Securing a Solr Instance
We're going to look at using two common Solr plugins - Basic Authentication & Rule-Based Authorization - to change the default solr administrator user to something more secure. Here's the plan:
- Adding a new user
- Assigning administrator permissions to the new user
- Removing the original solr user
Additionally, we'll be performing these actions via API so that direct access to your Solr server is not required.
Using Security.json
The is the default security.json file referenced throughout the Solr's documentation. You probably have seen it in other posts already. You can download it here.
{
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="},
"realm":"My Solr users",
"forwardCredentials": false
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{"name":"security-edit",
"role":"admin"}],
"user-role":{"solr":"admin"}
}
}
This file creates the the default admin user and password pairing of solr:SolrRocks. It's presence triggers Solr to require authentication.
For this tutorial, the security.json file needs to find its way into your Solr home directory. When you start Solr, you can confirm this directory location on your Solr dashboard (see below).
Those here from my FishStix: Setting up Solr for Sitecore post will already have security.json in their home directory.
Adding Your New User
With the command below, we're using the default admin user (solr) to create a new user (newuser) and set its password (newpass).
The same command is used to update existing user passwords:
curl --user solr:SolrRocks https://solrhostname/solr/admin/authentication
-H 'Content-type:application/json' -d '{"set-user": {"newuser" : "newpass" }}'
Make The New User An Administrator
Using the default admin user, we'll assign the new user (newuser) the role of admin.
curl --user solr:SolrRocks https://solrhostname/solr/admin/authorization
-H 'Content-type:application/json' -d '{"set-user-role" : { "newuser": ["admin"] } }'
Make The New User An Administrator
Now we'll use our new admin user (newuser) to remove our old out-of-the-box admin user (solr).
curl --user newuser:newpass https://solrhostname/solr/admin/authentication
-H 'Content-type:application/json' -d '{"delete-user": ["solr"]}'
Closing Thoughts
Solr supports many different forms of authentication including:
- Basic Authentication (Used)
- Hadoop Authentication
- Kerberos Authentication
- Rule-Based Authorization (Used)
- JWT Authenticaion (Cool!)
While this is not a definitive guide, it gives you 3 easy commands to get away from the dreaded default admin credentials of solr:SolrRocks and have a much more secure Solr instance. Thanks for reading!
