In a Kerberos-enabled cluster, the Solr service uses the solr principal by default. Changing the default principal and using a custom principal is supported. Principals are configured on a service-wide level in Cloudera Manager with the Kerberos Principal property.
- Ensure that you have the following privileges:
  - SSH access to the cluster where you want to enable the custom principal
  - administrative privileges in Cloudera Manager
  - HDFS superuser access
- If the SunJCE cryptographic provider has been removed from the JDK (as on a cluster running in FIPS mode), you must set the JDK_JAVA_OPTIONS environment variable before running the zkcli.sh utility so that the JVM loads the replacement provider. For example:
    export FIPS_JAVA_ARGS="-Dcom.safelogic.cryptocomply.fips.approved_only=true --add-modules=com.safelogic.cryptocomply.fips.core --add-modules=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-exports=java.base/sun.security.provider=bctls --module-path=/cdep/extra_jars -Djdk.tls.trustNameService=true -Dsun.security.krb5.disableReferrals=true -Djdk.tls.ephemeralDHKeySize=2048 -Dcom.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2,TLSv1.3 --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.zip=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-exports=java.base/sun.net.www.protocol.jar=ALL-UNNAMED --add-opens=java.base/sun.net.www.protocol.jar=ALL-UNNAMED --add-opens=java.base/sun.net.www.protocol.file=ALL-UNNAMED --add-exports=java.base/sun.net.www=ALL-UNNAMED --add-opens=java.base/sun.net.www=ALL-UNNAMED"
    export JDK_JAVA_OPTIONS="${JDK_JAVA_OPTIONS} ${FIPS_JAVA_ARGS}"
- Stop the Solr service.
- Disable ZooKeeper ACL checking temporarily. While ACL checking is off, any client that can reach the ZooKeeper port can read and modify znodes, so complete the remaining steps promptly and re-enable checking at the end of this procedure.
  - In Cloudera Manager, navigate to .
  - Find the Java Configuration Options for ZooKeeper Server property.
  - Add the following value:
  - Click Save Changes.
  - Restart the ZooKeeper service.
- In Cloudera Manager, navigate to and find the Kerberos Principal property.
  - Provide the custom Kerberos principal.
  - Click Save Changes.
- Create a jaas.conf file containing the following:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      useTicketCache=true
      principal="[***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***]";
    };
  Replace [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***] with your Kerberos principal and realm name. Because useTicketCache=true and useKeyTab=false, zkcli.sh authenticates with the ticket you obtain with kinit in a later step; no keytab for the custom principal is needed on this host.
- Set the LOG4J_PROPS environment variable to a log4j.properties file:
    export LOG4J_PROPS=/etc/zookeeper/conf/log4j.properties
- Set the ZKCLI_JVM_FLAGS environment variable:
    export ZKCLI_JVM_FLAGS="-Djava.security.auth.login.config=/path/to/jaas.conf \
    -DzkACLProvider=org.apache.solr.common.cloud.SaslZkACLProvider \
    -Droot.logger=INFO,console \
    -Dsolr.authorization.superuser=[***CUSTOM_SOLR_KERBEROS_PRINCIPAL***]"
  Replace /path/to/jaas.conf with the path of the file you created, and [***CUSTOM_SOLR_KERBEROS_PRINCIPAL***] with the principal name without the realm. SaslZkACLProvider grants the principal named in solr.authorization.superuser full rights on the ACLs it writes, so this value must match the new Solr principal exactly.
- Authenticate as the [***CUSTOM_SOLR_KERBEROS_PRINCIPAL***]:
    kinit [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***]
  Replace [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***] with your Kerberos principal and realm name.
- Run the zkcli.sh script as follows:
    /opt/cloudera/parcels/CDH/lib/solr/bin/zkcli.sh -zkhost [***ZOOKEEPER_SERVER_HOSTNAME***]:[***ZOOKEEPER_SERVER_PORT***] -cmd updateacls /solr
  Replace [***ZOOKEEPER_SERVER_HOSTNAME***] and [***ZOOKEEPER_SERVER_PORT***] with the hostname and port of a ZooKeeper server. For example:
    /opt/cloudera/parcels/CDH/lib/solr/bin/zkcli.sh -zkhost zk01.example.com:2181 -cmd updateacls /solr
  The updateacls command rewrites the ACLs on /solr and every znode below it so that they name the custom principal instead of the previous one.
- Check the ACLs in ZooKeeper:
    zookeeper-client -server ${HOSTNAME}:2181 getAcl /solr
  The output should list the custom principal under the sasl scheme with cdrwa permissions. If it still names the previous principal, fix the ACLs before continuing; otherwise the Solr service will be unable to access its znodes once it starts with the new principal.
- Change the ownership of Solr's HDFS data directory. Check the value in Cloudera Manager under .
  - Execute the following command as the HDFS superuser:
    hdfs dfs -chown -R [***CUSTOM_SOLR_KERBEROS_PRINCIPAL***] [***HDFS_DATA_DIRECTORY***]
  Replace [***HDFS_DATA_DIRECTORY***] with the directory shown in Cloudera Manager.
- Re-enable ZooKeeper ACL checking.
  - In Cloudera Manager, navigate to .
  - Find the Java Configuration Options for ZooKeeper Server property.
  - Remove the following value:
  - Click Save Changes.
  - Restart the ZooKeeper service.
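The manual part of the procedure above (jaas.conf, environment variables, kinit, updateacls, ACL verification, HDFS chown) collected into one script. This is an added example, not Cloudera's own tooling: the principal, the ZooKeeper host:port and the HDFS data directory are hypothetical arguments, the sample getAcl output used to exercise the check is constructed, and the live commands run only when the script is invoked with `run`. The script refuses to chown the HDFS directory unless the ZooKeeper ACL on /solr already grants the new principal cdrwa, so a half-applied migration fails loudly instead of leaving Solr with a principal that owns the data but not the znodes.

```sh
#!/bin/sh
# Added example (not Cloudera's script): automate the zkcli.sh/HDFS steps of
# switching Solr to a custom Kerberos principal. Arguments are assumed:
#   sh solr-principal.sh run solr-custom@EXAMPLE.COM zk01.example.com:2181 /solr
set -eu

ZKCLI=/opt/cloudera/parcels/CDH/lib/solr/bin/zkcli.sh

# Strip the realm: -Dsolr.authorization.superuser and the sasl ACL id written
# by SaslZkACLProvider use the principal name without @REALM.
short_name() {
    printf '%s\n' "${1%@*}"
}

# Print the jaas.conf from the page for the given full principal. The ticket
# cache (useTicketCache=true) is filled by kinit, so no keytab is needed.
jaas_conf() {
    cat <<EOF
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  useTicketCache=true
  principal="$1";
};
EOF
}

# Write jaas.conf with mode 0600: it names the identity zkcli.sh acts as.
write_jaas_conf() {
    path=$1; principal=$2
    ( umask 077; jaas_conf "$principal" > "$path" )
}

# Return 0 if zookeeper-client getAcl output grants the principal full rights
# via the sasl scheme. The CLI prints an id line ('sasl,'NAME) followed by a
# permission line (: cdrwa) for each ACL entry.
acl_grants_all() {
    expect="'sasl,'$2"
    printf '%s\n' "$1" | awk -v e="$expect" '
        $0 == e { want = 1; next }
        want    { if ($0 == ": cdrwa") found = 1; want = 0 }
        END     { exit(found ? 0 : 1) }'
}

# The live procedure. Only run after ZooKeeper ACL checking has been disabled
# in Cloudera Manager and the Solr service has been stopped.
run_migration() {
    principal=$1; zkhost=$2; hdfs_dir=$3
    short=$(short_name "$principal")
    jaas=$(mktemp)
    write_jaas_conf "$jaas" "$principal"
    export LOG4J_PROPS=/etc/zookeeper/conf/log4j.properties
    export ZKCLI_JVM_FLAGS="-Djava.security.auth.login.config=$jaas \
      -DzkACLProvider=org.apache.solr.common.cloud.SaslZkACLProvider \
      -Droot.logger=INFO,console \
      -Dsolr.authorization.superuser=$short"
    kinit "$principal"
    "$ZKCLI" -zkhost "$zkhost" -cmd updateacls /solr
    acls=$(zookeeper-client -server "$zkhost" getAcl /solr)
    if ! acl_grants_all "$acls" "$short"; then
        echo "ACL on /solr does not grant $short cdrwa; not touching HDFS" >&2
        rm -f "$jaas"
        exit 1
    fi
    # Run this step as the HDFS superuser.
    hdfs dfs -chown -R "$short" "$hdfs_dir"
    rm -f "$jaas"
}

if [ "${1:-}" = "run" ]; then
    run_migration "$2" "$3" "$4"
fi
```

Re-enable ZooKeeper ACL checking in Cloudera Manager after the script finishes; the script deliberately does not touch Cloudera Manager settings.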