Enabling Solr clients to authenticate with a secure Solr
Secure Solr requires that the CDP components it interacts with are also secure. The process of enabling Solr clients to authenticate with a secure Solr is specific to the client.
- Using Kerberos and curl
- Using solrctl
- Using a JAAS file
-
This enables technologies including:
- Command line solutions
- Java applications
- The MapReduceIndexerTool
Using Kerberos and curl
You can use Kerberos authentication with clients such as curl
. To use curl
, begin by acquiring valid Kerberos credentials and then run the desired command. For example, you might use commands similar to the following:
$ kinit -kt username.keytab username
$ curl --negotiate -u foo:bar http://solrserver:8983/solr/
Using solrctl
If you use solrctl
to manage your deployment in an environment that
requires Kerberos authentication, you must have valid Kerberos credentials, which you can
get using kinit
.
Using a JAAS file
Some applications, such as those using the SolrJ library, require a Java Authentication and
Authorization Service (JAAS) configuration file. You can use a file name other than
jaas.conf
, in the following examples jaas-client.conf
is
used.
Example usage of a JAAS configuration file
- Command lineSet the property when invoking the program. For example, if you were using a jar, you might use:
java -Djava.security.auth.login.config=/home/user/jaas-client.conf -jar app.jar
- Java applicationsSet the Java system property
java.security.auth.login.config
. For example, if the JAAS configuration file is located on the filesystem as/home/user/jaas-client.conf
, the Java system propertyjava.security.auth.login.config
must be set to point to this file. Setting a Java system property can be done programmatically, for example using a call such as:System.setProperty("java.security.auth.login.config", "/home/user/jaas-client.conf");
- MapReduceIndexerToolThe MapReduceIndexerTool uses SolrJ to pass the JAAS configuration file. Using the MapReduceIndexerTool in a secure environment requires the use of the
HADOOP_OPTS
variable to specify the JAAS configuration file. For example, you might issue a command such as the following:HADOOP_OPTS="-Djava.security.auth.login.config=/home/user/jaas-client.conf" \ hadoop jar MapReduceIndexerTool
- Configuring the hbase-indexer CLI
Certain hbase-indexer CLI commands such as
replication-status
attempt to read ZooKeeper hosts owned by HBase. To successfully use these commands in Solr in a secure environment, specify a JAAS configuration file with the HBase principal in theHBASE_INDEXER_OPTS
environment variable. For example, you might issue a command such as the following:HBASE_INDEXER_OPTS="-Djava.security.auth.login.config=/home/user/hbase-jaas.conf" \ hbase-indexer replication-status