Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-5148

Solr processors failing to authenticate against Kerberized Solr

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.6.0
    • 1.7.0
    • None
    • None

    Description

      It appears that with the new default value of "useSubjectCredsOnly=true" in NiFi's bootstrap.conf that this can cause an issue for the Solr processors when talking to a kerberized Solr.

      The SolrJ client code that we are using specifically calls this out as being problematic:

      https://github.com/apache/lucene-solr/blob/branch_6x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L75-L88

      We should refactor the kerberos approach in the Solr processors to resolve this issue and make general improvements. We should be performing a JAAS login and wrapping calls in Subject.doAs, and we should try and move away from the system level JAAS property and leverage the new keytab controller service.

       

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. SOLR-13726 Krb5HttpClientBuilder avoid setting javax.security.auth.useSubjectCredsOnly

          • Major - Major loss of function.
          • Open
          links to

          Web Link GitHub Pull Request #2674

          Activity

            People

              bbende Bryan Bende
              bbende Bryan Bende
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: