Understanding the Solr security framework - Lucene Solr Revolution 2015
2 likes1,850 views
Anshum Gupta presented on the Apache Solr security framework. He began with an introduction of himself and overview of Apache Lucene and Solr. The presentation then covered the need for security in Solr, available security options which include SSL, ZooKeeper ACLs, and authentication and authorization frameworks. Gupta discussed the authentication and authorization plugin architectures, available plugins like BasicAuth and Kerberos, and benefits of the security frameworks like enabling multi-tenant and access controlled features. He concluded with recommendations on writing custom plugins and next steps to improve Solr security.
Understanding the Solr security framework - Lucene Solr Revolution 2015
- 1. O C T O B E R 1 3 - 1 6 , 2 0 1 6 • A U S T I N , T X
- 2. Understanding the Solr security framework Anshum Gupta Senior Software Engineer, IBM Watson
- 3. 3 01 Who am I? • Anshum Gupta, Apache Lucene/Solr PMC member and committer, IBM Watson Search team. • Interested in search and related stuff. • Apache Lucene since 2006 and Solr since 2010. • Organizations I am or have been a part of:
- 4. 4 02 What is ? • Apache Lucene is a free open source information retrieval software library • Originally written in Java by Doug Cutting. • It is supported by the Apache Software Foundation and is released under the Apache Software License.
- 5. 5 03 What is ? • Solr (pronounced “solar”, not “solaar”) is an open source enterprise search platform • Written in Java, • For a while now, a part of the Apache Lucene project. • Search on Lucene & Resin (SoLR) • SolrCloud - Distributed feature set
- 6. 6 "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." —Gene Spaford
- 7. 7 01 Apache Solr is the most widely-used search solution on the planet. Solr has tens of thousands of applications in production. You use everyday. 8,000,000+ Total downloads Solr is both established and growing. 250,000+ Monthly downloads 2,500+ Open Solr jobs and the largest community of developers.
- 8. 8 01 SolrCloud Logical Architecture Shard 1 (leader) Followers Shard 2 (leader) Followers ZooKeeper ZooKeeper instance Solr Instance
- 9. 9 01 SolrCloud - Physical Architecture ZooKeeper Node 1 Node 2 Load Balancer Client Client Client Client Client Client Client Client Client Lots Of Interaction Coins by Creative Stall from the Noun Project
- 10. 10 01 Why do we need it? • Multi-tenant systems • Access control • Solr resources • ZooKeeper • Authentication • Authorization • Until recently: Nothing out of the box. Only locked-in, third party!
- 11. 11 01 Solr security - available options • SSL support • ZooKeeper ACLs • Authentication framework • Authorization framework
- 12. 12 01 Security Framework Architecture Incoming Request Authenticate and attach metadata Authorize Process Request Error Servlet Filter Authentication Plugin Authorization Plugin Error Return Response with result
- 13. 13 01 Enabling a plugin • /security.json file in ZooKeeper • Contains security config • Custom plugins: More meta-data can be provided { "authentication" : { "class": “class.that.implements.authentication", "other_data" : "..." }, "authorization": { "class": “class.that.implements.authorization", "other_data" : "..." } }
- 14. 14 01 Authentication Framework Authentication Plugin Client side component Server side component Reconfigurer*Request Reconfigurer* Inter-node Requests Inter-node Requests Inter-node Requests
- 15. 15 01 Available Authentication Plugins • BasicAuth • Kerberos
- 16. 16 01 Kerberos Plugin • Prerequisites: • Enabled via /security.json before Solr instance starts • Each Solr node must have: • A Kerberos service principal and key tab file • Client principal and a corresponding keytab file. Can be the same as the service principal. • Recommendation: • Kerberized ZooKeeper • Start Solr with the correct host-specific parameters. Kerberized Solr Kerberized ZooKeeper Kerberos EnabledClient
- 17. 17 01 Authorization Plugins • Rule based authorization plugin • Apache Ranger plugin (external) • DIY!
- 18. 18 01 Rule based Authorization Plugin • Rule based permissions - stored in ZooKeeper • Editable using API • Auto-reload on update • Well known permissions eg: config-edit, collection-edit, security-edit SolrCloud Cluster ZooKeeper Ensemble
- 19. 19 Getting started with Basic Auth & Rule based plugin is easy! • Upload security.json • Add users and permissions using API calls! curl --user solr:SolrRocks http://localhost:8983/solr/ admin/authorization -H 'Content-type:application/ json' -d '{"set-permission" : {"name":"collection- admin-edit", "role":"admin"}}'
- 20. 20 01 Benefits of the frameworks • Secure operations in a multi-tenant setup • Allows for features that couldn’t be added due to lack of security e.g. registering handlers, and uploading configs via API calls.
- 21. 21 Writing your own plugin • Authentication • Extend AuthenticationPlugin • Optional: extend HttpClientInterceptorPlugin • Authorization • Implement AuthorizationPlugin • Optionally implement ConfigEditablePlugin
- 23. 23 01 "Security is not a product, but a process". —Bruce Schneier • Better inter-node communication standard • First-class support in SolrJ and bin scripts for basic auth. • More plugins!