Hi

Try adding solr JAAS config in the conf folder of ranger

 > cat ranger_solr_jaas.conf

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/opt/mr3-run/ranger/key/rangeradmin.keytab"
  principal="rangeradmin/indigo21@RED";
};

Thanks,
Ramesh

From: QQQ QQQ <j5hw...@gmail.com>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Wednesday, May 1, 2019 at 11:12 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Ranger fails to query to Kerberized Solr


Hi,



I'm trying to dockerize Ranger and Solr in standalone mode for audit store, and 
I want Solr to be secure (with Kerberized authentication and authorization).

I tried:

Ranger 1.2.0 + Solr 6.6.6

Ranger 1.2.0 + Solr 8.0.0

Ranger 2.0.0 + Solr 8.0.0 (Ranger 2.0.0 is compiled from the master branch 
(8202ed4aed53ad93a21b27dcf83cdf7102678fa0))



I succeeded in opening the Solr UI with Firefox, and the Hive-plugin-enabled 
HiveServer2 succeeded in logging audits to Solr. However, Ranger Admin fails to 
query Kerberized Solr.

Especially, when I log in to the Ranger Admin UI with an admin account and go to 
Audit-Access, the following error message pops up:



Error running solr query, please check solr configs. Error from server at 
https://indigo21:6083/solr/ranger_audits: Expected mime type 
application/octet-stream but got text/html. <html> <head> <meta 
http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Error 401 
Authentication required</title> </head> <body><h2>HTTP ERROR 401</h2> 
<p>Problem accessing /solr/ranger_audits/select. Reason: <pre> Authentication 
required</pre></p> </body> </html>



Then, Solr log gives the following error:

(I think Ranger Admin tries to authenticate itself with ID/PW instead of 
Kerberos, but why?)



2019-05-01 14:52:19,629 [qtp380936215-17] WARN  [   ] 
apache.hadoop.security.authentication.server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:338) - 'Authorization' does not start with 
'Negotiate' :  Basic Og==



Here are my settings:

------------- install.properties for Ranger Admin -------------

...
audit_solr_urls=https://indigo21:6083/solr/ranger_audits
audit_solr_user=
audit_solr_password=
audit_solr_zookeepers=
...
spnego_principal=HTTP/indigo21@RED
spnego_keytab=/opt/mr3-run/ranger/key/spnego.service.keytab.indigo21
token_valid=30
cookie_domain=indigo21
cookie_path=/
admin_principal=rangeradmin/indigo21@RED
admin_keytab=/opt/mr3-run/ranger/key/rangeradmin.keytab
lookup_principal=rangerlookup/indigo21@RED
lookup_keytab=/opt/mr3-run/ranger/key/rangerlookup.keytab
hadoop_conf=/opt/mr3-run/ranger/conf
...



------------- /opt/mr3-run/ranger/conf/core-site.xml -------------

<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
</configuration>

--------------------------



What am I missing? Is there any compatibility issue?



Best regards,

Junseung



P.S. How can I log into Ranger Admin UI with Kerberos ticket? I found out I can 
log in with Kerberos ticket in some cases.
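
Added example (not part of the original thread, and not Ranger or Solr code): the Solr warning quoted above shows the rejected header as `Basic Og==`. This Python snippet extracts such headers from the log and decodes them, showing that `Og==` is an empty user name and empty password sent as HTTP Basic rather than a SPNEGO `Negotiate` token. The function name, the second log entry and its `audituser:example` credentials are constructed for illustration.

```python
import base64
import binascii
import re

# Matches the header value that KerberosAuthenticationHandler logs when it
# rejects a request, in the form shown by the Solr warning in the thread.
HEADER_RE = re.compile(
    r"'Authorization' does not start with 'Negotiate'\s*:\s*"
    r"(?P<scheme>\S+)(?:\s+(?P<value>\S+))?"
)

def classify_authorization(log_text):
    """Return one finding per rejected Authorization header in log_text."""
    # Entries may be hard-wrapped (as in the email), so collapse whitespace.
    flat = " ".join(log_text.split())
    findings = []
    for m in HEADER_RE.finditer(flat):
        scheme, value = m.group("scheme"), m.group("value") or ""
        finding = {"scheme": scheme, "user": None, "password_present": None}
        if scheme.lower() == "basic":
            try:
                raw = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                finding["error"] = "not valid base64"
            else:
                user, _, password = raw.decode("utf-8", "replace").partition(":")
                finding["user"] = user
                # Report only whether a password was sent, never its value.
                finding["password_present"] = bool(password)
        findings.append(finding)
    return findings

# First entry is the warning from the thread; the second is constructed.
SAMPLE_LOG = (
    "2019-05-01 14:52:19,629 [qtp380936215-17] WARN  [   ] \n"
    "apache.hadoop.security.authentication.server.KerberosAuthenticationHandler \n"
    "(KerberosAuthenticationHandler.java:338) - 'Authorization' does not start with \n"
    "'Negotiate' :  Basic Og==\n"
    "2019-05-01 14:53:02,101 [constructed] WARN - 'Authorization' does not start "
    "with 'Negotiate' :  Basic "
    + base64.b64encode(b"audituser:example").decode() + "\n"
)

if __name__ == "__main__":
    for f in classify_authorization(SAMPLE_LOG):
        print(f)
```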
