Apache SolrCloud Kerberos Configuration

By | March 4, 2017

I’ve been working on securing Apache SolrCloud with kerberos. This includes configuring Zookeeper. So after struggling and lots of searching I came up with a working kerberized solution for SolrCloud, with Zookeeper, and Apache Ranger for Authorization. First I tried to secure a standalone Solr instance by updating to the Solr 6x branch which is a SNAPSHOT specifically for this JIRA https://issues.apache.org/jira/browse/SOLR-9481. But this JIRA does not work Apache Ranger Solr Plugin as the Apache Ranger Solr Plugin only works with Collections and not Cores. So this automatically pushed me over to SolrCloud specifically sin I wanted to use the Apache Ranger Solr Plugin.

  • Utilize the setup_solr.sh from my github.com/solr_config_scripts. This is a custom script to setup SolrCloud after installation it sets permissions and copies configuration files into place. This script also install libxml2 for xmllint package if it’s not installed as xmllint is used by create_collection.sh and zkcli.sh to grab some additional configuration parameters to simplify life.
  • Create solr@EXAMPLE.COM kerberos principals in the local KDC being used for your Hadoop cluster.
    • [root@solrhost1 solr]# kinit gsenia/admin Password for gsenia/admin@EXAMPLE.COM:
    • [root@solrhost1 solr_server]# kadmin
    • Authenticating as principal gsenia/admin@EXAMPLE.COM with password.
    • Password for gsenia/admin@EXAMPLE.COM:
    • kadmin: addprinc -randkey solr@EXAMPLE.COM
    • WARNING: no policy specified for solr@EXAMPLE.COM; defaulting to no policy Principal “solr@EXMAPLE.COM”
    • created.
    • kadmin: xst -k /etc/security/keytabs/solr.headless.keytab solr@EXAMPLE.COM
    • Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab
    • WRFILE:/etc/security/keytabs/solr.headless.keytab
    • Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/solr.headless.keytab
    • Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/solr.headless.keytab
    • kadmin: quit
    • [root@solrhost1 solr]# chown -R 400 /etc/security/keytabs/solr.headless.keytab
    • [root@solrhost1 solr_server]# chown -R solr:hadoop /etc/security/keytabs/solr.headless.keytab
    • [root@solrhost1 solr]# chmod -R 400 /etc/security/keytabs/solr.headless.keytab
  • Create Initial Zookeeper zNode for SolrCloud – Note this should be /solr
    • hbase zkcli
      • setAcl /solr world:anyone:r,sasl:solr:cdrwa
      • create /solr “solr”
  • Startup Solr Service via systemctl
    • systemctl start solr-server
  • Configure Ranger Solr Plugin
    • Update Ranger Solr Plugin install.properties
    • vi /usr/hdp/2.5.3.9-3/ranger-solr-plugin/install.properties
      • Update: COMPONENT_INSTALL_DIR_NAME=/app/solr/server
      • Update: POLICY_MGR_URL=http://rangerpolicyserver.example.com:6080
      • Update: REPOSITORY_NAME=solr
    • Run enable_solr_plugin.sh
      • export JAVA_HOME=/usr/jdk64/jdk1.8.0_102/ ; ./enable-solr-plugin.sh
    • Create Solr Access Manager in Ranger Admin Interface http://ranger.example.com
  • Configure and update Solr security.json
    • This will enable Authorization ACLs
      • su – solr
      • cd /app/solr/server
      • ./zkcli.sh -cmd putfile /security.json source/security.json
  • Restart Solr Service via systemctl
    • systemctl restart solr-server

The following github project contains the scripts and configuration files used to make this work: https://github.com/gss2002/solr_configs_scripts