Support Questions

Find answers, ask questions, and share your expertise

On an unkerborized cluster, how can I get ranger solr to work? Can I get solr ranger working without kerberos?

avatar
Contributor

Hi,

Trying to enable Ranger audit through solr on a non-kerborized cluster.

Not able to get the audits written to Solr.

Is kerborization a must for Solr Ranger to work?

How can I get it working?

1 ACCEPTED SOLUTION

avatar

Yes you need Kerberos for Ranger to manage Solr.

See also

https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html

(Updated)

Or are you referring to Solr Auditing for Ranger. In that case you do not need Kerberos.

For Solr Audit see the following:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/solr_ranger_... and

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/audit_to_sol...

If you did the necessary install and Solr audits are not showing, I had a case where I did a ps -ef | ranger and it was running under the wrong uid. I had to kill it first and then restart from Ambari to get the Solr audits to work.

View solution in original post

7 REPLIES 7

avatar

Yes you need Kerberos for Ranger to manage Solr.

See also

https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html

(Updated)

Or are you referring to Solr Auditing for Ranger. In that case you do not need Kerberos.

For Solr Audit see the following:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/solr_ranger_... and

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/audit_to_sol...

If you did the necessary install and Solr audits are not showing, I had a case where I did a ps -ef | ranger and it was running under the wrong uid. I had to kill it first and then restart from Ambari to get the Solr audits to work.

avatar
Contributor

Ok, thank you for the response. For enabling Solr Audit, can you give me the link?

Are you talking about the link --

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/solr_ranger_...

and then the link below:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/audit_to_sol...

?

If so, after performing the steps mentioned in the above, I do not see any thing in the Ranger Audit - "Access" tab. Is that the expected behavior?

avatar

I recommend doing the Solr Standalone. I have always had an issue with Solr Cloud for Ranger Auditing.

Are you sure in Advanced ranger-admin-site everything is set appropriately?

If you are using the HDFS or Hive plug in did you turn Auri to Solr on?

1924-screen-shot-2016-02-08-at-22940-pm.png

avatar
Contributor

Yes, I have set up the SolrCloud following the document link that I pasted earlier. And then in the Ambari Ranger configuration, enabled SolrAudit ("Audit to Solr" ie. xasecure.audit.destination.solr).

The configuration set to

ranger.audit.solr.urls = http://solr_host:6083/solr/ranger_audits

But once, I enabled SolrCloud ie. (is_SolrCloud_enabled) , then the property changed to be

ranger.audit.solr.urls = solr_host:2181/ranger_audits

Is this the correct behavior? I have the other properties as you mentioned.

Can I just have just SolrAudit ("Audit to Solr") enabled, and not have solrCloud?

avatar
Guru

@Ancil McBarnett: I also have requirement where i want to secure solr with Ranger but I don't have kerberos env. So is it possible to secure with Rnager without kerberos ?

avatar
Super Guru
@Saurabh Kuma

@Madhavi Amirneni

Let me try to explain how security works from a high level and why Ranger without Kerberos is useless.

Kerberos is what is used by many applications to authenticate a user. That is, to verify that the user is exactly who he says he is. Ranger is used as a next step in security. That is once you know, let's say a user name Alex is actually 'Alex', then does Alex have permissions to view a particular set of data. That is the job of Ranger. It enforces policies for users who have been authenticated.

Authentication of whether a user is actually who he says he is, is done by Kerberos. Without Kerberos you don't even know, if Alex is actually Alex. That's why there is no point in trying to enforce using Ranger a policy that Alex cannot access certain datasets or doing an audit on what Alex did when he logged in. Without Kerberos you are not even sure, was it really Alex, when someone named Alex logged in. Authorization and audit are pretty much useless at that point and that's why you need a Kerberized cluster before you enable authorization/auditing using Ranger.

avatar
Guru

Thanks @mqureshi. I understood your point and agree kerberos is always best option to secure cluster. But I am looking an alternative which I can use to secure solr like knox with ranger or something else. So do we have any alternative ?