Configuring custom Kerberos principals and custom system users for Solr

In a Kerberos-enabled cluster, the Solr service uses the solr principal by default. Changing the default principal and using custom principals is supported. Principals can be configured on a service-wide level in Cloudera Manager with the Kerberos Principal property. To configure a custom system user, you need to modify the System User property.

Make sure you have the following privileges:

  • SSH access to the cluster where you want to enable the custom principal
  • administrative privileges in Cloudera Manager
  • HDFS superuser access

  1. Stop the Solr service.
  2. Disable ZooKeeper ACL checking temporarily.
    1. In Cloudera Manager, navigate to ZooKeeper > Configuration.
    2. Find the Java Configuration Options for ZooKeeper Server property.
    3. Add the following value:
      -Dzookeeper.skipACL=yes
    4. Click Save Changes.
    5. Restart the ZooKeeper service.
  3. In Cloudera Manager, navigate to Clusters > Solr service > Configuration and find the Kerberos Principal property.
  4. Provide the custom Kerberos principal.
  5. Click Save Changes.
  6. To be able to interact with the Solr service, you must either change the System User name to match the custom Kerberos principal, or add the existing System User name to Solr Service Environment Advanced Configuration Snippet (Safety Valve).
    Select one of the following options:

    Option: Change the System User name to match the custom Kerberos principal
    1. In Cloudera Manager, navigate to Clusters > Solr service > Configuration and find the System User property.
    2. Change the user name to match the custom Kerberos principal you have set.
    3. Click Save Changes.

    Option: Keep the original System User name
    1. In Cloudera Manager, navigate to Clusters > Solr service > Configuration and find the Solr Service Environment Advanced Configuration Snippet (Safety Valve) property.
    2. Look for the SOLR_SECURITY_PROXY_JAVA_OPTS key.
    3. Append the following to its value:

      -Dsolr.security.proxyuser.[***SYSTEM_USER***].groups=* -Dsolr.security.proxyuser.[***SYSTEM_USER***].hosts=*

      Replace [***SYSTEM_USER***] with the service user name you want to associate with the custom Kerberos principal.

    4. Click Save Changes.
  7. Create a jaas.conf file containing the following:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      useTicketCache=true
      principal="[***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***]";
    };

    Replace [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***] with your Kerberos principal and realm name.

  8. Set the LOG4J_PROPS environment variable to a log4j.properties file:
    export LOG4J_PROPS=/etc/zookeeper/conf/log4j.properties
  9. Set the ZKCLI_JVM_FLAGS environment variable:
    export ZKCLI_JVM_FLAGS="-Djava.security.auth.login.config=/path/to/jaas.conf \
    -DzkACLProvider=org.apache.solr.common.cloud.SaslZkACLProvider \
    -Droot.logger=INFO,console \
    -Dsolr.authorization.superuser=[***CUSTOM_SOLR_KERBEROS_PRINCIPAL***]"
  10. Authenticate as the [***CUSTOM_SOLR_KERBEROS_PRINCIPAL***]:
    kinit [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***]

    Replace [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***] with your Kerberos principal and realm name.

  11. Run the zkcli.sh script as follows:
    /opt/cloudera/parcels/CDH/lib/solr/bin/zkcli.sh -zkhost [***ZOOKEEPER_SERVER_HOSTNAME***]:[***ZOOKEEPER_SERVER_PORT***] -cmd updateacls /solr

    Replace [***ZOOKEEPER_SERVER_HOSTNAME***] and [***ZOOKEEPER_SERVER_PORT***] with the hostname and port of a ZooKeeper server.

    For example:
    /opt/cloudera/parcels/CDH/lib/solr/bin/zkcli.sh -zkhost zk01.example.com:2181 -cmd updateacls /solr
  12. Check the ACLs in ZooKeeper:
    zookeeper-client -server ${HOSTNAME}:2181 getAcl /solr
  13. Change ownership of Solr’s HDFS Data Directory. Check the value in Cloudera Manager under Solr > Configuration > HDFS Data Directory.
  14. Execute the following command as the HDFS superuser:
    hdfs dfs -chown -R [***CUSTOM_SOLR_KERBEROS_PRINCIPAL***] [***HDFS_DATA_DIRECTORY***]
  15. Re-enable ZooKeeper ACL checking.
    1. In Cloudera Manager, navigate to ZooKeeper > Configuration.
    2. Find the Java Configuration Options for ZooKeeper Server property.
    3. Remove the following value:
      -Dzookeeper.skipACL=yes
    4. Click Save Changes.
    5. Restart the ZooKeeper service.
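The shell part of the procedure (steps 7 to 12: jaas.conf, ZKCLI_JVM_FLAGS, updateacls and the getAcl check) gathered into a few helper functions, as an added example that is not Cloudera's code and not part of the original page. It adds the check that step 12 leaves implicit: after updateacls, the SASL identity of the custom principal should hold full rights (cdrwa) on /solr and no other identity should hold more than read. The function names, the principal solradmin, the paths, and the sample getAcl output are constructed; the output layout (one 'scheme,'id line followed by one : perms line) is the ZooKeeper CLI format this check assumes, and the identity string is whatever name the ZooKeeper server maps the SASL principal to (often the short name), which is passed in as the argument.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Helper functions for the jaas.conf,
# ZKCLI_JVM_FLAGS and ACL-check steps of the procedure above. The names
# write_jaas_conf, build_zkcli_flags, check_acl and the sample outputs are
# constructed for this example.

# A principal must carry a realm: primary@REALM or primary/instance@REALM.
valid_principal() {
  case "$1" in
    *@*) ;;
    *) return 1 ;;
  esac
  realm=${1#*@}
  case "$realm" in
    ""|*[!A-Za-z0-9.-]*) return 1 ;;   # empty realm or unexpected characters
  esac
  return 0
}

# Write the ticket-cache jaas.conf from step 7 for principal $1 to file $2.
write_jaas_conf() {
  valid_principal "$1" || return 1
  cat > "$2" <<EOF
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  useTicketCache=true
  principal="$1";
};
EOF
}

# Build ZKCLI_JVM_FLAGS (step 9) as one line, so no stray "\ " sequences
# from a broken line continuation end up inside the quoted value.
# $1 = path to jaas.conf, $2 = custom principal used as Solr superuser.
build_zkcli_flags() {
  printf '%s' "-Djava.security.auth.login.config=$1 -DzkACLProvider=org.apache.solr.common.cloud.SaslZkACLProvider -Droot.logger=INFO,console -Dsolr.authorization.superuser=$2"
}

# Verify getAcl output (step 12) read from stdin: the SASL identity $1 must
# hold cdrwa, and every other identity may hold at most r (read).
# Assumes the ZooKeeper CLI layout: a "'scheme,'id" line, then a ": perms" line.
check_acl() {
  want="sasl,$1"
  found=0
  ok=1
  id=""
  while IFS= read -r line; do
    case "$line" in
      "'"*) id=$(printf '%s' "$line" | tr -d "'") ;;
      :*)
        perms=${line#:}
        perms=${perms# }
        if [ "$id" = "$want" ]; then
          found=1
          [ "$perms" = "cdrwa" ] || ok=0
        else
          [ "$perms" = "r" ] || ok=0
        fi
        ;;
    esac
  done
  [ "$found" = 1 ] && [ "$ok" = 1 ]
}

# Constructed getAcl outputs: the expected state after updateacls with the
# SaslZkACLProvider, and an open-world ACL that the check must reject.
sample_acl_good() {
  printf '%s\n' "'sasl,'solradmin" ": cdrwa" "'world,'anyone" ": r"
}
sample_acl_open() {
  printf '%s\n' "'world,'anyone" ": cdrwa"
}

# Typical use on a cluster host (principal, host and paths are placeholders):
#   write_jaas_conf solradmin@EXAMPLE.COM /tmp/jaas.conf
#   export ZKCLI_JVM_FLAGS=$(build_zkcli_flags /tmp/jaas.conf solradmin)
#   kinit solradmin@EXAMPLE.COM
#   /opt/cloudera/parcels/CDH/lib/solr/bin/zkcli.sh -zkhost zk01.example.com:2181 -cmd updateacls /solr
#   zookeeper-client -server zk01.example.com:2181 getAcl /solr | check_acl solradmin
```

The ACL check is deliberately strict: a world:anyone entry with anything beyond r on /solr means the skipACL window was not closed properly or updateacls did not run as the intended principal, and both are worth catching before step 15 re-enables ACL checking.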