Solr Forward Authentication Plugin

A simple forward authentication plugin for Solr. Forward authentication moves the authentication process out of Solr into a reverse proxy like Traefik or Nginx running in front of Solr.

After authentication, the authenticated user is sent to Solr via a HTTP header. This plugins lets Solr accept this header and set the authenticated user accordingly.

How to use the plugin

Before using the plugin, please be familiar with Solr authentication and authorization.

To use the plugin, drop the release jar into the library directory of your Solr installation.

Configure authentication & authorization

To activate authentication & authorization, place a security.json in your Zookeeper root.

To activate forward authentication in Solr, use the ForwardAuthPlugin class as authentication class.

The httpUserHeader is an optional configuration.

{
    "authentication": {
        "class": "cool.solr.security.ForwardAuthPlugin",
        "httpUserHeader": "X-Forwarded-User"
    },
    "authorization": {
        "class": "cool.solr.security.DefaultRuleBasedAuthorizationPlugin",
        "defaultRole": "admin",
        "permissions": [
            {
                "name": "all",
                "role": "admin"
            }
        ]
    }
}

For authorization, the DefaultRuleBasedAuthorizationPlugin extends the RuleBasedAuthorizationPlugin by assigning users without an explicit user-role mapping a defaultRole.

Example

The examples folder contains a simple Docker Compose ensemble. From inside the directory, launch the Solr/Zookeeper ensemble:

$ docker-compose up

# Test connectivity (should return 200 OK)
$ curl -s "http://localhost:8983/api/node/system" | jq .security
{
  "tls": false
}

# Activate security
$ docker exec -it solr solr zk cp file:/opt/solr/server/solr/security.json zk:/security.json -z zookeeper:2181

# Test security (should return no data as we are not authorized)
$ curl "http://localhost:8983/api/node/system"

# Fake forward authentication (should return 200)
$ curl -sH "X-Forwarded-User: alice" "http://localhost:8983/api/node/system" \
    | jq .security
{
  "authenticationPlugin": "cool.solr.security.ForwardAuthPlugin",
  "authorizationPlugin": "cool.solr.security.DefaultRuleBasedAuthorizationPlugin",
  "username": "alice",
  "roles": [
    "admin"
  ],
  "tls": false
}

Building the project

This should install the current version into your local repository

$ ./mvn clean verify

License

This project is licensed under the Apache License, Version 2.