Upload
lucidworks
View
238
Download
0
Embed Size (px)
Citation preview
O C T O B E R 1 1 - 1 4 , 2 0 1 6 • B O S T O N , M A
State of Solr Security 2016Ishan ChattopadhyayaEngineer, Lucidworks
Typical Solr Deployments
Solr
Solr
Solr
Zookeeper
User
Application
22/10/16
History of Solr security
● "First and foremost, Solr does not concern itself with security either at the document level or the communication level. It is strongly recommended that the application server containing Solr be firewalled such the only clients with access to Solr are your own."
22/10/16
History of Solr security
● Servlet container based security● SOLR-4470 patch for internode communication
22/10/16
What do we mean by security?
● Restricting access to trusted users● Restricting trusted users to only allow access to certain set of
operations/actions as per their role● Security against eavesdroppers of network packets● Document level security● Field level security● Storage level security● Securing Zookeeper● Remote code execution
Solr
Solr
Solr
Zookeeper
User
Application
22/10/16
SSL
● Introduced in Solr 4.2 (standalone), Solr 4.7 (cloud)● Basic steps:
– Generate/obtain a certificate– Convert to PEM format using OpenSSL tools– Add the passwords, paths to keystore file to bin/solr.in.sh– Set a cluster property “urlScheme” to https in ZK– Start Solr
● Might need “haveged” on Vms● ZooKeeper does not support SSL● Reference: https://cwiki.apache.org/confluence/display/solr/Enabling+SSL
22/10/16
Authentication framework
● Introduced in Solr 5.2 (SOLR-7274)● Only supported with SolrCloud● Out of the box implementations:
– Kerberos authentication– Basic authentication
22/10/16
Kerberos authentication
● Introduced in Solr 5.2 (SOLR-7468)● Based on hadoop-auth library● Only supported with SolrCloud● Uses Kerberos authentication for internode
communication● Reference:
https://cwiki.apache.org/confluence/display/solr/Kerberos+Authentication+Plugin
22/10/16
Kerberos authentication
● Basic steps:– Choose service principals, client principals (e.g.
HTTP/<host>@REALM or zookeeper/<host>@REALM or user@REALM)
– Generate keytab files for all Solr, ZK nodes– Start ZK in Kerberized mode– Create a security.json file with authc plugin as KerberosPlugin– Create JAAS config files for every Solr host, specify their path in
bin/solr.in.sh– Start Solr
22/10/16
Kerberos: Delegation tokens
● Introduced in Solr 6.2● Based on hadoop-auth library● Reduce load on KDC● Complementary to Kerberos plugin
– Supports operations:– RENEW, GET, CANCEL
22/10/16
Basic authentication
● Introduced in Solr 5.3● Provides an API endpoint to manage user credentials● Salted passwords stored in ZK● Warning: (a) passwords are sent in cleartext, (b)
/security.json in ZK must be write protected
22/10/16
Basic authentication
● Basic steps– Setup ZK with security.json specifying (a) authc plugin as
BasicAuthPlugin, (b) a default admin user/password hash
– Start Solr– Use /admin/authentication endpoint to add/delete
userscurl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json'-d '{"set-user": {"tom" : "TomIsCool", "harry":"HarrysSecret"}}'
22/10/16
PKI Authentication
● Introduced in Solr 5.3● Used only for internode communication● Based on public key infrastructure (shared + secret
keys)● Any authentication plugin can disable it:
– implements HttpClientInterceptorPlugin
22/10/16
Custom authentication plugin
public class MyAuthcPlugin extends AuthenticationPlugin {
@Override
public void close() throws IOException {}
@Override
public void init(Map<String,Object> pluginConfig) {}
@Override
public boolean doAuthenticate(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws Exception {
return false;
}
}
22/10/16
Authorization framework
● Introduced in Solr 5.2● Only supported in SolrCloud● Out of the box implementation:
– RuleBasedAuthorizationPlugin
22/10/16
Rule-based Authorization plugin
● Introduced in Solr 5.3● Supports users and roles● Provides an API endpoint to manage users/roles● Has preconfigured permissions:
– security (security-read, security-edit), schema, config, core-admin, collection-admin, update, read, all
● Reference: https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
22/10/16
Rule Based Authorization plugin
● Basic use:– Adding user to a role:
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{ "set-user-role": {"tom":
["admin","dev"}}'– Adding permission for a role:
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-permission" : {"name":"update", "role":"dev"}}'
22/10/16
Ranger plugin
22/10/16
Ranger plugin
● Reference: https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html
● Source: https://github.com/apache/incubator-ranger/tree/master/ranger-solr-plugin-shim
22/10/16
Custom authorization plugin
public class MyAuthzPlugin implements AuthorizationPlugin {
@Override
public void close() throws IOException {}
@Override
public AuthorizationResponse authorize(AuthorizationContext context) {
return null;
}
@Override
public void init(Map<String,Object> initInfo) {}
}
22/10/16
Custom authorization plugin
public abstract class AuthorizationContext {
public abstract SolrParams getParams() ;
public abstract Principal getUserPrincipal() ;
public abstract String getHttpHeader(String header);
public abstract Enumeration getHeaderNames();
public abstract String getRemoteAddr();
public abstract String getRemoteHost();
public abstract List<CollectionRequest> getCollectionRequests() ;
public abstract RequestType getRequestType();
public abstract String getResource();
public abstract String getHttpMethod();
public enum RequestType {READ, WRITE, ADMIN, UNKNOWN}
public abstract Object getHandler();
}
22/10/16
Storage level security
● Encrypting the index (LUCENE-6966, Renauld Delbru)● Encrypting the index (Credeon/Hitachi) [https://psg.hitachi-
solutions.com/credeon/secure-full-text-search]● Secure HDFS
– Basic steps:● bin/solr start -c -Dsolr.directoryFactory=HdfsDirectoryFactory -Dsolr.lock.type=hdfs -Dsolr.hdfs.home=hdfs://host:port/path
– Reference: https://cwiki.apache.org/confluence/display/solr/Running+Solr+on+HDFS
22/10/16
Zookeeper ACL
● Used to protect znodes created by Solr● Permissions:
– CREATE, READ, WRITE, DELETE, ADMIN● Out of the box implementations:
– VMParamsAllAndReadonlyDigestZkACLProvider● Read only user● User with full access
22/10/16
Custom code
● Uploading JAR files● Use config API to use request handlers from jar files● -Denable.runtime.lib=true or sign your jar files● Reference:
http://home.apache.org/~ctargett/RefGuidePOC/jekyll-full/adding-custom-plugins-in-solrcloud-mode.html
22/10/16
Document and Field level security
● No out of the box support
22/10/16
General guidelines
● Plan security strategy early● Use a firewall around Solr and Zookeeper● Enable SSL● Choose authentication and authorization strategy● Secure confidential data stored in ZK with ACLs
22/10/16
Future
● Better tools to configure a cluster for security● More authorization plugins: document/field level security, sentry integration (SOLR-9578, SENTRY-1478)● Consider separating out authc/authz plugins from solr-core into separate module● Remove dependency on httpclient● Avoid ZK exposure (SOLR-9057)● ZK should use SSL (SOLR-8342, ZOOKEEPER-235, Zookeeper 3.5.1-alpha)● BasicAuth to support standalone more (SOLR-9481)● ZK ACL passwords as startup params is insecure (SOLR-8756)● Secure impersonation (SOLR-9324)● Improve documentation● New UI doesn't work with Kerberos (SOLR-9516)● Improve test framework