[jira] [Commented] (SOLR-14261) Hadoop authentication with Kerberos error

Thu, 13 Feb 2020 08:47:12 -0800 


    [ 
https://issues.apache.org/jira/browse/SOLR-14261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036347#comment-17036347
 ] 

Lucene/Solr QA commented on SOLR-14261:
---------------------------------------

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
|| || || || {color:brown} Prechecks {color} ||
| {color:red}-1{color} | {color:red} test4tests {color} | {color:red}  0m  
0s{color} | {color:red} The patch doesn't appear to include any new or modified 
tests. Please justify why no new tests are needed for this patch. Also please 
list what manual steps were performed to verify this patch. {color} |
|| || || || {color:brown} master Compile Tests {color} ||
| {color:green}+1{color} | {color:green} compile {color} | {color:green}  0m 
48s{color} | {color:green} master passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:green}+1{color} | {color:green} compile {color} | {color:green}  0m 
51s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green}  0m 
51s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} Release audit (RAT) {color} | 
{color:green}  0m 51s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} Check forbidden APIs {color} | 
{color:green}  0m 51s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} Validate source patterns {color} | 
{color:green}  0m 51s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:red}-1{color} | {color:red} unit {color} | {color:red}  5m 44s{color} 
| {color:red} solrj in the patch failed. {color} |
| {color:black}{color} | {color:black} {color} | {color:black}  9m 25s{color} | 
{color:black} {color} |
\\
\\
|| Reason || Tests ||
| Failed junit tests | 
solr.client.solrj.impl.ConcurrentUpdateHttp2SolrClientTest |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Issue | SOLR-14261 |
| JIRA Patch URL | 
https://issues.apache.org/jira/secure/attachment/12993393/SOLR-14261-01.patch |
| Optional Tests |  compile  javac  unit  ratsources  checkforbiddenapis  
validatesourcepatterns  |
| uname | Linux lucene1-us-west 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 
10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | ant |
| Personality | 
/home/jenkins/jenkins-slave/workspace/PreCommit-SOLR-Build/sourcedir/dev-tools/test-patch/lucene-solr-yetus-personality.sh
 |
| git revision | master / dcf448efeb9 |
| ant | version: Apache Ant(TM) version 1.10.5 compiled on March 28 2019 |
| Default Java | LTS |
| unit | 
https://builds.apache.org/job/PreCommit-SOLR-Build/682/artifact/out/patch-unit-solr_solrj.txt
 |
|  Test Results | 
https://builds.apache.org/job/PreCommit-SOLR-Build/682/testReport/ |
| modules | C: solr/solrj U: solr/solrj |
| Console output | 
https://builds.apache.org/job/PreCommit-SOLR-Build/682/console |
| Powered by | Apache Yetus 0.7.0   http://yetus.apache.org |


This message was automatically generated.



> Hadoop authentication with Kerberos error
> -----------------------------------------
>
>                 Key: SOLR-14261
>                 URL: https://issues.apache.org/jira/browse/SOLR-14261
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.4.1
>            Reporter: Andras Salamon
>            Priority: Major
>         Attachments: SOLR-14261-01.patch
>
>
> We are trying to use Hadoop authentication with Kerberos in Solr 8.4.1 and 
> encountered a problem. We’re using a Hadoop 3.1.1 based fork. We are using 
> JDK8 so we fall back to HTTP/1.1 but also tested with JDK11 (HTTP/2) and we 
> got the same error.
> We have already added a few upstream changes which are not yet committed 
> (SOLR-9840) or committed only later (SOLR-11554).
> The important part of our security.json file is:
> {noformat}
> "authentication": {
>         "class": 
> "org.apache.solr.security.ConfigurableInternodeAuthHadoopPlugin",
>         "sysPropPrefix": "solr.authentication.",
>         "type": "multi-scheme",
>         "clientBuilderFactory": 
> "org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder",
> ...
> {noformat}
> When we try to add a document using curl we receive 401 error:
> {noformat}
> curl -k --negotiate -u : 
> '[https://quasar-mdzaga-1.vpc.cloudera.com:8985/solr/test2/update]' -H 
> 'Content-type:application/json' -d ' [ \{"id":"book3", "title":"book3title", 
> "author":"author"} ]'\{  "responseHeader":{    "rf":2147483647,    
> "status":401,    "QTime":18},  "error":{    "metadata":[      
> "error-class","org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException",
>       
> "root-error-class","org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException"],
>     "msg":"Async exception during distributed update: Error from server at 
> [https://quasar-mdzaga-3.vpc.cloudera.com:8985/solr/test2_shard2_replica_n6/]:
>  Authentication required\n\n\n\nrequest: 
> [https://quasar-mdzaga-3.vpc.cloudera.com:8985/solr/test2_shard2_replica_n6/]";,
>     "Code":401}}
> {noformat}
> We have debugged the problem and found that curl can send the information to 
> the node, and the internode TOLEADER request fails, because we don’t answer 
> to the 401 challenge that is part of the SPNEGO mechanism:
> {noformat}
> HTTP/1.1 401 Unauthorized access
> ...
> WWW-Authenticate: Negotiate
> Set-Cookie: hadoop.auth=; HttpOnly
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Type: text/html;charset=iso-8859-1
> Content-Length: 287
> {noformat}
> Checking the code shows that 
> [ConcurrentUpdateHttp2SolrClient|https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateHttp2SolrClient.java]
>  calls 
> [Http2SolrClient.initOutStream|https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java#L299]
>  which creates an {{OutputStreamContentProvider}} where the value of the 
> isReproducible flag is false and jetty’s 
> [AuthenticationProtocolHandler|https://github.com/eclipse/jetty.project/blob/jetty-9.4.19.v20190610/jetty-client/src/main/java/org/eclipse/jetty/client/AuthenticationProtocolHandler.java#L192]
>  will not continue the authentication in this case.
>   



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to