[
https://issues.apache.org/jira/browse/SOLR-10199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kevin Risden updated SOLR-10199:
--------------------------------
Fix Version/s: 8.x
master (9.0)
> Solr's Kerberos functionality does not work in Java9 due to dependency on
> hadoop's AuthenticationFilter which attempt access to JVM protected classes
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SOLR-10199
> URL: https://issues.apache.org/jira/browse/SOLR-10199
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Hadoop Integration
> Reporter: Hoss Man
> Assignee: Kevin Risden
> Priority: Major
> Labels: Java9
> Fix For: master (9.0), 8.x
>
> Attachments: SOLR-10199.patch
>
>
> (discovered this while working on test improvements for SOLR-8052)
> Our Kerberos based authn/authz features are all built on top of Hadoop's
> {{AuthenticationFilter}} which in turn uses Hadoop's {{KerberosUtil}} -- but
> this does not work on Java9/jigsaw JVMs because that class in turn attempts
> to access {{sun.security.jgss.GSSUtil}} which is not exported by {{module
> java.security.jgss}}
> This means that Solr users who depend on Kerberos will not be able to upgrade
> to Java9, even if they do not use any Hadoop specific features of Solr.
> ----
> Example log messages...
> {noformat}
> [junit4] 2> 6833 WARN (qtp442059499-30) [ ]
> o.a.h.s.a.s.AuthenticationFilter Authentication exception:
> java.lang.IllegalAccessException: class
> org.apache.hadoop.security.authentication.util.KerberosUtil cannot access
> class sun.security.jgss.GSSUtil (in module java.security.jgss) because module
> java.security.jgss does not export sun.security.jgss to unnamed module
> @4b38fe8b
> [junit4] 2> 6841 WARN
> (TEST-TestSolrCloudWithKerberosAlt.testBasics-seed#[95A583AF82D1EBBE]) [ ]
> o.a.h.c.p.ResponseProcessCookies Invalid cookie header: "Set-Cookie:
> hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Ara, 01-Sa-1970 00:00:00 GMT;
> HttpOnly". Invalid 'expires' attribute: Ara, 01-Sa-1970 00:00:00 GMT
> {noformat}
> (NOTE: HADOOP-14115 is cause of malformed cookie expiration)
> ultimately the client gets a 403 error (as seen in a testcase with patch from
> SOLR-8052 applied and java9 assume commented out)...
> {noformat}
> [junit4] ERROR 7.10s | TestSolrCloudWithKerberosAlt.testBasics <<<
> [junit4] > Throwable #1:
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error
> from server at http://127.0.0.1:34687/solr: Expected mime type
> application/octet-stream but got text/html. <html>
> [junit4] > <head>
> [junit4] > <meta http-equiv="Content-Type"
> content="text/html;charset=ISO-8859-1"/>
> [junit4] > <title>Error 403 </title>
> [junit4] > </head>
> [junit4] > <body>
> [junit4] > <h2>HTTP ERROR: 403</h2>
> [junit4] > <p>Problem accessing /solr/admin/collections. Reason:
> [junit4] > <pre> java.lang.IllegalAccessException: class
> org.apache.hadoop.security.authentication.util.KerberosUtil cannot access
> class sun.security.jgss.GSSUtil (in module java.security.jgss) because module
> java.security.jgss does not export sun.security.jgss to unnamed module
> @4b38fe8b</pre></p>
> [junit4] > <hr /><a href="http://eclipse.org/jetty";>Powered by Jetty://
> 9.3.14.v20161028</a><hr/>
> [junit4] > </body>
> [junit4] > </html>
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
