# Security Configuration

## 1. Security Overview

### 1.1 Security Layers

| Layer | Description |
|---|---|
| Authentication | Identity verification |
| Authorization | Access control |
| Encryption | Transport encryption |
| Audit | Operation logs |

### 1.2 Security Framework

Solr uses a pluggable security framework:

- Authentication Plugin
- Authorization Plugin

## 2. Authentication Configuration

### 2.1 Basic Authentication

Enable Basic authentication:

```bash
# Create security.json
cat > security.json << 'EOF'
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "admin": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiWN3IcuJ2=",
      "user": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiWN3IcuJ2="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      },
      {
        "name": "collection-admin-edit",
        "role": "admin"
      },
      {
        "name": "read",
        "role": "user"
      }
    ],
    "user-role": {
      "admin": ["admin"],
      "user": ["user"]
    }
  }
}
EOF

# Upload to ZooKeeper
bin/solr zk cp file:security.json zk:security.json -z localhost:9983
```

Each value under `credentials` must be the string Solr derives from the password: a base64 SHA-256 hash, a space, and the base64 salt that was used. A hash without its salt half cannot be verified, so generate the value with Solr's own algorithm rather than copying one from a tutorial.
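The following is an added example, not code from this page or from the Solr project. It reproduces the digest that Solr's `Sha256AuthenticationProvider` applies to Basic-auth passwords, `base64(sha256(sha256(salt_bytes + password_utf8)))` with a random 32-byte salt, and uses it to produce and verify the `"HASH SALT"` strings that go into `security.json`. The function names, the sample user names and passwords, and the permission set in `build_security_json` are assumptions made here; only the Python standard library is required. The hash on the page above is the hash half of the Solr Reference Guide sample (password `SolrRocks`) with its salt half missing, which is why `verify_credential` rejects it.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional


def solr_password_hash(password: str, salt_b64: str) -> str:
    """Digest used by Solr's Sha256AuthenticationProvider:
    base64( sha256( sha256( salt_bytes + password_utf8 ) ) )."""
    salt = base64.b64decode(salt_b64)
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    second = hashlib.sha256(first).digest()
    return base64.b64encode(second).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build the 'HASH SALT' string stored under credentials in security.json.
    A fresh 32-byte random salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(32)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{solr_password_hash(password, salt_b64)} {salt_b64}"


def verify_credential(password: str, stored: str) -> bool:
    """Check a password against a stored 'HASH SALT' value.
    A value with no salt half (as copied on the page) can never verify."""
    parts = stored.split(" ")
    if len(parts) != 2 or not all(parts):
        return False
    stored_hash, salt_b64 = parts
    # Constant-time comparison so a verifier cannot leak hash prefixes via timing.
    return hmac.compare_digest(solr_password_hash(password, salt_b64), stored_hash)


def build_security_json(users: Dict[str, str], user_roles: Dict[str, List[str]]) -> str:
    """Render a minimal security.json in the shape used on this page, with
    freshly hashed credentials and blockUnknown enabled (assumed policy)."""
    doc = {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,
            "credentials": {u: make_credential(p) for u, p in users.items()},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [
                {"name": "security-edit", "role": "admin"},
                {"name": "collection-admin-edit", "role": "admin"},
                {"name": "read", "role": "reader"},
            ],
            "user-role": user_roles,
        },
    }
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    # Constructed sample users; replace the passwords before uploading to ZooKeeper.
    print(build_security_json(
        {"admin": "change-me-admin", "reader": "change-me-reader"},
        {"admin": ["admin"], "reader": ["reader"]},
    ))
```

Run the script, redirect its output to `security.json`, and upload it with the `bin/solr zk cp` command shown above; passwords later changed through the `set-user` API are hashed by Solr in the same way, so the two methods can be mixed.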

### 2.2 Managing Users

Add a user:

```bash
curl -u admin:password -X POST "http://localhost:8983/solr/admin/authentication" \
  -H "Content-Type: application/json" \
  -d '{
    "set-user": {
      "newuser": "newpassword"
    }
  }'
```

Delete a user:

```bash
curl -u admin:password -X POST "http://localhost:8983/solr/admin/authentication" \
  -H "Content-Type: application/json" \
  -d '{
    "delete-user": ["olduser"]
  }'
```

Change a password:

```bash
curl -u admin:password -X POST "http://localhost:8983/solr/admin/authentication" \
  -H "Content-Type: application/json" \
  -d '{
    "set-user": {
      "admin": "newpassword"
    }
  }'
```

### 2.3 Using Authentication

```bash
# Access with credentials
curl -u admin:password "http://localhost:8983/solr/mycore/select?q=*:*"
```

## 3. Authorization Configuration

### 3.1 Permission Types

| Permission | Description |
|---|---|
| security-edit | Edit security configuration |
| security-read | Read security configuration |
| collection-admin-edit | Collection administration |
| collection-admin-read | Read collection information |
| core-admin-edit | Core administration |
| core-admin-read | Read core information |
| read | Read permission |
| update | Update permission |
| all | All permissions |

### 3.2 Configuring Permissions

```bash
curl -u admin:password -X POST "http://localhost:8983/solr/admin/authorization" \
  -H "Content-Type: application/json" \
  -d '{
    "set-permission": {
      "name": "read",
      "role": "reader"
    }
  }'
```

### 3.3 Configuring Roles

`set-user-role` maps a user name to the roles it holds. The role name must match the one used in the permission, so the user `reader` is given the `reader` role defined above:

```bash
curl -u admin:password -X POST "http://localhost:8983/solr/admin/authorization" \
  -H "Content-Type: application/json" \
  -d '{
    "set-user-role": {
      "reader": ["reader"]
    }
  }'
```

### 3.4 Collection-Level Permissions

```bash
curl -u admin:password -X POST "http://localhost:8983/solr/admin/authorization" \
  -H "Content-Type: application/json" \
  -d '{
    "set-permission": {
      "name": "read",
      "collection": "mycollection",
      "role": "mycollection_reader"
    }
  }'
```

## 4. SSL/TLS Configuration

### 4.1 Generating Certificates

```bash
# Generate the keystore
keytool -genkeypair -alias solr-ssl \
  -keyalg RSA -keysize 2048 \
  -storetype PKCS12 \
  -keystore solr-ssl.keystore.p12 \
  -storepass password \
  -keypass password \
  -validity 365 \
  -ext SAN=DNS:localhost,IP:127.0.0.1

# Export the certificate
keytool -exportcert -alias solr-ssl \
  -keystore solr-ssl.keystore.p12 \
  -storepass password \
  -rfc -file solr-ssl.pem

# Import it into the truststore
keytool -importcert -alias solr-ssl \
  -file solr-ssl.pem \
  -keystore solr-ssl.truststore.p12 \
  -storepass password -noprompt
```

### 4.2 Configuring Solr

`solr.in.sh`:

```bash
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=etc/solr-ssl.truststore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=password
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_CHECK_PEER_NAME=true
```

### 4.3 Starting with SSL

```bash
bin/solr start -p 8984 -s example/cloud/node2/solr
```

### 4.4 Accessing over HTTPS

```bash
curl --cacert solr-ssl.pem -u admin:password "https://localhost:8983/solr/mycore/select?q=*:*"
```

## 5. IP Filtering

### 5.1 Configuring an IP Whitelist

```xml
<!-- solrconfig.xml -->
<requestHandler name="/select" class="solr.SearchHandler">
  <lst name="defaults">
    <str name="echoParams">explicit</str>
  </lst>
  <lst name="appends">
    <str name="ipWhiteList">192.168.1.0/24</str>
    <str name="ipWhiteList">10.0.0.0/8</str>
  </lst>
</requestHandler>
```

## 6. Security Best Practices

### 6.1 Password Policy

- Use strong passwords
- Rotate passwords regularly
- Use a password manager

### 6.2 Principle of Least Privilege

- Grant only the permissions that are needed
- Manage permissions through roles
- Review permissions regularly

### 6.3 Network Security

- Restrict access with a firewall
- Open only the ports that are needed
- Access through a VPN

### 6.4 Audit Logging

```xml
<updateHandler class="solr.DirectUpdateHandler2">
  <updateLog>
    <str name="dir">${solr.ulog.dir:}</str>
  </updateLog>
</updateHandler>
```

### 6.5 Regular Security Checks

- Review user permissions
- Review the security configuration
- Apply security patches

## 7. Security Configuration Example

### 7.1 Complete security.json

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "admin": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiWN3IcuJ2="
    },
    "blockUnknown": true
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      },
      {
        "name": "collection-admin-edit",
        "role": "admin"
      },
      {
        "name": "collection-admin-read",
        "role": "admin"
      },
      {
        "name": "read",
        "role": "reader"
      },
      {
        "name": "update",
        "role": "writer"
      }
    ],
    "user-role": {
      "admin": ["admin"],
      "reader": ["reader"],
      "writer": ["writer"]
    }
  }
}
```
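A practitioner reviewing a `security.json` like the one above, or the permission and role mappings built up in section 3, wants a mechanical check that the pieces fit together: `blockUnknown` is on, every permission role is actually held by some user (a typo between `set-permission` and `set-user-role` silently produces a permission nobody can use), every user with roles has a credential, credentials carry both hash and salt, and `security-edit` is locked to a role. The following linter is an added example, not code from this page or the Solr project; the check names and finding wording are assumptions, and the second sample document is constructed to show the role mismatch.

```python
import json
from typing import Any, Dict, List, Union

# Sample input 1: the page's section 7.1 security.json, embedded verbatim.
PAGE_EXAMPLE = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"admin": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiWN3IcuJ2="},
    "blockUnknown": true
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-edit", "role": "admin"},
      {"name": "collection-admin-edit", "role": "admin"},
      {"name": "collection-admin-read", "role": "admin"},
      {"name": "read", "role": "reader"},
      {"name": "update", "role": "writer"}
    ],
    "user-role": {"admin": ["admin"], "reader": ["reader"], "writer": ["writer"]}
  }
}
"""

# Sample input 2 (constructed): the permission wants role "reader" but the user
# was given role "read", and blockUnknown was never set.
MISMATCHED_EXAMPLE = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"admin": "HASH SALT", "reader": "HASH SALT"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-edit", "role": "admin"},
      {"name": "read", "role": "reader"}
    ],
    "user-role": {"admin": ["admin"], "reader": ["read"]}
  }
}
"""


def _as_list(value: Any) -> List[str]:
    """Solr accepts a single role string or a list of roles; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_security_json(doc: Union[str, Dict[str, Any]]) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings: List[str] = []
    auth = doc.get("authentication", {})
    authz = doc.get("authorization", {})
    credentials = auth.get("credentials", {})

    if auth.get("blockUnknown") is not True:
        findings.append("authentication.blockUnknown is not true: unauthenticated "
                        "requests reach any path not covered by a permission")

    for user, cred in credentials.items():
        parts = str(cred).split(" ")
        if len(parts) != 2 or not all(parts):
            findings.append(f"credential for '{user}' is not in 'HASH SALT' form")

    held_roles = set()
    for user, roles in authz.get("user-role", {}).items():
        held_roles.update(_as_list(roles))
        if user not in credentials:
            findings.append(f"user-role entry for '{user}' has no matching credential")

    permission_names = set()
    for perm in authz.get("permissions", []):
        name = perm.get("name")
        permission_names.add(name)
        roles = _as_list(perm.get("role"))
        if not roles:
            findings.append(f"permission '{name}' has no role, so it does not restrict access")
        for role in roles:
            if role != "*" and role not in held_roles:
                findings.append(f"permission '{name}' references role '{role}' that no user holds")

    if not permission_names & {"security-edit", "all"}:
        findings.append("no 'security-edit' permission: any authenticated user can change security.json")
    return findings


if __name__ == "__main__":
    for label, sample in (("page example", PAGE_EXAMPLE), ("mismatched example", MISMATCHED_EXAMPLE)):
        print(f"== {label} ==")
        for finding in lint_security_json(sample) or ["no findings"]:
            print(" -", finding)
```

Run it against a copy pulled from ZooKeeper (`bin/solr zk cp zk:security.json file:security.json -z localhost:9983`, the reverse of the upload in section 2.1) as part of the regular checks in section 6.5. On the page's own 7.1 example it reports the salt-less `admin` credential and the `reader` and `writer` users that have roles but no credentials, which is exactly what would stop those users from logging in.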

## 8. Summary

Key points of security configuration:

| Layer | Configuration |
|---|---|
| Authentication | Basic authentication |
| Authorization | Role-based permissions |
| Encryption | SSL/TLS |
| Network | IP filtering, firewall |

Best practices:

- Enable authentication and authorization
- Use SSL/TLS encryption
- Follow the principle of least privilege
- Perform regular security audits

Next, let's learn about backup and recovery!

Last updated: 2026-03-27