Thank you very much Just to be sure I am clear, I notice that Solr9.2 documentation has separate sections: * for Kerberos authentication (solr.apache.org/guide/solr/9_2/deployment-guide/kerberos-authentication-plugin.html) with its own startup parameters, its own example of security.json, and its own jaas-client.conf file, * and also for Hadoop authentication (solr.apache.org/guide/solr/9_2/deployment-guide/hadoop-authentication-plugin.html) with its own different startup parameters, its own different example of security.json, and no reference to any jaas-client.conf file
Am I correct in thinking that the documentation was accurate for previous versions of Solr, but that this distinction was inadvertently retained in the Solr 9 documentation? In any event, my current concern is a proof-of-concept question "is there an easy standard way to configure Solr to use Kerberos (keeping in mind that we will soon move to Solr 10)"; and it sound like the answer to the question is "no" Thank you again for clarifying -----Original Message----- From: Gus Heck <[email protected]> Sent: Monday, February 9, 2026 8:58 PM To: [email protected] Subject: [EXTERNAL] Re: Where to find KerberosPlugin in Solr 9.2 Before you invest a whole lot of effort into kerberos setup, please be aware that Kerberos authentication was a feature riding on top of hadoop integration, and few if any contributors used it. AFAIK nobody currently active really knows how to maintain it, so it is going away in 10.x See https://issues.apache.org/jira/browse/SOLR-17540 - a user survey was conducted, and this was discussed on user and dev lists, but nobody voiced support for the Hadoop integration. Until a new contribution brings it back, you will need to maintain and support the Kerberos authentication plugin code yourself in Solr 10+ The good news is it's open source so you or anyone else is free to keep using or modifying it as you wish (if able). Soon, I expect to explore creating a second authorization plugin based on Apache Shiro, and there *were* at one time kerberos/SPEGNOS plugins for that in apache Aurora (but now it's in the attic). It also looks like that at some point Zepplin has been configuring Shiro with kerberos: https://zeppelin.apache.org/docs/0.9.0/setup/security/shiro_authentication.html#http-spnego-authentication. So maybe some of that can be leveraged somehow, although it also seems to be based on Hadoop Auth. I don't think bringing back a Solr dependency on HadoopAuth is going to fly. It was a serious drag on our time, and held us back due to its numerous dependency CVEs and slow dependency evolution. I have very little contact with Windows/Kerberos, but if Kerberos SPEGNO is useful to anyone in the community, we certainly encourage them to participate in discussions and contribute code or knowledge about Kerberos (which most if not all of the active committers lack). -Gus On Fri, Feb 6, 2026 at 11:18 AM Oakley, Craig (NIH/NLM/NCBI) [C] via users < [email protected]> wrote: > I am trying to get Kerberos to work with Solr 9.2 > > After following the instructions of > https://solr.apache.org/guide/solr/9_2/deployment-guide/kerberos-authentication-plugin.html > the instance was not restarting, complaining > "org.apache.solr.common.SolrException: Error loading class > 'solr.KerberosPlugin'" and "ClassNotFoundException: solr.KerberosPlugin": I > searched under solr-9.2.1/modules for files which sounded as though they > might relate to Kerberos, and so added hadoop_auth to SOLR_MODULES: that > allows Solr to run without errors, but it does not allow me to do anything > (complaining "GSSException: Failure unspecified at GSS-API level (Mechanism > level: Invalid argument (400) - Cannot find key of appropriate type to > decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)"; I then noticed a > separate section of the documentation for Hadoop Authentication with a > different security.json (and no requirements for specifying JAAS config > files nor keytab files): I tried that security.json (with & without JAAS > config files and/or keytab files), but continue to get similar GSSException > errors. > > Running "jar tvf" for all the jar files under all of solr-9.2.1, nothing > seems to have solr.KerberosPlugin; I don't know whether finding a solution > to this SolrException would solve the problem (without Hadoop) or if you > may have other suggestions > > Craig Oakley > Contract Worker (Other) > National Library of Medicine > National Institutes of Health > Building 45, room 6AS37D-57 > 301-496-6175 > [email protected]<mailto:[email protected]> > > -- http://www.needhamsoftware.com/ (work) https://a.co/d/b2sZLD9 (my fantasy fiction book) CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and are confident the content is safe.
