Handles initializing Solr with custom helpers to support Kerberos authentication and SSL encryption. These helpers must be set up before Solr creates any HTTPClient objects, so the initXXX methods should be called as early as possible during application initialization. Once Solr has been initialized, subsequent calls to either initXXX method have no effect.
This library must be used with the DSE-specific SolrJ component. Both jars are shipped as part of the DSE distro, and the SolrJ library should be used as a drop-in replacement for the regular Apache library in client applications that want to access secured DSE search services using SolrJ.
Use the SolrHttpClientInitializer class to configure SolrJ with a SpnegoAuthenticator, a plugin which is used internally by every instance of HttpSolrServer. It performs authentication using SPNEGO/GSSAPI/Kerberos and caches authentication tokens on a per-host basis. Optionally, all HTTP requests performed as part of the SPNEGO protocol can be carried out over secure connections if an SSLContext is supplied. To use Kerberos credentials from a keytab file, both the file and the Principal must be supplied. If neither is supplied, credentials from the local Kerberos ticket cache are used. Supplying a keytab or a Principal but not both is not supported and will result in an error.
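    // No Principal or keytab supplied: credentials come from the local Kerberos ticket cache
    SolrHttpClientInitializer.initAuthentication(new AuthenticationOptions());

    // Principal and keytab supplied together: credentials come from the keytab file
    SolrHttpClientInitializer.initAuthentication(
        new AuthenticationOptions()
            .withPrincipal(new KerberosPrincipal("user@REALM"))
            .withKeytab(new File("/path/to/keytab")));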
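HTTP requests during the SPNEGO protocol negotiation will be encrypted and use a specific X509HostnameVerifier. This example uses the very lax ALLOW_ALL_HOSTNAME_VERIFIER supplied by HTTPClient, which turns hostname verification off, so prefer a stricter verifier outside of testing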
    SolrHttpClientInitializer.initAuthentication(
        new AuthenticationOptions()
            .withPrincipal(new KerberosPrincipal("user@REALM"))
            .withKeytab(new File("/path/to/keytab"))
            .withSSLContext(SSLContext.getDefault())
            .withHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER));
Hostnames will be verified using the system default X509HostnameVerifier
    SolrHttpClientInitializer.initEncryption(
        new EncryptionOptions()
            .withSSLContext(SSLContext.getDefault()));
Hostnames will be verified using the specified X509HostnameVerifier
    SolrHttpClientInitializer.initEncryption(
        new EncryptionOptions()
            .withSSLContext(SSLContext.getDefault())
            .withHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER));
The solrj-auth-examples subproject contains a working demo which can be run from the command line using Maven. It assumes a secured DSE search node is running.
solrj-auth-examples$ mvn exec:java -Durl=https://example.host:8983/solr/wiki.solr -Dprincipal=user@REALM -Dkeytab=/home/user/test.keytab -Dtruststore=/home/user/truststore.jks -Dtruststore_pwd=cassandra -Dkeystore=/home/user/keystore.jks -Dkeystore_pwd=cassandra
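The snippets above pass SSLContext.getDefault(), while the demo takes explicit truststore and keystore paths. The following added example (not part of this project's code) builds such an SSLContext with JDK APIs only and checks the keytab/Principal pairing rule before initialization. The class and method names are hypothetical, and it assumes JKS stores whose key password equals the store password.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (hypothetical class name); uses only JDK APIs. */
public final class SecureSolrBootstrap {

    /** Enforces the documented rule: keytab and Principal together, or neither (ticket cache). */
    static boolean useTicketCache(String principal, File keytab) {
        if ((principal == null) != (keytab == null)) {
            throw new IllegalArgumentException("Supply both principal and keytab, or neither");
        }
        if (keytab != null && !keytab.canRead()) {
            throw new IllegalArgumentException("Keytab not readable: " + keytab);
        }
        return principal == null;
    }

    // Assumption: stores are in JKS format, as the .jks names in the demo command suggest.
    private static KeyStore loadJks(File file, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Builds an SSLContext that trusts only the CAs in the given truststore.
     * Pass the result to withSSLContext(...) in place of SSLContext.getDefault().
     */
    static SSLContext buildSslContext(File truststore, char[] trustPwd,
                                      File keystore, char[] keyPwd) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststore, trustPwd));

        KeyManagerFactory kmf = null;
        if (keystore != null) { // a client certificate is optional
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(keystore, keyPwd), keyPwd); // assumes key password == store password
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```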