{"version":"1.0","provider_name":"Aeologic Blog","provider_url":"https:\/\/www.aeologic.com\/blog","title":"Securing Solr - Ultimate Solr Guide - Aeologic Blog","type":"rich","width":600,"height":338,"html":"<blockquote class=\"wp-embedded-content\" data-secret=\"MWHTL18rx4\"><a href=\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/\">Securing Solr &#8211; Ultimate Solr Guide<\/a><\/blockquote><iframe sandbox=\"allow-scripts\" security=\"restricted\" src=\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/embed\/#?secret=MWHTL18rx4\" width=\"600\" height=\"338\" title=\"&#8220;Securing Solr &#8211; Ultimate Solr Guide&#8221; &#8212; Aeologic Blog\" data-secret=\"MWHTL18rx4\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" class=\"wp-embedded-content\"><\/iframe><script>\n\/*! This file is auto-generated *\/\n!function(d,l){\"use strict\";l.querySelector&&d.addEventListener&&\"undefined\"!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!\/[^a-zA-Z0-9]\/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll('iframe[data-secret=\"'+t.secret+'\"]'),o=l.querySelectorAll('blockquote[data-secret=\"'+t.secret+'\"]'),c=new RegExp(\"^https?:$\",\"i\"),i=0;i<o.length;i++)o[i].style.display=\"none\";for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(\"style\"),\"height\"===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):\"link\"===t.message&&(r=new URL(s.getAttribute(\"src\")),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(\"message\",d.wp.receiveEmbedMessage,!1),l.addEventListener(\"DOMContentLoaded\",function(){for(var e,t,s=l.querySelectorAll(\"iframe.wp-embedded-content\"),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(\"data-secret\"))||(t=Math.random().toString(36).substring(2,12),e.src+=\"#?secret=\"+t,e.setAttribute(\"data-secret\",t)),e.contentWindow.postMessage({message:\"ready\",secret:t},\"*\")},!1)))}(window,document);\n\/\/# sourceURL=https:\/\/www.aeologic.com\/blog\/wp-includes\/js\/wp-embed.min.js\n<\/script>\n","thumbnail_url":"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png","thumbnail_width":1080,"thumbnail_height":622,"description":"Hello Everyone! We are back with another interesting post on Solr. One of the crucial requirements while setting up a solr application is to provide selective access to various resources allocated on the solr instance. Put simply, we need a mechanism to handle who logs in to the server and no unintended party gets access to various resources. When planning how to secure Solr, one should consider which of the available features or approaches are right for them. There are following ways to authenticate the users: Kerberos Authentication Plugin: If you are using Kerberos to secure your network environment, the Kerberos authentication plugin can be used to secure a Solr cluster. This allows Solr to use a Kerberos service principal and keytab file to authenticate with ZooKeeper and between nodes of the Solr cluster (if applicable). Users of the Admin UI and all clients would also need to have a valid ticket before being able to use the UI or send requests to Solr. When setting up Solr to use Kerberos, configurations are put in place for Solr to use a\u00a0service principal, or a Kerberos username, which is registered with the Key Distribution Center (KDC) to authenticate requests. The configurations define the service principal name and the location of the keytab file that contains the credentials. The Solr authentication model uses a file called\u00a0security.json. If this file is created after an initial startup of Solr, a restart of each node of the system is required. Service Principals and Keytab Files Each Solr node must have a service principal registered with the Key Distribution Center (KDC). The Kerberos plugin uses SPNego to negotiate authentication. Using\u00a0HTTP\/host1@YOUR-DOMAIN.ORG, as an example of a service principal: HTTP\u00a0indicates the type of requests which this service principal will be used to authenticate. The\u00a0HTTP\/\u00a0in the service principal is a must for SPNego to work with requests to Solr over HTTP. host1 is the hostname of the machine hosting the Solr node. YOUR-DOMAIN.ORG is the organization-wide Kerberos realm. Multiple Solr nodes on the same host may have the same service principal since the hostname is common to them all. Along with the service principal, each Solr node needs a keytab file that should contain the credentials of the service principal used. A keytab file contains encrypted credentials to support passwordless logins while obtaining Kerberos tickets from the KDC. For each Solr node, the keytab file should be kept in a secure location and not shared with users of the cluster. Since a Solr cluster requires internode communication, each node must also be able to make Kerberos enabled requests to other nodes. By default, Solr uses the same service principal and keytab as a &#8216;client principal&#8217; for internode communication. Kerberized ZooKeeper When setting up a kerberized SolrCloud cluster, it is recommended to enable Kerberos security for ZooKeeper as well. In such a setup, the client principal used to authenticate requests with ZooKeeper can be shared for internode communication as well. This has the benefit of not needing to renew the ticket granting tickets (TGTs) separately, since the ZooKeeper client used by Solr takes care of this. To achieve this, a single JAAS configuration (with the app name as Client) can be used for the Kerberos plugin as well as for the ZooKeeper client. ZooKeeper Configuration If you are using a ZooKeeper that has already been configured to use Kerberos, you can skip the ZooKeeper-related steps shown here. Since ZooKeeper manages the communication between nodes in a SolrCloud cluster, it must also be able to authenticate with each node of the cluster. Configuration requires setting up a service principal for ZooKeeper, defining a JAAS configuration file and instructing ZooKeeper to use both of those items. Create security.json Create the\u00a0security.json\u00a0file. In SolrCloud mode, you can set up Solr to use the Kerberos plugin by uploading the\u00a0security.json\u00a0to ZooKeeper while you create it, as follows: If you are using Solr in standalone mode, you need to create the\u00a0security.json\u00a0file and put it in your\u00a0$SOLR_HOME\u00a0directory. Define a JAAS Configuration File The JAAS configuration file defines the properties to use for authentication, such as the service principal and the location of the keytab file. Other properties can also be set to ensure ticket caching and other features. The following example can be copied and modified slightly for your environment. The location of the file can be anywhere on the server, but it will be referenced when starting Solr so it must be readable on the filesystem. The JAAS file may contain multiple sections for different users, but each section must have a unique name so it can be uniquely referenced in each application. In the below example, we have created a JAAS configuration file with the name and path of\u00a0\/home\/foo\/jaas-client.conf. We will use this name and path when we define the Solr start parameters in the next section. Note that the client\u00a0principal\u00a0here is the same as the service principal. This will be used to authenticate internode requests and requests to ZooKeeper. Make sure to use the correct\u00a0principal\u00a0hostname and the\u00a0keyTab file path. The first line of this file defines the section name, which will be used with the\u00a0solr.kerberos.jaas.appname\u00a0parameter, defined below. The main properties we are concerned with are the\u00a0keyTab\u00a0and\u00a0principal properties, but there are others which may be required for your environment. For reference the ones in use in the above example are explained here: useKeyTab: this boolean property defines if we should use a keytab file (true, in this case). keyTab: the location and name of the keytab file for the principal this section of the JAAS configuration file is for. The path should be enclosed in double-quotes. storeKey: this boolean property allows the key to be stored in the private credentials of the user. useTicketCache: this boolean property allows the ticket to be obtained from the ticket cache. debug: this boolean property will output debug messages for help in troubleshooting. principal: the name of the service principal to be used. Solr Startup Parameters While starting up Solr, the following host-specific parameters need to be passed. These [&hellip;]"}