OCTOBER 11-14, 2016 BOSTON, MA

State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks


Page 1: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

October 11-14, 2016 • Boston, MA

Page 2: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

State of Solr Security 2016
Ishan Chattopadhyaya
Engineer, Lucidworks

Page 3: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Typical Solr Deployments

[Diagram of a typical deployment: a User, an Application, three Solr nodes and Zookeeper.]

Page 4: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

22/10/16

History of Solr security

● "First and foremost, Solr does not concern itself with security either at the document level or the communication level. It is strongly recommended that the application server containing Solr be firewalled such the only clients with access to Solr are your own."

Page 5: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

History of Solr security

● Servlet container based security
● SOLR-4470 patch for internode communication

Page 6: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

What do we mean by security?

● Restricting access to trusted users
● Restricting trusted users to only the set of operations/actions their role allows
● Security against eavesdroppers of network packets
● Document level security
● Field level security
● Storage level security
● Securing Zookeeper
● Remote code execution

[Same deployment diagram as before: a User, an Application, three Solr nodes and Zookeeper.]

Page 7: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

SSL

● Introduced in Solr 4.2 (standalone), Solr 4.7 (cloud)
● Basic steps:
  – Generate/obtain a certificate
  – Convert to PEM format using OpenSSL tools
  – Add the passwords and the path to the keystore file to bin/solr.in.sh
  – Set the cluster property "urlScheme" to https in ZK
  – Start Solr
● Might need "haveged" on VMs
● ZooKeeper does not support SSL
● Reference: https://cwiki.apache.org/confluence/display/solr/Enabling+SSL

Page 8: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Authentication framework

● Introduced in Solr 5.2 (SOLR-7274)
● Only supported with SolrCloud
● Out of the box implementations:
  – Kerberos authentication
  – Basic authentication

Page 9: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Kerberos authentication

● Introduced in Solr 5.2 (SOLR-7468)
● Based on hadoop-auth library
● Only supported with SolrCloud
● Uses Kerberos authentication for internode communication
● Reference: https://cwiki.apache.org/confluence/display/solr/Kerberos+Authentication+Plugin

Page 10: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Kerberos authentication

● Basic steps:
  – Choose service principals and client principals (e.g. HTTP/<host>@REALM, zookeeper/<host>@REALM or user@REALM)
  – Generate keytab files for all Solr and ZK nodes
  – Start ZK in Kerberized mode
  – Create a security.json file with authc plugin as KerberosPlugin
  – Create JAAS config files for every Solr host and specify their path in bin/solr.in.sh
  – Start Solr

Page 11: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Kerberos: Delegation tokens

● Introduced in Solr 6.2
● Based on hadoop-auth library
● Reduce load on KDC
● Complementary to Kerberos plugin
  – Supported operations: RENEW, GET, CANCEL

Page 12: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Basic authentication

● Introduced in Solr 5.3
● Provides an API endpoint to manage user credentials
● Salted passwords stored in ZK
● Warning: (a) passwords are sent in cleartext, (b) /security.json in ZK must be write protected

Page 13: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Basic authentication

● Basic steps
  – Setup ZK with security.json specifying (a) authc plugin as BasicAuthPlugin, (b) a default admin user/password hash
  – Start Solr
  – Use the /admin/authentication endpoint to add/delete users:

    curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"tom" : "TomIsCool", "harry":"HarrysSecret"}}'
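As an added example (not from the talk), a small Python tool that produces the security.json the steps above call for, hashing passwords the way Solr's BasicAuthPlugin stores them (SHA-256 applied twice over salt + password, base64, followed by the base64 salt). The admin user and password are the ones from the talk's curl examples; the blockUnknown setting is assumed from the plugin's documented options.

```python
"""Build a Solr security.json with BasicAuthPlugin credentials (added example, not from the talk).

Stored credentials follow Solr's Sha256AuthenticationProvider format:
"base64(sha256(sha256(salt + password))) base64(salt)", with a random 32-byte salt.
"""
import base64
import hashlib
import json
import os


def hash_password(password: str, salt: bytes) -> str:
    """Return the "hash salt" credential string Solr stores for this password."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return f"{base64.b64encode(outer).decode()} {base64.b64encode(salt).decode()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against a stored credential, as Solr does on each request."""
    _, salt_b64 = stored.split(" ", 1)
    return hash_password(password, base64.b64decode(salt_b64)) == stored


def build_security_json(users: dict, user_roles: dict, permissions: list) -> dict:
    """Assemble security.json for BasicAuthPlugin plus RuleBasedAuthorizationPlugin."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,  # assumed option: reject requests that carry no credentials
            "credentials": {name: hash_password(pw, os.urandom(32)) for name, pw in users.items()},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": permissions,
            "user-role": user_roles,
        },
    }


if __name__ == "__main__":
    # Admin user from the talk's curl examples; only "admin" may edit security settings.
    doc = build_security_json(
        users={"solr": "SolrRocks"},
        user_roles={"solr": "admin"},
        permissions=[{"name": "security-edit", "role": "admin"}],
    )
    print(json.dumps(doc, indent=2))
```

Upload the printed document to ZK as /security.json before starting Solr; change the admin password through /admin/authentication afterwards, since the hash above is for the well-known default.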

Page 14: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

PKI Authentication

● Introduced in Solr 5.3
● Used only for internode communication
● Based on public key infrastructure (shared + secret keys)
● Any authentication plugin can disable it:
  – implements HttpClientInterceptorPlugin

Page 15: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Custom authentication plugin

    import java.io.IOException;
    import java.util.Map;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import org.apache.solr.security.AuthenticationPlugin;

    public class MyAuthcPlugin extends AuthenticationPlugin {
      @Override
      public void close() throws IOException {}

      // Receives this plugin's settings from the "authentication" section of security.json.
      @Override
      public void init(Map<String,Object> pluginConfig) {}

      // Return true after authenticating and forwarding via filterChain.doFilter(request, response);
      // return false when the plugin has already written the response itself (e.g. a 401 challenge).
      @Override
      public boolean doAuthenticate(ServletRequest request, ServletResponse response, FilterChain filterChain)
          throws Exception {
        return false;  // skeleton: authenticates nothing
      }
    }

Page 16: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Authorization framework

● Introduced in Solr 5.2
● Only supported in SolrCloud
● Out of the box implementation:
  – RuleBasedAuthorizationPlugin

Page 17: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Rule-based Authorization plugin

● Introduced in Solr 5.3
● Supports users and roles
● Provides an API endpoint to manage users/roles
● Has preconfigured permissions:
  – security (security-read, security-edit), schema, config, core-admin, collection-admin, update, read, all
● Reference: https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin

Page 18: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Rule Based Authorization plugin

● Basic use:
  – Adding user to a role:

    curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-user-role": {"tom": ["admin","dev"]}}'

  – Adding permission for a role:

    curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-permission" : {"name":"update", "role":"dev"}}'
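To show how the plugin evaluates such rules, here is an added Python model (not Solr's own code) of the documented matching order: permissions are tried in order, the first whose path, collection and method selectors match the request decides, and a request no rule matches is allowed. The rule list and user/role map are constructed to mirror the curl calls above; the handler paths attached to the predefined names are assumptions for the model, since Solr resolves them internally.

```python
"""Model of RuleBasedAuthorizationPlugin evaluation (added example, not Solr's code).
Rules are tried in order; the first whose path/collection/method match decides, and a
request matching no rule is allowed. Solr expands predefined names ("update", "read")
to handler paths itself; here each rule carries an explicit path (assumed values)."""
from fnmatch import fnmatchcase


def _as_set(value):
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def _matches(perm: dict, req: dict) -> bool:
    """Do the permission's path, collection and method selectors cover this request?"""
    if "path" in perm and not any(fnmatchcase(req["path"], p) for p in _as_set(perm["path"])):
        return False
    if "collection" in perm:
        if perm["collection"] is None:      # "collection": null selects non-collection (admin) requests
            if req["collection"] is not None:
                return False
        elif req["collection"] not in _as_set(perm["collection"]):
            return False
    if "method" in perm and req["method"] not in _as_set(perm["method"]):
        return False
    return True


def authorize(permissions: list, user_roles: dict, req: dict) -> int:
    """HTTP status Solr would answer with: 200 allowed, 401 credentials needed, 403 forbidden."""
    for perm in permissions:
        if not _matches(perm, req):
            continue
        required = _as_set(perm.get("role"))
        if not required:                    # "role": null opens the rule to everyone
            return 200
        held = _as_set(user_roles.get(req["user"])) if req["user"] else set()
        if held & required:
            return 200
        return 401 if req["user"] is None else 403
    return 200                              # nothing matched: Solr lets the request through


# Constructed rules mirroring the curl calls above: tom holds admin and dev, dev may update.
PERMISSIONS = [
    {"name": "security-edit", "path": "/admin/authorization", "collection": None, "role": "admin"},
    {"name": "update", "path": "/update/*", "role": "dev"},
    {"name": "read", "path": ["/select", "/get"], "role": None},
]
USER_ROLES = {"tom": ["admin", "dev"]}
```

Note the fall-through at the end: anything not covered by a rule is permitted, so a closing rule such as the predefined "all" is what turns the list into default-deny.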

Page 19: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Ranger plugin

Page 20: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Ranger plugin

● Reference: https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html

● Source: https://github.com/apache/incubator-ranger/tree/master/ranger-solr-plugin-shim

Page 21: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Custom authorization plugin

    import java.io.IOException;
    import java.util.Map;
    import org.apache.solr.security.AuthorizationContext;
    import org.apache.solr.security.AuthorizationPlugin;
    import org.apache.solr.security.AuthorizationResponse;

    public class MyAuthzPlugin implements AuthorizationPlugin {
      @Override
      public void close() throws IOException {}

      // Called for every request after authentication; the context carries the principal,
      // resource, HTTP method and collections (see the next slide). Must return a real
      // response object: a null here would fail inside Solr's dispatch filter.
      @Override
      public AuthorizationResponse authorize(AuthorizationContext context) {
        return AuthorizationResponse.FORBIDDEN;  // skeleton: deny until rules are implemented
      }

      // Receives this plugin's settings from the "authorization" section of security.json.
      @Override
      public void init(Map<String,Object> initInfo) {}
    }

Page 22: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Custom authorization plugin

    import java.security.Principal;
    import java.util.Enumeration;
    import java.util.List;
    import org.apache.solr.common.params.SolrParams;

    // The request view handed to authorize(); CollectionRequest is a nested class of
    // AuthorizationContext naming one collection the request touches.
    public abstract class AuthorizationContext {
      public abstract SolrParams getParams();
      public abstract Principal getUserPrincipal();      // set by the authentication plugin
      public abstract String getHttpHeader(String header);
      public abstract Enumeration getHeaderNames();
      public abstract String getRemoteAddr();
      public abstract String getRemoteHost();
      public abstract List<CollectionRequest> getCollectionRequests();
      public abstract RequestType getRequestType();
      public abstract String getResource();              // request path, e.g. /select
      public abstract String getHttpMethod();
      public enum RequestType {READ, WRITE, ADMIN, UNKNOWN}
      public abstract Object getHandler();               // the resolved request handler
    }

Page 23: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Storage level security

● Encrypting the index (LUCENE-6966, Renaud Delbru)
● Encrypting the index (Credeon/Hitachi) [https://psg.hitachi-solutions.com/credeon/secure-full-text-search]
● Secure HDFS
  – Basic steps:

    bin/solr start -c -Dsolr.directoryFactory=HdfsDirectoryFactory -Dsolr.lock.type=hdfs -Dsolr.hdfs.home=hdfs://host:port/path

  – Reference: https://cwiki.apache.org/confluence/display/solr/Running+Solr+on+HDFS

Page 24: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Zookeeper ACL

● Used to protect znodes created by Solr
● Permissions:
  – CREATE, READ, WRITE, DELETE, ADMIN
● Out of the box implementations:
  – VMParamsAllAndReadonlyDigestZkACLProvider
    ● Read only user
    ● User with full access

Page 25: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Custom code

● Uploading JAR files
● Use config API to use request handlers from jar files
● -Denable.runtime.lib=true or sign your jar files
● Reference: http://home.apache.org/~ctargett/RefGuidePOC/jekyll-full/adding-custom-plugins-in-solrcloud-mode.html

Page 26: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Document and Field level security

● No out of the box support

Page 27: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

General guidelines

● Plan security strategy early
● Use a firewall around Solr and Zookeeper
● Enable SSL
● Choose authentication and authorization strategy
● Secure confidential data stored in ZK with ACLs

Page 28: State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks

Future

● Better tools to configure a cluster for security
● More authorization plugins: document/field level security, Sentry integration (SOLR-9578, SENTRY-1478)
● Consider separating out authc/authz plugins from solr-core into a separate module
● Remove dependency on httpclient
● Avoid ZK exposure (SOLR-9057)
● ZK should use SSL (SOLR-8342, ZOOKEEPER-235, Zookeeper 3.5.1-alpha)
● BasicAuth to support standalone mode (SOLR-9481)
● ZK ACL passwords as startup params is insecure (SOLR-8756)
● Secure impersonation (SOLR-9324)
● Improve documentation
● New UI doesn't work with Kerberos (SOLR-9516)
● Improve test framework