[ https://issues.apache.org/jira/browse/SOLR-11981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olivér Szabó resolved SOLR-11981.
---------------------------------
    Resolution: Won't Fix

> Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-11981
>                 URL: https://issues.apache.org/jira/browse/SOLR-11981
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: security
>    Affects Versions: 5.5.5, 6.6.2, 7.2.1
>            Reporter: Olivér Szabó
>            Priority: Major
>
> On secure env, when multiline (or space separated) kerberos name rules are
> used (in solr.in), those values cannot be passed to the start script
> properly. (using {{org.apache.solr.security.KerberosPlugin}})
> Example:
> {code:java}
> SOLR_JAAS_FILE=solr.jaas
> SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
> SOLR_KERB_PRINCIPAL=solr/myhost1....@example.com
> SOLR_KERB_NAME_RULES="RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L
> RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L
> RULE:[2:$1@$0](s...@admin.example.net)s/.*/solr/"
> SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
> SOLR_AUTHENTICATION_OPTS="
> -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin
> -Djava.security.auth.login.config=$SOLR_JAAS_FILE
> -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL}
> -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB}
> -Dsolr.kerberos.cookie.domain=${SOLR_HOST}"
> -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}
> {code}
> that will cause:
> {code:java}
> Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/host.exam...@admin.example.net
>     at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
>     at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
> {code}
> Reason for that (probably): in solr start script, there are multiple
> {{"${SOLR_OPTS[@]}"}}-like (for auth props as well), which magically handle
> variables as arrays (separated by space or endlines).
> I have tried to add {{solr.kerberos.name.rules}} property directly to
> SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use
> spaces/newlines there even with quotes or escape characters.
> With Ambari we faced this issue before:
> https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to
> patch the start script to use
> {{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the
> script starts the java process.
> You can close this jira as invalid if there is a workaround for that issue or
> it is fixed already; if not, then my proposed solution is to do something
> similar. (maybe there are better places where to put that variable)
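Added example, not part of the original message and not taken from Solr's start script: a simplified shell model of the behaviour the report describes, where a multi-rule value expanded unquoted is split on whitespace so only the first rule stays attached to `-Dsolr.kerberos.name.rules`, next to the quoted form the report proposes. The rules, `fake_java`, `launch_split` and `launch_quoted` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample rules; single quotes keep $1 and $0 literal.
NAME_RULES='RULE:[1:$1@$0](.*@A.EXAMPLE.TEST)s/@.*//
RULE:[1:$1@$0](.*@B.EXAMPLE.TEST)s/@.*//
RULE:[2:$1@$0](svc@A.EXAMPLE.TEST)s/.*/svc/'
BASE_OPTS='-DauthenticationPlugin=org.apache.solr.security.KerberosPlugin'

# Hypothetical stand-in for the JVM: reports how many arguments it received
# and how many RULE: entries arrived inside -Dsolr.kerberos.name.rules=...
fake_java() {
  rules=0
  for arg in "$@"; do
    case $arg in
      -Dsolr.kerberos.name.rules=*)
        rules=$(printf '%s\n' "${arg#*=}" | grep -c '^RULE:') ;;
    esac
  done
  echo "argc=$# rules_in_property=$rules"
}

# Failing path (assumed model): all options live in one string that is
# expanded unquoted, so the shell splits the value on spaces and newlines.
launch_split() {
  opts="$BASE_OPTS -Dsolr.kerberos.name.rules=$NAME_RULES"
  set -f   # disable globbing; the rules contain [ ] and *
  # shellcheck disable=SC2086
  fake_java $opts
  set +f
}

# Workaround from the report: the property is passed as one quoted word.
launch_quoted() {
  set -f
  # shellcheck disable=SC2086
  fake_java $BASE_OPTS "-Dsolr.kerberos.name.rules=$NAME_RULES"
  set +f
}

launch_split    # argc=4 rules_in_property=1
launch_quoted   # argc=2 rules_in_property=3
```

In the split case the second and third rules reach the process as stray arguments, so a principal that only a later rule would map is left with no matching rule.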