Add support for Solr authentication
Currently JanusGraph requires the Solr index backend to be unsecured to work. In some usage scenarios (e.g. production) this is unacceptable.
It is desirable to add support for any of the standard security mechanisms offered by Solr e.g.:
- SSL client-side authentication (preferred): https://lucene.apache.org/solr/guide/7_2/enabling-ssl.html#index-a-document-using-cloudsolrclient
- HTTP basic auth with user/password (basic): https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html#using-basic-auth-with-solrj
Hi, is anyone working on a PR for this?
My organization needs this for production and will provide a patch shortly.
For anyone stuck, providing values for the java system properties listed in this example at the Solr docs might be a viable workaround:
System.setProperty("javax.net.ssl.keyStore", "/path/to/solr-ssl.keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
System.setProperty("javax.net.ssl.trustStore", "/path/to/solr-ssl.keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "secret");
Note these properties would have to apply to the host JVM of the CloudSolrClient used by JanusGraph.
I still believe it would be best for JanusGraph to provide documented config options for Solr rather than having users attempt the workaround.
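As an added example (not code from this thread or from JanusGraph itself), the workaround above rolled into one helper: it applies the TLS system properties and Solr's documented preemptive Basic auth client factory before any SolrJ client exists in the JVM, then verifies the secured connection with a query instead of assuming it works. The ZooKeeper address, collection name and environment variable names are assumptions.

```java
import java.util.Collections;
import java.util.Optional;

import org.apache.solr.client.solrj.SolrQuery;
import org.apache.solr.client.solrj.impl.CloudSolrClient;
import org.apache.solr.client.solrj.request.QueryRequest;
import org.apache.solr.client.solrj.response.QueryResponse;

/** Assumed helper: secures the SolrJ client that JanusGraph's solr backend shares the JVM with. */
public final class SecuredSolrJvm {

    /** TLS material for the whole JVM; must run before any SolrJ client is created. */
    static void configureTls(String keyStore, String keyStorePw, String trustStore, String trustStorePw) {
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePw);
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePw);
    }

    /**
     * Preemptive HTTP Basic auth for every request SolrJ sends, via Solr's documented
     * PreemptiveBasicAuthClientBuilderFactory. HttpClientUtil reads these properties in its
     * static initializer, so they must be set before SolrJ is first touched.
     */
    static void configureBasicAuth(String user, String password) {
        System.setProperty("solr.httpclient.builder.factory",
                "org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory");
        System.setProperty("basicauth", user + ":" + password);
    }

    /** Proves the secured client can reach the collection before JanusGraph relies on it. */
    static long verify(CloudSolrClient client, String collection) throws Exception {
        QueryRequest req = new QueryRequest(new SolrQuery("*:*").setRows(0));
        QueryResponse rsp = req.process(client, collection); // a 401/403 surfaces as an exception
        return rsp.getResults().getNumFound();
    }

    public static void main(String[] args) throws Exception {
        // Secrets come from the environment rather than being hard-coded (assumed variable names).
        String ks = System.getenv("SOLR_KEYSTORE"), ksPw = System.getenv("SOLR_KEYSTORE_PASSWORD");
        configureTls(ks, ksPw, ks, ksPw);
        configureBasicAuth(System.getenv("SOLR_USER"), System.getenv("SOLR_PASSWORD"));

        try (CloudSolrClient client = new CloudSolrClient.Builder(
                Collections.singletonList("zk.example.internal:2181"), Optional.empty()).build()) {
            System.out.println("documents visible: " + verify(client, "janusgraph"));
        }
    }
}
```

System properties are readable by every class in the JVM (and by tools such as jinfo), so where you control the request objects the per-request `SolrRequest.setBasicAuthCredentials(user, password)` call from the same Solr docs page keeps the credential scoped more tightly.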
@callajd Hello, I am in the same situation as you were when this issue was opened.
Is there any PR merged to solve this issue?
@porunov @FlorianHockmann @li-boxuan @farodin91
Hi~ Based on CVE-2020-13957, CVE-2021-44228 and CVE-2021-45046, we need to update Solr to version 8.11.
So we need to add authentication to Solr, such as solr.BasicAuthPlugin. I think it will be an increasingly urgent problem.
Does our community have a plan to support this?
Specific configurations such as:
graph.index.search.solr.username=solr
graph.index.search.solr.password=solr
@cdmikechen
Solr was already updated to 8.11 on master in #2958 which will be released in version 1.0.0. We could probably also update it on branch 0.6 so it can be released earlier with the next 0.6 release. If you want, you can contribute a PR for this. That would of course be very welcome.
Apart from the update, authentication is of course an important feature also for the Solr backend. I guess nobody implemented it yet because we probably simply don't have many contributors who are using Solr. So, again, a contribution from someone who is interested in this feature would be really welcome. If someone wants to contribute but needs help to get started, then feel free to ask, either here directly, or on Discord or on our janusgraph-dev mailing list.
Regarding the specific CVEs that you mentioned:
CVE-2020-13957
The link you provided already mentions:
Unaffected Versions
Apache Solr version >= 8.6.3
So, JanusGraph isn't affected as it uses 8.9 already by default since version 0.6.0.
CVE-2021-44228
This is the Log4j2 vulnerability. We published an announcement for this CVE where the recommendation for Solr is simply to update your Solr installation. JanusGraph only uses the Solr driver in its janusgraph-solr index backend, but you need to install Solr on your own to which JanusGraph can then connect. So, you can also update your Solr installation on your own.
CVE-2021-45046
Solr doesn't seem to be affected by this as they describe here:
Solr is not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105. A listing of these and other CVEs with some justifications are listed in Solr's wiki: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools