Securing a Solr cluster

DataStax Enterprise supports secure enterprise search using Apache Solr 4.3 and Lucene. The security table summarizes the security features of DSE Search/Solr and other integrated components. DSE Search data is completely or partially secured by using DataStax Enterprise security features:

  • Object permission management

    Access to Solr documents, excluding cached data, can be limited to users who have been granted access permissions. Permission management also secures tables used to store Solr data.

  • Transparent data encryption

    Data at rest in Cassandra tables, excluding cached and Solr-indexed data, can be encrypted. Encryption occurs on the Cassandra side and impacts performance slightly.

  • Client-to-node encryption

    You can encrypt HTTP access to Solr data and internal, node-to-node Solr communication using SSL. Enable SSL node-to-node encryption on the Solr node by setting encryption options in the dse.yaml file as described in Client-to-node encryption.

  • Kerberos authentication

    You can authenticate DSE Search users through Kerberos authentication using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). To use the SolrJ API against DSE Search clusters with Kerberos authentication, client applications should use the SolrJ-Auth library and the DataStax Enterprise SolrJ component as described in the solrj-auth-README.md file.

You can also use HTTP Basic Authentication, but this is not recommended.

HTTP Basic Authentication

When you enable Cassandra's internal authentication by specifying authenticator: org.apache.cassandra.auth.PasswordAuthenticator in cassandra.yaml, clients must use HTTP Basic Authentication to provide credentials to Solr services. Due to the stateless nature of HTTP Basic Authentication, this can have a significant performance impact as the authentication process must be executed on each HTTP request. For this reason, DataStax does not recommend using internal authentication on DSE Search clusters in production. To secure DSE Search in production, enable DataStax Enterprise Kerberos authentication.

To configure DSE Search to use Cassandra's internal authentication, follow this configuration procedure:

  1. Comment out the AllowAllAuthenticator line and uncomment the PasswordAuthenticator line in cassandra.yaml to enable HTTP Basic Authentication for Solr.
    #authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
    authenticator: org.apache.cassandra.auth.PasswordAuthenticator
    #authenticator: com.datastax.bdp.cassandra.auth.PasswordAuthenticator
    #authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
  2. Configure the replication strategy for the system_auth keyspace.
  3. Start the server.
  4. Open a browser, and go to the service web page. For example, assuming you ran the Wikipedia demo, go to http://localhost:8983/demos/wikipedia/.

    The browser asks you for a Cassandra username and password.
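
A check for the edit made in step 1, written as an added example (not DataStax code): it reads the text of cassandra.yaml and reports which authenticator line is actually active, including the case where AllowAllAuthenticator was left uncommented next to PasswordAuthenticator. The function names, status labels and sample file contents are assumptions made for this illustration.

```python
import re

# Authenticator class names as they appear in the cassandra.yaml excerpt above.
ALLOW_ALL = "org.apache.cassandra.auth.AllowAllAuthenticator"
PASSWORD = "org.apache.cassandra.auth.PasswordAuthenticator"
KERBEROS = "com.datastax.bdp.cassandra.auth.KerberosAuthenticator"
_LINE = re.compile(r"^authenticator\s*:\s*(\S+)")


def active_authenticators(yaml_text):
    """Values of uncommented authenticator lines (matched at column 0 only)."""
    found = []
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop whole-line and trailing comments
        m = _LINE.match(line)
        if m:
            found.append(m.group(1).strip("'\""))
    return found


def audit(yaml_text):
    """Return (status, message); status is 'fail', 'warn' or 'ok'."""
    active = active_authenticators(yaml_text)
    if not active:
        return "fail", "no active authenticator line found"
    if len(active) > 1:
        return "fail", "multiple active authenticator lines: " + ", ".join(active)
    if active[0] == ALLOW_ALL:
        return "fail", "AllowAllAuthenticator is active: no authentication"
    if active[0] == KERBEROS:
        return "ok", "Kerberos authentication is active"
    if active[0].endswith(".PasswordAuthenticator"):
        return "warn", "internal authentication: Solr clients use HTTP Basic on every request"
    return "warn", "unrecognized authenticator: " + active[0]


# Constructed samples (not taken from a real cluster).
SAMPLE_AFTER_STEP_1 = """\
#authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
#authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
"""
SAMPLE_BOTH_ACTIVE = """\
authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
"""
if __name__ == "__main__":
    for name, text in [("after step 1", SAMPLE_AFTER_STEP_1), ("both active", SAMPLE_BOTH_ACTIVE)]:
        print(name, audit(text))
```

The "warn" result for PasswordAuthenticator reflects the recommendation above that production DSE Search clusters use Kerberos rather than internal authentication.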