Application security is the general practice of adding features or functionality to software to prevent a range of different threats. These include denial of service attacks and other cyber-attacks, and data breaches or data theft situations.
Solr itself ships with frameworks for authenticating and authorizing users. Some plugins are included out of the box, and additional plugins can be developed against the authentication and authorization frameworks. The out-of-the-box authentication and authorization APIs let you define users, roles and permissions.
Solr provides the following options for authentication and authorization:
- Basic Authentication Plugin
- Rule-Based Authorization Plugin
- Kerberos Authentication Plugin
- Custom authentication or authorization plugin
Configuring User Access Control in Solr
In general, access control should be set up for groups of users with different permissions. For example:
- The first group, "admin", has access to everything in and around Solr.
- The second group, "DevOps", has the same permissions as "admin" except that it cannot alter the permissions of an existing group or add a new group.
- The third group, "dev", has query access to all collections but neither write permissions nor read access to the collections' configuration.
Here we discuss creating users and managing their roles and permissions via the Rule-Based Authorization Plugin.
- The first step in using Solr authentication/authorization is to upload the security.json file to ZooKeeper using zkcli.sh.
Assuming the Solr installation directory is SOLR_HOME, and that your security.json file is in the current directory (here the root), run the command below. It installs your security.json in ZooKeeper, where all running nodes pick it up, and enables the Solr security framework.
$SOLR_HOME/server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:9983 -cmd putfile /security.json security.json
Sample security.json (the credential is the "hash salt" pair for the password SolrRocks used by the curl commands further down):
{
"authentication":{
"class":"solr.BasicAuthPlugin",
"blockUnknown":true,
"credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{"name":"security-edit", "role":"admin"}],
"user-role":{"solr":"admin"}
}
}
Attributes in security.json
- Top-level attribute declarations: 'authentication' and 'authorization'
- The 'class' attribute defines the handler class for each of these APIs
- The 'credentials' attribute contains the authorized users and their salted SHA-256 password hashes, stored as the base64 hash and the base64 salt separated by a space
- The 'permissions' list of permission objects, each naming a permission and the role(s) that may use it, and the 'user-role' map of username to role
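To make the three-group model concrete, the following script builds a complete security.json for "admin", "DevOps" and "dev" users and verifies credentials in the BasicAuthPlugin format. This is an added example, not code from the post or from the Solr project. It assumes the hashing scheme Solr's BasicAuthPlugin uses (SHA-256 over salt followed by password, hashed once more, with the 32-byte salt and the digest stored base64-encoded and space-separated), Solr's predefined permission names ("security-edit", "security-read", "read", "all") and its first-match permission ordering; the role name "devops" and the sample usernames and passwords are chosen here. The reference credential is the one from the sample security.json above, whose password is SolrRocks.

```python
"""Build and verify a Solr security.json for a three-group access model.

Added example (not from the post or the Solr project). Assumptions:
- BasicAuthPlugin credential format: "<base64 sha256(sha256(salt || pw))> <base64 salt>"
- Solr's predefined permission names and first-match permission ordering
- role name "devops" and the sample users/passwords are chosen here
"""
import base64
import hashlib
import hmac
import json
import os


def solr_hash(password: str, salt: bytes) -> str:
    """Hash a password the way solr.BasicAuthPlugin stores it."""
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    second = hashlib.sha256(first).digest()
    return (base64.b64encode(second).decode("ascii") + " "
            + base64.b64encode(salt).decode("ascii"))


def make_credential(password: str) -> str:
    """Hash with a fresh random 32-byte salt, as the set-user API does."""
    return solr_hash(password, os.urandom(32))


def verify_credential(stored: str, password: str) -> bool:
    """Check a password against a stored "hash salt" credential string."""
    try:
        _digest_b64, salt_b64 = stored.split(" ")
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError:
        return False  # malformed credential, e.g. the separating space is missing
    # Constant-time comparison of the full "hash salt" string.
    return hmac.compare_digest(solr_hash(password, salt), stored)


# Credential from the sample security.json above (password: SolrRocks).
REFERENCE_CREDENTIAL = (
    "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= "
    "Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
)

# Solr evaluates permissions in order and the first match decides, so the
# specific entries come first and the catch-all "all" comes last. Anything
# not matched earlier (config reads, updates, collection admin) therefore
# needs "admin" or "devops"; "dev" only gets query (read) handlers.
PERMISSIONS = [
    {"name": "security-edit", "role": "admin"},            # only admin changes users/roles
    {"name": "security-read", "role": ["admin", "devops"]},
    {"name": "read", "role": ["admin", "devops", "dev"]},  # query access for all groups
    {"name": "all", "role": ["admin", "devops"]},          # everything else
]


def build_security_json(users: dict) -> dict:
    """users maps username -> (password, role); returns the security.json document."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,
            "credentials": {u: make_credential(pw) for u, (pw, _r) in users.items()},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": PERMISSIONS,
            "user-role": {u: role for u, (_pw, role) in users.items()},
        },
    }


def roles_allowed(permission_name: str, doc: dict) -> set:
    """Roles granted by the first permission entry with this name."""
    for p in doc["authorization"]["permissions"]:
        if p["name"] == permission_name:
            r = p["role"]
            return {r} if isinstance(r, str) else set(r)
    return set()


if __name__ == "__main__":
    # Constructed sample users; write the result to security.json for zkcli.sh putfile.
    doc = build_security_json({
        "solr": ("SolrRocks", "admin"),
        "ops": ("ops-password", "devops"),
        "tom": ("tom123", "dev"),
    })
    print(json.dumps(doc, indent=2))
```

Running the script prints a security.json you can upload with the zkcli.sh command above; because the salt is random, each run produces different credential strings for the same passwords, which is expected. The ordering of PERMISSIONS is the important design choice: if "all" were listed first, it would match security requests before "security-edit" and DevOps users could change roles.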
Solr provides the following APIs to manage users. User creation and deletion go to the authentication endpoint; role and permission changes go to the authorization endpoint:
- Create a user or update the password of an existing user
- curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"tom":"tom123"}}'
- Delete a user
- curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"delete-user": ["tom"]}'
- Assign a role to a user
- curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-user-role": {"tom": "dev"}}'
- Set the required permissions
- curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-permission": {"name": "collection-admin-read", "role":["build","admin","dev"]}}'
- Get tom's SHA-256 password hash (the response lists every user's stored credential)
- curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication
... "authentication":{
"class":"solr.BasicAuthPlugin",
"credentials":{
"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0...",
"tom":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQ