[ 
https://issues.apache.org/jira/browse/SOLR-11981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivér Szabó updated SOLR-11981:
--------------------------------
    Description: 
On secure env, when multiline (or space separated) Kerberos name rules are used 
(in solr.in), those values cannot be passed to the start script properly. 
(using {{org.apache.solr.security.KerberosPlugin}})

Example:
{code:java}
SOLR_JAAS_FILE=solr.jaas
SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
SOLR_KERB_PRINCIPAL=solr/myhost1....@example.com
SOLR_KERB_NAME_RULES="RULE:[1:\$1@\$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L 
RULE:[1:\$1@\$0](.*@PROD.EXAMPLE.NET)s/@.*///L 
RULE:[2:$1@$0](s...@admin.example.net)s/.*/solr/"

SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
SOLR_AUTHENTICATION_OPTS=" 
-DauthenticationPlugin=org.apache.solr.security.KerberosPlugin 
-Djava.security.auth.login.config=$SOLR_JAAS_FILE 
-Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} 
-Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} 
-Dsolr.kerberos.cookie.domain=${SOLR_HOST} 
-Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}"
{code}

that will cause:
{code:java}
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/host.exam...@admin.example.net
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
{code}

Reason for that (probably): in the Solr start script, there are multiple 
{{"${SOLR_OPTS[@]}"}}-like expansions (for auth props as well), which magically 
handle variables as arrays (separated by spaces or newlines).

I have tried to add the {{solr.kerberos.name.rules}} property directly to 
SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use 
spaces/newlines there, even with quotes or escape characters.

With Ambari we faced this issue before: 
https://issues.apache.org/jira/browse/AMBARI-18898; the quick solution was to 
patch the start script to use 
{{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the 
script starts the Java process.

You can close this Jira as invalid if there is a workaround for that issue or 
it is fixed already; if not, then my proposed solution is to do something 
similar. (Maybe there are better places to put that variable.)


  was:
On secure env, when multiline (or space separated) Kerberos name rules are used 
(in solr.in), those values cannot be passed properly. (using 
{{org.apache.solr.security.KerberosPlugin}})

Example:
{code:java}
SOLR_JAAS_FILE=solr.jaas
SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
SOLR_KERB_PRINCIPAL=solr/myhost1....@example.com
SOLR_KERB_NAME_RULES="RULE:[1:\$1@\$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L 
RULE:[1:\$1@\$0](.*@PROD.EXAMPLE.NET)s/@.*///L 
RULE:[2:$1@$0](s...@admin.example.net)s/.*/solr/"

SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
SOLR_AUTHENTICATION_OPTS=" 
-DauthenticationPlugin=org.apache.solr.security.KerberosPlugin 
-Djava.security.auth.login.config=$SOLR_JAAS_FILE 
-Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} 
-Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} 
-Dsolr.kerberos.cookie.domain=${SOLR_HOST} 
-Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}"
{code}

that will cause:
{code:java}
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/host.exam...@admin.example.net
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
{code}

Reason for that (probably): in the Solr start script, there are multiple 
{{"${SOLR_OPTS[@]}"}}-like expansions (for auth props as well), which magically 
handle variables as arrays (separated by spaces or newlines).

I have tried to add the {{solr.kerberos.name.rules}} property directly to 
SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use 
spaces/newlines there, even with quotes or escape characters.

With Ambari we faced this issue before: 
https://issues.apache.org/jira/browse/AMBARI-18898; the quick solution was to 
patch the start script to use 
{{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the 
script starts the Java process.

You can close this Jira as invalid if there is a workaround for that issue or 
it is fixed already; if not, then my proposed solution is to do something 
similar. (Maybe there are better places to put that variable.)



> Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-11981
>                 URL: https://issues.apache.org/jira/browse/SOLR-11981
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 5.5.5, 6.6.2, 7.2.1
>            Reporter: Olivér Szabó
>            Priority: Major
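
The word splitting suspected in the description, and the quoted form used as the Ambari workaround, can be reproduced outside Solr. This is an added example, not code from the Solr start script or from the issue: function arguments stand in for the script's option array, the function names are hypothetical, and the sample value reuses two of the rules quoted in the description.

```shell
#!/bin/sh
# Two of the rules from the report, newline-separated; single quotes keep $1/$0 literal.
SOLR_KERB_NAME_RULES='RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L
RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L'

# Hypothetical stand-ins for the java process: each receives the final argv.
count_args() { echo "$#"; }

# Print the value the JVM would see for -Dsolr.kerberos.name.rules.
rules_seen_by_jvm() {
  for arg in "$@"; do
    case $arg in
      -Dsolr.kerberos.name.rules=*)
        printf '%s\n' "${arg#-Dsolr.kerberos.name.rules=}" ;;
    esac
  done
}

# Reported setup: the rules are embedded in one option string that is later
# expanded unquoted, so the shell splits it on every space and newline.
# Runs in a subshell with globbing off so only word splitting is shown.
split_case() (
  set -f
  opts="-DauthenticationPlugin=org.apache.solr.security.KerberosPlugin
-Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}"
  "$1" $opts
)

# Workaround described in the report: pass the property as one quoted word
# at the point where the process is started.
quoted_case() {
  "$1" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin \
       -Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"
}

echo "split:  $(split_case count_args) args, rules property = $(split_case rules_seen_by_jvm)"
echo "quoted: $(quoted_case count_args) args, rules property ="
quoted_case rules_seen_by_jvm
```

In the split case the property carries only the first rule and the second rule arrives as a separate argument, so a principal from the second realm has no rule to match.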


