thejaas.conf
file (for example,solr/solr01.example.com@EXAMPLE.COM
).
Example usage of a JAAS configuration file:
- Command lineSet the property when invoking the program. For example, if you were using a jar, you might use:
java -Djava.security.auth.login.config=/home/user/jaas-client.conf -jar app.jar
- Java applicationsSet the Java system property
java.security.auth.login.config
. For example, if the JAAS configuration file is located on the filesystem as/home/user/jaas-client.conf
, the Java system propertyjava.security.auth.login.config
must be set to point to this file. Setting a Java system property can be done programmatically, for example using a call such as:System.setProperty("java.security.auth.login.config", "/home/user/jaas-client.conf");
- The MapReduceIndexerToolThe MapReduceIndexerTool uses SolrJ to pass the JAAS configuration file. Using the MapReduceIndexerTool in a secure environment requires the use of the
HADOOP_OPTS
variable to specify the JAAS configuration file. For example, you might issue a command such as the following:HADOOP_OPTS="-Djava.security.auth.login.config=/home/user/jaas-client.conf" \ hadoop jar MapReduceIndexerTool
- Configuring the hbase-indexer CLI
Certain hbase-indexer CLI commands such as
replication-status
attempt to read ZooKeeper hosts owned by HBase. To successfully use these commands in Solr in a secure environment, specify a JAAS configuration file with the HBase principal in theHBASE_INDEXER_OPTS
environment variable. For example, you might issue a command such as the following:HBASE_INDEXER_OPTS="-Djava.security.auth.login.config=/home/user/hbase-jaas.conf" \ hbase-indexer replication-status