DEV Community

Kevin Risden
Kevin Risden

Posted on • Originally published at risdenk.github.io on

Apache Solr - Hadoop Authentication Plugin - LDAP

Overview

Apache Solr is a full text search engine that is built on Apache Lucene. One of the questions I’ve been asked about in the past is LDAP support for Apache Solr authentication. While there are commercial additions that add LDAP support like Lucidworks Fusion, Apache Solr doesn’t have an LDAP authentication plugin out of the box. Lets explore what the current state of authentication is with Apache Solr.

Apache Solr and Authentication

Apache Solr 5.2 released with a pluggable authentication module from SOLR-7274. This paved the way for future authentication implementations such as BasicAuth (SOLR-7692) and Kerberos (SOLR-7468). In Apache Solr 6.1, delegation token support (SOLR-9200) was added to the Kerberos authentication plugin. Apache Solr 6.4 added a significant feature for hooking the Hadoop authentication framework directly into Solr as an authentication plugin (SOLR-9513). There haven’t been much more work on authentication plugins lately. Some work is being done to add a JWT authentication plugin currently (SOLR-12121). Each Solr authentication plugin provides additional capabilities for authenticating to Solr.

Hadoop Authentication, LDAP, and Apache Solr

Hadoop Authentication Framework Overview

The Hadoop authentication framework provides additional capabilities since it has added backends. The backends currently include Kerberos, AltKerberos, LDAP, SignerSecretProvider, and Multi-scheme. Each can be configured to support varying needs for authentication.

Apache Solr and Hadoop Authentication Framework

Apache Solr 6.4+ supports the Hadoop authentication framework due to the work of SOLR-9513. The Apache Solr reference guide provides guidance on how to use the Hadoop Authentication Plugin. All the necessary configuration parameters can be passed down to the Hadoop authentication framework. As more backends are added to the Hadoop authentication framework, Apache Solr just needs to upgrade the Hadoop depdendency to gain support.

Apache Solr 7.5 and LDAP

LDAP support for the Hadoop authentication framework was added in Hadoop 2.8.0 (HADOOP-12082). Sadly, the Hadoop dependency for Apache Solr 7.5 is only on 2.7.4. This means that when you try to configure the HadoopAuthenticationPlugin` with LDAP, you will get the following error:

`
Error initializing org.apache.solr.security.HadoopAuthPlugin:
javax.servlet.ServletException: java.lang.ClassNotFoundException: ldap

`

Manually Upgrading the Apache Solr Hadoop Dependency

Note: I don’t recommend doing this outside of experimenting and seeing what is possible.

I put together a simple test project that “manually” replaces the Hadoop 2.7.4 jars with 2.9.1 jars. This was designed to test if it is possible to configure the Solr HadoopAuthenticationPlugin with LDAP. I was able to configure Solr using the following security.json file to use the Hadoop 2.9.1 LDAP backend.

`
{
"authentication": {
"class": "solr.HadoopAuthPlugin",
"sysPropPrefix": "solr.",
"type": "ldap",
"authConfigs": [
"ldap.providerurl",
"ldap.basedn",
"ldap.enablestarttls"
],
"defaultConfigs": {
"ldap.providerurl": "ldap://ldap",
"ldap.basedn": "dc=example,dc=org",
"ldap.enablestarttls": "false"
}
}
}

`

With this configuration and the Hadoop 2.9.1 jars, Apache Solr was protected by LDAP. There should be more testing done to see how this plays with multiple nodes and other types of integration required. The Hadoop authentication framework has limited support for LDAP but it should be usable for some usecases.

Conclusion

Apache Solr, as of 7.5, is currently limited as to what support it has for the Hadoop authentication framework. This is due to the depenency on Apache Hadoop 2.7.4. When the Hadoop dependency is updated (SOLR-9515) in Apache Solr, there will be at least some initial support for LDAP integration out of the box with Solr.

References

Top comments (0)