Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
Description
(discovered this while working on test improvements for SOLR-8052)
Our Kerberos based authn/authz features are all built on top of Hadoop's AuthenticationFilter which in turn uses Hadoop's KerberosUtil – but this does not work on Java9/jigsaw JVMs because that class in turn attempts to access sun.security.jgss.GSSUtil which is not exported by module java.security.jgss
This means that Solr users who depend on Kerberos will not be able to upgrade to Java9, even if they do not use any Hadoop specific features of Solr.
Example log messages...
[junit4] 2> 6833 WARN (qtp442059499-30) [ ] o.a.h.s.a.s.AuthenticationFilter Authentication exception: java.lang.IllegalAccessException: class org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b [junit4] 2> 6841 WARN (TEST-TestSolrCloudWithKerberosAlt.testBasics-seed#[95A583AF82D1EBBE]) [ ] o.a.h.c.p.ResponseProcessCookies Invalid cookie header: "Set-Cookie: hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Ara, 01-Sa-1970 00:00:00 GMT; HttpOnly". Invalid 'expires' attribute: Ara, 01-Sa-1970 00:00:00 GMT
(NOTE: HADOOP-14115 is cause of malformed cookie expiration)
ultimately the client gets a 403 error (as seen in a testcase with patch from SOLR-8052 applied and java9 assume commented out)...
[junit4] ERROR 7.10s | TestSolrCloudWithKerberosAlt.testBasics <<< [junit4] > Throwable #1: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://127.0.0.1:34687/solr: Expected mime type application/octet-stream but got text/html. <html> [junit4] > <head> [junit4] > <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/> [junit4] > <title>Error 403 </title> [junit4] > </head> [junit4] > <body> [junit4] > <h2>HTTP ERROR: 403</h2> [junit4] > <p>Problem accessing /solr/admin/collections. Reason: [junit4] > <pre> java.lang.IllegalAccessException: class org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b</pre></p> [junit4] > <hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.3.14.v20161028</a><hr/> [junit4] > </body> [junit4] > </html>
Attachments
Attachments
Issue Links
- blocks
-
SOLR-8182 TestSolrCloudWithKerberosAlt fails consistently on JDK9
- Closed
- depends upon
-
HADOOP-10848 Cleanup calling of sun.security.krb5.Config
- Resolved
-
SOLR-9515 Update to Hadoop 3
- Closed
- is blocked by
-
SOLR-10210 Solr features based on Hadoop that do not work on Java9
- Closed
- Is contained by
-
SOLR-12809 Document recommended Java/Solr combinations
- Closed
- is related to
-
SOLR-8052 Tests using MiniKDC do not work with Java 9 Jigsaw
- Closed