[SOLR-10199] Solr's Kerberos functionality does not work in Java9 due to dependency on hadoop's AuthenticationFilter which attempt access to JVM protected classes - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 8.1, 9.0
Component/s: Hadoop Integration
Labels:
- Java9

Description

(discovered this while working on test improvements for ~~SOLR-8052~~)

Our Kerberos based authn/authz features are all built on top of Hadoop's AuthenticationFilter which in turn uses Hadoop's KerberosUtil – but this does not work on Java9/jigsaw JVMs because that class in turn attempts to access sun.security.jgss.GSSUtil which is not exported by module java.security.jgss

This means that Solr users who depend on Kerberos will not be able to upgrade to Java9, even if they do not use any Hadoop specific features of Solr.

Example log messages...

   [junit4]   2> 6833 WARN  (qtp442059499-30) [    ] o.a.h.s.a.s.AuthenticationFilter Authentication exception: java.lang.IllegalAccessException: class org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b
   [junit4]   2> 6841 WARN  (TEST-TestSolrCloudWithKerberosAlt.testBasics-seed#[95A583AF82D1EBBE]) [    ] o.a.h.c.p.ResponseProcessCookies Invalid cookie header: "Set-Cookie: hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Ara, 01-Sa-1970 00:00:00 GMT; HttpOnly". Invalid 'expires' attribute: Ara, 01-Sa-1970 00:00:00 GMT

(NOTE: HADOOP-14115 is cause of malformed cookie expiration)

ultimately the client gets a 403 error (as seen in a testcase with patch from ~~SOLR-8052~~ applied and java9 assume commented out)...

   [junit4] ERROR   7.10s | TestSolrCloudWithKerberosAlt.testBasics <<<
   [junit4]    > Throwable #1: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://127.0.0.1:34687/solr: Expected mime type application/octet-stream but got text/html. <html>
   [junit4]    > <head>
   [junit4]    > <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
   [junit4]    > <title>Error 403 </title>
   [junit4]    > </head>
   [junit4]    > <body>
   [junit4]    > <h2>HTTP ERROR: 403</h2>
   [junit4]    > <p>Problem accessing /solr/admin/collections. Reason:
   [junit4]    > <pre>    java.lang.IllegalAccessException: class org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b</pre></p>
   [junit4]    > <hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.3.14.v20161028</a><hr/>
   [junit4]    > </body>
   [junit4]    > </html>

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SOLR-10199.patch
02/Feb/19 15:48
3 kB
Kevin Risden

Issue Links

blocks

SOLR-8182 TestSolrCloudWithKerberosAlt fails consistently on JDK9

Closed

depends upon

HADOOP-10848 Cleanup calling of sun.security.krb5.Config

Resolved

SOLR-9515 Update to Hadoop 3

Closed

is blocked by

SOLR-10210 Solr features based on Hadoop that do not work on Java9

Closed

Is contained by

SOLR-12809 Document recommended Java/Solr combinations

Closed

is related to

SOLR-8052 Tests using MiniKDC do not work with Java 9 Jigsaw

Closed

(1 is related to)

Activity

People

Assignee:: Kevin Risden

Reporter:: Chris M. Hostetter

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 24/Feb/17 01:23

Updated:: 12/May/22 00:26

Resolved:: 02/Feb/19 17:05