Apache Solr is a full text search engine that is built on Apache Lucene. One of the questions I’ve been asked about in the past is LDAP support for Apache Solr authentication. While there are commercial additions that add LDAP support like Lucidworks Fusion, Apache Solr doesn’t have an LDAP authentication plugin out of the box. Lets explore what the current state of authentication is with Apache Solr.
Apache Solr 5.2 released with a pluggable authentication module from SOLR-7274. This paved the way for future authentication implementations such as
BasicAuth (SOLR-7692) and Kerberos (SOLR-7468). In Apache Solr 6.1, delegation token support (SOLR-9200) was added to the Kerberos authentication plugin. Apache Solr 6.4 added a significant feature for hooking the Hadoop authentication framework directly into Solr as an authentication plugin (SOLR-9513). There haven’t been much more work on authentication plugins lately. Some work is being done to add a JWT authentication plugin currently (SOLR-12121). Each Solr authentication plugin provides additional capabilities for authenticating to Solr.
The Hadoop authentication framework provides additional capabilities since it has added backends. The backends currently include Kerberos, AltKerberos, LDAP, SignerSecretProvider, and Multi-scheme. Each can be configured to support varying needs for authentication.
Apache Solr 6.4+ supports the Hadoop authentication framework due to the work of SOLR-9513. The Apache Solr reference guide provides guidance on how to use the Hadoop Authentication Plugin. All the necessary configuration parameters can be passed down to the Hadoop authentication framework. As more backends are added to the Hadoop authentication framework, Apache Solr just needs to upgrade the Hadoop depdendency to gain support.
LDAP support for the Hadoop authentication framework was added in Hadoop 2.8.0 (HADOOP-12082). Sadly, the Hadoop dependency for Apache Solr 7.5 is only on 2.7.4. This means that when you try to configure the HadoopAuthenticationPlugin` with LDAP, you will get the following error:
Error initializing org.apache.solr.security.HadoopAuthPlugin:
javax.servlet.ServletException: java.lang.ClassNotFoundException: ldap
Note: I don’t recommend doing this outside of experimenting and seeing what is possible.
I put together a simple test project that “manually” replaces the Hadoop 2.7.4 jars with 2.9.1 jars. This was designed to test if it is possible to configure the Solr
HadoopAuthenticationPlugin with LDAP. I was able to configure Solr using the following
security.json file to use the Hadoop 2.9.1 LDAP backend.
With this configuration and the Hadoop 2.9.1 jars, Apache Solr was protected by LDAP. There should be more testing done to see how this plays with multiple nodes and other types of integration required. The Hadoop authentication framework has limited support for LDAP but it should be usable for some usecases.
Apache Solr, as of 7.5, is currently limited as to what support it has for the Hadoop authentication framework. This is due to the depenency on Apache Hadoop 2.7.4. When the Hadoop dependency is updated (SOLR-9515) in Apache Solr, there will be at least some initial support for LDAP integration out of the box with Solr.