SOLR-13371 improve security chapters in refguide (#635)

Jan Høydahl 2019-06-10 23:46:22 +02:00 committed by GitHub
parent 010466ec04
commit 27b1c36994
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 68 additions and 33 deletions

@ -449,6 +449,8 @@ Other Changes
* SOLR-13353: Add SolrCli AuthTool test (Kevin Risden)
* SOLR-13371: Re-structure and clarify Security chapters in Ref Guide (janhoy)
* SOLR-13363: Upgrade to ZooKeeper 3.4.14 (Erick Erickson)
* SOLR-12809: Document recommended Java/Solr combinations (Erick Erickson, Jan Høydahl et.al.)

@ -16,7 +16,7 @@
// specific language governing permissions and limitations
// under the License.
Solr has the ability to log an audit trail of all events in the system.
Solr has the ability to log an audit trail of all HTTP requests entering the system.
Audit loggers are pluggable to suit any possible format or log destination.
[quote]

@ -1,4 +1,4 @@
= Authentication and Authorization Plugins
= Configuring Authentication, Authorization and Audit Logging
:page-children: basic-authentication-plugin, hadoop-authentication-plugin, kerberos-authentication-plugin, rule-based-authorization-plugin, jwt-authentication-plugin
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
@ -17,17 +17,17 @@
// specific language governing permissions and limitations
// under the License.
Solr has security frameworks for supporting authentication and authorization of users. This allows for verifying a user's identity and for restricting access to resources in a Solr cluster.
Solr has security frameworks for supporting authentication, authorization and auditing of users. This allows for verifying a user's identity and for restricting access to resources in a Solr cluster.
Solr includes some plugins out of the box, and additional plugins can be developed using the authentication and authorization frameworks described below.
Solr includes some plugins out of the box, and additional plugins can be developed using the authentication, authorization and audit logging frameworks described below.
All authentication and authorization plugins can work with Solr whether they are running in SolrCloud mode or standalone mode. All authentication and authorization configuration, including users and permission rules, are stored in a file named `security.json`. When using Solr in standalone mode, this file must be in the `$SOLR_HOME` directory (usually `server/solr`). When using SolrCloud, this file must be located in ZooKeeper.
All authentication, authorization and audit logging plugins can work with Solr whether they are running in SolrCloud mode or standalone mode. All related configuration, including users and permission rules, are stored in a file named `security.json`. When using Solr in standalone mode, this file must be in the `$SOLR_HOME` directory (usually `server/solr`). When using SolrCloud, this file must be located in ZooKeeper.
The following section describes how to enable plugins with `security.json` and place them in the proper locations for your mode of operation.
== Enable Plugins with security.json
All of the information required to initialize either type of security plugin is stored in a `security.json` file. This file contains 2 sections, one each for authentication and authorization.
All of the information required to initialize either type of security plugin is stored in a `security.json` file. This file contains 3 sections, one each for authentication, authorization, and audit logging.
.Sample security.json
[source,json]
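Review bot: The sentence under "Enable Plugins with security.json" still says "either type of security plugin" although it now describes 3 sections; "either" implies two, so use "any type of security plugin". In the same hunk, "All related configuration, including users and permission rules, are stored" should read "is stored". The intro also says the frameworks support "auditing of users", but the next sentence only explains verifying identity and restricting access; say what auditing gives the reader, or drop "of users".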
@ -38,6 +38,9 @@ All of the information required to initialize either type of security plugin is
},
"authorization": {
"class": "class.that.implements.authorization"
},
"auditlogging": {
"class": "class.that.implements.auditlogging"
}
}
----
@ -81,7 +84,7 @@ This example also defines `security.json` on the command line, but you can also
[WARNING]
====
Depending on the authentication and authorization plugin that you use, you may have user information stored in `security.json`. If so, we highly recommend that you implement access control in your ZooKeeper nodes. Information about how to enable this is available in the section <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>>.
Whenever you use any security plugins and store `security.json` in ZooKeeper, we highly recommend that you implement access control in your ZooKeeper nodes. Information about how to enable this is available in the section <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>>.
====
Once `security.json` has been uploaded to ZooKeeper, you should use the appropriate APIs for the plugins you're using to update it. You can edit it manually, but you must take care to remove any version data so it will be properly updated across all ZooKeeper nodes. The version data is found at the end of the `security.json` file, and will appear as the letter "v" followed by a number, such as `{"v":138}`.
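Review bot: The reworded WARNING drops the reason the old text gave for protecting ZooKeeper, namely that user information may be stored in `security.json`. Keep the broader "whenever you use any security plugins" scope, but state why: the file holds the users and permission rules, so readers understand what ZooKeeper access control is protecting.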
@ -94,7 +97,8 @@ If you are using <<legacy-scaling-and-distribution.adoc#legacy-scaling-and-distr
You can use the authentication and authorization APIs, but if you are using the legacy scaling model, you will need to make the same API requests on each node separately. You can also edit `security.json` by hand if you prefer.
== Authentication Plugins
[#configuring-authentication]
== Authentication
Authentication plugins help in securing the endpoints of Solr by authenticating incoming requests. A custom plugin can be implemented by extending the AuthenticationPlugin class.
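Review bot: Renaming the section from "Authentication Plugins" to "Authentication" and giving it the explicit id `configuring-authentication` changes the section's anchor, so any cross-reference that targets the anchor derived from the old heading needs updating; please check the other pages for such links. Separately, `AuthenticationPlugin` in the sentence that follows is unformatted, while the new Audit Logging paragraph puts `AuditLoggerPlugin` in backticks and the Authorization section links to the javadoc; pick one convention.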
@ -103,7 +107,7 @@ An authentication plugin consists of two parts:
. Server-side component, which intercepts and authenticates incoming requests to Solr using a mechanism defined in the plugin, such as Kerberos, Basic Auth or others.
. Client-side component, i.e., an extension of `HttpClientConfigurer`, which enables a SolrJ client to make requests to a secure Solr instance using the authentication mechanism which the server understands.
=== Enabling a Plugin
=== Enabling an Authentication Plugin
* Specify the authentication plugin in `/security.json` as in this example:
+
@ -118,20 +122,16 @@ An authentication plugin consists of two parts:
* All of the content in the authentication block of `security.json` would be passed on as a map to the plugin during initialization.
* An authentication plugin can also be used with a standalone Solr instance by passing in `-DauthenticationPlugin=<plugin class name>` during startup.
=== Available Authentication Plugins
Currently available authentication plugins are:
Solr has the following implementations of authentication plugins:
* <<kerberos-authentication-plugin.adoc#kerberos-authentication-plugin,Kerberos Authentication Plugin>>
* <<basic-authentication-plugin.adoc#basic-authentication-plugin,Basic Authentication Plugin>>
* <<hadoop-authentication-plugin.adoc#hadoop-authentication-plugin,Hadoop Authentication Plugin>>
* <<jwt-authentication-plugin.adoc#jwt-authentication-plugin,JWT Authentication Plugin>>
include::securing-solr.adoc[tag=list-of-authentication-plugins]
[#configuring-authorization]
== Authorization
An authorization plugin can be written for Solr by extending the {solr-javadocs}/solr-core/org/apache/solr/security/AuthorizationPlugin.html[AuthorizationPlugin] interface.
=== Loading a Custom Plugin
=== Enabling an Authorization Plugin
* Make sure that the plugin implementation is in the classpath.
* The plugin can then be initialized by specifying the same in `security.json` in the following manner:
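Review bot: The heading "Loading a Custom Plugin" becomes "Enabling an Authorization Plugin", but the first bullet under it, "Make sure that the plugin implementation is in the classpath", only applies to a custom plugin. Either qualify that bullet ("For a custom plugin, make sure ...") or keep a separate custom-plugin subsection so users of the shipped plugin are not sent looking for a jar.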
@ -152,11 +152,14 @@ All of the content in the `authorization` block of `security.json` would be pass
The authorization plugin is only supported in SolrCloud mode. Also, reloading the plugin isn't yet supported and requires a restart of the Solr installation (meaning, the JVM should be restarted, not simply a core reload).
====
=== Available Authorization Plugins
Currently available authorization plugins are:
Solr has one implementation of an authorization plugin:
include::securing-solr.adoc[tag=list-of-authorization-plugins]
* <<rule-based-authorization-plugin.adoc#rule-based-authorization-plugin,Rule-Based Authorization Plugin>>
[#configuring-audit-logging]
== Audit Logging
<<audit-logging.adoc#audit-logging,Audit logging>> plugins helps you keep an audit trail of events happening in your Solr cluster. Audit logging may e.g. ship data to an external audit service. A custom plugin can be implemented by extending the `AuditLoggerPlugin` class.
== Authenticating in the Admin UI
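Review bot: In the new Audit Logging paragraph, "plugins helps you" has a subject-verb mismatch ("plugins help you"), and "an audit trail of events happening in your Solr cluster" contradicts the narrowing made on the audit logging page earlier in this same commit, which now says the trail covers "all HTTP requests entering the system". Use the same wording in both places. Also, "Solr has one implementation of an authorization plugin:" hard-codes a count above a tagged include; "Solr has the following implementations", as used in the Authentication section, will not go stale when the tagged list grows.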

@ -1,5 +1,5 @@
= Securing Solr
:page-children: authentication-and-authorization-plugins, enabling-ssl, audit-logging
:page-children: authentication-and-authorization-plugins, enabling-ssl, audit-logging, zookeeper-access-control
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
@ -17,18 +17,48 @@
// specific language governing permissions and limitations
// under the License.
When planning how to secure Solr, you should consider which of the available features or approaches are right for you.
* Authentication or authorization of users using:
** <<kerberos-authentication-plugin.adoc#kerberos-authentication-plugin,Kerberos Authentication Plugin>>
** <<basic-authentication-plugin.adoc#basic-authentication-plugin,Basic Authentication Plugin>>
** <<rule-based-authorization-plugin.adoc#rule-based-authorization-plugin,Rule-Based Authorization Plugin>>
** <<authentication-and-authorization-plugins.adoc#authentication-and-authorization-plugins,Custom authentication or authorization plugin>>
* <<enabling-ssl.adoc#enabling-ssl,Enabling SSL>>
* If using SolrCloud, <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>>
* <<audit-logging.adoc#audit-logging,Audit logging>> for recording an audit trail
[WARNING]
====
No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access. Because of this, the project will not regard e.g., Admin UI XSS issues as security vulnerabilities. However, we still ask you to report such issues in JIRA.
====
When planning how to secure Solr, you should consider which of the available features or approaches are right for you:
== Encryption with TLS (SSL) Certificates
Ecrypting traffic to/from Solr and between Solr nodes prevents sensitive data to be leaked out on the network. TLS is also normally a requirement to prevent credential sniffing when using Authentication.
See the page <<enabling-ssl.adoc#enabling-ssl,Enabling TLS (SSL)>> for details.
== Authentication, Authorization and Audit Logging
See chapter <<authentication-and-authorization-plugins.adoc#authentication-and-authorization-plugins,Configuring Authentication, Authorization and Audit Logging plugins>> to learn how to work with the `security.json` file.
[#securing-solr-auth-plugins]
=== Authentication Plugins
Authentication makes sure you know the identity of your users. The authentication plugins shipping with Solr are:
// tag::list-of-authentication-plugins[]
* <<kerberos-authentication-plugin.adoc#kerberos-authentication-plugin,Kerberos Authentication Plugin>>
* <<basic-authentication-plugin.adoc#basic-authentication-plugin,Basic Authentication Plugin>>
* <<hadoop-authentication-plugin.adoc#hadoop-authentication-plugin,Hadoop Authentication Plugin>>
* <<jwt-authentication-plugin.adoc#jwt-authentication-plugin,JWT Authentication Plugin>>
// end::list-of-authentication-plugins[]
=== Authorization Plugins
Authorization makes sure that only users with the necessary roles/permissions can access any given resource. The authorization plugins shipping with Solr are:
// tag::list-of-authorization-plugins[]
* <<rule-based-authorization-plugin.adoc#rule-based-authorization-plugin,Rule-Based Authorization Plugin>>
// end::list-of-authorization-plugins[]
=== Audit Logging Plugins
Audit logging will record an audit trail of incoming reqests to your cluster, such as users being denied access to admin APIs. Learn more about audit logging and how to implement an audit logger plugin here in the <<audit-logging.adoc#audit-logging,Audit Logging>> chapter.
== Securing Zookeeper Traffic
Zookeeper is a central and important part of a SolrCloud cluster and understanding how to secure
its content is covered in the <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>> page.
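Review bot: Two typos in the added text: "Ecrypting" in the TLS section should be "Encrypting", and "reqests" under Audit Logging Plugins should be "requests". In the same TLS sentence, "prevents sensitive data to be leaked out" should read "prevents sensitive data from being leaked". The last section spells "Zookeeper" where the link text uses "ZooKeeper", and the sentence ending "are right for you:" keeps its colon although it is now followed by a heading rather than a list.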

@ -1,5 +1,5 @@
= SolrCloud Configuration and Parameters
:page-children: setting-up-an-external-zookeeper-ensemble, using-zookeeper-to-manage-configuration-files, zookeeper-access-control, collections-api, parameter-reference, command-line-utilities, solrcloud-with-legacy-configuration-files, configsets-api
:page-children: setting-up-an-external-zookeeper-ensemble, using-zookeeper-to-manage-configuration-files, collections-api, parameter-reference, command-line-utilities, solrcloud-with-legacy-configuration-files, configsets-api
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information