Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-10199

Solr's Kerberos functionality does not work in Java9 due to dependency on hadoop's AuthenticationFilter which attempt access to JVM protected classes

    XMLWordPrintableJSON

    Details

      Description

      (discovered this while working on test improvements for SOLR-8052)

      Our Kerberos based authn/authz features are all built on top of Hadoop's AuthenticationFilter which in turn uses Hadoop's KerberosUtil – but this does not work on Java9/jigsaw JVMs because that class in turn attempts to access sun.security.jgss.GSSUtil which is not exported by module java.security.jgss

      This means that Solr users who depend on Kerberos will not be able to upgrade to Java9, even if they do not use any Hadoop specific features of Solr.


      Example log messages...

         [junit4]   2> 6833 WARN  (qtp442059499-30) [    ] o.a.h.s.a.s.AuthenticationFilter Authentication exception: java.lang.IllegalAccessException: class org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b
         [junit4]   2> 6841 WARN  (TEST-TestSolrCloudWithKerberosAlt.testBasics-seed#[95A583AF82D1EBBE]) [    ] o.a.h.c.p.ResponseProcessCookies Invalid cookie header: "Set-Cookie: hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Ara, 01-Sa-1970 00:00:00 GMT; HttpOnly". Invalid 'expires' attribute: Ara, 01-Sa-1970 00:00:00 GMT
      

      (NOTE: HADOOP-14115 is cause of malformed cookie expiration)

      ultimately the client gets a 403 error (as seen in a testcase with patch from SOLR-8052 applied and java9 assume commented out)...

         [junit4] ERROR   7.10s | TestSolrCloudWithKerberosAlt.testBasics <<<
         [junit4]    > Throwable #1: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://127.0.0.1:34687/solr: Expected mime type application/octet-stream but got text/html. <html>
         [junit4]    > <head>
         [junit4]    > <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
         [junit4]    > <title>Error 403 </title>
         [junit4]    > </head>
         [junit4]    > <body>
         [junit4]    > <h2>HTTP ERROR: 403</h2>
         [junit4]    > <p>Problem accessing /solr/admin/collections. Reason:
         [junit4]    > <pre>    java.lang.IllegalAccessException: class org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b</pre></p>
         [junit4]    > <hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.3.14.v20161028</a><hr/>
         [junit4]    > </body>
         [junit4]    > </html>
      

        Attachments

        1. SOLR-10199.patch
          3 kB
          Kevin Risden

          Issue Links

            Activity

              People

              • Assignee:
                krisden Kevin Risden
                Reporter:
                hossman Chris M. Hostetter
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: