Solr security frameworks

Introduction to Security in Apache Solr

Anshum Gupta

Lucidworks

• Anshum Gupta, Apache Lucene/Solr PMC member and committer, Lucidworks Employee.

• Interested in search and related stuff.

• Apache Lucene since 2006 and Solr since 2010.

• Organizations I am or have been a part of:

Who am I?

• Apache Lucene is a free open source information retrieval software library

• Originally written in Java by Doug Cutting.

• It is supported by the Apache Software Foundation and is released under the Apache Software License.

What is Lucene?

• Solr (pronounced “solar”, not “solaar”) is an open source enterprise search platform

• Written in Java.

• For a while now, a part of the Apache Lucene project.

• Search on Lucene & Resin (SoLR)

• SolrCloud - Distributed feature set

What is Solr?

Apache Solr is the most widely-used search solution on the planet.

Solr has tens of thousands of applications in production.

You use Solr every day.

8,000,000+ total downloads

Solr is both established and growing.

250,000+ monthly downloads

2,500+ open Solr jobs and the largest community of developers.

SolrCloud Logical Architecture

[Diagram: Shard 1 (leader) with followers, Shard 2 (leader) with followers, ZooKeeper. Legend: ZooKeeper instance, Solr instance.]

SolrCloud - Physical Architecture

[Diagram: many clients, a load balancer, Node 1 and Node 2, ZooKeeper.]

Lots of interaction

Coins by Creative Stall from the Noun Project

• Multi-tenant systems

• Access control

• Solr resources

• ZooKeeper

• Authentication

• Authorization

• Existing: Nothing out of the box. Only locked-in, third party!

Need for security

• SSL support

• ZooKeeper ACLs

• Authentication framework

• Authorization framework

Security in Solr

Security Framework Architecture

[Diagram. Flow: Incoming Request → Authenticate and attach metadata → Authorize → Process Request → Return Response with result. The Authenticate and Authorize steps can each return an Error. Components: Servlet Filter, Authentication Plugin, Authorization Plugin.]

Enabling a plugin

• /security.json file in ZooKeeper

• Contains security config

• Custom plugins: More meta-data can be provided

{
  "authentication": {
    "class": "class.that.implements.authentication",
    "other_data": "..."
  },
  "authorization": {
    "class": "class.that.implements.authorization",
    "other_data": "..."
  }
}

Authentication Framework

Authentication Plugin

[Diagram: client side component, server side component, Request Reconfigurer, inter-node requests.]

Available Authentication Plugins

• Kerberos

• BasicAuth - WIP

Kerberos Plugin

• Prerequisites:

• Enabled via /security.json before Solr instance starts

• Each Solr node must have:

• A Kerberos service principal and keytab file

• Client principal and a corresponding keytab file. Can be the same as the service principal.

• Recommendation:

• Kerberized ZooKeeper

• Start Solr with the correct host-specific parameters.

[Diagram: Kerberized Solr, Kerberized ZooKeeper, Kerberos Enabled Client.]

Authorization Plugin

• Nothing available out of the box

• Apache Ranger plugin

• It’s easy to create one!

• Rule based

• Rules stay in ZooKeeper

• Editable using API

• Well known permissions

• Coming soon

• More details: SOLR-7692

Basic Authorization Plugin

{
  "authorization": {
    "class": "solr.ZKAuthorization",
    "roles": {
      "admin": ["john"],
      "guest": ["john", "david", "pete"]
    },
    "permissions": {
      "collection-edit": {
        "role": "admin"
      },
      "coreadmin": {
        "role": "admin"
      },
      "config-edit": {
        //all collections
        "role": "admin",
        "method": "POST"
      }
    }
  }
}
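How a rule-based plugin could evaluate the roles and permissions fragment above, as an added Python model (not Solr's code and not from the talk). The evaluation semantics, the status codes, the `audit` helper and the `not-in-config` style of passing a permission name directly are assumptions made for illustration.

```python
# Added illustration: a model of rule-based authorization, not Solr's code.
# SECURITY repeats the slide's fragment with its syntax repaired and the
# object closed after "config-edit" (the slide is cut off there).
SECURITY = {
    "authorization": {
        "class": "solr.ZKAuthorization",
        "roles": {"admin": ["john"], "guest": ["john", "david", "pete"]},
        "permissions": {
            "collection-edit": {"role": "admin"},
            "coreadmin": {"role": "admin"},
            "config-edit": {"role": "admin", "method": "POST"},
        },
    }
}


def roles_of(user, authz):
    """Roles whose member list names this user."""
    return {role for role, members in authz["roles"].items() if user in members}


def authorize(user, permission, method, config=SECURITY):
    """Return 200 (allow), 401 (no principal attached) or 403 (role missing).

    Assumed semantics: a rule guards a request only if the permission name
    matches and the rule has no "method" or the method matches; requests that
    no rule guards are allowed.
    """
    authz = config["authorization"]
    rule = authz["permissions"].get(permission)
    if rule is None:
        return 200
    if "method" in rule and rule["method"].upper() != method.upper():
        return 200
    if user is None:  # authentication attached no principal to the request
        return 401
    return 200 if rule["role"] in roles_of(user, authz) else 403


def audit(config=SECURITY):
    """Permissions nobody can use: the role is undefined or has no members."""
    authz = config["authorization"]
    return sorted(name for name, rule in authz["permissions"].items()
                  if not authz["roles"].get(rule["role"]))
```

Under these assumed semantics a request that no rule guards is allowed, so reviewing which permissions are listed matters as much as reviewing role membership.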

The eco-system

HDFS

ZooKeeper

And more…


Benefits of the frameworks

• Secure operations in a multi-tenant setup

• Integrate with the entire eco-system

• Allows for features that couldn’t be added due to lack of security e.g. uploading configs via API calls.

What’s next?

• Authentication plugin support for BasicAuth

• Basic rule based authorization plugin using ZooKeeper

• More plugins!

The largest Lucene/Solr conference in the world

OCT 13 - 16, 2015 AUSTIN, TX

For more details visit: http://lucenerevolution.org

Connect @

http://www.twitter.com/anshumgupta

http://www.linkedin.com/in/anshumgupta/
