Hi,
I’m trying to dockerize Ranger and Solr in standalone mode for audit store, and I want Solr to be secure (with Kerberized authentication and authorization). I tried: Ranger 1.2.0 + Solr 6.6.6 Ranger 1.2.0 + Solr 8.0.0 Ranger 2.0.0 + Solr 8.0.0 (Ranger 2.0.0 is compiled from the master branch (8202ed4aed53ad93a21b27dcf83cdf7102678fa0)) I succeeded to open Solr UI with Firefox, and Hive-plugin-enabled HiveServer2 succeeded to log audits to Solr. However, Ranger Admin fails to query to Kerberized Solr. Especially, When I login Ranger Admin UI with an admin account, and go to Audit-Access, the following error message pops up: Error running solr query, please check solr configs. Error from server at https://indigo21:6083/solr/ranger_audits: Expected mime type application/octet-stream but got text/html. <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Error 401 Authentication required</title> </head> <body><h2>HTTP ERROR 401</h2> <p>Problem accessing /solr/ranger_audits/select. Reason: <pre> Authentication required</pre></p> </body> </html> Then, Solr log gives the following error: (I think Ranger Admin tries to authenticate itself with ID/PW instead of Kerberos, but why?) 2019-05-01 14:52:19,629 [qtp380936215-17] WARN [ ] apache.hadoop.security.authentication.server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:338) - 'Authorization' does not start with 'Negotiate' : Basic Og== Here are my settings: ------------- install.properties for Ranger Admin ------------- … audit_solr_urls=https://indigo21:6083/solr/ranger_audits audit_solr_user= audit_solr_password= audit_solr_zookeepers= … spnego_principal=HTTP/indigo21@RED spnego_keytab=/opt/mr3-run/ranger/key/spnego.service.keytab.indigo21 token_valid=30 cookie_domain=indigo21 cookie_path=/ admin_principal=rangeradmin/indigo21@RED admin_keytab=/opt/mr3-run/ranger/key/rangeradmin.keytab lookup_principal=rangerlookup/indigo21@RED lookup_keytab=/opt/mr3-run/ranger/key/rangerlookup.keytab hadoop_conf=/opt/mr3-run/ranger/conf … ------------- /opt/mr3-run/ranger/conf/core-site.xml ------------- <configuration> <property> <name>hadoop.security.authentication</name> <value>kerberos</value> </property> </configuration> -------------------------- What am I missing? Is there any compatibility issue? Best regards, Junseung P.S. How can I log into Ranger Admin UI with Kerberos ticket? I found out I can log in with Kerberos ticket in some cases.
