Enabling document level security

Ranger allows you to configure document level security for individual Solr collections.

By default, Ranger authorization works at the collection level. You can enable document level authorization of view operations for individual collections; all other operations, such as update, can only be controlled at the collection level. This requires updating the solrconfig.xml file that belongs to the particular collection. For the authorization to work on existing collections, you also need to update the collection by adding the ranger_auth parameter with an appropriate value to individual documents. The easiest way to do so is to reindex the collection.
Disable Ranger authorization before you start this procedure.
  1. SSH to a host where a Solr instance is running.
  2. Run kinit with the Solr keytab.
  3. Create a docAuthz.json file, with the following content:
    cat /tmp/docAuthz.json
    {
      "add-searchcomponent":{
        "name": "queryDocAuthorization",
        "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer",
        "enabled": "true",
        "rangerAuthField": "ranger_auth",
        "allRolesToken": "*"
      }
    }
    This defines the logic that SearchHandler uses to perform queries for users.
  4. Run the following command to update searchComponent in solrconfig.xml:
    curl -ikv --negotiate -u : -X POST -H 'Content-type:application/json' http://[***SOLR_HOST***]:[***SOLR_PORT***]/solr/[***COLLECTION_NAME***]/config -d "@/tmp/docAuthz.json"
  5. Create a requestHandler.json file, with the following content:
    cat /tmp/requestHandler.json
    {
      "update-requesthandler": {
          "name": "/select",
          "class": "solr.SearchHandler",
          "first-components": [ "queryDocAuthorization" ]
      }
    }
  6. Run the following command to update requestHandler:
    curl -ikv --negotiate -u : -X POST -H 'Content-type:application/json' http://[***SOLR_HOST***]:[***SOLR_PORT***]/solr/[***COLLECTION_NAME***]/config -d "@/tmp/requestHandler.json"
  7. Run the following command to update requestParsers:
    curl -ikv --negotiate -u : -X POST -H 'Content-type:application/json' http://[***SOLR_HOST***]:[***SOLR_PORT***]/solr/[***COLLECTION_NAME***]/config -d '{"set-property": {"requestDispatcher.requestParsers.addHttpRequestToContext": true}}'
Enable Ranger authorization and restart the Solr service.
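
To confirm that all three changes from steps 4, 6 and 7 were stored, you can inspect the collection's config overlay (Solr Config API, GET on /solr/[***COLLECTION_NAME***]/config/overlay, using the same curl authentication options as above). The following Python check is an added example, not part of the original procedure or of Ranger; the function names and the sample response are constructed for illustration, and the overlay layout shown is an assumption about the Config API response for this collection.

```python
import json

AUTHZ_CLASS = "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"

def _is_true(value):
    # The procedure posts "enabled" as the string "true"; accept a boolean as well.
    return str(value).lower() == "true"

def check_doc_authz(overlay, component="queryDocAuthorization", handler="/select"):
    """Return a list of problems in a parsed config overlay (empty list = all set)."""
    problems = []
    comp = overlay.get("searchComponent", {}).get(component)
    if comp is None:
        problems.append(f"searchComponent {component} is not defined")
    else:
        if comp.get("class") != AUTHZ_CLASS:
            problems.append(f"{component} has unexpected class {comp.get('class')!r}")
        if not _is_true(comp.get("enabled")):
            problems.append(f"{component} is not enabled")
        if not comp.get("rangerAuthField"):
            problems.append(f"{component} has no rangerAuthField")
    # A defined component filters nothing until the handler lists it.
    first = overlay.get("requestHandler", {}).get(handler, {}).get("first-components", [])
    if component not in first:
        problems.append(f"{handler} does not list {component} in first-components")
    parsers = overlay.get("props", {}).get("requestDispatcher", {}).get("requestParsers", {})
    if not _is_true(parsers.get("addHttpRequestToContext")):
        problems.append("requestParsers.addHttpRequestToContext is not true")
    return problems

# Constructed sample of a config overlay response after steps 4, 6 and 7
# (assumed layout; a real response also carries a responseHeader and znodeVersion).
SAMPLE_RESPONSE = """
{"overlay": {
  "searchComponent": {"queryDocAuthorization": {
    "name": "queryDocAuthorization",
    "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer",
    "enabled": "true", "rangerAuthField": "ranger_auth", "allRolesToken": "*"}},
  "requestHandler": {"/select": {
    "name": "/select", "class": "solr.SearchHandler",
    "first-components": ["queryDocAuthorization"]}},
  "props": {"requestDispatcher": {"requestParsers": {"addHttpRequestToContext": true}}}
}}
"""

if __name__ == "__main__":
    overlay = json.loads(SAMPLE_RESPONSE)["overlay"]
    for line in check_doc_authz(overlay) or ["document level authorization settings are present"]:
        print(line)
```

An empty result means the search component, the /select handler entry and the requestParsers property are all in place; any returned message names the step that needs to be repeated.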