Posted to dev@lucene.apache.org by "Alexandre Rafalovitch (JIRA)" <ji...@apache.org> on 2016/08/09 14:40:20 UTC

[jira] [Commented] (SOLR-6556) User from trusted kerberos realm can't access admin console

    [ https://issues.apache.org/jira/browse/SOLR-6556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15413630#comment-15413630 ] 

Alexandre Rafalovitch commented on SOLR-6556:
---------------------------------------------

This is a two-year-old issue and all the components have been upgraded. Is it still reproducible on the latest Solr/Hadoop?

> User from trusted kerberos realm can't access admin console 
> ------------------------------------------------------------
>
>                 Key: SOLR-6556
>                 URL: https://issues.apache.org/jira/browse/SOLR-6556
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 4.4
>         Environment: CDH5.1.2 + Kerberos + Sentry
>            Reporter: Andrejs Dubovskis
>            Priority: Minor
>
> SOLR security is configured according to [this document|http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5sg_search_security.html].
> A user from the primary realm (used by the Hadoop cluster itself) can access the console, but a user from the trusted realm can't.
> {code}
> Sep 24, 2014 9:30:13 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet LoadAdminUI threw exception
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to admin@TRUSTED.REALM
>         at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:359)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:415)
>         at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329)
>         at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:349)
>         at org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:148)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.solr.servlet.HostnameFilter.doFilter(HostnameFilter.java:86)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>         at java.lang.Thread.run(Thread.java:745)
> {code}
> The required Kerberos auth_to_local rules are defined in the hadoop/core-site.xml file and were added to /etc/krb5.conf as well.
> Other CDH components (for example, Impala) use these rules and allow access for users from the trusted domain.



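Added example, not part of the original message and not Hadoop's own code: a simplified Python model of how an auth_to_local rule list is evaluated (first matching rule wins). It shows that a list containing only DEFAULT yields the "No rules applied to admin@TRUSTED.REALM" error from the report, while a rule for the trusted realm maps the same principal to a short name. The default realm name PRIMARY.REALM and the sample rule are constructed for illustration; rule extensions such as the /L flag are not modelled.

```python
import re

class NoMatchingRule(Exception):
    """Raised when no rule in the list maps the principal."""

# RULE:[n:format](match)s/from/to/g  (the match and substitution parts are optional)
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def short_name(principal, rules, default_realm):
    """Map a Kerberos principal to a local short name; the first matching rule wins."""
    name, _, realm = principal.partition("@")
    params = [realm] + name.split("/")           # $0 = realm, $1.. = name components
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps principals that belong to the local default realm
            if realm == default_realm:
                return params[1]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        n, fmt, match, frm, to, repeat = m.groups()
        if int(n) != len(params) - 1:
            continue                             # rule is for another component count
        base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        result = base if frm is None else re.sub(frm, to, base, count=0 if repeat else 1)
        if "@" in result or "/" in result:
            raise NoMatchingRule("Non-simple name %s after rule %s" % (result, rule))
        return result
    raise NoMatchingRule("No rules applied to " + principal)

DEFAULT_REALM = "PRIMARY.REALM"                  # constructed placeholder realm name
ONLY_DEFAULT = ["DEFAULT"]                       # no rule covers the trusted realm
WITH_TRUSTED = [r"RULE:[1:$1@$0](.*@TRUSTED\.REALM)s/@.*//", "DEFAULT"]  # constructed rule

def try_map(principal, rules):
    """Return the short name, or the error text when no rule applies."""
    try:
        return short_name(principal, rules, DEFAULT_REALM)
    except NoMatchingRule as e:
        return str(e)

if __name__ == "__main__":
    for rules in (ONLY_DEFAULT, WITH_TRUSTED):
        print(rules, "->", try_map("admin@TRUSTED.REALM", rules))
```

When triaging this class of error, compare the rule list actually loaded by the failing process against the one in core-site.xml; the exception only shows that the loaded list had no match for the trusted realm.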