[ https://issues.apache.org/jira/browse/SOLR-14261?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andras Salamon updated SOLR-14261:
----------------------------------
    Attachment: SOLR-14261-01.patch

> Hadoop authentication with Kerberos error
> -----------------------------------------
>
>                 Key: SOLR-14261
>                 URL: https://issues.apache.org/jira/browse/SOLR-14261
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>    Affects Versions: 8.4.1
>            Reporter: Andras Salamon
>            Priority: Major
>         Attachments: SOLR-14261-01.patch
>
>
> We are trying to use Hadoop authentication with Kerberos in Solr 8.4.1 and
> encountered a problem. We’re using a Hadoop 3.1.1 based fork. We are using
> JDK8 so we fall back to HTTP/1.1 but also tested with JDK11 (HTTP/2) and we
> got the same error.
> We have already added a few upstream changes which are not yet committed
> (SOLR-9840) or committed only later (SOLR-11554).
> The important part of our security.json file is:
> {noformat}
>   "authentication": {
>     "class": "org.apache.solr.security.ConfigurableInternodeAuthHadoopPlugin",
>     "sysPropPrefix": "solr.authentication.",
>     "type": "multi-scheme",
>     "clientBuilderFactory": "org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder",
>     ...
> {noformat}
> When we try to add a document using curl we receive a 401 error:
> {noformat}
> curl -k --negotiate -u : 'https://quasar-mdzaga-1.vpc.cloudera.com:8985/solr/test2/update' -H 'Content-type:application/json' -d ' [ {"id":"book3", "title":"book3title", "author":"author"} ]'
> {
>   "responseHeader":{
>     "rf":2147483647,
>     "status":401,
>     "QTime":18},
>   "error":{
>     "metadata":[
>       "error-class","org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException",
>       "root-error-class","org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException"],
>     "msg":"Async exception during distributed update: Error from server at https://quasar-mdzaga-3.vpc.cloudera.com:8985/solr/test2_shard2_replica_n6/: Authentication required\n\n\n\nrequest: https://quasar-mdzaga-3.vpc.cloudera.com:8985/solr/test2_shard2_replica_n6/",
>     "Code":401}}
> {noformat}
> We have debugged the problem and found that curl can send the information to
> the node, and the internode TOLEADER request fails, because we don’t answer
> to the 401 challenge that is part of the SPNEGO mechanism:
> {noformat}
> HTTP/1.1 401 Unauthorized access
> ...
> WWW-Authenticate: Negotiate
> Set-Cookie: hadoop.auth=; HttpOnly
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Type: text/html;charset=iso-8859-1
> Content-Length: 287
> {noformat}
> Checking the code shows that
> [ConcurrentUpdateHttp2SolrClient|https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateHttp2SolrClient.java]
> calls
> [Http2SolrClient.initOutStream|https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java#L299]
> which creates an {{OutputStreamContentProvider}} where the value of the
> isReproducible flag is false and jetty’s
> [AuthenticationProtocolHandler|https://github.com/eclipse/jetty.project/blob/jetty-9.4.19.v20190610/jetty-client/src/main/java/org/eclipse/jetty/client/AuthenticationProtocolHandler.java#L192]
> will not continue the authentication in this case.
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
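
The failure described in the report, modeled as an added Python example (not Solr or Jetty code, and not part of the original message): a client that receives the `WWW-Authenticate: Negotiate` challenge can answer it only by sending the request body a second time, so a one-shot streaming body leaves the 401 unanswered. `Body`, `server`, `send` and the token value are hypothetical names and constructed data.

```python
# Added illustration: a toy model of the SPNEGO challenge/response round trip.
# All names are hypothetical; the token and payload are constructed sample data.

class Body:
    """Request body. reproducible=True means it can be re-sent from the start."""
    def __init__(self, data: bytes, reproducible: bool):
        self._data = data
        self.reproducible = reproducible
        self._consumed = False

    def read(self) -> bytes:
        if self._consumed and not self.reproducible:
            raise IOError("one-shot stream already consumed")
        self._consumed = True
        return self._data


def server(headers: dict, payload: bytes):
    """Endpoint behind Kerberos auth: challenge until a Negotiate token arrives."""
    if not headers.get("Authorization", "").startswith("Negotiate "):
        return 401, {"WWW-Authenticate": "Negotiate",
                     "Set-Cookie": "hadoop.auth=; HttpOnly"}
    return 200, {}


def send(body: Body, token: str = "CONSTRUCTED-TOKEN"):
    """Client: first attempt carries no token; retry only if the body replays."""
    trace = []
    status, resp = server({}, body.read())
    trace.append(status)
    challenged = resp.get("WWW-Authenticate", "").startswith("Negotiate")
    if status == 401 and challenged:
        if not body.reproducible:
            # Body already streamed and cannot be re-sent: the challenge goes
            # unanswered and the caller sees "Authentication required".
            return status, trace
        status, resp = server({"Authorization": "Negotiate " + token}, body.read())
        trace.append(status)
    return status, trace


if __name__ == "__main__":
    doc = b'[{"id":"book3"}]'  # constructed payload
    print("streaming body:", send(Body(doc, reproducible=False)))
    print("buffered body: ", send(Body(doc, reproducible=True)))
```
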