[
https://issues.apache.org/jira/browse/SOLR-7950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14715574#comment-14715574
]
Gregory Chanan commented on SOLR-7950:
--------------------------------------
+1.
Patch looks good and thanks for the explanation. It sounds like from what
Ishan is saying there may be some more work integrating the HADOOP-12082 change
with Solr's own Basic Auth Plugin, but that can be done in another jira.
> Invalid auth scheme configuration of Http client when using Kerberos (SPNEGO)
> -----------------------------------------------------------------------------
>
> Key: SOLR-7950
> URL: https://issues.apache.org/jira/browse/SOLR-7950
> Project: Solr
> Issue Type: Bug
> Affects Versions: 4.10.3, Trunk
> Reporter: Hrishikesh Gadre
> Assignee: Gregory Chanan
> Attachments: solr-7950-v2.patch, solr-7950.patch
>
>
> When using kerberos authentication mechanism (SPNEGO auth scheme), the Apache
> Http client is incorrectly configured with *all* auth schemes (e.g. Basic,
> Digest, NTLM, Kerberos, Negotiate etc.) instead of just 'Negotiate'.
> This issue was identified after configuring Solr with both Basic + Negotiate
> authentication schemes simultaneously. The problem in this case is that Http
> client is configured with Kerberos credentials and the default (and
> incorrect) auth scheme configuration prefers Basic authentication over
> Kerberos. Since the basic authentication credentials are missing, the
> authentication and as a result the Http request fails. (I ran into this
> problem while creating a collection where there is an internal communication
> between Solr servers).
> The root cause for this issue is that, AbstractHttpClient::getAuthSchemes()
> API call prepares an AuthSchemeRegistry instance with all possible
> authentication schemes. Hence when we register the SPNEGO auth scheme in Solr
> codebase, it overrides the previous configuration for SPNEGO - but doesn't
> remove the other auth schemes from the client configuration. Please take a
> look at relevant code snippet.
> https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80
> A trivial fix would be to prepare a new AuthSchemeRegistry instance
> configured with just SPENGO mechanism and set it in the HttpClient.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
