Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Won't Fix
-
5.5.5, 6.6.2, 7.2.1
-
None
-
None
Description
On secure env, when multiline (or space separated) kerberos name rules are used ( in solr.in), those values cannot be passed to .the start script properly. (using org.apache.solr.security.KerberosPlugin)
Example:
SOLR_JAAS_FILE=solr.jaas SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab SOLR_KERB_PRINCIPAL=solr/myhost1.com@EXAMPLE.COM SOLR_KERB_NAME_RULES="RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0](solr@ADMIN.EXAMPLE.NET)s/.*/solr/" SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer" SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}" -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}
that will cause:
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/host.example@ADMIN.EXAMPLE.NET at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
Reason for that (probably): in solr start script, there are multiple "${SOLR_OPTS[@]}-like (for auth props as well), which magically handle variables as arrays (separated by space or endlines).
I have tried to add solr.kerberos.name.rules property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but i could not using spaces/newlines there even with quotes or escape characters.
With Ambari we faced this issue before: https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to patch the start script to use -Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES" directly where the scripts starts the java process
You can close this jira invalid if there is a workaround for that issue or fixed already, if not, then my proposed solution to do something similar. (maybe there are better places where to put that variable)