Andras Salamon created SOLR-14261:

             Summary: Hadoop authentication with Kerberos error
                 Key: SOLR-14261
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 8.4.1
            Reporter: Andras Salamon

We are trying to use Hadoop authentication with Kerberos in Solr 8.4.1 and 
encountered a problem. We’re using a Hadoop 3.1.1 based fork. We are using JDK8 
so we fall back to HTTP/1.1 but also tested with JDK11 (HTTP/2) and we got the 
same error.

We have already added a few upstream changes which are not yet committed 
(SOLR-9840) or committed only later (SOLR-11554).

The important part of our security.json file is:
"authentication": {
        "sysPropPrefix": "solr.authentication.",
        "type": "multi-scheme",
When we try to add a document using curl we receive 401 error:
curl -k --negotiate -u : 
'[]' -H 
'Content-type:application/json' -d ' [ \{"id":"book3", "title":"book3title", 
"author":"author"} ]'\{  "responseHeader":{    "rf":2147483647,    
"status":401,    "QTime":18},  "error":{    "metadata":[      
    "msg":"Async exception during distributed update: Error from server at 
Authentication required\n\n\n\nrequest: 
We have debugged the problem and found that curl can send the information to 
the node, and the internode TOLEADER request fails, because we don’t answer to 
the 401 challenge that is part of the SPNEGO mechanism:
HTTP/1.1 401 Unauthorized access
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; HttpOnly
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 287
Checking the code shows that 
 which creates an {{OutputStreamContentProvider}} where the value of the 
isReproducible flag is false and jetty’s 
 will not continue the authentication in this case.

This message was sent by Atlassian Jira

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to