Cloudera Search Authentication

This section describes how to configure Solr to enable authentication.

When authentication is enabled, only specified hosts and users can connect to Solr. Authentication also verifies that clients connect to legitimate servers. This feature prevents spoofing such as impersonation and man-in-the-middle attacks. Search supports Kerberos and LDAP authentication.

Cloudera Search supports a variety of combinations of authentication protocols:
Authentication Protocol Combinations

| Solr Authentication | Use Case |
|---|---|
| No authentication | Insecure cluster |
| Kerberos only | The Hadoop cluster has Kerberos turned on and every user (or client) connecting to Solr has a Kerberos principal. |
| Kerberos and LDAP | The Hadoop cluster has Kerberos turned on. External Solr users (or clients) do not have Kerberos principals but do have identities in the LDAP server. Client authentication using LDAP requires that Kerberos is enabled for the cluster. Using LDAP alone is not supported. |

Once you are finished setting up authentication, configure Sentry authorization. Authorization involves specifying which resources can be accessed by particular users when they connect through Search. For more information, see Configuring Sentry Authorization for Cloudera Search.

Enabling Kerberos Authentication for Cloudera Search

Solr supports Kerberos authentication. All necessary packages are installed when you install Search. To enable Kerberos, see Configuring Authentication in Cloudera Manager.

Enabling LDAP Authentication for Cloudera Search

Before continuing, make sure that you have completed the steps in Enabling Kerberos Authentication for Cloudera Search. Solr supports LDAP authentication for external Solr clients, including:

  • Command-line tools
  • curl
  • Web browsers
  • Solr Java clients

In some cases, Solr does not support LDAP authentication. Use Kerberos authentication instead in these cases. Solr does not support LDAP authentication with:

  • Search indexing components including the MapReduce indexer, Lily HBase indexer, or Flume.
  • Solr internal requests such as those for replication or querying.
  • Hadoop delegation token management requests such as GETDELEGATIONTOKEN or RENEWDELEGATIONTOKEN.

Configuring LDAP Authentication for Cloudera Search

You can configure LDAP-based authentication using Cloudera Manager at the Solr service level.

  1. Go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > Solr.
  4. Select Category > Security.
  5. Select Enable LDAP.
  6. Enter the LDAP URI in the LDAP URI property.
  7. Configure only one of the following mutually exclusive parameters:
    • LDAP BaseDN: Replaces the username with a "distinguished name" (DN) of the form: uid=userid,ldap_baseDN. Typically used for OpenLDAP server installation.

    -OR-

    • Active Directory Domain: Replaces the username with a string username@ldap_domain. Typically used for Active Directory server installation.

Securing LDAP Connections

You can secure communications using LDAP-based encryption.

To avoid sending credentials over the wire in clear text, you must configure a secure connection both between the client and Solr and between Solr and the LDAP server. The secure connection can use SSL or TLS.

Secure LDAP connections through SSL:

For SSL-enabled LDAP connections, specify a prefix of ldaps:// instead of ldap://. Also, the default port for SSL-enabled LDAP connections is 636 instead of 389.

Secure LDAP connections through TLS:

TLS, the successor to the SSL protocol, is supported by most modern LDAP servers. Unlike SSL connections, TLS connections can be made on the same server port as non-TLS connections. You can enable LDAP TLS using Cloudera Manager.

  1. Go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > Solr.
  4. Select Category > Security.
  5. Select Enable LDAP TLS.
  6. Import the LDAP server security certificate into the Solr Trust Store file:
    1. Enter the location for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store File.
    2. Enter the password for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store Password.
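
The following added example (not Cloudera code) checks a set of LDAP settings against the rules in Configuring LDAP Authentication for Cloudera Search and Securing LDAP Connections above: the URI scheme and default port, whether credentials would travel in clear text, and the mutually exclusive BaseDN and Active Directory Domain parameters. The function and argument names are hypothetical stand-ins for the Cloudera Manager properties, and the example.com hosts and DNs are constructed.

```python
from urllib.parse import urlsplit

# Default ports stated on this page: 389 for ldap://, 636 for ldaps://.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def bind_identity(username, base_dn=None, ad_domain=None):
    """Name sent to the LDAP server, per the two substitution rules above."""
    if bool(base_dn) == bool(ad_domain):
        raise ValueError("set exactly one of LDAP BaseDN or Active Directory Domain")
    if base_dn:
        return f"uid={username},{base_dn}"
    return f"{username}@{ad_domain}"


def check_ldap_settings(uri, base_dn=None, ad_domain=None, ldap_tls=False):
    """Return (port, transport, problems); argument names are hypothetical."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None, None, ["LDAP URI must be ldap://host[:port] or ldaps://host[:port]"]
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        return None, None, ["LDAP URI has an invalid port"]
    problems = []
    if scheme == "ldaps":
        transport = "ssl"
    elif ldap_tls:
        transport = "tls"
    else:
        transport = "cleartext"
        problems.append("credentials would cross the network in clear text")
    other = "ldap" if scheme == "ldaps" else "ldaps"
    if port == DEFAULT_PORTS[other]:
        problems.append(f"port {port} is the default for {other}://, not {scheme}://")
    if bool(base_dn) == bool(ad_domain):
        problems.append("set exactly one of LDAP BaseDN or Active Directory Domain")
    return port, transport, problems


if __name__ == "__main__":
    # Constructed sample settings; hosts and DNs are placeholders.
    samples = [
        ("ldap://ldap.example.com", {"base_dn": "ou=people,dc=example,dc=com"}),
        ("ldap://ldap.example.com", {"base_dn": "ou=people,dc=example,dc=com", "ldap_tls": True}),
        ("ldaps://ad.example.com", {"ad_domain": "example.com"}),
    ]
    for uri, kw in samples:
        print(uri, kw, "->", check_ldap_settings(uri, **kw))
```

An empty problems list means the settings satisfy the page's rules; it does not confirm that the LDAP server certificate is present in the Solr trust store.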