Posted to users@solr.apache.org by Shawn Heisey <ap...@elyograg.org> on 2023/03/23 00:24:09 UTC

Authentication for Solr delegating to Active Directory

I finally have a good grasp of exactly how rule based authorization in 
Solr works.  It's exceptionally flexible once you figure it out.

I've been trying to figure out whether there is any way to use Active 
Directory for authentication in Solr, and if so, how in the world I 
would manage mapping those users to Solr's authorization roles.

I found a page that explains how to use JWT authentication to talk to 
Azure AD, but I suspect that won't work with on-prem AD.  Also, the page 
says absolutely nothing about authorization.  I do not know whether the 
AD in this environment I'm working in is Azure or not.  I have asked, 
but the answer hasn't come yet.

One mailing list thread I saw talks about possibly doing LDAP or 
Kerberos, but doesn't say how to do it, and also says nothing about 
authorization.

So I'm asking the question again, since I haven't found answers yet.

Can Solr use Active Directory for authentication?  If it can, how do I 
set it up?  What options are there for mapping users in AD to Solr's 
authorization roles?  If I can work out how to do it, I will see about 
writing up instructions for the ref guide.

Thanks,
Shawn

Re: Authentication for Solr delegating to Active Directory

Posted by Kevin Risden <kr...@apache.org>.
I answered this on the LDAP thread, but copying here for completeness.

I think it's possible with
https://solr.apache.org/guide/solr/latest/deployment-guide/hadoop-authentication-plugin.html

Specifically under "LDAP Configuration" -
https://hadoop.apache.org/docs/stable/hadoop-auth/Configuration.html

It is not exactly laid out in a simple way, but I think all the pieces are
there to configure it.

As a side note, you should also be able to use Kerberos/SPNEGO as an option
with Active Directory if you have Kerberos set up on the Linux node.

Be aware of https://issues.apache.org/jira/browse/SOLR-16240


Kevin Risden


On Wed, Mar 22, 2023 at 11:57 PM Shawn Heisey <el...@elyograg.org> wrote:

> On 3/22/2023 6:56 PM, dmitri maziuk wrote:
> > Looks like someone did it:
> > https://stackoverflow.com/questions/17730950/jetty-jaas-and-active-directory-authentication-only
> >
> > On-prem AD is really just LDAP+SSL but I know next to nothing about
> > jetty so I would be tempted to put it behind an apache or nginx proxy
> > and off-load the auth to it. Those are well documented.
>
> I want to use Solr's authorization capability, so I don't think
> configuring auth in Jetty is what I want at all.  Same goes for any kind
> of proxy layer.  I could probably teach a proxy how to do the
> authorization I want, but I really don't want to reinvent the wheel that
> has already been built into Solr.  It would be a TON of work.
>
> Thanks,
> Shawn
>

Re: Authentication for Solr delegating to Active Directory

Posted by Shawn Heisey <el...@elyograg.org>.
On 3/22/2023 6:56 PM, dmitri maziuk wrote:
> Looks like someone did it: 
> https://stackoverflow.com/questions/17730950/jetty-jaas-and-active-directory-authentication-only
> 
> On-prem AD is really just LDAP+SSL but I know next to nothing about 
> jetty so I would be tempted to put it behind an apache or nginx proxy 
> and off-load the auth to it. Those are well documented.

I want to use Solr's authorization capability, so I don't think 
configuring auth in Jetty is what I want at all.  Same goes for any kind 
of proxy layer.  I could probably teach a proxy how to do the 
authorization I want, but I really don't want to reinvent the wheel that 
has already been built into Solr.  It would be a TON of work.

Thanks,
Shawn

Re: Authentication for Solr delegating to Active Directory

Posted by dmitri maziuk <dm...@gmail.com>.
On 2023-03-22 7:24 PM, Shawn Heisey wrote:
> I finally have a good grasp of exactly how rule based authorization in 
> Solr works.  It's exceptionally flexible once you figure it out.
> 
> I've been trying to figure out whether there is any way to use Active 
> Directory for authentication in Solr, and if so, how in the world I 
> would manage mapping those users to Solr's authorization roles.

Looks like someone did it: 
https://stackoverflow.com/questions/17730950/jetty-jaas-and-active-directory-authentication-only

On-prem AD is really just LDAP+SSL but I know next to nothing about 
jetty so I would be tempted to put it behind an apache or nginx proxy 
and off-load the auth to it. Those are well documented.

my $.02
Dima