Talk given at Airbnb HQ in San Francisco on July 8th, 2015 at the Downtown SF Apache Lucene/Solr meetup.
This talk gives an overview of both the authentication and authorization frameworks in Apache Solr and how they work together. It also covers the existing plugins and how to enable them to restrict user access to resources within Solr.
3. Who am I?
• Anshum Gupta, Apache Lucene/Solr PMC member and committer, Lucidworks employee.
• Interested in search and related stuff.
• Apache Lucene since 2006 and Solr since 2010.
• Organizations I am or have been a part of:
4. What is Apache Lucene?
• Apache Lucene is a free, open-source information retrieval software library.
• Originally written in Java by Doug Cutting.
• It is supported by the Apache Software Foundation and is released under the Apache Software License.
5. What is Apache Solr?
• Solr (pronounced “solar”, not “solaar”) is an open source enterprise search platform.
• Written in Java.
• For a while now, a part of the Apache Lucene project.
• Search on Lucene & Resin (SoLR)
• SolrCloud - Distributed feature set
6. Apache Solr is the most widely-used search solution on the planet.
Solr has tens of thousands of applications in production.
You use everyday.
8,000,000+ total downloads
Solr is both established and growing.
250,000+ monthly downloads
2,500+ open Solr jobs and the largest community of developers.
8. SolrCloud - Physical Architecture
[Diagram: ZooKeeper, Node 1, Node 2, a load balancer and multiple clients, annotated "Lots of interaction"]
Coins by Creative Stall from the Noun Project
9. Need for security
• Multi-tenant systems
• Access control
• Solr resources
• ZooKeeper
• Authentication
• Authorization
• Existing: Nothing out of the box. Only locked-in, third-party!
10. Security in Solr
• SSL support
• ZooKeeper ACLs
• Authentication framework
• Authorization framework
11. Security Framework Architecture
[Flow diagram: Incoming Request → Authenticate and attach metadata → Authorize → Process Request → Return Response with result. Other labels: Servlet Filter, Authentication Plugin, Authorization Plugin, Error (twice).]
12. Enabling a plugin
• /security.json file in ZooKeeper
• Contains security config
• Custom plugins: More meta-data can be provided
{
  "authentication" : {
    "class": "class.that.implements.authentication",
    "other_data" : "..."
  },
  "authorization": {
    "class": "class.that.implements.authorization",
    "other_data" : "..."
  }
}
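Added example (not from the talk and not Solr code): a pre-upload check for a /security.json document, written in Python. It reports typographic quotes of the kind slide software inserts and a section with no "class"; lint_security_json, the sample documents and the example.* class names are hypothetical, and the authorization-without-authentication warning is an assumption drawn from the request flow on slide 11.

```python
import json

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # what slide/word-processor software emits
SECTIONS = ("authentication", "authorization")


def lint_security_json(text):
    """Return a list of problems in a security.json document (empty = ok)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Name the usual culprit precisely before falling back to the parser error.
        smart = [
            f"line {n}: typographic quote U+{ord(c):04X}"
            for n, line in enumerate(text.splitlines(), 1)
            for c in line
            if c in SMART_QUOTES
        ]
        return smart or [f"line {exc.lineno}: invalid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    for name in SECTIONS:
        if name not in doc:
            continue
        section = doc[name]
        if not isinstance(section, dict):
            problems.append(f"{name}: must be an object")
        elif not isinstance(section.get("class"), str) or not section["class"].strip():
            problems.append(f"{name}: missing plugin 'class'")
    if not any(name in doc for name in SECTIONS):
        problems.append("no authentication or authorization section: no plugin configured")
    elif "authorization" in doc and "authentication" not in doc:
        # Assumption from the request flow: authorization acts on the identity
        # that the authentication step attaches to the request.
        problems.append("authorization configured without authentication")
    return problems


# Constructed samples; the class names are placeholders, not real Solr plugins.
AS_PASTED = '{\n "authentication" : {\n  "class": \u201cexample.AuthnPlugin"\n }\n}'
GOOD = ('{"authentication": {"class": "example.AuthnPlugin"},'
        ' "authorization": {"class": "example.AuthzPlugin"}}')
AUTHZ_ONLY = '{"authorization": {"class": "example.AuthzPlugin"}}'

if __name__ == "__main__":
    for label, sample in (("as pasted", AS_PASTED), ("good", GOOD), ("authz only", AUTHZ_ONLY)):
        print(label, "->", lint_security_json(sample) or "ok")
```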
15. Kerberos Plugin
• Prerequisites:
  • Enabled via /security.json before Solr instance starts
  • Each Solr node must have:
    • A Kerberos service principal and keytab file
    • Client principal and a corresponding keytab file. Can be the same as the service principal.
• Recommendation:
  • Kerberized ZooKeeper
• Start Solr with the correct host-specific parameters.
[Diagram labels: Kerberized Solr, Kerberized ZooKeeper, Kerberos-enabled client]
19. Benefits of the frameworks
• Secure operations in a multi-tenant setup
• Integrate with the entire ecosystem
• Allows for features that couldn’t be added due to lack of security, e.g. uploading configs via API calls.
20. What’s next?
• Authentication plugin support for BasicAuth
• Basic rule-based authorization plugin using ZooKeeper
• More plugins!
21. The largest Lucene/Solr conference in the world
OCT 13 - 16, 2015 AUSTIN, TX
For more details visit:
http://lucenerevolution.org