Using Kerberos with Cloudera Search
The process of enabling Solr clients to authenticate with a secure Solr is specific to the client. This section demonstrates:
- Using Kerberos with curl
- Using Kerberos with solrctl
- Configuring a jaas.conf File
- Using Kerberos with Flume Morphline Solr Sink
Secure Solr requires that the CDH components that it interacts with are also secure. Secure Solr interacts with HDFS, ZooKeeper and optionally HBase, MapReduce, and Flume.
Using Kerberos with curl
You can use Kerberos authentication with clients such as curl. To use curl, begin by acquiring valid Kerberos credentials and then run the desired command. For example, you might use commands similar to the following:
kinit jdoe@EXAMPLE.COM
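curl --negotiate -u foo:bar http://solrserver:8983/solr/
curl --negotiate -u : http://solrserver:8983/solr/
The --negotiate option enables SPNEGO. curl requires the -u option to be present to activate authentication, but its value is not used with Kerberos, so either form above works.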
Using Kerberos with solrctl
If you are using solrctl to manage your deployment in an environment that requires Kerberos authentication, you must have valid Kerberos credentials, which you can obtain using the kinit command. For example:
kinit jdoe@EXAMPLE.COM
For more information about solrctl, see solrctl Reference.
Configuring a jaas.conf File
Some applications, such as those using the SolrJ library, require a Java Authentication and Authorization Service (JAAS) configuration file. You can use a file name other than jaas.conf.
Creating a JAAS configuration file:
- If you are authenticating using kinit to obtain credentials, you can configure the client to use your credential cache by creating a jaas.conf file with the following contents:
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  useTicketCache=true
  principal="<user>@EXAMPLE.COM";
};
Replace <user> with your username, and EXAMPLE.COM with your Kerberos realm.
- If you want the client application to authenticate using a keytab, modify jaas-client.conf as follows:
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/to/user.keytab"
  storeKey=true
  useTicketCache=false
  principal="<user>@EXAMPLE.COM";
};
Replace /path/to/user.keytab with the keytab file you want to use and <user>@EXAMPLE.COM with the principal in the keytab. If you are using a service principal that includes the hostname, make sure that it is included in the jaas.conf file (for example, solr/solr01.example.com@EXAMPLE.COM).
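A pre-flight check for the JAAS files described above, as an added example that is not part of Cloudera's documentation or tooling: it reads the Krb5LoginModule options, flags a principal that still contains the <user> placeholder, and, for keytab logins, verifies that the keytab exists and is not accessible to group or others (a keytab holds the principal's long-term key). The function names jaas_opt and check_jaas are hypothetical, and the script assumes one login section per file.

```shell
#!/bin/sh
# Added example (not Cloudera code): sanity-check a JAAS file like those above.
# Assumes the file holds a single login section such as "Client".

# Print the value of one Krb5LoginModule option (quotes stripped), or nothing.
jaas_opt() {
    sed -n 's/^/ /; s/.*[^A-Za-z]'"$1"'="\{0,1\}\([^" ;]*\).*/\1/p' "$2" | head -n 1
}

# Print one line per problem found; the return status is the problem count.
check_jaas() {
    conf=$1 problems=0
    report() { echo "$conf: $1"; problems=$((problems + 1)); }

    [ -r "$conf" ] || { echo "$conf: not readable"; return 1; }
    use_keytab=$(jaas_opt useKeyTab "$conf")
    use_cache=$(jaas_opt useTicketCache "$conf")
    keytab=$(jaas_opt keyTab "$conf")
    principal=$(jaas_opt principal "$conf")

    # Template text copied without replacing <user> or <YOUR-REALM>.
    case $principal in
        *"<"*) report "principal still contains a <placeholder>: $principal" ;;
    esac

    if [ "$use_keytab" = true ]; then
        [ -n "$principal" ] || report "useKeyTab=true but no principal set"
        if [ -z "$keytab" ]; then
            report "useKeyTab=true but no keyTab path"
        elif [ ! -f "$keytab" ]; then
            report "keytab not found: $keytab"
        else
            # Characters 5-10 of the ls mode string are the group/other bits.
            mode=$(ls -ld "$keytab" | cut -c5-10)
            [ "$mode" = "------" ] ||
                report "keytab accessible beyond its owner ($mode): $keytab"
        fi
    elif [ "$use_cache" != true ]; then
        report "neither useKeyTab nor useTicketCache is true"
    fi
    return "$problems"
}

# Usage: check_jaas /home/user/jaas.conf
```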
Using the JAAS configuration file:
- Command line
Set the property when invoking the program. For example, if you were using a jar, you might use:
java -Djava.security.auth.login.config=/home/user/jaas.conf -jar app.jar
- Java applications
Set the Java system property java.security.auth.login.config. For example, if the JAAS configuration file is located on the filesystem at /home/user/jaas-client.conf, the Java system property java.security.auth.login.config must be set to point to this file. Setting a Java system property can be done programmatically, for example using a call such as:
System.setProperty("java.security.auth.login.config", "/home/user/jaas.conf");
- MapReduceIndexerTool
The MapReduceIndexerTool uses SolrJ to pass the JAAS configuration file. Using the MapReduceIndexerTool in a secure environment requires the use of the HADOOP_OPTS variable to specify the JAAS configuration file. For example, you might issue a command such as the following:
HADOOP_OPTS="-Djava.security.auth.login.config=/home/user/jaas.conf" \
hadoop jar MapReduceIndexerTool
- hbase-indexer command
Certain hbase-indexer CLI commands such as replication-status attempt to read ZooKeeper hosts owned by HBase. To successfully use these commands in Solr in a secure environment, specify a JAAS configuration file with the HBase principal in the HBASE_INDEXER_OPTS environment variable. For example, you might issue a command such as the following:
HBASE_INDEXER_OPTS="-Djava.security.auth.login.config=/home/user/hbase-jaas.conf" \
hbase-indexer replication-status
Using Kerberos with Flume Morphline Solr Sink
Repeat this process on all Flume hosts:
- If you have not created a keytab file, do so now at /etc/flume-ng/conf/flume.keytab. This file should contain the service principal flume/<fully.qualified.domain.name>@<YOUR-REALM>. See Flume Authentication for more information.
- Create a JAAS configuration file for Flume at /etc/flume-ng/conf/jaas-client.conf. The file should appear as follows:
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=false
  keyTab="/etc/flume-ng/conf/flume.keytab"
  principal="flume/<fully.qualified.domain.name>@<YOUR-REALM>";
};
- Add the Flume JAAS configuration to the JAVA_OPTS in /etc/flume-ng/conf/flume-env.sh. For example, you might change:
JAVA_OPTS="-Xmx500m"
to:
JAVA_OPTS="-Xmx500m -Djava.security.auth.login.config=/etc/flume-ng/conf/jaas-client.conf"