Community Articles

Summary

Using Apache Solr as the indexing and search engine for Metron requires the Metron REST service to perform queries to multple collections. If the Ranger plugin is active there is currently a gotcha ( = Ranger Solr plugin bug). If you don't want to give the Metron user full access to all Solr collections here is a workaround.

The Problem

• 2+ Solr collections that are being queried: metaalert, cef,.... (and other parser collections):
• 1 user: metron
• 1 Ranger policy: user: "metron", access type: "Read", "Write", collections: "metaalert", "cef"

Query of metaalert collection returns content of metaalert collection as expected and logs event successfully in Ranger audit.

curl -k --negotiate -u : "http://solr_url:solr_port/solr/metaalert/search?q=*"

Query of cef collection returns content of cef collection as expected and logs it successfully in Ranger audit.

curl -k --negotiate -u : "http://solr_url:solr_port/solr/cef/search?q=*"

Query of metaalert and cef will return a "403 Unauthorized request". This is what the Metron REST server does:

curl -k --negotiate -u : "http://solr_url:solr_port/solr/metaalert/select?q=*&collections=metaalert,cef"

In Ranger audit we now see 3 lines:

• user: metron, resource: metaalert,cef, Result: Denied
• user: metron, resource: metaalert, Result: Allowed
• user: metron, resource: cef, Result: Allowed

Expectation would be that query is successfull!

Workaround(s)

• One workaround would be to give metron access to all collections: "*" . We usually don't want that on clusters, that are being used by other use cases.
• Another workaround would be to give metron access to "*metaalert*" collection.