Posted to users@solr.apache.org by Shawn Heisey <ap...@elyograg.org> on 2023/03/23 00:24:09 UTC
Authentication for Solr delegating to Active Directory
I finally have a good grasp of exactly how rule based authorization in
Solr works. It's exceptionally flexible once you figure it out.
I've been trying to figure out whether there is any way to use Active
Directory for authentication in Solr, and if so, how in the world I
would manage mapping those users to Solr's authorization roles.
I found a page that explains how to use JWT authentication to talk to
Azure AD, but I suspect that won't work with on-prem AD. Also, the page
says absolutely nothing about authorization. I do not know whether the
AD in this environment I'm working in is Azure or not. I have asked,
but the answer hasn't come yet.
One mailing list thread I saw talks about possibly doing LDAP or
Kerberos, but doesn't say how to do it, and also says nothing about
authorization.
So I'm asking the question again, since I haven't found answers yet.
Can Solr use Active Directory for authentication? If it can, how do I
set it up? What options are there for mapping users in AD to Solr's
authorization roles? If I can work out how to do it, I will see about
writing up instructions for the ref guide.
Thanks,
Shawn
Re: Authentication for Solr delegating to Active Directory
Posted by Kevin Risden <kr...@apache.org>.
I answered this on the LDAP thread, but copying here for completeness.
I think it's possible with
https://solr.apache.org/guide/solr/latest/deployment-guide/hadoop-authentication-plugin.html
Specifically under "LDAP Configuration" -
https://hadoop.apache.org/docs/stable/hadoop-auth/Configuration.html
It is not exactly laid out in a simple way, but I think all the pieces are
there to configure it.
As a side note, you should also be able to use Kerberos/SPNEGO as an option
with Active Directory if you have Kerberos set up on the Linux node.
Be aware of https://issues.apache.org/jira/browse/SOLR-16240
Kevin Risden
On Wed, Mar 22, 2023 at 11:57 PM Shawn Heisey <el...@elyograg.org> wrote:
> On 3/22/2023 6:56 PM, dmitri maziuk wrote:
> > Looks like someone did it:
> > https://stackoverflow.com/questions/17730950/jetty-jaas-and-active-directory-authentication-only
> >
> > On-prem AD is really just LDAP+SSL but I know next to nothing about
> > jetty so I would be tempted to put it behind an apache or nginx proxy
> > and off-load the auth to it. Those are well documented.
>
> I want to use Solr's authorization capability, so I don't think
> configuring auth in Jetty is what I want at all. Same goes for any kind
> of proxy layer. I could probably teach a proxy how to do the
> authorization I want, but I really don't want to reinvent the wheel that
> has already been built into Solr. It would be a TON of work.
>
> Thanks,
> Shawn
>
Re: Authentication for Solr delegating to Active Directory
Posted by Shawn Heisey <el...@elyograg.org>.
On 3/22/2023 6:56 PM, dmitri maziuk wrote:
> Looks like someone did it:
> https://stackoverflow.com/questions/17730950/jetty-jaas-and-active-directory-authentication-only
>
> On-prem AD is really just LDAP+SSL but I know next to nothing about
> jetty so I would be tempted to put it behind an apache or nginx proxy
> and off-load the auth to it. Those are well documented.
I want to use Solr's authorization capability, so I don't think
configuring auth in Jetty is what I want at all. Same goes for any kind
of proxy layer. I could probably teach a proxy how to do the
authorization I want, but I really don't want to reinvent the wheel that
has already been built into Solr. It would be a TON of work.
Thanks,
Shawn
Re: Authentication for Solr delegating to Active Directory
Posted by dmitri maziuk <dm...@gmail.com>.
On 2023-03-22 7:24 PM, Shawn Heisey wrote:
> I finally have a good grasp of exactly how rule based authorization in
> Solr works. It's exceptionally flexible once you figure it out.
>
> I've been trying to figure out whether there is any way to use Active
> Directory for authentication in Solr, and if so, how in the world I
> would manage mapping those users to Solr's authorization roles.
Looks like someone did it:
https://stackoverflow.com/questions/17730950/jetty-jaas-and-active-directory-authentication-only
On-prem AD is really just LDAP+SSL but I know next to nothing about
jetty so I would be tempted to put it behind an apache or nginx proxy
and off-load the auth to it. Those are well documented.
my $.02
Dima