Posted to solr-user@lucene.apache.org by Everly Okorji <ev...@gmail.com> on 2018/06/18 21:57:32 UTC

Configuring SolrJ for Kerberized Environments

Hi,

So, for context, I have very little experience with Kerberos. The
environment has SolrCloud configured, and I am using SolrJ libraries from
Solr 7.0.0 and attempting to set up my application to be able to make Solr
requests when Kerberos is enabled. Specifically, I am making a request to
add solr fields to my schema. The same request is successful when Kerberos
is not enabled. Also, note that I am able to

I went over the documentation which looks to be outdated - at least the *Using
SolrJ with a Kerberized Solr* section - as it references a removed class
*Krb5HttpClientConfigurer*. I tried to use the *Krb5HttpClientBuilder*
class to simulate the behavior, but it seems that my configuration is
incomplete or incorrect, as I have gotten a number of errors depending on
what was tried:

- I attempted to use the Krb5HttpClientBuilder to replicate the behavior,
but I kept getting an error with the following cause when the request is made:
Caused by: org.apache.http.client.NonRepeatableRequestException: Cannot retry request with a non-repeatable request entity.
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:225)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    ... 38 more


Based on this, I included a line to allow for preemptive authentication by
setting the following before configuring the builder:
HttpClientUtil.addRequestInterceptor(new PreemptiveAuth(new SPNegoScheme()));

Based on this new configuration, I am now seeing a checksum failure error:
Caused by: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://<host>/solr/pantheon: Expected mime type application/octet-stream but got text/html. <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /solr/pantheon/schema. Reason:
<pre>    GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>

    at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:591)
    at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:253)
    at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:242)
    at org.apache.solr.client.solrj.impl.LBHttpSolrClient.doRequest(LBHttpSolrClient.java:483)
    at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:436)
    ... 31 more

I understand that the GSS API is responsible for actually fetching the
Kerberos ticket for a client, and then authenticating and authorizing my
application to talk to the solr server. I'm just not sure if the
application is pulling the correct credentials or where exactly this
failure is happening, if it is related to my configuration or if I am just
using an untested approach.

This is what my jaas config file looks like. According to the docs, I first
tried with just the *Client* configuration, and then I added the
*SolrJClient* config to see if that helped. No change in behavior.
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=true
  debug=true
  keyTab="<my_keytab_location>"
  principal="<my_principal>";
};

SolrJClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="<my_keytab_location>"
  storeKey=true
  useTicketCache=true
  debug=true
  principal="<my_principal>";
};

Random facts to note, including some of the many things I tried:
- I tried setting my jaas config useTicketCache=false, same error.
- The system property java.security.auth.login.config is set to point to
the jaas config for the application.
- The solr parameter PROP_FOLLOW_REDIRECTS is set to false.
- Zookeeper is used. I tried using the solr url instead of a zkUrl when
building the CloudSolrClient, no luck there either.


Could this also be a problem with my principals or jaas configuration? More
specifically, what are the correct steps to follow on SolrJ 7.0.0 on a
kerberized environment? If I have that and can follow step-by-step, at
least I know where things fail. At the moment, I'm running around in
circles and not sure what I'm looking for. A lot of StackOverflow questions
were looked at and tried, but either I'm stepping on my own toes or my
issue seems to be unique. Hopefully someone can spot something I missed.


Regards,
Everly
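Putting the steps the post walks through into one place, as an added example that is not code from the post or from the Solr project: SolrJ 7.0 with Krb5HttpClientBuilder, which reads the JAAS section named by solr.kerberos.jaas.appname (default "Client"). The JAAS file path, ZooKeeper address and field definition are placeholders; the collection name pantheon comes from the post.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.solr.client.solrj.impl.CloudSolrClient;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder;
import org.apache.solr.client.solrj.request.schema.SchemaRequest;
import org.apache.solr.client.solrj.response.schema.SchemaResponse;

public class KerberizedSolrJExample {

    public static void main(String[] args) throws Exception {
        // 1. Point the JVM at the JAAS login configuration before any SolrJ
        //    client is built (placeholder path).
        System.setProperty("java.security.auth.login.config", "/path/to/jaas-client.conf");

        // 2. Krb5HttpClientBuilder resolves the JAAS section by this property;
        //    "Client" is the default, so it must match the section name in the
        //    file (the post's file has both "Client" and "SolrJClient").
        System.setProperty("solr.kerberos.jaas.appname", "Client");

        // 3. Install the Kerberos-aware builder globally; every SolrClient
        //    created afterwards negotiates SPNego with the keytab principal.
        HttpClientUtil.setHttpClientBuilder(new Krb5HttpClientBuilder().getBuilder());

        // 4. Build the client against ZooKeeper (placeholder connect string).
        try (CloudSolrClient client = new CloudSolrClient.Builder()
                .withZkHost("zk1:2181,zk2:2181/solr")
                .build()) {
            client.setDefaultCollection("pantheon");

            // A body-less GET first: if this fails with a GSS error the
            // problem is the ticket/keytab/principal, not the POST entity.
            SchemaResponse.FieldsResponse fields = new SchemaRequest.Fields().process(client);
            System.out.println("existing fields: " + fields.getFields().size());

            // Then the POST that adds a field (constructed field definition).
            Map<String, Object> def = new LinkedHashMap<>();
            def.put("name", "example_s");
            def.put("type", "string");
            def.put("stored", true);
            SchemaResponse.UpdateResponse rsp = new SchemaRequest.AddField(def).process(client);
            System.out.println("addField status: " + rsp.getStatus());
        }
    }
}
```

Running with -Dsun.security.krb5.debug=true alongside debug=true in the JAAS file prints which keytab and principal the login module actually used, which separates a credential problem from an HTTP-client one.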