Posted to commits@lucene.apache.org by ct...@apache.org on 2018/11/15 06:36:38 UTC
lucene-solr:branch_7_6: SOLR-12497: Add documentation for Hadoop
credential provider-based keystore/truststore
Repository: lucene-solr
Updated Branches:
refs/heads/branch_7_6 033fa9d05 -> 0f7339499
SOLR-12497: Add documentation for Hadoop credential provider-based keystore/truststore
Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/0f733949
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/0f733949
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/0f733949
Branch: refs/heads/branch_7_6
Commit: 0f73394995bd8abde2b18dbaa9c228ab72fb79e2
Parents: 033fa9d
Author: Cassandra Targett <ct...@apache.org>
Authored: Wed Nov 14 18:44:02 2018 -0600
Committer: Cassandra Targett <ct...@apache.org>
Committed: Thu Nov 15 00:36:31 2018 -0600
----------------------------------------------------------------------
solr/CHANGES.txt | 3 ++
solr/bin/solr.in.cmd | 1 +
solr/bin/solr.in.sh | 1 +
solr/solr-ref-guide/src/css/ref-guide.css | 4 +-
solr/solr-ref-guide/src/enabling-ssl.adoc | 72 +++++++++++++++++++++++++-
5 files changed, 77 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/0f733949/solr/CHANGES.txt
----------------------------------------------------------------------
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index b48bc34..23df7c6 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -144,6 +144,9 @@ Other Changes
* SOLR-12600: Fix parameter names in Solr JSON documentation (Alexandre Rafalovitch)
+* SOLR-12497: Add documentation to use Hadoop credential provider-based keystore/trustsore.
+(Mano Kovacs, Cassandra Targett)
+
Bug Fixes
----------------------
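Review bot: The added CHANGES entry misspells "truststore" as "trustsore" in `keystore/trustsore`. The commit subject spells it correctly, so the entry should read "keystore/truststore".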
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/0f733949/solr/bin/solr.in.cmd
----------------------------------------------------------------------
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index 86ad708..4b86d25 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -135,6 +135,7 @@ REM * javax.net.ssl.keyStorePassword
REM * javax.net.ssl.trustStorePassword
REM More info: https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html
REM set SOLR_HADOOP_CREDENTIAL_PROVIDER_PATH=localjceks://file/home/solr/hadoop-credential-provider.jceks
+REM set SOLR_OPTS=" -Dsolr.ssl.credential.provider.chain=hadoop"
REM Settings for authentication
REM Please configure only one of SOLR_AUTHENTICATION_CLIENT_BUILDER or SOLR_AUTH_TYPE parameters
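Review bot: The commented example `set SOLR_OPTS=" -Dsolr.ssl.credential.provider.chain=hadoop"` assigns SOLR_OPTS instead of appending to it, so a user who uncomments it loses any options the variable already holds. In cmd the double quotes also become part of the value. Suggest `set SOLR_OPTS=%SOLR_OPTS% -Dsolr.ssl.credential.provider.chain=hadoop`.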
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/0f733949/solr/bin/solr.in.sh
----------------------------------------------------------------------
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index 9b15bea..af1cd7a 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -152,6 +152,7 @@
# * javax.net.ssl.trustStorePassword
# More info: https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/CredentialProviderAPI.html
#SOLR_HADOOP_CREDENTIAL_PROVIDER_PATH=localjceks://file/home/solr/hadoop-credential-provider.jceks
+#SOLR_OPTS=" -Dsolr.ssl.credential.provider.chain=hadoop"
# Settings for authentication
# Please configure only one of SOLR_AUTHENTICATION_CLIENT_BUILDER or SOLR_AUTH_TYPE parameters
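Review bot: The commented `#SOLR_OPTS=" -Dsolr.ssl.credential.provider.chain=hadoop"` line replaces SOLR_OPTS rather than extending it. `SOLR_OPTS="$SOLR_OPTS -Dsolr.ssl.credential.provider.chain=hadoop"` would keep options set elsewhere in the file. The visible comment block also shows only two of the three settings that the enabling-ssl.adoc text in this commit lists as required: HADOOP_CREDSTORE_PASSWORD is not mentioned next to the provider path.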
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/0f733949/solr/solr-ref-guide/src/css/ref-guide.css
----------------------------------------------------------------------
diff --git a/solr/solr-ref-guide/src/css/ref-guide.css b/solr/solr-ref-guide/src/css/ref-guide.css
index a8224a9..1005ab9 100644
--- a/solr/solr-ref-guide/src/css/ref-guide.css
+++ b/solr/solr-ref-guide/src/css/ref-guide.css
@@ -447,7 +447,6 @@ p.lead
.exampleblock > .title,
.hdlist > .title,
.imageblock > .title,
-.imageblock > figcaption,
.listingblock > .title,
.literalblock > .title,
.olist > .title,
@@ -460,7 +459,8 @@ p.lead
.ulist > .title,
.verseblock > .title,
.videoblock > .title,
-table.tableblock > .title
+table.tableblock > .title,
+figcaption
{
margin-top: 0;
margin-bottom: .25em;
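Review bot: Replacing `.imageblock > figcaption` with a bare `figcaption` selector widens this rule to every figcaption in the guide, and the commit message, which covers only the credential provider documentation, does not mention it. If the change is needed for the new tabbed examples, say so in the message; otherwise it belongs in its own commit.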
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/0f733949/solr/solr-ref-guide/src/enabling-ssl.adoc
----------------------------------------------------------------------
diff --git a/solr/solr-ref-guide/src/enabling-ssl.adoc b/solr/solr-ref-guide/src/enabling-ssl.adoc
index 96262bd..cfb2da9 100644
--- a/solr/solr-ref-guide/src/enabling-ssl.adoc
+++ b/solr/solr-ref-guide/src/enabling-ssl.adoc
@@ -133,17 +133,85 @@ set SOLR_SSL_TRUST_STORE_TYPE=JKS
Start Solr using the command shown below; by default clients will not be required to authenticate:
-.*nix command
+[.dynamic-tabs]
+--
+[example.tab-pane#single-unix]
+====
+[.tab-label]**nix Command*
[source,bash]
----
bin/solr -p 8984
----
+====
-.Windows command
+[example.tab-pane#single-windows]
+====
+[.tab-label]*Windows Command*
[source,text]
----
bin\solr.cmd -p 8984
----
+====
+--
+
+== Password Distribution via Hadoop Credential Store
+
+Solr supports reading keystore and truststore passwords from Hadoop credential store. This approach can be beneficial
+if password rotation and distribution is already handled by credential stores.
+
+Hadoop credential store can be used with Solr using the following two steps.
+
+=== Provide a Hadoop Credential Store
+Create a Hadoop credstore file and define the entries below with the actual keystore passwords.
+
+[source,text]
+----
+solr.jetty.keystore.password
+solr.jetty.truststore.password
+javax.net.ssl.keyStorePassword
+javax.net.ssl.trustStorePassword
+----
+
+Note that if the `javax.net.ssl.\*` configurations are not set, they will fallback to the corresponding `solr.jetty.*` configurations.
+
+=== Configure Solr to use Hadoop Credential Store
+
+Solr needs requires three parameters to be configured in order to use the credential store file for keystore passwords.
+
+`solr.ssl.credential.provider.chain`::
+The credential provider chain. This should be set to `hadoop`.
+
+`SOLR_HADOOP_CREDENTIAL_PROVIDER_PATH`::
+The path to the credential store file.
+
+`HADOOP_CREDSTORE_PASSWORD`::
+The password to the credential store.
+
+[.dynamic-tabs]
+--
+[example.tab-pane#credstore-unix]
+====
+[.tab-label]**nix Example*
+[source,text]
+----
+SOLR_OPTS=" -Dsolr.ssl.credential.provider.chain=hadoop"
+SOLR_HADOOP_CREDENTIAL_PROVIDER_PATH=localjceks://file/home/solr/hadoop-credential-provider.jceks
+HADOOP_CREDSTORE_PASSWORD="credStorePass123"
+----
+====
+
+[example.tab-pane#credstore-windows]
+=====
+[.tab-label]*Windows Example*
+[source,text]
+----
+set SOLR_OPTS=" -Dsolr.ssl.credential.provider.chain=hadoop"
+set SOLR_HADOOP_CREDENTIAL_PROVIDER_PATH=localjceks://file/home/solr/hadoop-credential-provider.jceks
+set HADOOP_CREDSTORE_PASSWORD="credStorePass123"
+----
+=====
+--
+
== SSL with SolrCloud
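Review bot: The new *nix and Windows examples put `HADOOP_CREDSTORE_PASSWORD="credStorePass123"` in clear text next to the provider path, and the section never says how that value should be protected, so the password that unlocks all four keystore entries ends up in a plain-text file. Add a sentence on restricting read access to the include script or supplying the variable from the service environment, and mark the sample value as a placeholder. Smaller points in the same hunk: "Solr needs requires three parameters" should be "Solr requires three parameters"; "they will fallback to" should be "they will fall back to"; the `credstore-windows` pane is delimited with `=====` while the other three tab panes use `====`; and "Create a Hadoop credstore file" gives no command or link showing how to create one.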