Hoss Man created SOLR-10199:
-------------------------------

             Summary: Solr's Kerberos functionality does not work in Java9 due to dependency on hadoop's AuthenticationFilter which attempts to access JVM protected classes
                 Key: SOLR-10199
                 URL: https://issues.apache.org/jira/browse/SOLR-10199
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Hoss Man


(discovered this while working on test improvements for SOLR-8052)

Our Kerberos based authn/authz features are all built on top of Hadoop's 
{{AuthenticationFilter}} which in turn uses Hadoop's {{KerberosUtil}} -- but 
this does not work on Java9/jigsaw JVMs because that class in turn attempts to 
access {{sun.security.jgss.GSSUtil}} which is not exported by {{module 
java.security.jgss}}

This means that Solr users who depend on Kerberos will not be able to upgrade 
to Java9, even if they do not use any Hadoop specific features of Solr.

----

Example log messages...

{noformat}
   [junit4]   2> 6833 WARN  (qtp442059499-30) [    ] 
o.a.h.s.a.s.AuthenticationFilter Authentication exception: 
java.lang.IllegalAccessException: class 
org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class 
sun.security.jgss.GSSUtil (in module java.security.jgss) because module 
java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b
   [junit4]   2> 6841 WARN  
(TEST-TestSolrCloudWithKerberosAlt.testBasics-seed#[95A583AF82D1EBBE]) [    ] 
o.a.h.c.p.ResponseProcessCookies Invalid cookie header: "Set-Cookie: 
hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Ara, 01-Sa-1970 00:00:00 GMT; 
HttpOnly". Invalid 'expires' attribute: Ara, 01-Sa-1970 00:00:00 GMT
{noformat}

(NOTE: HADOOP-14115 is the cause of the malformed cookie expiration)

Ultimately the client gets a 403 error (as seen in a testcase with the patch from 
SOLR-8052 applied and the java9 assume commented out)...

{noformat}
   [junit4] ERROR   7.10s | TestSolrCloudWithKerberosAlt.testBasics <<<
   [junit4]    > Throwable #1: 
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
from server at http://127.0.0.1:34687/solr: Expected mime type 
application/octet-stream but got text/html. <html>
   [junit4]    > <head>
   [junit4]    > <meta http-equiv="Content-Type" 
content="text/html;charset=ISO-8859-1"/>
   [junit4]    > <title>Error 403 </title>
   [junit4]    > </head>
   [junit4]    > <body>
   [junit4]    > <h2>HTTP ERROR: 403</h2>
   [junit4]    > <p>Problem accessing /solr/admin/collections. Reason:
   [junit4]    > <pre>    java.lang.IllegalAccessException: class 
org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class 
sun.security.jgss.GSSUtil (in module java.security.jgss) because module 
java.security.jgss does not export sun.security.jgss to unnamed module 
@4b38fe8b</pre></p>
   [junit4]    > <hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// 
9.3.14.v20161028</a><hr/>
   [junit4]    > </body>
   [junit4]    > </html>
{noformat}
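
The access pattern behind the exception above, shown next to the exported JGSS API. This is an added example, not part of the original report and not Hadoop's or Solr's code; the class name {{GssUtilAccessDemo}} and the looked-up field {{GSS_KRB5_MECH_OID}} are assumptions made for illustration.

```java
import java.lang.reflect.Field;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class GssUtilAccessDemo {

    // Reflective read of a constant from the JDK-internal class named in the
    // exception. The field name is an assumption, not taken from the report.
    static Oid viaInternalClass() throws ReflectiveOperationException {
        Class<?> gssUtil = Class.forName("sun.security.jgss.GSSUtil");
        Field field = gssUtil.getField("GSS_KRB5_MECH_OID");
        // The module access check is applied here, on the read itself.
        return (Oid) field.get(null);
    }

    // The same mechanism OID built through the exported org.ietf.jgss API,
    // which needs no access to sun.security.jgss.
    static Oid viaPublicApi() throws GSSException {
        return new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
    }

    public static void main(String[] args) throws Exception {
        Oid supported = viaPublicApi();
        System.out.println("public API : " + supported);
        try {
            Oid internal = viaInternalClass();
            // Reached when the JVM permits the access, e.g. on Java 8 or with
            // --add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED
            System.out.println("reflection : " + internal
                    + " (equal to public API value: " + internal.equals(supported) + ")");
        } catch (IllegalAccessException e) {
            // Encapsulated JDK: the message has the same form as the log above,
            // "... does not export sun.security.jgss to unnamed module @...".
            System.out.println("reflection : blocked -> " + e.getMessage());
        }
    }
}
```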



