Certificate Authentication Plugin
Solr can support extracting the user principal out of the client’s certificate with the use of the CertAuthPlugin
.
Enable Certificate Authentication
For certificate authentication, the security.json
file must have an authentication
part which defines the class being used for authentication.
An example security.json
is shown below:
{
"authentication": {
"class":"solr.CertAuthPlugin"
}
}
json
Certificate Validation
Parts of certificate validation, including verifying the trust chain and peer hostname/ip address will be done by the web servlet container before the request ever reaches the authentication plugin. These checks are described in the Enabling SSL section.
This plugin provides no additional checking beyond what has been configured via SSL properties.
User Principal Extraction
This plugin will configure the user principal for the request based on the X500 subject present in the client certificate. Authorization plugins will need to accept and handle the full subject name, for example:
CN=Solr User,OU=Engineering,O=Example Inc.,C=US
text
A list of possible tags that can be present in the subject name is available in RFC-5280, Section 4.1.2.4. Values may have spaces, punctuation, and other characters.
It is best practice to verify the actual contents of certificates issued by your trusted certificate authority before configuring authorization based on the contents.
Using Certificate Auth with Clients (including SolrJ)
With certificate authentication enabled, all client requests must include a valid certificate. This is identical to the client requirements when using SSL.