You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Nikita Ilyushkin (Jira)" <ji...@apache.org> on 2020/07/03 21:48:00 UTC

[jira] [Created] (RANGER-2894) Plugins cannot interact with Solr with basic auth as audit targer

Nikita Ilyushkin created RANGER-2894:
----------------------------------------

             Summary: Plugins cannot interact with Solr with basic auth as audit targer
                 Key: RANGER-2894
                 URL: https://issues.apache.org/jira/browse/RANGER-2894
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 2.0.0, 1.1.0
            Reporter: Nikita Ilyushkin


There seems to be a problem with audit to Solr with [basic authentication|https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html].
 With the simple Solr cloud setup with basic auth every plugin I tried (HDFS, YARN, HBase, Hive) failed to write audit to it with the similar errors:
{code:java}
2020-06-25T19:39:35,248 ERROR [hiveServer2.async.batch_hiveServer2.async.batch.solr_destWriter] impl.CloudSolrClient: Request to collection [ranger_audits] failed due to (401) org.apache.solr.client.solrj.impl.H
ttpSolrClient$RemoteSolrException: Error from server at http://nilyushkin-hadoop-dev-0.ru-central1.internal:8983/solr/ranger_audits_shard1_replica_n1: Expected mime type application/octet-stream but got text/htm
l. <html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 require authentication</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/ranger_audits_shard1_replica_n1/update. Reason:
<pre>    require authentication</pre></p>
</body>
</html>
{code}
tcpdump confirms that no auth headers are in requests.
 Content of ranger-<service_name>-audit.xml:
{code:java}
    <property>
        <name>xasecure.audit.is.enabled</name>
        <value>true</value>
    </property>
    <property>
        <name>xasecure.audit.destination.solr</name>
        <value>true</value>
    </property>
    <property>
        <name>xasecure.audit.destination.solr.urls</name>
        <value>http://fqdn:8983/solr/ranger_audits</value>
    </property>
    <property>
        <name>xasecure.audit.destination.solr.user</name>
        <value>rangeraudit</value>
    </property>
    <property>
        <name>xasecure.audit.destination.solr.password</name>
        <value>admin</value>
    </property>
    <property>
        <name>xasecure.audit.destination.solr.zookeepers</name>
        <value>fqdn:2181/solr.server</value>
    </property>
    <property>
        <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
        <value>/srv/audit_solr_spool</value>
    </property>
{code}
The same results with xasecure.audit.destination.solr.urls instead xasecure.audit.destination.solr.zookeepers.

Ranger Admin on the other hand writes audit just fine with given credentials to the same Solr.


 Unsurprisingly, following Solr documentation (underlying solrj really) and adding:
{code:java}
-Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory -Dbasicauth=rangeraudit:admin
{code}
to the audited daemon (like HiveServer2) solves the problem.
 I also haven't found setBasicAuthCredentials (the second method of auth solrj provides) in the plugin sources or packages, so I assume it's just not implemented or bugged.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)