[
https://issues.apache.org/jira/browse/SOLR-8894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15210192#comment-15210192
]
Ishan Chattopadhyaya edited comment on SOLR-8894 at 3/24/16 1:17 PM:
---------------------------------------------------------------------
If we cannot find a workaround for this, I suggest that instead of writing
custom TGT renewal code, we drop support for standalone users in the kerberos
authentication plugin.
Currently, for SolrCloud, the TGT renewals can be taken care of by the zk
client (if Solr nodes are connected to kerberized zk using the same zk client
principal as its service principal for the kerberos authentication plugin) [0].
An alternative way is to use the ticket cache, and use kinit from the command
line to renew the ticket, perhaps using a cronjob. If the latter is not working
for standalone for some reason, which is what I believe you have tried and you
find that it is not working, we should rather drop support for standalone users
altogether. In such a case, a user interested in using kerberos authentication
with standalone solr could use a forked version of the plugin from a separate
repository and add the ticket renewal support and use the plugin.
What do you think, [~anshumg], [~noble.paul]?
[0] - https://issues.apache.org/jira/browse/ZOOKEEPER-1181
was (Author: ichattopadhyaya):
If we cannot find a workaround for this, I suggest that instead of writing
custom TGT renewal code, we drop support for standalone users in the kerberos
authentication plugin.
Currently, for SolrCloud, the TGT renewals can be taken care of by the zk
client (if Solr nodes are connected to kerberized zk using the same zk client
principal as its service principal for the kerberos authentication plugin) [0].
An alternative way is to use the ticket cache, and use kinit from the command
line. If the latter is not working for standalone for some reason, which is
what I believe you have tried and you find that it is not working, we should
rather drop support for standalone users altogether. In such a case, a user
interested in using kerberos authentication with standalone solr could use a
forked version of the plugin from a separate repository and add the ticket
renewal support and use the plugin.
What do you think, [~anshumg], [~noble.paul]?
[0] - https://issues.apache.org/jira/browse/ZOOKEEPER-1181
> Support automatic kerberos ticket renewals in standalone Solr
> -------------------------------------------------------------
>
> Key: SOLR-8894
> URL: https://issues.apache.org/jira/browse/SOLR-8894
> Project: Solr
> Issue Type: Bug
> Reporter: Varun Thacker
>
> Currently in standalone Solr mode , tickets are not renewed automatically. So
> once a ticket expires one has to restart the solr node for it to renew the
> ticket.
> We should support automatic ticket renewals in standalone solr as we do
> currently in cloud mode.
> There is no workaround for this other than to restart Solr.
> If we manually do a kinit ( so that we can set a cron to do future kinit's )
> and then start Solr , Solr doesn't start up correctly. Steps we tried for the
> workaround:
> - Specify useKeyTab=false in the JAAS fle and then manually do a kinit and
> then start solr. So fails to start in this case and throws an error like this
> {code}
> ERROR - 2016-03-14 20:07:03.505; [ ] org.apache.solr.common.SolrException;
> null:org.apache.solr.common.SolrException: Error initializing kerberos
> authentication plugin: javax.servlet.ServletException:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> javax.security.auth.login.LoginException: No key to store
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
