- \n
- If you are using Kerberos to secure your network environment, the Kerberos authentication plugin can be used to secure a Solr cluster. This allows Solr to use a Kerberos service principal and keytab file to authenticate with ZooKeeper and between nodes of the Solr cluster (if applicable). Users of the Admin UI and all clients would also need to have a valid ticket before being able to use the UI or send requests to Solr.<\/li>\n
- When setting up Solr to use Kerberos, configurations are put in place for Solr to use a\u00a0service principal<\/em>, or a Kerberos username, which is registered with the Key Distribution Center (KDC) to authenticate requests. The configurations define the service principal name and the location of the keytab file that contains the credentials.<\/li>\n
- The Solr authentication model uses a file called\u00a0
security.json<\/code>. If this file is created after an initial startup of Solr, a restart of each node of the system is required.<\/li>\n- \n
Service Principals and Keytab Files<\/h3>\n
\nEach Solr node must have a service principal registered with the Key Distribution Center (KDC). The Kerberos plugin uses SPNego to negotiate authentication.<\/p>\n<\/div>\n
\nUsing\u00a0
HTTP\/host1@YOUR-DOMAIN.ORG<\/code>, as an example of a service principal:<\/p>\n<\/div>\n\n- \n
HTTP<\/code>\u00a0indicates the type of requests which this service principal will be used to authenticate. The\u00a0HTTP\/<\/code>\u00a0in the service principal is a must for SPNego to work with requests to Solr over HTTP.<\/li>\nhost1<\/code> is the hostname of the machine hosting the Solr node.<\/li>\nYOUR-DOMAIN.ORG<\/code> is the organization-wide Kerberos realm.<\/li>\n<\/ul>\n<\/div>\n\nMultiple Solr nodes on the same host may have the same service principal since the hostname is common to them all.<\/p>\n<\/div>\n
\nAlong with the service principal, each Solr node needs a keytab file that should contain the credentials of the service principal used. A keytab file contains encrypted credentials to support passwordless logins while obtaining Kerberos tickets from the KDC. For each Solr node, the keytab file should be kept in a secure location and not shared with users of the cluster.<\/p>\n<\/div>\n
\nSince a Solr cluster requires internode communication, each node must also be able to make Kerberos enabled requests to other nodes. By default, Solr uses the same service principal and keytab as a ‘client principal’ for internode communication.<\/p>\n
Kerberized ZooKeeper<\/h3>\n
\nWhen setting up a kerberized SolrCloud cluster, it is recommended to enable Kerberos security for ZooKeeper as well.<\/p>\n<\/div>\n
\nIn such a setup, the client principal used to authenticate requests with ZooKeeper can be shared for internode communication as well. This has the benefit of not needing to renew the ticket granting tickets (TGTs) separately, since the ZooKeeper client used by Solr takes care of this. To achieve this, a single JAAS configuration (with the app name as Client) can be used for the Kerberos plugin as well as for the ZooKeeper client.<\/p>\n
ZooKeeper Configuration<\/h3>\n
\nIf you are using a ZooKeeper that has already been configured to use Kerberos, you can skip the ZooKeeper-related steps shown here.<\/p>\n<\/div>\n
\nSince ZooKeeper manages the communication between nodes in a SolrCloud cluster, it must also be able to authenticate with each node of the cluster. Configuration requires setting up a service principal for ZooKeeper, defining a JAAS configuration file and instructing ZooKeeper to use both of those items.<\/p>\n
Create security.json<\/h3>\n
\nCreate the\u00a0
security.json<\/code>\u00a0file.<\/p>\n<\/div>\n\nIn SolrCloud mode, you can set up Solr to use the Kerberos plugin by uploading the\u00a0
security.json<\/code>\u00a0to ZooKeeper while you create it, as follows:<\/p>\n![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-14.png\")
<\/p>\nIf you are using Solr in standalone mode, you need to create the\u00a0
security.json<\/code>\u00a0file and put it in your\u00a0$SOLR_HOME<\/code>\u00a0directory.<\/p>\nDefine a JAAS Configuration File<\/h3>\n
\nThe JAAS configuration file defines the properties to use for authentication, such as the service principal and the location of the keytab file. Other properties can also be set to ensure ticket caching and other features.<\/p>\n<\/div>\n
\nThe following example can be copied and modified slightly for your environment. The location of the file can be anywhere on the server, but it will be referenced when starting Solr so it must be readable on the filesystem. The JAAS file may contain multiple sections for different users, but each section must have a unique name so it can be uniquely referenced in each application.<\/p>\n<\/div>\n
\nIn the below example, we have created a JAAS configuration file with the name and path of\u00a0
\/home\/foo\/jaas-client.conf<\/code>. We will use this name and path when we define the Solr start parameters in the next section. Note that the client\u00a0principal<\/code>\u00a0here is the same as the service principal. This will be used to authenticate internode requests and requests to ZooKeeper. Make sure to use the correct\u00a0principal<\/code>\u00a0hostname and the\u00a0keyTab<\/code> file path.<\/p>\n![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-15.png\")
<\/p>\n\nThe first line of this file defines the section name, which will be used with the\u00a0
solr.kerberos.jaas.appname<\/code>\u00a0parameter, defined below.<\/p>\n<\/div>\n\nThe main properties we are concerned with are the\u00a0
keyTab<\/code>\u00a0and\u00a0principal<\/code> properties, but there are others which may be required for your environment.<\/p>\n\n\nFor reference the ones in use in the above example are explained here:<\/p>\n<\/div>\n
\n- \n
useKeyTab<\/code>: this boolean property defines if we should use a keytab file (true, in this case).<\/li>\nkeyTab<\/code>: the location and name of the keytab file for the principal this section of the JAAS configuration file is for. The path should be enclosed in double-quotes.<\/li>\nstoreKey<\/code>: this boolean property allows the key to be stored in the private credentials of the user.<\/li>\nuseTicketCache<\/code>: this boolean property allows the ticket to be obtained from the ticket cache.<\/li>\ndebug<\/code>: this boolean property will output debug messages for help in troubleshooting.<\/li>\nprincipal<\/code>: the name of the service principal to be used.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\nSolr Startup Parameters<\/h3>\n
\nWhile starting up Solr, the following host-specific parameters need to be passed. These parameters can be passed at the command line with the\u00a0
bin\/solr<\/code> start command or defined in\u00a0bin\/solr.in.sh<\/code>\u00a0or\u00a0bin\/solr.in.cmd<\/code>\u00a0as appropriate for your operating system.<\/p>\n\n- \n
solr.kerberos.name.rules<\/code><\/dt>\n- Used to map Kerberos principals to short names. Default value is\u00a0
DEFAULT<\/code>. Example of a name rule:\u00a0RULE:[1:$1@$0](.*EXAMPLE.COM)s\/@.*\/\/<\/code>.<\/dd>\nsolr.kerberos.cookie.domain<\/code><\/dt>\n- Used to issue cookies and should have the hostname of the Solr node. This parameter is required.<\/dd>\n
solr.kerberos.cookie.portaware<\/code><\/dt>\n- When set to\u00a0
true<\/code>, cookies are differentiated based on host and port, as opposed to standard cookies which are not port aware. This should be set if more than one Solr node is hosted on the same host. The default is\u00a0false<\/code>.<\/dd>\nsolr.kerberos.principal<\/code><\/dt>\n- The service principal. This parameter is required.<\/dd>\n
solr.kerberos.keytab<\/code><\/dt>\n- Keytab file path containing service principal credentials. This parameter is required.<\/dd>\n
solr.kerberos.jaas.appname<\/code><\/dt>\n- The app name (section name) within the JAAS configuration file which is required for internode communication. Default is\u00a0
Client<\/code>, which is used for ZooKeeper authentication as well. If different users are used for ZooKeeper and Solr, they will need to have separate sections in the JAAS configuration file.<\/dd>\njava.security.auth.login.config<\/code><\/dt>\n- Path to the JAAS configuration file for configuring a Solr client for internode communication. This parameter is required.<\/dd>\n<\/dl>\n<\/div>\n
\nHere is an example that could be added to\u00a0
bin\/solr.in.sh<\/code>. Make sure to change this example to use the right hostname and the keytab file path.<\/p>\n![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-16.png\")
<\/p>\nUsing Delegation Tokens<\/h3>\n
\nThe Kerberos plugin can be configured to use delegation tokens, which allow an application to reuse the authentication of an end-user or another application.<\/p>\n<\/div>\n
\nThere are a few use cases for Solr where this might be helpful:<\/p>\n<\/div>\n
\n- \n
- Using distributed clients (such as MapReduce) where each client may not have access to the user\u2019s credentials.<\/li>\n
- When load on the Kerberos server is high. Delegation tokens can reduce the load because they do not access the server after the first request.<\/li>\n
- If requests or permissions need to be delegated to another user.<\/li>\n<\/ul>\n<\/div>\n\n
To enable delegation tokens, several parameters must be defined. These parameters can be passed at the command line with the\u00a0
bin\/solr<\/code> start command.<\/p>\n\n\n- \n
solr.kerberos.delegation.token.enabled<\/code><\/dt>\n- This is\u00a0
false<\/code>\u00a0by default, set to\u00a0true<\/code>\u00a0to enable delegation tokens. This parameter is required if you want to enable tokens.<\/dd>\nsolr.kerberos.delegation.token.kind<\/code><\/dt>\n- The type of delegation tokens. By default this is\u00a0
solr-dt<\/code>. Likely this does not need to change. No other option is available at this time.<\/dd>\nsolr.kerberos.delegation.token.validity<\/code><\/dt>\n- Time, in seconds, for which delegation tokens are valid. The default is 36000 seconds.<\/dd>\n
solr.kerberos.delegation.token.signer.secret.provider<\/code><\/dt>\n- Where delegation token information is stored internally. The default is\u00a0
zookeeper<\/code>\u00a0which must be the location for delegation tokens to work across Solr servers (when running in SolrCloud mode). No other option is available at this time.<\/dd>\nsolr.kerberos.delegation.token.signer.secret.provider.zookeper.path<\/code><\/dt>\n- The ZooKeeper path where the secret provider information is stored. This is in the form of the path + \/security\/token. The path can include the chroot or the chroot can be omitted if you are not using it. This example includes the chroot:\u00a0
server1:9983,server2:9983,server3:9983\/solr\/security\/token<\/code>.<\/dd>\nsolr.kerberos.delegation.token.secret.manager.znode.working.path<\/code><\/dt>\n- The ZooKeeper path where token information is stored. This is in the form of the path + \/security\/zkdtsm. The path can include the chroot or the chroot can be omitted if you are not using it. This example includes the chroot:\u00a0
server1:9983,server2:9983,server3:9983\/solr\/security\/zkdtsm<\/code>.<\/p>\nStart Solr<\/h3>\n
\nOnce the configuration is complete, you can start Solr with the\u00a0
bin\/solr<\/code>\u00a0script, as in the example below, which is for users in SolrCloud mode only. This example assumes you modified\u00a0bin\/solr.in.sh<\/code>\u00a0or\u00a0bin\/solr.in.cmd<\/code>, with the proper values, but if you did not, you would pass the system parameters along with the start command. Note you also need to customize the\u00a0-z<\/code>\u00a0property as appropriate for the location of your ZooKeeper nodes.<\/p>\n![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-17.png\")
<\/p>\n<\/div>\n<\/dd>\n<\/dl>\n<\/div>\n<\/div>\n\nUsing SolrJ with a Kerberized Solr<\/h2>\n
<\/p>\n
\n\nTo use Kerberos authentication in a SolrJ application, you need the following two lines before you create a SolrClient:<\/p>\n
![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-18.png\")
<\/p>\nYou need to specify a Kerberos service principal for the client and a corresponding keytab in the JAAS client configuration file above. This principle should be different from the service principal we created for Solr.<\/p>\n
![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-19.png\")
<\/p>\nDelegation Tokens with SolrJ<\/h3>\n
\nDelegation tokens are also supported with SolrJ, in the following ways:<\/p>\n<\/div>\n
\n- \n
DelegationTokenRequest<\/code>\u00a0and\u00a0DelegationTokenResponse<\/code>\u00a0can be used to get, cancel, and renew delegation tokens.<\/li>\nHttpSolrClient.Builder<\/code>\u00a0includes a\u00a0withDelegationToken<\/code>\u00a0function for creating an HttpSolrClient that uses a delegation token to authenticate.<\/li>\n<\/ul>\n<\/div>\n\nSample code to get a delegation token:<\/p>\n
![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-20.png\")
<\/p>\nTo create a\u00a0
HttpSolrClient<\/code>\u00a0that uses delegation tokens:<\/p>\n![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-21.png\")
<\/p>\nTo create a\u00a0
CloudSolrClient<\/code>\u00a0that uses delegation tokens:<\/p>\n![\"\"](\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/carbon-22.png\")
<\/p>\nSo, this is it about securing solr. We will be back with another post on solr very soon.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Hello Everyone! We are back with another interesting post on Solr. One of the crucial requirements while setting up a solr application is to provide selective access to various resources allocated on the solr instance. Put simply, we need a mechanism to handle who logs in to the server and no unintended party gets access to various resources. When planning how to secure Solr, one should consider which of the available features or approaches are right for them. There are following ways to authenticate the users: Kerberos Authentication Plugin: If you are using Kerberos to secure your network environment, the Kerberos authentication plugin can be used to secure a Solr cluster. This allows Solr to use a Kerberos service principal and keytab file to authenticate with ZooKeeper and between nodes of the Solr cluster (if applicable). Users of the Admin UI and all clients would also need to have a valid ticket before being able to use the UI or send requests to Solr. When setting up Solr to use Kerberos, configurations are put in place for Solr to use a\u00a0service principal, or a Kerberos username, which is registered with the Key Distribution Center (KDC) to authenticate requests. The configurations define the service principal name and the location of the keytab file that contains the credentials. The Solr authentication model uses a file called\u00a0security.json. If this file is created after an initial startup of Solr, a restart of each node of the system is required. Service Principals and Keytab Files Each Solr node must have a service principal registered with the Key Distribution Center (KDC). The Kerberos plugin uses SPNego to negotiate authentication. Using\u00a0HTTP\/host1@YOUR-DOMAIN.ORG, as an example of a service principal: HTTP\u00a0indicates the type of requests which this service principal will be used to authenticate. The\u00a0HTTP\/\u00a0in the service principal is a must for SPNego to work with requests to Solr over HTTP. host1 is the hostname of the machine hosting the Solr node. YOUR-DOMAIN.ORG is the organization-wide Kerberos realm. Multiple Solr nodes on the same host may have the same service principal since the hostname is common to them all. Along with the service principal, each Solr node needs a keytab file that should contain the credentials of the service principal used. A keytab file contains encrypted credentials to support passwordless logins while obtaining Kerberos tickets from the KDC. For each Solr node, the keytab file should be kept in a secure location and not shared with users of the cluster. Since a Solr cluster requires internode communication, each node must also be able to make Kerberos enabled requests to other nodes. By default, Solr uses the same service principal and keytab as a ‘client principal’ for internode communication. Kerberized ZooKeeper When setting up a kerberized SolrCloud cluster, it is recommended to enable Kerberos security for ZooKeeper as well. In such a setup, the client principal used to authenticate requests with ZooKeeper can be shared for internode communication as well. This has the benefit of not needing to renew the ticket granting tickets (TGTs) separately, since the ZooKeeper client used by Solr takes care of this. To achieve this, a single JAAS configuration (with the app name as Client) can be used for the Kerberos plugin as well as for the ZooKeeper client. ZooKeeper Configuration If you are using a ZooKeeper that has already been configured to use Kerberos, you can skip the ZooKeeper-related steps shown here. Since ZooKeeper manages the communication between nodes in a SolrCloud cluster, it must also be able to authenticate with each node of the cluster. Configuration requires setting up a service principal for ZooKeeper, defining a JAAS configuration file and instructing ZooKeeper to use both of those items. Create security.json Create the\u00a0security.json\u00a0file. In SolrCloud mode, you can set up Solr to use the Kerberos plugin by uploading the\u00a0security.json\u00a0to ZooKeeper while you create it, as follows: If you are using Solr in standalone mode, you need to create the\u00a0security.json\u00a0file and put it in your\u00a0$SOLR_HOME\u00a0directory. Define a JAAS Configuration File The JAAS configuration file defines the properties to use for authentication, such as the service principal and the location of the keytab file. Other properties can also be set to ensure ticket caching and other features. The following example can be copied and modified slightly for your environment. The location of the file can be anywhere on the server, but it will be referenced when starting Solr so it must be readable on the filesystem. The JAAS file may contain multiple sections for different users, but each section must have a unique name so it can be uniquely referenced in each application. In the below example, we have created a JAAS configuration file with the name and path of\u00a0\/home\/foo\/jaas-client.conf. We will use this name and path when we define the Solr start parameters in the next section. Note that the client\u00a0principal\u00a0here is the same as the service principal. This will be used to authenticate internode requests and requests to ZooKeeper. Make sure to use the correct\u00a0principal\u00a0hostname and the\u00a0keyTab file path. The first line of this file defines the section name, which will be used with the\u00a0solr.kerberos.jaas.appname\u00a0parameter, defined below. The main properties we are concerned with are the\u00a0keyTab\u00a0and\u00a0principal properties, but there are others which may be required for your environment. For reference the ones in use in the above example are explained here: useKeyTab: this boolean property defines if we should use a keytab file (true, in this case). keyTab: the location and name of the keytab file for the principal this section of the JAAS configuration file is for. The path should be enclosed in double-quotes. storeKey: this boolean property allows the key to be stored in the private credentials of the user. useTicketCache: this boolean property allows the ticket to be obtained from the ticket cache. debug: this boolean property will output debug messages for help in troubleshooting. principal: the name of the service principal to be used. Solr Startup Parameters While starting up Solr, the following host-specific parameters need to be passed. These […]<\/p>\n","protected":false},"author":3,"featured_media":559,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41],"tags":[78,80,79],"class_list":["post-543","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-solr","tag-kerberos","tag-kerberos-authentication","tag-solr-authentication"],"yoast_head":"\n
Securing Solr - Ultimate Solr Guide - Aeologic Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing Solr - Ultimate Solr Guide - Aeologic Blog\" \/>\n<meta property=\"og:description\" content=\"Hello Everyone! We are back with another interesting post on Solr. One of the crucial requirements while setting up a solr application is to provide selective access to various resources allocated on the solr instance. Put simply, we need a mechanism to handle who logs in to the server and no unintended party gets access to various resources. When planning how to secure Solr, one should consider which of the available features or approaches are right for them. There are following ways to authenticate the users: Kerberos Authentication Plugin: If you are using Kerberos to secure your network environment, the Kerberos authentication plugin can be used to secure a Solr cluster. This allows Solr to use a Kerberos service principal and keytab file to authenticate with ZooKeeper and between nodes of the Solr cluster (if applicable). Users of the Admin UI and all clients would also need to have a valid ticket before being able to use the UI or send requests to Solr. When setting up Solr to use Kerberos, configurations are put in place for Solr to use a\u00a0service principal, or a Kerberos username, which is registered with the Key Distribution Center (KDC) to authenticate requests. The configurations define the service principal name and the location of the keytab file that contains the credentials. The Solr authentication model uses a file called\u00a0security.json. If this file is created after an initial startup of Solr, a restart of each node of the system is required. Service Principals and Keytab Files Each Solr node must have a service principal registered with the Key Distribution Center (KDC). The Kerberos plugin uses SPNego to negotiate authentication. Using\u00a0HTTP\/host1@YOUR-DOMAIN.ORG, as an example of a service principal: HTTP\u00a0indicates the type of requests which this service principal will be used to authenticate. The\u00a0HTTP\/\u00a0in the service principal is a must for SPNego to work with requests to Solr over HTTP. host1 is the hostname of the machine hosting the Solr node. YOUR-DOMAIN.ORG is the organization-wide Kerberos realm. Multiple Solr nodes on the same host may have the same service principal since the hostname is common to them all. Along with the service principal, each Solr node needs a keytab file that should contain the credentials of the service principal used. A keytab file contains encrypted credentials to support passwordless logins while obtaining Kerberos tickets from the KDC. For each Solr node, the keytab file should be kept in a secure location and not shared with users of the cluster. Since a Solr cluster requires internode communication, each node must also be able to make Kerberos enabled requests to other nodes. By default, Solr uses the same service principal and keytab as a ‘client principal’ for internode communication. Kerberized ZooKeeper When setting up a kerberized SolrCloud cluster, it is recommended to enable Kerberos security for ZooKeeper as well. In such a setup, the client principal used to authenticate requests with ZooKeeper can be shared for internode communication as well. This has the benefit of not needing to renew the ticket granting tickets (TGTs) separately, since the ZooKeeper client used by Solr takes care of this. To achieve this, a single JAAS configuration (with the app name as Client) can be used for the Kerberos plugin as well as for the ZooKeeper client. ZooKeeper Configuration If you are using a ZooKeeper that has already been configured to use Kerberos, you can skip the ZooKeeper-related steps shown here. Since ZooKeeper manages the communication between nodes in a SolrCloud cluster, it must also be able to authenticate with each node of the cluster. Configuration requires setting up a service principal for ZooKeeper, defining a JAAS configuration file and instructing ZooKeeper to use both of those items. Create security.json Create the\u00a0security.json\u00a0file. In SolrCloud mode, you can set up Solr to use the Kerberos plugin by uploading the\u00a0security.json\u00a0to ZooKeeper while you create it, as follows: If you are using Solr in standalone mode, you need to create the\u00a0security.json\u00a0file and put it in your\u00a0$SOLR_HOME\u00a0directory. Define a JAAS Configuration File The JAAS configuration file defines the properties to use for authentication, such as the service principal and the location of the keytab file. Other properties can also be set to ensure ticket caching and other features. The following example can be copied and modified slightly for your environment. The location of the file can be anywhere on the server, but it will be referenced when starting Solr so it must be readable on the filesystem. The JAAS file may contain multiple sections for different users, but each section must have a unique name so it can be uniquely referenced in each application. In the below example, we have created a JAAS configuration file with the name and path of\u00a0\/home\/foo\/jaas-client.conf. We will use this name and path when we define the Solr start parameters in the next section. Note that the client\u00a0principal\u00a0here is the same as the service principal. This will be used to authenticate internode requests and requests to ZooKeeper. Make sure to use the correct\u00a0principal\u00a0hostname and the\u00a0keyTab file path. The first line of this file defines the section name, which will be used with the\u00a0solr.kerberos.jaas.appname\u00a0parameter, defined below. The main properties we are concerned with are the\u00a0keyTab\u00a0and\u00a0principal properties, but there are others which may be required for your environment. For reference the ones in use in the above example are explained here: useKeyTab: this boolean property defines if we should use a keytab file (true, in this case). keyTab: the location and name of the keytab file for the principal this section of the JAAS configuration file is for. The path should be enclosed in double-quotes. storeKey: this boolean property allows the key to be stored in the private credentials of the user. useTicketCache: this boolean property allows the ticket to be obtained from the ticket cache. debug: this boolean property will output debug messages for help in troubleshooting. principal: the name of the service principal to be used. Solr Startup Parameters While starting up Solr, the following host-specific parameters need to be passed. These […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/\" \/>\n<meta property=\"og:site_name\" content=\"Aeologic Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/AeoLogicTech\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-02-13T17:17:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-03-18T08:11:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1080\" \/>\n\t<meta property=\"og:image:height\" content=\"622\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Manoj Kumar\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@aeologictech\" \/>\n<meta name=\"twitter:site\" content=\"@aeologictech\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Manoj Kumar\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/\"},\"author\":{\"name\":\"Manoj Kumar\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/#\/schema\/person\/13549984ba8e5f441cc733ed20d7daa4\"},\"headline\":\"Securing Solr – Ultimate Solr Guide\",\"datePublished\":\"2020-02-13T17:17:43+00:00\",\"dateModified\":\"2020-03-18T08:11:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/\"},\"wordCount\":1714,\"publisher\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png\",\"keywords\":[\"kerberos\",\"kerberos authentication\",\"solr authentication\"],\"articleSection\":[\"Solr\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/\",\"url\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/\",\"name\":\"Securing Solr - Ultimate Solr Guide - Aeologic Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png\",\"datePublished\":\"2020-02-13T17:17:43+00:00\",\"dateModified\":\"2020-03-18T08:11:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#primaryimage\",\"url\":\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png\",\"contentUrl\":\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png\",\"width\":1080,\"height\":622},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aeologic.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing Solr – Ultimate Solr Guide\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/#website\",\"url\":\"https:\/\/www.aeologic.com\/blog\/\",\"name\":\"Aeologic Blog\",\"description\":\"Aeologic\",\"publisher\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aeologic.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/#organization\",\"name\":\"AeoLogic Technologies\",\"url\":\"https:\/\/www.aeologic.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2022\/05\/new-logo-aeo.jpg\",\"contentUrl\":\"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2022\/05\/new-logo-aeo.jpg\",\"width\":385,\"height\":162,\"caption\":\"AeoLogic Technologies\"},\"image\":{\"@id\":\"https:\/\/www.aeologic.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/AeoLogicTech\/\",\"https:\/\/x.com\/aeologictech\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/#\/schema\/person\/13549984ba8e5f441cc733ed20d7daa4\",\"name\":\"Manoj Kumar\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.aeologic.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/24ce77602da5eb5715d74a95733f6c7548e2af73f5a493f9bc0bf55f611d025e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/24ce77602da5eb5715d74a95733f6c7548e2af73f5a493f9bc0bf55f611d025e?s=96&d=mm&r=g\",\"caption\":\"Manoj Kumar\"},\"description\":\"Manoj Kumar is a seasoned Digital Marketing Manager and passionate Tech Blogger with deep expertise in SEO, AI trends, and emerging digital technologies. He writes about innovative solutions that drive growth and transformation across industry. Featured on - YOURSTORY | TECHSLING | ELEARNINGINDUSTRY | DATASCIENCECENTRAL | TIMESOFINDIA | MEDIUM | DATAFLOQ\",\"sameAs\":[\"https:\/\/www.aeologic.com\/\",\"https:\/\/www.linkedin.com\/in\/manoj-kumar-rajput\/\"],\"url\":\"https:\/\/www.aeologic.com\/blog\/author\/manoj\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Securing Solr - Ultimate Solr Guide - Aeologic Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/","og_locale":"en_US","og_type":"article","og_title":"Securing Solr - Ultimate Solr Guide - Aeologic Blog","og_description":"Hello Everyone! We are back with another interesting post on Solr. One of the crucial requirements while setting up a solr application is to provide selective access to various resources allocated on the solr instance. Put simply, we need a mechanism to handle who logs in to the server and no unintended party gets access to various resources. When planning how to secure Solr, one should consider which of the available features or approaches are right for them. There are following ways to authenticate the users: Kerberos Authentication Plugin: If you are using Kerberos to secure your network environment, the Kerberos authentication plugin can be used to secure a Solr cluster. This allows Solr to use a Kerberos service principal and keytab file to authenticate with ZooKeeper and between nodes of the Solr cluster (if applicable). Users of the Admin UI and all clients would also need to have a valid ticket before being able to use the UI or send requests to Solr. When setting up Solr to use Kerberos, configurations are put in place for Solr to use a\u00a0service principal, or a Kerberos username, which is registered with the Key Distribution Center (KDC) to authenticate requests. The configurations define the service principal name and the location of the keytab file that contains the credentials. The Solr authentication model uses a file called\u00a0security.json. If this file is created after an initial startup of Solr, a restart of each node of the system is required. Service Principals and Keytab Files Each Solr node must have a service principal registered with the Key Distribution Center (KDC). The Kerberos plugin uses SPNego to negotiate authentication. Using\u00a0HTTP\/host1@YOUR-DOMAIN.ORG, as an example of a service principal: HTTP\u00a0indicates the type of requests which this service principal will be used to authenticate. The\u00a0HTTP\/\u00a0in the service principal is a must for SPNego to work with requests to Solr over HTTP. host1 is the hostname of the machine hosting the Solr node. YOUR-DOMAIN.ORG is the organization-wide Kerberos realm. Multiple Solr nodes on the same host may have the same service principal since the hostname is common to them all. Along with the service principal, each Solr node needs a keytab file that should contain the credentials of the service principal used. A keytab file contains encrypted credentials to support passwordless logins while obtaining Kerberos tickets from the KDC. For each Solr node, the keytab file should be kept in a secure location and not shared with users of the cluster. Since a Solr cluster requires internode communication, each node must also be able to make Kerberos enabled requests to other nodes. By default, Solr uses the same service principal and keytab as a ‘client principal’ for internode communication. Kerberized ZooKeeper When setting up a kerberized SolrCloud cluster, it is recommended to enable Kerberos security for ZooKeeper as well. In such a setup, the client principal used to authenticate requests with ZooKeeper can be shared for internode communication as well. This has the benefit of not needing to renew the ticket granting tickets (TGTs) separately, since the ZooKeeper client used by Solr takes care of this. To achieve this, a single JAAS configuration (with the app name as Client) can be used for the Kerberos plugin as well as for the ZooKeeper client. ZooKeeper Configuration If you are using a ZooKeeper that has already been configured to use Kerberos, you can skip the ZooKeeper-related steps shown here. Since ZooKeeper manages the communication between nodes in a SolrCloud cluster, it must also be able to authenticate with each node of the cluster. Configuration requires setting up a service principal for ZooKeeper, defining a JAAS configuration file and instructing ZooKeeper to use both of those items. Create security.json Create the\u00a0security.json\u00a0file. In SolrCloud mode, you can set up Solr to use the Kerberos plugin by uploading the\u00a0security.json\u00a0to ZooKeeper while you create it, as follows: If you are using Solr in standalone mode, you need to create the\u00a0security.json\u00a0file and put it in your\u00a0$SOLR_HOME\u00a0directory. Define a JAAS Configuration File The JAAS configuration file defines the properties to use for authentication, such as the service principal and the location of the keytab file. Other properties can also be set to ensure ticket caching and other features. The following example can be copied and modified slightly for your environment. The location of the file can be anywhere on the server, but it will be referenced when starting Solr so it must be readable on the filesystem. The JAAS file may contain multiple sections for different users, but each section must have a unique name so it can be uniquely referenced in each application. In the below example, we have created a JAAS configuration file with the name and path of\u00a0\/home\/foo\/jaas-client.conf. We will use this name and path when we define the Solr start parameters in the next section. Note that the client\u00a0principal\u00a0here is the same as the service principal. This will be used to authenticate internode requests and requests to ZooKeeper. Make sure to use the correct\u00a0principal\u00a0hostname and the\u00a0keyTab file path. The first line of this file defines the section name, which will be used with the\u00a0solr.kerberos.jaas.appname\u00a0parameter, defined below. The main properties we are concerned with are the\u00a0keyTab\u00a0and\u00a0principal properties, but there are others which may be required for your environment. For reference the ones in use in the above example are explained here: useKeyTab: this boolean property defines if we should use a keytab file (true, in this case). keyTab: the location and name of the keytab file for the principal this section of the JAAS configuration file is for. The path should be enclosed in double-quotes. storeKey: this boolean property allows the key to be stored in the private credentials of the user. useTicketCache: this boolean property allows the ticket to be obtained from the ticket cache. debug: this boolean property will output debug messages for help in troubleshooting. principal: the name of the service principal to be used. Solr Startup Parameters While starting up Solr, the following host-specific parameters need to be passed. These […]","og_url":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/","og_site_name":"Aeologic Blog","article_publisher":"https:\/\/www.facebook.com\/AeoLogicTech\/","article_published_time":"2020-02-13T17:17:43+00:00","article_modified_time":"2020-03-18T08:11:39+00:00","og_image":[{"width":1080,"height":622,"url":"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png","type":"image\/png"}],"author":"Manoj Kumar","twitter_card":"summary_large_image","twitter_creator":"@aeologictech","twitter_site":"@aeologictech","twitter_misc":{"Written by":"Manoj Kumar","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#article","isPartOf":{"@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/"},"author":{"name":"Manoj Kumar","@id":"https:\/\/www.aeologic.com\/blog\/#\/schema\/person\/13549984ba8e5f441cc733ed20d7daa4"},"headline":"Securing Solr – Ultimate Solr Guide","datePublished":"2020-02-13T17:17:43+00:00","dateModified":"2020-03-18T08:11:39+00:00","mainEntityOfPage":{"@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/"},"wordCount":1714,"publisher":{"@id":"https:\/\/www.aeologic.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#primaryimage"},"thumbnailUrl":"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png","keywords":["kerberos","kerberos authentication","solr authentication"],"articleSection":["Solr"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/","url":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/","name":"Securing Solr - Ultimate Solr Guide - Aeologic Blog","isPartOf":{"@id":"https:\/\/www.aeologic.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#primaryimage"},"image":{"@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#primaryimage"},"thumbnailUrl":"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png","datePublished":"2020-02-13T17:17:43+00:00","dateModified":"2020-03-18T08:11:39+00:00","breadcrumb":{"@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#primaryimage","url":"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png","contentUrl":"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2020\/02\/Securing-Solr.png","width":1080,"height":622},{"@type":"BreadcrumbList","@id":"https:\/\/www.aeologic.com\/blog\/ultimate-solr-guide-9-securing-solr-instance\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aeologic.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Securing Solr – Ultimate Solr Guide"}]},{"@type":"WebSite","@id":"https:\/\/www.aeologic.com\/blog\/#website","url":"https:\/\/www.aeologic.com\/blog\/","name":"Aeologic Blog","description":"Aeologic","publisher":{"@id":"https:\/\/www.aeologic.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aeologic.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.aeologic.com\/blog\/#organization","name":"AeoLogic Technologies","url":"https:\/\/www.aeologic.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.aeologic.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2022\/05\/new-logo-aeo.jpg","contentUrl":"https:\/\/www.aeologic.com\/blog\/wp-content\/uploads\/2022\/05\/new-logo-aeo.jpg","width":385,"height":162,"caption":"AeoLogic Technologies"},"image":{"@id":"https:\/\/www.aeologic.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/AeoLogicTech\/","https:\/\/x.com\/aeologictech"]},{"@type":"Person","@id":"https:\/\/www.aeologic.com\/blog\/#\/schema\/person\/13549984ba8e5f441cc733ed20d7daa4","name":"Manoj Kumar","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.aeologic.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/24ce77602da5eb5715d74a95733f6c7548e2af73f5a493f9bc0bf55f611d025e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/24ce77602da5eb5715d74a95733f6c7548e2af73f5a493f9bc0bf55f611d025e?s=96&d=mm&r=g","caption":"Manoj Kumar"},"description":"Manoj Kumar is a seasoned Digital Marketing Manager and passionate Tech Blogger with deep expertise in SEO, AI trends, and emerging digital technologies. He writes about innovative solutions that drive growth and transformation across industry. Featured on - YOURSTORY | TECHSLING | ELEARNINGINDUSTRY | DATASCIENCECENTRAL | TIMESOFINDIA | MEDIUM | DATAFLOQ","sameAs":["https:\/\/www.aeologic.com\/","https:\/\/www.linkedin.com\/in\/manoj-kumar-rajput\/"],"url":"https:\/\/www.aeologic.com\/blog\/author\/manoj\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/posts\/543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/comments?post=543"}],"version-history":[{"count":0,"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/posts\/543\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/media\/559"}],"wp:attachment":[{"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/media?parent=543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/categories?post=543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aeologic.com\/blog\/wp-json\/wp\/v2\/tags?post=543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- This is\u00a0
- Used to map Kerberos principals to short names. Default value is\u00a0
- The Solr authentication model uses a file called\u00a0