Configuring custom Kerberos principals for Solr

In a Kerberos-enabled cluster, the Solr service uses the solr principal by default. You can change this default and use a custom principal instead. The principal is configured service-wide in Cloudera Manager with the Kerberos Principal property.

Make sure you have the following privileges:

  • SSH access to the cluster where you want to enable the custom principal
  • administrative privileges in Cloudera Manager
  • HDFS superuser access

  1. Stop the Solr service.
  2. Disable ZooKeeper ACL checking temporarily.
    1. In Cloudera Manager, navigate to ZooKeeper > Configuration.
    2. Find the Java Configuration Options for ZooKeeper Server property.
    3. Add the following value:
      -Dzookeeper.skipACL=yes
    4. Click Save Changes.
    5. Restart the ZooKeeper service.
  3. In Cloudera Manager, navigate to Clusters > Solr service > Configuration and find the Kerberos Principal property.
  4. Provide the custom Kerberos principal.
  5. Click Save Changes.
  6. Create a jaas.conf file containing the following:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      useTicketCache=true
      principal="[***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***]";
    };

    Replace [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***] with your Kerberos principal and realm name.

  7. Set the LOG4J_PROPS environment variable to a log4j.properties file:
    export LOG4J_PROPS=/etc/zookeeper/conf/log4j.properties
  8. Set the ZKCLI_JVM_FLAGS environment variable (each continuation backslash must be the last character on its line, with no trailing space):
    export ZKCLI_JVM_FLAGS="-Djava.security.auth.login.config=/path/to/jaas.conf \
    -DzkACLProvider=org.apache.solr.common.cloud.SaslZkACLProvider \
    -Droot.logger=INFO,console \
    -Dsolr.authorization.superuser=[***CUSTOM_SOLR_KERBEROS_PRINCIPAL***]"
  9. Authenticate as the [***CUSTOM_SOLR_KERBEROS_PRINCIPAL***]:
    kinit [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***]

    Replace [***CUSTOM_SOLR_KERBEROS_PRINCIPAL@KERBEROS_REALM_NAME***] with your Kerberos principal and realm name.

  10. Run the zkcli.sh script as follows:
    /opt/cloudera/parcels/CDH/lib/solr/bin/zkcli.sh -zkhost [***ZOOKEEPER_SERVER_HOSTNAME***]:[***ZOOKEEPER_SERVER_PORT***] -cmd updateacls /solr

    Replace [***ZOOKEEPER_SERVER_HOSTNAME***] and [***ZOOKEEPER_SERVER_PORT***] with the hostname and port of a ZooKeeper server.

    For example:
    /opt/cloudera/parcels/CDH/lib/solr/bin/zkcli.sh -zkhost zk01.example.com:2181 -cmd updateacls /solr
  11. Check the ACLs in ZooKeeper:
    zookeeper-client -server ${HOSTNAME}:2181 getAcl /solr
  12. Change ownership of Solr's HDFS Data Directory. Look up its value in Cloudera Manager under Solr > Configuration > HDFS Data Directory.
  13. Execute the following command as the HDFS superuser:
    hdfs dfs -chown -R [***CUSTOM_SOLR_KERBEROS_PRINCIPAL***] [***HDFS_DATA_DIRECTORY***]
  14. Re-enable ZooKeeper ACL checking.
    1. In Cloudera Manager, navigate to ZooKeeper > Configuration.
    2. Find the Java Configuration Options for ZooKeeper Server property.
    3. Remove the following value:
      -Dzookeeper.skipACL=yes
    4. Click Save Changes.
    5. Restart the ZooKeeper service.
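To confirm the outcome of steps 11 and 13 before ACL checking is re-enabled, here is an added shell example (not part of the Cloudera documentation) that checks captured getAcl and hdfs dfs -ls -d output; the principal name solradmin and both sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example: post-change checks for the custom Solr principal.
# check_solr_acl reads `zookeeper-client ... getAcl /solr` output on stdin
# (each ACE is printed as an id line such as 'sasl,'solr followed by a
# ": perms" line) and succeeds only if the custom principal holds cdrwa
# and 'world,'anyone has no create/delete/write/admin permission.
check_solr_acl() {
  want_id="'sasl,'$1"
  awk -v want="$want_id" -v anyone="'world,'anyone" '
    /^: / {
      perms = $2
      if (id == want && perms == "cdrwa") found = 1
      if (id == anyone && perms ~ /[cdwa]/) open = 1
      next
    }
    { id = $0 }
    END { if (found && !open) exit 0; exit 1 }'
}

# check_hdfs_owner reads `hdfs dfs -ls -d <HDFS_DATA_DIRECTORY>` output on
# stdin and succeeds if the owner column (field 3) is the given short name.
check_hdfs_owner() {
  awk -v want="$1" 'NF >= 8 && $3 == want { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# Constructed sample output (not captured from a real cluster); the custom
# principal "solradmin" is a placeholder.
zk_acl_sample="'sasl,'solradmin
: cdrwa
'world,'anyone
: r"
hdfs_ls_sample="drwxr-xr-x   - solradmin solradmin          0 2024-01-01 00:00 /solr"

if printf '%s\n' "$zk_acl_sample" | check_solr_acl solradmin; then
  echo "/solr ACL: OK"
else
  echo "/solr ACL: NOT OK (re-run updateacls as the custom principal)"
fi
if printf '%s\n' "$hdfs_ls_sample" | check_hdfs_owner solradmin; then
  echo "HDFS data directory owner: OK"
else
  echo "HDFS data directory owner: NOT OK (re-run hdfs dfs -chown -R)"
fi
```

On a real cluster, pipe the live command output into the functions instead of the samples, e.g. `zookeeper-client -server zk01.example.com:2181 getAcl /solr | check_solr_acl solradmin`.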