[
https://issues.apache.org/jira/browse/RANGER-2894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17195175#comment-17195175
]
Ramesh Mani commented on RANGER-2894:
-------------------------------------
[~mallniya] Basic auth is no supported for now. If you working on a basic auth
client, please provide a patch for the same. Also recommend way to to use SSL
also along with basic auth because of security concerns, for this its better to
use kerberos.
Following doc have kerberos configuration detailed.
https://community.cloudera.com/t5/Community-Articles/Securing-Solr-Collections-with-Ranger-Kerberos/ta-p/245519
> Plugins cannot interact with Solr with basic auth as audit targer
> -----------------------------------------------------------------
>
> Key: RANGER-2894
> URL: https://issues.apache.org/jira/browse/RANGER-2894
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 1.1.0, 2.0.0
> Reporter: Nikita Ilyushkin
> Priority: Major
>
> There seems to be a problem with audit to Solr with [basic
> authentication|https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html].
> With the simple Solr cloud setup with basic auth every plugin I tried (HDFS,
> YARN, HBase, Hive) failed to write audit to it with the similar errors:
> {code:java}
> 2020-06-25T19:39:35,248 ERROR
> [hiveServer2.async.batch_hiveServer2.async.batch.solr_destWriter]
> impl.CloudSolrClient: Request to collection [ranger_audits] failed due to
> (401) org.apache.solr.client.solrj.impl.H
> ttpSolrClient$RemoteSolrException: Error from server at
> http://nilyushkin-hadoop-dev-0.ru-central1.internal:8983/solr/ranger_audits_shard1_replica_n1:
> Expected mime type application/octet-stream but got text/htm
> l. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 401 require authentication</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/ranger_audits_shard1_replica_n1/update. Reason:
> <pre> require authentication</pre></p>
> </body>
> </html>
> {code}
> tcpdump confirms that no auth headers are in requests.
> Content of ranger-<service_name>-audit.xml:
> {code:java}
> <property>
> <name>xasecure.audit.is.enabled</name>
> <value>true</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr</name>
> <value>true</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.urls</name>
> <value>http://fqdn:8983/solr/ranger_audits</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.user</name>
> <value>rangeraudit</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.password</name>
> <value>admin</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.zookeepers</name>
> <value>fqdn:2181/solr.server</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
> <value>/srv/audit_solr_spool</value>
> </property>
> {code}
> The same results with xasecure.audit.destination.solr.urls instead
> xasecure.audit.destination.solr.zookeepers.
> Ranger Admin on the other hand writes audit just fine with given credentials
> to the same Solr.
> Unsurprisingly, following Solr documentation (underlying solrj really) and
> adding:
> {code:java}
> -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory
> -Dbasicauth=rangeraudit:admin
> {code}
> to the audited daemon (like HiveServer2) solves the problem.
> I also haven't found setBasicAuthCredentials (the second method of auth
> solrj provides) in the plugin sources or packages, so I assume it's just not
> implemented or bugged.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
