  1. Solr
  2. SOLR-11981

Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 5.5.5, 6.6.2, 7.2.1
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      On a secure env, when multiline (or space-separated) kerberos name rules are used (in solr.in), those values cannot be passed to the start script properly (using org.apache.solr.security.KerberosPlugin).

      Example:

      SOLR_JAAS_FILE=solr.jaas
      SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
      SOLR_KERB_PRINCIPAL=solr/myhost1.com@EXAMPLE.COM
      SOLR_KERB_NAME_RULES="RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0](solr@ADMIN.EXAMPLE.NET)s/.*/solr/"
      
      SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
      SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}" -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}
      

      that will cause:

      Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/host.example@ADMIN.EXAMPLE.NET 
      at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389) 
      at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
      

      Reason for that (probably): in the solr start script, there are multiple "${SOLR_OPTS[@]}"-like expansions (for auth props as well), which magically handle variables as arrays (separated by spaces or newlines).

      I have tried to add the solr.kerberos.name.rules property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use spaces/newlines there, even with quotes or escape characters.

      With Ambari we faced this issue before: https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to patch the start script to use -Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES" directly where the script starts the java process.

      You can close this jira as invalid if there is a workaround for that issue or it is fixed already; if not, then my proposed solution is to do something similar. (Maybe there are better places where to put that variable.)

            People

            • Assignee:
              Unassigned
              Reporter:
              oleewere Oliver Szabo
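
Added example (not part of the issue and not code from the Solr start script): a POSIX shell sketch of the word splitting the description reports, using the issue's own rules value. `rules_seen_by_jvm` and `argc` are hypothetical stand-ins for the java process, and `"$@"` follows the same quoting rule as `"${SOLR_OPTS[@]}"`.

```shell
#!/bin/sh
# Rules value copied from the issue. Single quotes keep $1 and $0 literal;
# inside double quotes the shell would expand them before Solr ever sees them.
RULES='RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0](solr@ADMIN.EXAMPLE.NET)s/.*/solr/'

# Hypothetical stand-in for the java process: prints the value of the
# solr.kerberos.name.rules property exactly as one argv entry delivers it.
rules_seen_by_jvm() {
  for arg in "$@"; do
    case $arg in
      -Dsolr.kerberos.name.rules=*)
        printf '%s\n' "${arg#-Dsolr.kerberos.name.rules=}" ;;
    esac
  done
}

# Hypothetical helper: number of argv entries the callee receives.
argc() { echo "$#"; }

# Flat option string expanded unquoted: the shell splits on every space, so
# only the first rule stays attached to the -D property and the other rules
# arrive as separate arguments. Runs in a subshell with globbing off (set -f)
# so that only word splitting is shown; the rules contain glob characters.
split_launch() (
  set -f
  opts="-Dsolr.kerberos.name.rules=$RULES"
  # shellcheck disable=SC2086
  "$1" $opts
)

# The workaround from the description: the property is passed as a single
# quoted word, so the spaces between the rules survive.
quoted_launch() {
  "$1" "-Dsolr.kerberos.name.rules=$RULES"
}

echo "split : $(split_launch argc) argv entries, rules = $(split_launch rules_seen_by_jvm)"
echo "quoted: $(quoted_launch argc) argv entry,   rules = $(quoted_launch rules_seen_by_jvm)"
```

In the split case the `[2:...]` rule is no longer part of the property value, so a two-component principal has no rule left to match.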