Olivér Szabó commented on SOLR-11981:

I found a workaround for that issue:
The property {{-Dsolr.kerberos.name.rules}} can be used directly with bin/solr 
script (!!! - ant not with {{-a}} option), im closing that issue now as wont 
fix, but probably it would be useful to document that to not define 
{{solr.kerberos.name.rules}} with {{SOLR_AUTHENTICATION_OPTS}} if you multiple 
kerberos rules are used.

> Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
> ----------------------------------------------------------------------------
>                 Key: SOLR-11981
>                 URL: https://issues.apache.org/jira/browse/SOLR-11981
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 5.5.5, 6.6.2, 7.2.1
>            Reporter: Olivér Szabó
>            Priority: Major
> On secure env, when multiline (or space separated) kerberos name rules are 
> used ( in solr.in),  those values cannot be passed to .the start script 
> properly. (using {{org.apache.solr.security.KerberosPlugin}})
> Example:
> {code:java}
> SOLR_JAAS_FILE=solr.jaas
> SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
> SOLR_KERB_PRINCIPAL=solr/myhost1....@example.com
> RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L 
> RULE:[2:$1@$0](s...@admin.example.net)s/.*/solr/"
> SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
> -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin 
> -Djava.security.auth.login.config=$SOLR_JAAS_FILE 
> -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} 
> -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} 
> -Dsolr.kerberos.cookie.domain=${SOLR_HOST}" 
> -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}
> {code}
> that will cause:
> {code:java}
> Caused by: 
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: 
> No rules applied to solr/host.exam...@admin.example.net 
> at 
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
> at 
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
> {code}
> Reason for that (probably): in solr start script, there are multiple 
> {{"${SOLR_OPTS[@]}}}-like (for auth props as well), which magically handle 
> variables as arrays (separated by space or endlines).
> I have tried to add {{solr.kerberos.name.rules}} property directly to 
> SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but i could not using 
> spaces/newlines there even with quotes or escape characters.
> With Ambari we faced this issue before: 
> https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to 
> patch the start script to use 
> {{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the 
> scripts starts the java process
> You can close this jira invalid if there is a workaround for that issue or 
> fixed already, if not, then my proposed solution to do something similar. 
> (maybe there are better places where to put that variable)

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to