Enabling Solr clients to authenticate with a secure Solr

Secure Solr requires that the CDP components it interacts with are also secure. The process of enabling Solr clients to authenticate with a secure Solr is specific to the client.

Cloudera Search supports the following options:
  • Using Kerberos and curl
  • Using solrctl
  • Using a JAAS file
  • This enables technologies including:
    • Command line solutions
    • Java applications
    • The MapReduceIndexerTool

Using Kerberos and curl

You can use Kerberos authentication with clients such as curl. To use curl, begin by acquiring valid Kerberos credentials and then run the desired command. For example, you might use commands similar to the following:

$ kinit -kt username.keytab username
$ curl --negotiate -u foo:bar http://solrserver:8983/solr/

Using solrctl

If you use solrctl to manage your deployment in an environment that requires Kerberos authentication, you must have valid Kerberos credentials, which you can get using kinit.

Using a JAAS file

Some applications, such as those using the SolrJ library, require a Java Authentication and Authorization Service (JAAS) configuration file. You can use a file name other than jaas.conf, in the following examples jaas-client.conf is used.

Example usage of a JAAS configuration file

  • Command line
    Set the property when invoking the program. For example, if you were using a jar, you might use:
    java -Djava.security.auth.login.config=/home/user/jaas-client.conf -jar app.jar
  • Java applications
    Set the Java system property java.security.auth.login.config. For example, if the JAAS configuration file is located on the filesystem as /home/user/jaas-client.conf, the Java system property java.security.auth.login.config must be set to point to this file. Setting a Java system property can be done programmatically, for example using a call such as:
    System.setProperty("java.security.auth.login.config", "/home/user/jaas-client.conf");
  • MapReduceIndexerTool
    The MapReduceIndexerTool uses SolrJ to pass the JAAS configuration file. Using the MapReduceIndexerTool in a secure environment requires the use of the HADOOP_OPTS variable to specify the JAAS configuration file. For example, you might issue a command such as the following:
    HADOOP_OPTS="-Djava.security.auth.login.config=/home/user/jaas-client.conf" \
    hadoop jar MapReduceIndexerTool
  • Configuring the hbase-indexer CLI

    Certain hbase-indexer CLI commands such as replication-status attempt to read ZooKeeper hosts owned by HBase. To successfully use these commands in Solr in a secure environment, specify a JAAS configuration file with the HBase principal in the HBASE_INDEXER_OPTS environment variable. For example, you might issue a command such as the following:

    HBASE_INDEXER_OPTS="-Djava.security.auth.login.config=/home/user/hbase-jaas.conf" \
    hbase-indexer replication-status