...
- Install and configure MIT Kerberos. If you have Active Directory in your environment, you can use Active Directory as your Kerberos KDC instead.
- Create the principal "solr" in your KDC. It can be host-specific or headless.
For an MIT KDC, log in as root on the server that runs the KDC and create the keytabs for the solr and HTTP principals:
```bash
# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -randkey solr@EXAMPLE.COM
WARNING: no policy specified for solr@EXAMPLE.COM; defaulting to no policy
Principal "solr@EXAMPLE.COM" created.
kadmin.local: xst -k solr.keytab solr@EXAMPLE.COM
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:solr.keytab.
kadmin.local: quit
```
The above example creates a headless keytab for the service user "solr". It is recommended to create a keytab per host instead. To do that, for each host where Solr is going to run, create a principal as above but include the host name in the principal, e.g. addprinc -randkey solr/${HOST1}@EXAMPLE.COM, replacing ${HOST1} with the actual host name. Note that the export above also wrote DES, 3DES and RC4 keys into the keytab because the KDC's default policy allowed them; these encryption types are weak, so restrict what is exported (the -e option of xst, or supported_enctypes in kdc.conf) unless you have clients that still require them.
You will also need another keytab for SPNEGO, which Solr uses to authenticate HTTP requests. Follow the same process but replace solr with HTTP. Keep in mind that a SPNEGO client (browser or curl) requests a service ticket for HTTP/<fully qualified host name of the Solr node>, so in practice this principal is also created per host. E.g.
```bash
# kadmin.local
kadmin.local: addprinc -randkey HTTP@EXAMPLE.COM
kadmin.local: xst -k HTTP.keytab HTTP@EXAMPLE.COM
kadmin.local: quit
```
After the keytabs are created, copy them to every host running Solr. Each keytab must be owned by the solr user and have mode 400, so that only the Solr process can read it: a keytab is equivalent to the principal's password.
```bash
# mkdir -p /etc/solr/conf
# (scp both keytab files into /etc/solr/conf)
# chown solr:solr /etc/solr/conf/solr.keytab
# chmod 400 /etc/solr/conf/solr.keytab
# chown solr:solr /etc/solr/conf/HTTP.keytab
# chmod 400 /etc/solr/conf/HTTP.keytab
```
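The following script ties the per-host procedure above together. It is an added example, not part of this wiki page or of Solr: it generates the kadmin.local commands for the solr/<host> and HTTP/<host> principals, scans xst or klist output for the weak encryption types seen in the transcript above, and installs and checks a keytab with the ownership and mode the page requires. The host list, the keytab naming scheme solr-<host>.keytab / HTTP-<host>.keytab, the choice to export only AES keys, and the use of GNU coreutils (stat -c, install) are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example (not from the Solr wiki page): helpers for the per-host keytab procedure.
# Assumptions (not from the page): keytab names solr-<host>.keytab / HTTP-<host>.keytab,
# AES-only exports, GNU coreutils (stat -c, install).

KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"
# Key types to export. The page's transcript shows DES/3DES/RC4 entries because the
# KDC default allowed them; giving xst an explicit list keeps them out of the keytab.
KEYTAB_ENCTYPES="aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal"

# Emit the kadmin.local commands for one Solr host: a service principal solr/<host>
# and an SPNEGO principal HTTP/<host>, each exported into its own keytab.
# Usage: for h in solr1.example.com solr2.example.com; do kadmin_script_for_host "$h"; done | kadmin.local
kadmin_script_for_host() {
    local host="$1"
    printf 'addprinc -randkey solr/%s@%s\n' "$host" "$KRB_REALM"
    printf 'xst -e %s -k solr-%s.keytab solr/%s@%s\n' "$KEYTAB_ENCTYPES" "$host" "$host" "$KRB_REALM"
    printf 'addprinc -randkey HTTP/%s@%s\n' "$host" "$KRB_REALM"
    printf 'xst -e %s -k HTTP-%s.keytab HTTP/%s@%s\n' "$KEYTAB_ENCTYPES" "$host" "$host" "$KRB_REALM"
}

# Read xst or "klist -kt" output on stdin and print each weak encryption type found,
# one per line, sorted and deduplicated. Prints nothing (and still succeeds) for a clean keytab.
weak_enctypes_in() {
    { grep -oE '(des-cbc-(crc|md4|md5)|des3-cbc-sha1|des-hmac-sha1|arcfour-hmac(-exp)?)' || true; } \
        | LC_ALL=C sort -u
}

# Copy a keytab into the Solr config directory with the page's ownership and mode
# (owner solr, mode 400). The owner is a parameter so the function can be exercised unprivileged.
install_keytab() {
    local src="$1" dest_dir="$2" owner="${3:-solr}"
    install -d -m 750 "$dest_dir"
    install -m 400 -o "$owner" -g "$(id -gn "$owner")" "$src" "$dest_dir/$(basename "$src")"
}

# Verify a deployed keytab: it must exist, be owned by the expected user and be mode 400.
# Returns 0 when correct, 1 (with a message on stderr) otherwise.
check_keytab_perms() {
    local file="$1" owner="${2:-solr}" mode fowner
    if [ ! -f "$file" ]; then
        echo "missing keytab: $file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    fowner=$(stat -c '%U' "$file")
    if [ "$mode" != "400" ] || [ "$fowner" != "$owner" ]; then
        echo "bad permissions on $file: owner=$fowner mode=$mode (want owner=$owner mode=400)" >&2
        return 1
    fi
    return 0
}

# xst output copied from the transcript on this page, used as sample input for weak_enctypes_in.
SAMPLE_XST_OUTPUT='Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:solr.keytab.'
```

Run `printf '%s\n' "$SAMPLE_XST_OUTPUT" | weak_enctypes_in` to see the four weak types the page's export produced; after deploying, `check_keytab_perms /etc/solr/conf/solr.keytab` makes a quick post-copy check that the file is not world-readable. Generating the kadmin commands rather than typing them keeps the principal and keytab names consistent across hosts, which matters because the HTTP/<host> name must match the name the SPNEGO client asks the KDC for.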
...