Re: [EXTERNAL] Re: putsolrcontentstream and kerberos
I'm running Oracle JDK 1.8.0_162 and NiFi should be using SolrJ 6.2.0 [1].
Not sure if it is worth trying to upgrade, but the 1.7.0 release
re-factored how the kerberos auth is handled for the Solr processors
so that it no longer relies on the JAAS configuration [2]. It's
possible that could resolve your issue, but hard to say.
[1]
https://github.com/apache/nifi/blob/rel/nifi-1.6.0/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/pom.xml#L26
[2] https://issues.apache.org/jira/browse/NIFI-5148
On Mon, Oct 15, 2018 at 1:00 PM Dan Caulfield wrote:
>
> Yes, curl works fine. Just out of curiosity, what version of java are you
> running? Does anyone know which version of SolrJ is using the the 1.6
> putsolrcontentstream?
>
> -Original Message-
> From: Bryan Bende [mailto:bbe...@gmail.com]
> Sent: Friday, October 12, 2018 2:08 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: putsolrcontentstream and kerberos
>
> I've only done it against Solr cloud, but I don't know a reason why it
> wouldn't work against standalone Solr.
>
> Nothing is jumping out at me as being wrong with your config. My JAAS config
> was the following:
>
> SolrJClient {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> keyTab="/Users/bbende/Projects/docker-kdc/krb5.keytab"
> storeKey=true
> useTicketCache=false
> debug=true
> principal="n...@solr.org";
> };
>
> Can you successfully access Solr from a curl command?
>
> curl --negotiate -u :
> "http://vmsol001.epg.nam.gm.com:8983/solr/collection1/select;
>
> Assuming you did a kinit first.
>
> On Fri, Oct 12, 2018 at 2:48 PM Dan Caulfield wrote:
> >
> > When attempting to use the putsolrcontentstream (Version 1.6.0) to load
> > json file into a Solr 6.3 cluster that requires Kerberos authentication.
> >
> >
> >
> > I have set the -D
> > java.security.auth.login.config=/disk-1/nifi/jaas/jaas.conf
> >
> >
> >
> > And the jass file looks like this -
> >
> > MicroServicesSolrClient {
> >
> > com.sun.security.auth.module.Krb5LoginModule required
> >
> > useKeyTab=true
> >
> > storeKey=true
> >
> > keyTab="/disk-1/nifi/keytabs/MSSolrClient"
> >
> > serviceName="solr"
> >
> > principal="mssolru...@x.gm.com";
> >
> > };
> >
> > GMASTSolrClient {
> >
> > com.sun.security.auth.module.Krb5LoginModule required
> >
> > useKeyTab=true
> >
> > storeKey=true
> >
> > useTicketCache=true
> >
> > debug=true
> >
> > keyTab="/disk-1/nifi/keytabs/GMSolrClient"
> >
> > serviceName="solr"
> >
> > principal="gmsolru...@x.gm.com";
> >
> > };
> >
> >
> >
> > The Processor is set to –
> >
> > Solr Type – Standard
> >
> > Solr Location - http://vmsol001.epg.nam.gm.com:8983/solr/collection1/
> >
> > Content Stream Path - /update/json/docs
> >
> > Content-Type – application/json
> >
> > JAAS Client App Name – GMASTSolrClient
> >
> >
> >
> > Does the 1.6 version of the PutSolrContentStream support Kerberos? We
> > are getting the 401 authentication error -
> >
> >
> >
> >
> >
> > 198730787914459,size=119100] to Solr due to
> > org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
> > Error from server at http://vmsol001.epg.nam.gm.com:8983/solr:
> > Expected mime type application/octet-stream but got text/html.
> >
> >
> >
> >
> >
> > Error 401 Authentication required
> >
> >
> >
> > HTTP ERROR 401
> >
> > Problem accessing /solr/select. Reason:
> >
> > Authentication required
> >
> >
> >
> >
> >
> > ; routing to failure:
> > org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
> > Error from server at http://vmsol001.epg.nam.gm.com:8983/solr:
> > Expected mime type application/octet-stream but got text/html.
> >
> >
> >
> >
> >
> > Error 401 Authentication required
> >
> >
> >
> > HTTP ERROR 401
> >
> > Problem accessing /solr/select. Reason:
> >
> > Authentication required
> >
> >
> >
> >
> >
> >
> >
> > org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
> > Error from server at http://vmsol001.epg.nam.gm.co
RE: [EXTERNAL] Re: putsolrcontentstream and kerberos
Yes, curl works fine. Just out of curiosity, what version of java are you
running? Does anyone know which version of SolrJ is using the the 1.6
putsolrcontentstream?
-Original Message-
From: Bryan Bende [mailto:bbe...@gmail.com]
Sent: Friday, October 12, 2018 2:08 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: putsolrcontentstream and kerberos
I've only done it against Solr cloud, but I don't know a reason why it wouldn't
work against standalone Solr.
Nothing is jumping out at me as being wrong with your config. My JAAS config
was the following:
SolrJClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/Users/bbende/Projects/docker-kdc/krb5.keytab"
storeKey=true
useTicketCache=false
debug=true
principal="n...@solr.org";
};
Can you successfully access Solr from a curl command?
curl --negotiate -u :
"http://vmsol001.epg.nam.gm.com:8983/solr/collection1/select;
Assuming you did a kinit first.
On Fri, Oct 12, 2018 at 2:48 PM Dan Caulfield wrote:
>
> When attempting to use the putsolrcontentstream (Version 1.6.0) to load json
> file into a Solr 6.3 cluster that requires Kerberos authentication.
>
>
>
> I have set the -D
> java.security.auth.login.config=/disk-1/nifi/jaas/jaas.conf
>
>
>
> And the jass file looks like this -
>
> MicroServicesSolrClient {
>
> com.sun.security.auth.module.Krb5LoginModule required
>
> useKeyTab=true
>
> storeKey=true
>
> keyTab="/disk-1/nifi/keytabs/MSSolrClient"
>
> serviceName="solr"
>
> principal="mssolru...@x.gm.com";
>
> };
>
> GMASTSolrClient {
>
> com.sun.security.auth.module.Krb5LoginModule required
>
> useKeyTab=true
>
> storeKey=true
>
> useTicketCache=true
>
> debug=true
>
> keyTab="/disk-1/nifi/keytabs/GMSolrClient"
>
> serviceName="solr"
>
> principal="gmsolru...@x.gm.com";
>
> };
>
>
>
> The Processor is set to –
>
> Solr Type – Standard
>
> Solr Location - http://vmsol001.epg.nam.gm.com:8983/solr/collection1/
>
> Content Stream Path - /update/json/docs
>
> Content-Type – application/json
>
> JAAS Client App Name – GMASTSolrClient
>
>
>
> Does the 1.6 version of the PutSolrContentStream support Kerberos? We
> are getting the 401 authentication error -
>
>
>
>
>
> 198730787914459,size=119100] to Solr due to
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
> Error from server at http://vmsol001.epg.nam.gm.com:8983/solr:
> Expected mime type application/octet-stream but got text/html.
>
>
>
>
>
> Error 401 Authentication required
>
>
>
> HTTP ERROR 401
>
> Problem accessing /solr/select. Reason:
>
> Authentication required
>
>
>
>
>
> ; routing to failure:
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
> Error from server at http://vmsol001.epg.nam.gm.com:8983/solr:
> Expected mime type application/octet-stream but got text/html.
>
>
>
>
>
> Error 401 Authentication required
>
>
>
> HTTP ERROR 401
>
> Problem accessing /solr/select. Reason:
>
> Authentication required
>
>
>
>
>
>
>
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
> Error from server at http://vmsol001.epg.nam.gm.com:8983/solr:
> Expected mime type application/octet-stream but got text/html.
>
>
>
>
>
> Error 401 Authentication required
>
>
>
> HTTP ERROR 401
>
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
> Error from server at http://vmsol001.epg.nam.gm.com:8983/solr:
> Expected mime type application/octet-stream but got text/html.
>
>
>
>
>
> Error 401 Authentication required
>
>
>
> HTTP ERROR 401
>
> Problem accessing /solr/select. Reason:
>
> Authentication required
>
>
>
>
>
>
>
> at
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSol
> rClient.java:560)
>
> at
> org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClien
> t.java:261)
>
> at
> org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClien
> t.java:250)
>
> at
> org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:149)
>
> at
> org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:166)
>
> at
> org.apache.nifi.processors.solr.PutSolrContentStream$1.process(PutSolr
> ContentStream.java:242)
>
> at
> org.apache.nifi.con
