Secure Solr By Changing The Default Username & Password

May 14, 2020

By Dan Cruickshank

Securing a Solr Instance

We're going to look at using two common Solr plugins - Basic Authentication & Rule-Based Authorization - to change the default solr administrator user to something more secure. Here's the plan:

  • Adding a new user
  • Assigning administrator permissions to the new user
  • Removing the original solr user

Additionally, we'll be performing these actions via API so that direct access to your Solr server is not required.

Using Security.json

The is the default security.json file referenced throughout the Solr's documentation. You probably have seen it in other posts already. You can download it here.

{
    "authentication":{ 
    "blockUnknown": true, 
    "class":"solr.BasicAuthPlugin",
    "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}, 
    "realm":"My Solr users", 
    "forwardCredentials": false 
    },
    "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[{"name":"security-edit",
        "role":"admin"}], 
    "user-role":{"solr":"admin"} 
    }
}

This file creates the the default admin user and password pairing of solr:SolrRocks. It's presence triggers Solr to require authentication.

For this tutorial, the security.json file needs to find its way into your Solr home directory. When you start Solr, you can confirm this directory location on your Solr dashboard (see below).

FishStix: Solr home directory.

Those here from my FishStix: Setting up Solr for Sitecore post will already have security.json in their home directory.

Adding Your New User

With the command below, we're using the default admin user (solr) to create a new user (newuser) and set its password (newpass).

The same command is used to update existing user passwords:

 
curl --user solr:SolrRocks https://solrhostname/solr/admin/authentication 
 -H 'Content-type:application/json' -d '{"set-user": {"newuser" : "newpass" }}'

Make The New User An Administrator

Using the default admin user, we'll assign the new user (newuser) the role of admin.

 
curl --user solr:SolrRocks https://solrhostname/solr/admin/authorization 
 -H 'Content-type:application/json' -d '{"set-user-role" : { "newuser": ["admin"] } }' 

Make The New User An Administrator

Now we'll use our new admin user (newuser) to remove our old out-of-the-box admin user (solr).

 
curl --user newuser:newpass https://solrhostname/solr/admin/authentication 
 -H 'Content-type:application/json' -d  '{"delete-user": ["solr"]}'

Closing Thoughts

Solr supports many different forms of authentication including:

While this is not a definitive guide, it gives you 3 easy commands to get away from the dreaded default admin credentials of solr:SolrRocks and have a much more secure Solr instance. Thanks for reading!

Dan Headshot

Dan Cruickshank

President | Sitecore MVP x 11

Dan is the founder of Fishtank. He's a multi-time Sitecore MVP and Coveo MVP award winner. Outside of technology, he is widely considered to be a top 3 father (routinely receiving "Father of the Year" accolades from his family) and past his prime on the basketball court.