  1. Solr
  2. SOLR-11981

Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Won't Fix
    • 5.5.5, 6.6.2, 7.2.1
    • None
    • security
    • None

    Description

      On a secure env, when multiline (or space-separated) Kerberos name rules are used (in solr.in), those values cannot be passed to the start script properly (using org.apache.solr.security.KerberosPlugin).

      Example:

      SOLR_JAAS_FILE=solr.jaas
      SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
      SOLR_KERB_PRINCIPAL=solr/myhost1.com@EXAMPLE.COM
      SOLR_KERB_NAME_RULES="RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0](solr@ADMIN.EXAMPLE.NET)s/.*/solr/"
      
      SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
      SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}" -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}
      

      that will cause:

      Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/host.example@ADMIN.EXAMPLE.NET 
      at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389) 
      at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
      

      Reason for that (probably): in the Solr start script, there are multiple "${SOLR_OPTS[@]}"-like expansions (for auth props as well), which magically handle variables as arrays (separated by spaces or newlines).

      I have tried to add the solr.kerberos.name.rules property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use spaces/newlines there, even with quotes or escape characters.

      With Ambari we faced this issue before: https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to patch the start script to use -Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES" directly where the script starts the java process.

      You can close this Jira as invalid if there is a workaround for that issue or it is fixed already; if not, then my proposed solution is to do something similar. (Maybe there are better places to put that variable.)
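The word splitting described in the report can be reproduced in isolation. The sketch below is an added example, not the reporter's code and not Solr's start script: `jvm_name_rules` and `jvm_argc` are hypothetical stand-ins for the java process, and `AUTH_OPTS` is an assumed flat option string holding the name rules from the report.

```shell
#!/bin/sh
# Constructed sample: the three rules from the report. Single quotes keep the
# $1 and $0 inside the rules literal instead of letting the shell expand them.
SOLR_KERB_NAME_RULES='RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0](solr@ADMIN.EXAMPLE.NET)s/.*/solr/'
AUTH_OPTS="-Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}"

# Hypothetical stand-in for the java process: print the value it would see
# for solr.kerberos.name.rules (one argv entry is one -D option).
jvm_name_rules() {
  for arg in "$@"; do
    case $arg in
      -Dsolr.kerberos.name.rules=*)
        printf '%s\n' "${arg#-Dsolr.kerberos.name.rules=}"
        return 0 ;;
    esac
  done
  return 1
}

# Hypothetical stand-in that reports how many arguments the process received.
jvm_argc() { echo "$#"; }

# Unquoted expansion: the shell splits the value on whitespace, so only the
# first rule stays attached to the -D option. set -f (inside a subshell) keeps
# the [ ] and * characters in the rules from being matched against file names,
# which an unquoted expansion would otherwise also attempt.
rules_unquoted() ( set -f; jvm_name_rules $AUTH_OPTS )
argc_unquoted()  ( set -f; jvm_argc $AUTH_OPTS )

# Quoted expansion: the complete rule set is passed as a single argument.
rules_quoted() { jvm_name_rules "$AUTH_OPTS"; }
argc_quoted()  { jvm_argc "$AUTH_OPTS"; }

printf 'unquoted: %s argument(s), rules seen: %s\n' "$(argc_unquoted)" "$(rules_unquoted)"
printf 'quoted:   %s argument(s), rules seen: %s\n' "$(argc_quoted)" "$(rules_quoted)"
```

In the unquoted case the process receives only the first rule, which is consistent with the `NoMatchingRule` error above for a principal that only a later rule would match.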

          People

            Unassigned Unassigned
            oleewere Oliver Szabo