October 13-16, 2016 • Austin, TX
Understanding the Solr security framework
Anshum Gupta
Senior Software Engineer, IBM Watson
Who am I?
• Anshum Gupta, Apache Lucene/Solr PMC member
and committer, IBM Watson Search team.
• Interested in search and related stuff.
• Apache Lucene since 2006 and Solr since 2010.
• Organizations I am or have been a part of:
What is Lucene?
• Apache Lucene is a free open source information
retrieval software library
• Originally written in Java by Doug Cutting.
• It is supported by the Apache Software Foundation
and is released under the Apache Software
License.
What is Solr?
• Solr (pronounced "solar", not "solaar") is an open source enterprise search platform
• Written in Java
• For a while now, a part of the Apache Lucene project
• Search on Lucene & Resin (SoLR)
• SolrCloud - distributed feature set
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." —Gene Spafford
Apache Solr is the most widely-used search solution on the planet.
Solr has tens of thousands of applications in production. You use it every day.
8,000,000+ total downloads. Solr is both established and growing.
250,000+ monthly downloads.
2,500+ open Solr jobs and the largest community of developers.
SolrCloud Logical Architecture
[Diagram: Shard 1 (leader) with followers, Shard 2 (leader) with followers, a ZooKeeper instance; legend distinguishes ZooKeeper instances from Solr instances.]
SolrCloud - Physical Architecture
[Diagram: many clients behind a load balancer talking to Solr Node 1 and Node 2, which coordinate through ZooKeeper; "Lots of interaction". Coins by Creative Stall from the Noun Project.]
Why do we need it?
• Multi-tenant systems
• Access control
• Solr resources
• ZooKeeper
• Authentication
• Authorization
• Until recently: Nothing out of the box. Only locked-in, third
party!
Solr security - available options
• SSL support
• ZooKeeper ACLs
• Authentication framework
• Authorization framework
Security Framework Architecture
Incoming Request → Servlet Filter → Authentication Plugin (authenticate and attach metadata) → Authorization Plugin (authorize) → Process Request → Return Response with result.
A failure in either the authentication or the authorization plugin stops the chain there and returns an error instead.
Enabling a plugin
• /security.json file in ZooKeeper
• Contains the security config
• Custom plugins: more meta-data can be provided alongside the class name
{
  "authentication": {
    "class": "class.that.implements.authentication",
    "other_data": "..."
  },
  "authorization": {
    "class": "class.that.implements.authorization",
    "other_data": "..."
  }
}
Authentication Framework
[Diagram: the Authentication Plugin has a client-side component and a server-side component, each with an optional Reconfigurer*; an incoming Request hits the server side, while inter-node requests between Solr nodes go through the client side.]
Available Authentication Plugins
• BasicAuth
• Kerberos
Kerberos Plugin
• Prerequisites:
  • Enabled via /security.json before the Solr instance starts
  • Each Solr node must have:
    • A Kerberos service principal and keytab file
    • A client principal and a corresponding keytab file (can be the same as the service principal)
• Recommendation:
  • Kerberized ZooKeeper
• Start Solr with the correct host-specific parameters.
[Diagram: Kerberos-enabled client, Kerberized Solr, Kerberized ZooKeeper.]
Authorization Plugins
• Rule based authorization plugin
• Apache Ranger plugin (external)
• DIY!
Rule based Authorization Plugin
• Rule based permissions - stored in ZooKeeper
• Editable using the API
• Auto-reload on update
• Well known permissions, e.g. config-edit, collection-edit, security-edit
[Diagram: SolrCloud cluster backed by a ZooKeeper ensemble.]
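How the rule-based plugin reaches its allow/deny decision, as an added example (a Python model written for this page, not Solr's code). It implements the documented decision rule: permissions are checked in the order they appear in security.json, the first permission whose path/method/collection match the request decides, a "role": null entry admits any logged-in user, and a request that matches no permission is let through, which is why a catch-all "all" permission belongs last. The subset of predefined permission names, and all users, roles and requests, are constructed assumptions.

```python
"""Simplified model of Solr's rule-based authorization decision.

Added example, not Solr's code. Models the documented rule: permissions are
evaluated in order, the first match decides, "role": null means any logged-in
user, and an unmatched request is allowed. The predefined-permission subset
and the sample users/roles/requests are assumptions for this example.
"""

# Illustrative subset of predefined permission names -> (paths, methods).
# None means "any". Assumption for this example; Solr defines many more.
PREDEFINED = {
    "security-edit": (["/admin/authentication", "/admin/authorization"], ["POST"]),
    "security-read": (["/admin/authentication", "/admin/authorization"], ["GET"]),
    "config-edit":   (["/config", "/schema"], ["POST"]),
    "read":          (["/select", "/get"], None),
    "update":        (["/update"], None),
    "all":           (None, None),            # every path, every method
}


def matches(perm, request):
    """True when a permission entry applies to this request."""
    if perm["name"] in PREDEFINED:
        paths, methods = PREDEFINED[perm["name"]]
    else:                                     # custom permission: explicit path/method
        paths = perm.get("path")
        methods = perm.get("method")
        paths = [paths] if isinstance(paths, str) else paths
        methods = [methods] if isinstance(methods, str) else methods
    if paths is not None and request["path"] not in paths:
        return False
    if methods is not None and request["method"] not in methods:
        return False
    # absent collection = all collections; explicit None = non-collection (admin) request
    coll = perm.get("collection", "*")
    if coll != "*" and request.get("collection") != coll:
        return False
    return True


def authorize(security, user, request):
    """Return (allowed, name_of_deciding_permission_or_None).

    security: the 'authorization' section of security.json.
    user: authenticated principal, or None for an anonymous request.
    """
    roles = security.get("user-role", {}).get(user, []) if user else []
    roles = [roles] if isinstance(roles, str) else roles
    for perm in security["permissions"]:
        if not matches(perm, request):
            continue
        wanted = perm.get("role")
        if wanted is None:                        # null role: any logged-in user
            return user is not None, perm["name"]
        wanted = [wanted] if isinstance(wanted, str) else wanted
        return any(r in wanted for r in roles), perm["name"]
    return True, None                             # nothing matched: request passes


# Constructed samples: same rules, different order.
BAD_ORDER = {
    "permissions": [{"name": "all", "role": "admin"},      # shadows the read rule
                    {"name": "read", "role": None}],
    "user-role": {"solr": "admin", "alice": "reader"},
}
GOOD_ORDER = {
    "permissions": [{"name": "read", "role": None},
                    {"name": "security-edit", "role": "admin"},
                    {"name": "all", "role": "admin"}],     # catch-all last
    "user-role": {"solr": "admin", "alice": "reader"},
}
QUERY = {"path": "/select", "method": "GET", "collection": "techproducts"}
SEC_EDIT = {"path": "/admin/authorization", "method": "POST", "collection": None}

if __name__ == "__main__":
    print(authorize(BAD_ORDER, "alice", QUERY))     # (False, 'all')
    print(authorize(GOOD_ORDER, "alice", QUERY))    # (True, 'read')
    print(authorize(GOOD_ORDER, "alice", SEC_EDIT)) # (False, 'security-edit')
    print(authorize(GOOD_ORDER, None, QUERY))       # (False, 'read')
    print(authorize({"permissions": []}, None, SEC_EDIT))  # (True, None): no rule, no block
```

The last line is the caveat worth remembering when auditing a security.json: with no matching permission the request is not denied, so a deployment that wants default-deny needs an explicit "all" permission at the end of the list.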
Getting started with Basic Auth & Rule based plugin is easy!
• Upload security.json
• Add users and permissions using API calls!
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-permission" : {"name":"collection-admin-edit", "role":"admin"}}'
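Producing the security.json that the "Enabling a plugin" slide and the upload step above refer to, as an added example (Python written for this page, not Solr's code). It implements the credential format that Solr's default Sha256AuthenticationProvider stores for BasicAuthPlugin, base64(sha256(sha256(salt + password))) followed by a space and the base64 of a 32-byte random salt, verifies a password against such a credential, and assembles a complete document enabling BasicAuth together with the rule-based authorization plugin. The class names solr.BasicAuthPlugin and solr.RuleBasedAuthorizationPlugin are Solr's own; the user solr / SolrRocks is the one from the curl command; the roles, permissions and the blockUnknown flag are assumptions for this example (check the reference guide of your Solr version for the flag).

```python
"""Build and verify a security.json for BasicAuth + rule-based authorization.

Added example for this page, not Solr's code. Credential format follows
Solr's Sha256AuthenticationProvider (the default behind BasicAuthPlugin):
  base64(sha256(sha256(salt + password))) + " " + base64(salt), 32-byte salt.
User 'solr' / 'SolrRocks' comes from the talk's curl command; roles and
permissions below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import os


def hash_password(password: str, salt: bytes) -> str:
    """Return the stored credential string for password under the given salt."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()


def make_credential(password: str) -> str:
    """Fresh 32-byte random salt per credential, as Solr generates."""
    return hash_password(password, os.urandom(32))


def parse_credential(stored: str):
    """Split 'hash salt' into (digest_bytes, salt_bytes); None if malformed."""
    parts = stored.split(" ")
    if len(parts) != 2:
        return None
    try:
        return (base64.b64decode(parts[0], validate=True),
                base64.b64decode(parts[1], validate=True))
    except ValueError:           # binascii.Error is a ValueError subclass
        return None


def verify(stored: str, password: str) -> bool:
    """Constant-time check of a candidate password against a stored credential."""
    parsed = parse_credential(stored)
    if parsed is None:
        return False
    _, salt = parsed
    return hmac.compare_digest(hash_password(password, salt), stored)


def build_security_config(users: dict, user_roles: dict, permissions: list) -> dict:
    """Assemble the document that is uploaded to ZooKeeper as /security.json."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            # reject requests carrying no credentials at all (assumed flag; see
            # the reference guide for your Solr version)
            "blockUnknown": True,
            "credentials": {user: make_credential(pw) for user, pw in users.items()},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": permissions,   # evaluated in order; keep 'all' last
            "user-role": user_roles,
        },
    }


if __name__ == "__main__":
    # Constructed sample: one admin user; security and config edits admin-only.
    config = build_security_config(
        users={"solr": "SolrRocks"},
        user_roles={"solr": "admin"},
        permissions=[{"name": "security-edit", "role": "admin"},
                     {"name": "config-edit", "role": "admin"},
                     {"name": "all", "role": "admin"}],
    )
    print(json.dumps(config, indent=2))          # upload this as /security.json
    cred = config["authentication"]["credentials"]["solr"]
    print(verify(cred, "SolrRocks"), verify(cred, "wrong"))   # True False
```

Once the printed document is uploaded as /security.json, the curl command above edits permissions through the API and the plugin reloads them on update; verify() is the check to run when auditing the credentials already stored in the file, since it never needs the plaintext to be written anywhere.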
Benefits of the frameworks
• Secure operations in a multi-tenant setup
• Allows for features that couldn't be added due to lack of security, e.g. registering handlers and uploading configs via API calls.
Writing your own plugin
• Authentication
• Extend AuthenticationPlugin
• Optional: extend HttpClientInterceptorPlugin
• Authorization
• Implement AuthorizationPlugin
• Optionally implement ConfigEditablePlugin
The eco-system
HDFS
ZooKeeper
And more…
"Security is not a product, but a process". —Bruce Schneier
• Better inter-node communication standard
• First-class support in SolrJ and bin scripts for basic
auth.
• More plugins!
Connect@
http://www.twitter.com/anshumgupta
http://www.linkedin.com/in/anshumgupta/
anshum@apache.org
Love Solr? We are hiring!

Understanding the Solr security framework - Lucene Solr Revolution 2015
