[ https://issues.apache.org/jira/browse/SOLR-7950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hrishikesh Gadre updated SOLR-7950:
-----------------------------------
    Description: 
When using Kerberos authentication mechanism (SPNEGO auth scheme), the Apache 
Http client is incorrectly configured with *all* auth schemes (e.g. Basic, 
Digest, NTLM, Kerberos, Negotiate etc.) instead of just 'Negotiate'. 

This issue was identified after configuring Solr with both Basic + Negotiate 
authentication schemes simultaneously. The problem in this case is that Http 
client is configured with Kerberos credentials and the default (and incorrect) 
auth scheme configuration prefers Basic authentication over Kerberos. Since the 
basic authentication credentials are missing, the authentication and as a 
result the Http request fails. (I ran into this problem while creating a 
collection where there is an internal communication between Solr servers).

The root cause for this issue is that the AbstractHttpClient::getAuthSchemes() API 
call prepares an AuthSchemeRegistry instance with all possible authentication 
schemes. Hence when we register the SPNEGO auth scheme in Solr codebase, it 
overrides the previous configuration for SPNEGO - but doesn't remove the other 
auth schemes from the client configuration. Please take a look at the relevant code 
snippet.

https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80

A trivial fix would be to prepare a new AuthSchemeRegistry instance configured 
with just SPNEGO mechanism and set it in the HttpClient.

  was:
When using kerberos authentication mechanism (SPNEGO auth scheme), the Apache 
Http client is incorrectly configured with *all* auth schemes (e.g. Basic, 
Digest, NTLM, Kerberos, Negotiate etc.) instead of just 'Negotiate'. 

This issue was identified after configuring Solr with both Basic + Negotiate 
authentication schemes simultaneously. The problem in this case is that Http 
client is configured with Kerberos credentials and the default (and incorrect) 
auth scheme configuration prefers Basic authentication over Kerberos. Since the 
basic authentication credentials are missing, the authentication and as a 
result the Http request fails. (I ran into this problem while creating a 
collection where there is an internal communication between Solr servers).

The root cause for this issue is that, AbstractHttpClient::getAuthSchemes() API 
call prepares an AuthSchemeRegistry instance with all possible authentication 
schemes. Hence when we register the SPNEGO auth scheme in Solr codebase, it 
overrides the previous configuration for SPNEGO - but doesn't remove the other 
auth schemes from the client configuration. Please take a look at relevant code 
snippet.

https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80

A trivial fix would be prepare a new AuthSchemeRegistry instance configured 
with just SPENGO mechanism and set it in the HttpClient.


> Invalid auth scheme configuration of Http client when using Kerberos (SPNEGO)
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-7950
>                 URL: https://issues.apache.org/jira/browse/SOLR-7950
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 4.10.3, Trunk
>            Reporter: Hrishikesh Gadre
>
> When using Kerberos authentication mechanism (SPNEGO auth scheme), the Apache 
> Http client is incorrectly configured with *all* auth schemes (e.g. Basic, 
> Digest, NTLM, Kerberos, Negotiate etc.) instead of just 'Negotiate'. 
> This issue was identified after configuring Solr with both Basic + Negotiate 
> authentication schemes simultaneously. The problem in this case is that Http 
> client is configured with Kerberos credentials and the default (and 
> incorrect) auth scheme configuration prefers Basic authentication over 
> Kerberos. Since the basic authentication credentials are missing, the 
> authentication and as a result the Http request fails. (I ran into this 
> problem while creating a collection where there is an internal communication 
> between Solr servers).
> The root cause for this issue is that the AbstractHttpClient::getAuthSchemes() 
> API call prepares an AuthSchemeRegistry instance with all possible 
> authentication schemes. Hence when we register the SPNEGO auth scheme in Solr 
> codebase, it overrides the previous configuration for SPNEGO - but doesn't 
> remove the other auth schemes from the client configuration. Please take a 
> look at the relevant code snippet.
> https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80
> A trivial fix would be to prepare a new AuthSchemeRegistry instance 
> configured with just SPNEGO mechanism and set it in the HttpClient.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
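
The registry behaviour described in the report, next to the proposed fix, as an added example that is not part of the original message and is not Solr's Krb5HttpClientConfigurer code. It assumes Apache HttpClient 4.2 or later on the classpath (the AbstractHttpClient-era API the report names); the class and method names are hypothetical.

```java
import java.util.List;
import java.util.Locale;

import org.apache.http.auth.AuthSchemeRegistry;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;

/** Added example (hypothetical class), not code from the Solr code base. */
public class SpnegoOnlyRegistryExample {

  /** Pattern from the report: register SPNEGO on the client's existing registry. */
  static List<String> registerOnDefaultRegistry(DefaultHttpClient client) {
    // getAuthSchemes() hands back the registry the client filled with its defaults,
    // so this replaces the SPNEGO entry and leaves every other scheme registered.
    client.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
    return client.getAuthSchemes().getSchemeNames();
  }

  /** Fix proposed in the report: a fresh registry holding SPNEGO and nothing else. */
  static List<String> installSpnegoOnlyRegistry(DefaultHttpClient client) {
    AuthSchemeRegistry registry = new AuthSchemeRegistry();
    registry.register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
    client.setAuthSchemes(registry);
    return client.getAuthSchemes().getSchemeNames();
  }

  /** Guard a unit test or startup check can apply to the configured client. */
  static void requireOnlySpnego(List<String> schemeNames) {
    // The registry stores scheme names in lower case.
    String spnego = AuthPolicy.SPNEGO.toLowerCase(Locale.ROOT);
    if (schemeNames.size() != 1 || !schemeNames.contains(spnego)) {
      throw new IllegalStateException("unexpected auth schemes: " + schemeNames);
    }
  }

  public static void main(String[] args) {
    DefaultHttpClient client = new DefaultHttpClient();
    try {
      System.out.println("shared registry: " + registerOnDefaultRegistry(client));
      System.out.println("fresh registry:  " + installSpnegoOnlyRegistry(client));
      requireOnlySpnego(client.getAuthSchemes().getSchemeNames());
    } finally {
      client.getConnectionManager().shutdown();
    }
  }
}
```

Running `requireOnlySpnego` against the list returned by `registerOnDefaultRegistry` throws, which makes the leftover schemes visible in a test rather than at request time.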
