Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-9518

Kerberos Delegation Tokens doesn't work without a chrooted ZK

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.3, 7.0
    • Component/s: None
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels:
      None

      Description

      Starting up Solr 6.2.0 (with delegation tokens enabled) that doesn't have a chrooted ZK, I see the following in the startup logs:

      2016-09-15 07:08:22.453 ERROR (main) [   ] o.a.s.s.SolrDispatchFilter Could not start Solr. Check solr/home property and the logs
      2016-09-15 07:08:22.477 ERROR (main) [   ] o.a.s.c.SolrCore null:java.lang.StringIndexOutOfBoundsException: String index out of range: -1
              at java.lang.String.substring(String.java:1927)
              at org.apache.solr.security.KerberosPlugin.init(KerberosPlugin.java:138)
              at org.apache.solr.core.CoreContainer.initializeAuthenticationPlugin(CoreContainer.java:316)
              at org.apache.solr.core.CoreContainer.load(CoreContainer.java:442)
              at org.apache.solr.servlet.SolrDispatchFilter.createCoreContainer(SolrDispatchFilter.java:158)
              at org.apache.solr.servlet.SolrDispatchFilter.init(SolrDispatchFilter.java:134)
              at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:137)
              at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:856)
              at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:348)
              at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1379)
              at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1341)
              at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:772)
              at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:261)
              at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:517)
              at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
              at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:41)
              at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:188)
              at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:499)
              at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:147)
              at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:180)
      at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:458)
      at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:64)
      at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:610)
      at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:529)
      

      To me, it seems that adding a check for the presence of a chrooted ZK, and, calculating the relative ZK path only if it exists should suffice. I'll add a patch for this shortly.

      1. SOLR-9518.patch
        4 kB
        Ishan Chattopadhyaya
      2. SOLR-9518.patch
        3 kB
        Ishan Chattopadhyaya
      3. SOLR-9518.patch
        3 kB
        Ishan Chattopadhyaya
      4. SOLR-9518-6x.patch
        4 kB
        Ishan Chattopadhyaya

        Activity

        Hide
        ichattopadhyaya Ishan Chattopadhyaya added a comment -

        Here's a patch addressing the issue. I'll confirm that this works after a complete end-to-end testing.

        Show
        ichattopadhyaya Ishan Chattopadhyaya added a comment - Here's a patch addressing the issue. I'll confirm that this works after a complete end-to-end testing.
        Hide
        ichattopadhyaya Ishan Chattopadhyaya added a comment -

        Updating patch for master.

        Show
        ichattopadhyaya Ishan Chattopadhyaya added a comment - Updating patch for master.
        Hide
        ichattopadhyaya Ishan Chattopadhyaya added a comment -

        I tested this patch end to end for a ZK setup that doesn't use chroot and it works fine now.
        Gregory Chanan, can you please review?

        Show
        ichattopadhyaya Ishan Chattopadhyaya added a comment - I tested this patch end to end for a ZK setup that doesn't use chroot and it works fine now. Gregory Chanan , can you please review?
        Hide
        ichattopadhyaya Ishan Chattopadhyaya added a comment -

        Noble Paul, can you please review?

        Show
        ichattopadhyaya Ishan Chattopadhyaya added a comment - Noble Paul , can you please review?
        Hide
        jira-bot ASF subversion and git services added a comment -

        Commit 9b49c72dbc4d27a3160b34b5e38e095ca85daa6f in lucene-solr's branch refs/heads/master from Noble Paul
        [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=9b49c72 ]

        SOLR-9518: Kerberos Delegation Tokens don't work without a chrooted ZK

        Show
        jira-bot ASF subversion and git services added a comment - Commit 9b49c72dbc4d27a3160b34b5e38e095ca85daa6f in lucene-solr's branch refs/heads/master from Noble Paul [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=9b49c72 ] SOLR-9518 : Kerberos Delegation Tokens don't work without a chrooted ZK
        Hide
        ichattopadhyaya Ishan Chattopadhyaya added a comment -

        Thanks Noble. Here's the patch for branch_6x.

        Show
        ichattopadhyaya Ishan Chattopadhyaya added a comment - Thanks Noble. Here's the patch for branch_6x.
        Hide
        jira-bot ASF subversion and git services added a comment -

        Commit a973ca1752fccecee8db7d2a7a09ded7159e4c58 in lucene-solr's branch refs/heads/branch_6x from Noble Paul
        [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=a973ca1 ]

        SOLR-9518: Kerberos Delegation Tokens don't work without a chrooted ZK

        Show
        jira-bot ASF subversion and git services added a comment - Commit a973ca1752fccecee8db7d2a7a09ded7159e4c58 in lucene-solr's branch refs/heads/branch_6x from Noble Paul [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=a973ca1 ] SOLR-9518 : Kerberos Delegation Tokens don't work without a chrooted ZK
        Hide
        erickerickson Erick Erickson added a comment -

        Noble PaulIshan Chattopadhyaya can we close this ticket? The code's been committed....

        Show
        erickerickson Erick Erickson added a comment - Noble Paul Ishan Chattopadhyaya can we close this ticket? The code's been committed....
        Hide
        shalinmangar Shalin Shekhar Mangar added a comment -

        Closing after 6.3.0 release.

        Show
        shalinmangar Shalin Shekhar Mangar added a comment - Closing after 6.3.0 release.

          People

          • Assignee:
            noble.paul Noble Paul
            Reporter:
            ichattopadhyaya Ishan Chattopadhyaya
          • Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development