Beyond Firewalls: How Basic Auth Can Protect Your SolrCloud

If you use Apache SolrCloud, you shouldn’t rely only on firewalls to shield Zookeeper and the Solr Admin UI from the outside world. Firewall rules alone are not a sufficient path to securing a SolrCloud cluster, because firewall rules change often, for a variety of reasons, and usually not good ones. A typical case: administrators from different groups open ports that were previously closed because a new application, or a new perimeter defense system for managing those rules, came online.

The other reason firewall rules are not enough is that the person wishing to take down SolrCloud could already be inside your network. The correct approach to securing a SolrCloud cluster is to implement one of the many open-source authentication plugins available for Solr, in addition to network defenses.

Securing With Basic Authentication

The simplest path to securing your SolrCloud cluster is the Basic Authentication plugin, also known as Basic Auth, but it has some gotchas. Conventional wisdom holds that Basic Auth is not secure, because credentials are sent in cleartext and can be captured by packet sniffing. However, if the connection is secured with TLS/SSL, Basic Auth is as secure as other methods that use encryption.

In this blog post, which covers my presentation at Activate 2019, the Search and AI conference, I will introduce a backward-incompatible change I added to Solr 9 that adds even more security to Basic Auth, and explain what it means for your users.

Basic Auth, like the Kerberos and JWT plugins, is configured in the security.json file. Like most configuration files in the SolrCloud world, this file is stored in Zookeeper. It tells SolrCloud which authentication class to invoke, who has which permissions, and whether the authentication it defines should actually be enforced.

That’s right: even if you “enable” the Basic Auth plugin by simply adding its class to security.json, authentication will not be enforced in versions before the (as yet unreleased) 9.0, where I made the contribution, until you add the parameter “blockUnknown” and set it to “true”, because that parameter defaults to “false”. Most users set the parameter appropriately, but let’s walk through the anatomy of the file to make sure you set it up correctly in your cluster.

A fully-baked security.json that blocks unauthorized users looks like this when enabling Basic Auth (the credential value is a single line of the form “hash salt”):

{
   "authentication":{
      "blockUnknown":true,
      "class":"solr.BasicAuthPlugin",
      "credentials":{
         "solr":"orwp2Ghgj39lmnrZOTm7Qtre1VqHFDfwAEzr0ApbN3Y= Ju5osoAqOX8iafhWpPP01E5P+sg8tK8tHON7rCYZRRw="
      }
   },
   "authorization":{
      "class":"solr.RuleBasedAuthorizationPlugin",
      "user-role":{
         "solr":"admin"
      },
      "permissions":[
         {
            "name":"security-edit",
            "role":"admin"
         }
      ]
   }
}
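As an added example (not code from the original post or from the Solr project), the following Python script checks a security.json for the pitfalls described above before the file is pushed to Zookeeper: it parses the JSON (a curly quote pasted from a web page is caught here), confirms the BasicAuthPlugin class, requires blockUnknown to be explicitly true, requires at least one user, and checks that each credential has the two-part base64 “hash salt” shape shown in the sample. The function names and the sample documents are my own, and the credential value inside the script is constructed filler, not a real hash of any password.

```python
"""Check a Solr security.json for the Basic Auth pitfalls described above.

Added example, not code from the original post or from the Solr project.
Sample documents and the credential value below are constructed for
illustration; the credential is not a real hash of any password.
"""
import base64
import binascii
import json
import sys

BASIC_AUTH_CLASS = "solr.BasicAuthPlugin"


def _is_base64(value: str) -> bool:
    """True if value is strict, padded base64 (the shape Solr stores)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def check_credential(value: str) -> list:
    """Return problems with one stored credential, or [] if it looks right.

    Solr stores each Basic Auth credential as "<base64 hash> <base64 salt>"
    on a single line; a line break inside the value (as happens when it is
    copied from a web page) breaks that format.
    """
    parts = value.split()
    if len(parts) != 2:
        return ["credential must be '<hash> <salt>' separated by one space"]
    problems = []
    if not _is_base64(parts[0]):
        problems.append("hash is not valid base64")
    if not _is_base64(parts[1]):
        problems.append("salt is not valid base64")
    return problems


def check_security_json(text: str) -> list:
    """Return findings for a security.json; [] means Basic Auth is enforced."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Smart quotes pasted from a document are a common cause of this.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]

    auth = doc.get("authentication")
    if not isinstance(auth, dict):
        return ["no 'authentication' section: nothing is enforced"]

    findings = []
    if auth.get("class") != BASIC_AUTH_CLASS:
        findings.append(f"authentication class is not {BASIC_AUTH_CLASS}")

    # The key point of the post: before Solr 9, merely naming the plugin does
    # nothing unless blockUnknown is explicitly true (it defaults to false).
    if auth.get("blockUnknown") is not True:
        findings.append("blockUnknown is not true: unknown users are let through")

    creds = auth.get("credentials")
    if not isinstance(creds, dict) or not creds:
        findings.append("no users in 'credentials': in Solr 9 every request is rejected")
        creds = {}
    for user, value in creds.items():
        if not isinstance(value, str):
            findings.append(f"user {user!r}: credential is not a string")
            continue
        findings.extend(f"user {user!r}: {p}" for p in check_credential(value))

    # A role assigned to a user who cannot log in is usually a typo.
    authz = doc.get("authorization")
    if isinstance(authz, dict):
        for user in authz.get("user-role") or {}:
            if user not in creds:
                findings.append(f"user {user!r} has a role but no credential")
    return findings


# Constructed sample: 32 bytes of filler for hash and salt, not a real hash.
SAMPLE_CRED = (base64.b64encode(b"h" * 32).decode() + " "
               + base64.b64encode(b"s" * 32).decode())

GOOD = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": BASIC_AUTH_CLASS,
        "credentials": {"solr": SAMPLE_CRED},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"solr": "admin"},
        "permissions": [{"name": "security-edit", "role": "admin"}],
    },
})

# Same file with blockUnknown left out: the plugin is "enabled" but nothing
# is enforced on releases before 9.0.
NOT_ENFORCED = GOOD.replace('"blockUnknown": true, ', "")

# Same file with a curly quote after blockUnknown, as pasted from a web page.
SMART_QUOTE = GOOD.replace('"blockUnknown":', '"blockUnknown\u201d:', 1)

if __name__ == "__main__":
    # Usage: python check_security_json.py path/to/security.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD
    problems = check_security_json(text)
    print("OK: Basic Auth is enforced" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it against the file you are about to upload with zkcli; a non-zero exit means at least one finding, and the blockUnknown finding is the one that turns an apparently secured cluster into an open one on pre-9.0 releases.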

How to Curl Basic Auth and the zkCLI

To quickly test whether you have security enabled, query the two security endpoints:

curl http://localhost:8983/solr/admin/authentication

curl http://localhost:8983/solr/admin/authorization

To put a security.json file in Zookeeper, use the Zookeeper CLI (zkcli.sh):

server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:9983 -cmd putfile /security.json security.json

In Solr 9, if you have Basic Auth enabled but no users configured, Solr will return a server error, because all unauthenticated requests made against the API are blocked. This will interrupt the workflow of developers who were accustomed to creating users for Basic Auth only after first enabling the plugin.

Most advanced users will say that an SSH tunnel to the Solr administrative endpoints is the best way to go in production and development tiers. I agree with them. However, for many users that’s not even an option, and for others it’s overkill. Basic Auth was designed to be exactly what it is called: “basic.” In that way, it may be protecting some of the most vulnerable users on the internet. That’s why I made it better.

Here’s a link to the JIRA: https://issues.apache.org/jira/browse/SOLR-1364

Here’s a video of my talk at Activate:

Here’s a video on how to get Basic Auth set up in seven minutes:
