...

  • Install and configure MIT Kerberos. If you have Active Directory in your environment, you can use Active Directory as your Kerberos KDC.
  • Create the principal "solr" in your KDC. You can make it host-specific or headless.
    • For an MIT KDC, log in as root on the server that hosts the KDC and create the keytabs for the solr user and for HTTP:

      # kadmin.local
      Authenticating as principal root/admin@EXAMPLE.COM with password.
      kadmin.local:  addprinc -randkey solr@EXAMPLE.COM
      WARNING: no policy specified for solr@EXAMPLE.COM; defaulting to no policy
      Principal "solr@EXAMPLE.COM" created.
      kadmin.local:  xst -k solr.keytab solr@EXAMPLE.COM
      Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:solr.keytab.
      Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:solr.keytab.
      Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:solr.keytab.
      Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:solr.keytab.
      Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:solr.keytab.
      Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:solr.keytab.
      kadmin.local:  quit
      
      
    • The above example creates a headless keytab for the service user "solr". It is recommended to create a keytab per host. To do that, for each host where Solr is going to run, create a principal as above, but include the host in the principal name, e.g. addprinc -randkey solr/${HOST1}@EXAMPLE.COM. Replace ${HOST1} with the actual host name.

    • You will also need another keytab for SPNEGO. Solr uses it to authenticate HTTP requests. Follow the process above, but replace solr with HTTP, e.g.:

      # kadmin.local
      kadmin.local:  addprinc -randkey HTTP@EXAMPLE.COM
      kadmin.local:  xst -k HTTP.keytab HTTP@EXAMPLE.COM
      kadmin.local:  quit
      
      
    • After the keytabs are created, copy them to all the hosts running Solr, then chown them to solr and chmod them to 400:

      # mkdir -p /etc/solr/conf
      # #scp both the keytab files to the above folder
      # chown solr:solr /etc/solr/conf/solr.keytab
      # chmod 400 /etc/solr/conf/solr.keytab
      # chown solr:solr /etc/solr/conf/HTTP.keytab
      # chmod 400 /etc/solr/conf/HTTP.keytab
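
A post-deployment check for the steps above, added here as an example and not part of the original page or of Solr: it verifies that each keytab is mode 400 and owned by solr, and lists the deprecated encryption types (DES, 3DES, RC4) that appear in xst output such as the transcript shown earlier. The function names and the sample transcript are constructed for illustration; the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: audit the keytab deployment described above.

# Print "<octal mode> <owner>" for a file (GNU stat first, then BSD stat).
file_mode_owner() {
  stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# Succeed only if the keytab exists, has mode 400 and the expected owner.
check_keytab() {
  kt_path=$1; kt_want=$2
  [ -f "$kt_path" ] || { echo "MISSING $kt_path"; return 1; }
  kt_mo=$(file_mode_owner "$kt_path")
  kt_mode=${kt_mo% *}; kt_owner=${kt_mo#* }
  if [ "$kt_mode" != 400 ] || [ "$kt_owner" != "$kt_want" ]; then
    echo "FAIL $kt_path mode=$kt_mode owner=$kt_owner (want 400 $kt_want)"
    return 1
  fi
  echo "OK $kt_path"
}

# Read kadmin "xst" output on stdin and print every deprecated enctype in it.
# DES is deprecated by RFC 6649; 3DES and RC4 (arcfour) by RFC 8429.
weak_enctypes() {
  sed -n 's/.*encryption type \([^ ]*\) added to keytab.*/\1/p' |
    grep -E '^(des-|des3-|arcfour-)' || true
}

# Constructed sample in the same shape as the xst output shown above.
SAMPLE_XST='Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:solr.keytab.
Entry for principal solr@EXAMPLE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:solr.keytab.'

# Check both keytabs at the paths used on this page.
audit_solr_keytabs() {
  rc=0
  for kt in /etc/solr/conf/solr.keytab /etc/solr/conf/HTTP.keytab; do
    check_keytab "$kt" solr || rc=1
  done
  return $rc
}

printf '%s\n' "$SAMPLE_XST" | weak_enctypes
audit_solr_keytabs || echo "keytab audit failed"
```

Any encryption type this prints can be kept out of newly exported keytabs by limiting supported_enctypes in kdc.conf or by passing -e to xst.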

...