Repeat this process on all Solr server hosts:

1. Create a Solr service user principal using the syntax: solr/solr01.example.com@EXAMPLE.COM. This principal is used to authenticate with the Hadoop cluster. Replace solr01.example.com with the Solr server host, and EXAMPLE.COM with your Kerberos realm.

   $ kadmin
   kadmin: addprinc -randkey solr/solr01.example.com@EXAMPLE.COM

2. Create a HTTP service user principal using the syntax: HTTP/solr01.example.com@EXAMPLE.COM. This principal is used to authenticate user requests coming to the Solr web-services. Replace solr01.example.com with the Solr server host, and EXAMPLE.COM with your Kerberos realm.

   kadmin: addprinc -randkey HTTP/solr01.example.com@EXAMPLE.COM

     Note:

   The HTTP/ component of the HTTP service user principal must be upper case as shown in the syntax and example above.

3. Create keytab files with both principals.

   kadmin: xst -norandkey -k solr.keytab solr/solr01.example.com \
   HTTP/solr01.example.com

4. Test that credentials in the merged keytab file work. For example:

   $ klist -e -k -t solr.keytab

5. Copy the solr.keytab file to the Solr configuration directory. The owner of the solr.keytab file should be the solr user and the file should have owner-only read permissions.

Repeat this process on all Solr server hosts:

1. Ensure that the following properties appear in /etc/default/solr or /opt/cloudera/parcels/CDH-*/etc/default/solr and that they are uncommented. Modify these properties to match your environment. The relevant properties to be uncommented and modified are:

   SOLR_AUTHENTICATION_TYPE=kerberos
   SOLR_AUTHENTICATION_SIMPLE_ALLOW_ANON=true
   SOLR_AUTHENTICATION_KERBEROS_KEYTAB=/etc/solr/conf/solr.keytab
   SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL=HTTP/localhost@LOCALHOST
   SOLR_AUTHENTICATION_KERBEROS_NAME_RULES=DEFAULT
   SOLR_AUTHENTICATION_JAAS_CONF=/etc/solr/conf/jaas.conf

     Note: Modify the values for these properties to match your environment. For example, the SOLR_AUTHENTICATION_KERBEROS_PRINCIPAL=HTTP/localhost@LOCALHOST must include the principal instance and Kerberos realm for your environment. That is often different from localhost@LOCALHOST.
2. Set hadoop.security.auth_to_local to match the value specified by SOLR_AUTHENTICATION_KERBEROS_NAME_RULES in /etc/default/solr or /opt/cloudera/parcels/CDH-*/etc/default/solr.
     Note: For information on how to configure the rules, see Mapping Kerberos Principals to Short Names. For additional information on using Solr with HDFS, see Configuring Solr for Use with HDFS.
3. If using applications that use the solrj library, set up the Java Authentication and Authorization Service (JAAS).
   1. Create a jaas.conf file in the Solr configuration directory containing the following settings. This file and its location must match the SOLR_AUTHENTICATION_JAAS_CONF value. Make sure that you substitute a value for principal that matches your particular environment.

      Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        useTicketCache=false
        keyTab="/etc/solr/conf/solr.keytab"
        principal="solr/fully.qualified.domain.name@<YOUR-REALM>";
      };

You can configure LDAP-based authentication using Cloudera Manager at the Solr service level.

1. Go to the Solr service.
2. Click the Configuration tab.
3. Select Scope > Solr
4. Select Category > Security
5. Select Enable LDAP.
6. Enter the LDAP URI in the LDAP URI property.
7. Configure only one of following mutually exclusive parameters:
   • LDAP BaseDN: Replaces the username with a "distinguished name" (DN) of the form: uid=userid,ldap_baseDN. Typically used for OpenLDAP server installation.

   -OR-

   • LDAP Domain: Replaces the username with a string username@ldap_domain. Typically used for Active Directory server installation.

To enable LDAP authentication using the command line, configure the following environment variables in /etc/default/solr:

SOLR_AUTHENTICATION_HTTP_SCHEMES=Negotiate,Basic
SOLR_AUTHENTICATION_HTTP_DELEGATION_MGMT_SCHEMES=Negotiate
SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER=ldap
SOLR_AUTHENTICATION_HTTP_NEGOTIATE_HANDLER=kerberos
SOLR_AUTHENTICATION_LDAP_PROVIDER_URL=ldap://www.example.com

# Specify value for only one of SOLR_AUTHENTICATION_LDAP_BASE_DN or SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN property.
SOLR_AUTHENTICATION_LDAP_BASE_DN=ou=Users,dc=example,dc=com
# SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN=
# Required when using ‘Start TLS’ extension
# SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=false

You can secure communications using LDAP-based encryption.

To avoid sending credentials over the wire in clear-text, you must configure a secure connection between both the client and Solr, and between Solr and the LDAP server. The secure connection could use SSL or TLS.

Secure LDAP connections through SSL:

For SSL-enabled LDAP connections, specify a prefix of ldaps:// instead of ldap://. Also, the default port for SSL-enabled LDAP connections is 636 instead of 389.

Secure LDAP connections through TLS:

TLS, the successor to the SSL protocol, is supported by most modern LDAP servers. Unlike SSL connections, TLS connections can be made on the same server port as non-TLS connections. You can enable xxx using Cloudera Manager.

1. Go to the Solr service.
2. Click the Configuration tab.
3. Select Scope > Solr
4. Select Category > Security
5. Select Enable LDAP TLS.
6. Import the LDAP server security certificate in the Solr Trust Store file:
   1. Enter the location for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store File.
   2. Enter the password for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store Password.

Some HTTP clients such as curl or the Apache Http Java client must be configured to use a particular scheme. For example:

• curl tool supports using Kerberos or username/password authentication. Kerberos is activated using the --negotiate flag and username/password based authentication is activated using the --basic and -u flags.
• Apache HttpClient library can be configured to use specific authentication scheme. For more information, see the HTTP authentication chapter of Apache's HttpClient Tutorial.

Typically, web browsers automatically choose a preferred authentication scheme. For more information, see the HTTP authentication topic in The Chromium Projects.

To use LDAP authentication with Solr Java clients, HttpClientConfigurer needs to configured for Solr. This can either be done programmatically or using Java system properties.

For example, programmatic initialization might appear as:

SampleSolrClient.java

import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer;
import org.apache.solr.common.params.ModifiableSolrParams;

/**
 * This method initializes the Solr client to use LDAP authentication
 * This configuration is applicable to all Solr clients.
 * @param ldapUserName LDAP user name
 * @param ldapPassword  LDAP user password
 */
public static void initialize(String ldapUserName, String ldapPassword) {
  HttpClientUtil.setConfigurer(new PreemptiveBasicAuthConfigurer());
  ModifiableSolrParams params = new ModifiableSolrParams();
  params.set(HttpClientUtil.PROP_BASIC_AUTH_USER, ldapUserName);
  params.set(HttpClientUtil.PROP_BASIC_AUTH_PASS, ldapPassword);
  // Configure the JVM default parameters.
  PreemptiveBasicAuthConfigurer.setDefaultSolrParams(params);
}

For configuration using system properties, configure the following system properties:

For example, the entry in ldap-credentials.properties might appear as:

ldap-credentials.properties

httpBasicAuthUser=user1
httpBasicAuthPassword=passwd