[ 
https://issues.apache.org/jira/browse/SOLR-14261?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andras Salamon updated SOLR-14261:
----------------------------------
    Attachment: SOLR-14261-01.patch

> Hadoop authentication with Kerberos error
> -----------------------------------------
>
>                 Key: SOLR-14261
>                 URL: https://issues.apache.org/jira/browse/SOLR-14261
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.4.1
>            Reporter: Andras Salamon
>            Priority: Major
>         Attachments: SOLR-14261-01.patch
>
>
> We are trying to use Hadoop authentication with Kerberos in Solr 8.4.1 and 
> encountered a problem. We’re using a Hadoop 3.1.1 based fork. We are using 
> JDK8 so we fall back to HTTP/1.1 but also tested with JDK11 (HTTP/2) and we 
> got the same error.
> We have already added a few upstream changes which are not yet committed 
> (SOLR-9840) or committed only later (SOLR-11554).
> The important part of our security.json file is:
> {noformat}
> "authentication": {
>         "class": "org.apache.solr.security.ConfigurableInternodeAuthHadoopPlugin",
>         "sysPropPrefix": "solr.authentication.",
>         "type": "multi-scheme",
>         "clientBuilderFactory": "org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder",
> ...
> {noformat}
> When we try to add a document using curl we receive a 401 error:
> {noformat}
> curl -k --negotiate -u : \
>   'https://quasar-mdzaga-1.vpc.cloudera.com:8985/solr/test2/update' \
>   -H 'Content-type:application/json' \
>   -d ' [ {"id":"book3", "title":"book3title", "author":"author"} ]'
> {
>   "responseHeader":{
>     "rf":2147483647,
>     "status":401,
>     "QTime":18},
>   "error":{
>     "metadata":[
>       "error-class","org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException",
>       "root-error-class","org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException"],
>     "msg":"Async exception during distributed update: Error from server at https://quasar-mdzaga-3.vpc.cloudera.com:8985/solr/test2_shard2_replica_n6/: Authentication required\n\n\n\nrequest: https://quasar-mdzaga-3.vpc.cloudera.com:8985/solr/test2_shard2_replica_n6/",
>     "Code":401}}
> {noformat}
> We have debugged the problem and found that curl can send the information to 
> the node, and the internode TOLEADER request fails, because we don’t answer 
> to the 401 challenge that is part of the SPNEGO mechanism:
> {noformat}
> HTTP/1.1 401 Unauthorized access
> ...
> WWW-Authenticate: Negotiate
> Set-Cookie: hadoop.auth=; HttpOnly
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Type: text/html;charset=iso-8859-1
> Content-Length: 287
> {noformat}
> Checking the code shows that 
> [ConcurrentUpdateHttp2SolrClient|https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateHttp2SolrClient.java]
>  calls 
> [Http2SolrClient.initOutStream|https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java#L299]
>  which creates an {{OutputStreamContentProvider}} where the value of the 
> isReproducible flag is false and Jetty’s 
> [AuthenticationProtocolHandler|https://github.com/eclipse/jetty.project/blob/jetty-9.4.19.v20190610/jetty-client/src/main/java/org/eclipse/jetty/client/AuthenticationProtocolHandler.java#L192]
>  will not continue the authentication in this case.
>   



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
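
The failure mode described in the issue, as an added, simplified model in plain Java (not Solr's or Jetty's code, and not part of the original message): a client can answer a 401 Negotiate challenge only by sending the request again, so a body that can be read only once leaves the challenge unanswered. The `Body` interface, the stub `server` method and the token string are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

class NegotiateRetryDemo {
    /** Request body; "reproducible" means it can be sent a second time. */
    interface Body {
        boolean isReproducible();
        InputStream open() throws IOException;
    }

    /** Buffered body: every open() returns a fresh stream over the same bytes. */
    static Body buffered(byte[] data) {
        return new Body() {
            public boolean isReproducible() { return true; }
            public InputStream open() { return new ByteArrayInputStream(data); }
        };
    }

    /** Streamed body: hands out the same one-shot stream, so it cannot be replayed. */
    static Body streamed(InputStream once) {
        return new Body() {
            public boolean isReproducible() { return false; }
            public InputStream open() { return once; }
        };
    }

    /** Stub server (constructed): drains the body, then challenges unless a Negotiate token is sent. */
    static int server(String authorization, InputStream body) throws IOException {
        while (body.read() != -1) { /* the body is consumed even when the answer is 401 */ }
        return authorization != null && authorization.startsWith("Negotiate ") ? 200 : 401;
    }

    /** Client: answers the 401 challenge only if the body can be replayed. */
    static int send(Body body) throws IOException {
        int status = server(null, body.open());      // first attempt carries no credentials
        if (status != 401 || !body.isReproducible()) {
            return status;                            // one-shot body: the 401 reaches the caller
        }
        return server("Negotiate <constructed-token>", body.open()); // replay with the token
    }

    public static void main(String[] args) throws IOException {
        byte[] doc = "[{\"id\":\"book3\"}]".getBytes(StandardCharsets.UTF_8); // constructed sample
        System.out.println("buffered body: " + send(buffered(doc)));
        System.out.println("streamed body: " + send(streamed(new ByteArrayInputStream(doc))));
    }
}
```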
