You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@solr.apache.org by jr...@tutanota.com.INVALID on 2021/09/01 20:48:46 UTC

How to get rid of this Warning "WARN (qtp1533985074-57) [ ] o.a.h.s.a.u.KerberosName auth_to_local rule mechanism not set.Using default of hadoop"

Hello everybody, this is my first time asking for support here. I normally search in the web and look in the forums list but I don't know how to do it here, I am very clumsy with mailing list, so If this post is duplicated or someone else has asked this question before I would appreciate if you point me where to look.

I configured Solr authentication this guide:

https://solr.apache.org/guide/8_9/kerberos-authentication-plugin.html

Everything is working OK, I just receive this warning message so often:

2021-09-01 20:29:46.789 WARN  (qtp1533985074-61) [   ] o.a.h.s.a.u.KerberosName auth_to_local rule mechanism not set.Using default of hadoop

I don't know what to do to get rid of this. I personally want to make a right configuration in the right file instead of just disabling the warning.

I just configured the "solr.kerberos.name <http://solr.kerberos.name>.rules" in the solr.in.sh <http://solr.in.sh> but it seems to be ignored.  I don't know if I have to make an extra configuration in the FreeIPA or maybe I am missing another configuration file. As I understand this warning should be if I use HDFS or Hadoop Authentication but this is not the case.

This is the content of my solr.in.sh <http://solr.in.sh> file:

SOLR_PID_DIR="/opt/var/solr"
SOLR_HOME="/opt/var/solr/data"
LOG4J_PROPS="/opt/var/solr/log4j2.xml"
SOLR_LOGS_DIR="/opt/var/solr/logs"
SOLR_PORT="8983"
SOLR_HEAP="6g"
SOLR_HOST="sa3secglbsolr01.a3sec.local"
ZK_HOST="sa3secglbzkpt01.a3sec.local:2181,sa3secglbzkpt02.a3sec.local:2181,sa3secglbzkpt03.a3sec.local:2181/solr"

# Settings for ZK ACL
SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider \
  -DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider \
  -DzkDigestUsername=admin-user -DzkDigestPassword=anypassword \
  -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=anypassword"
SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"

# Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
SOLR_SSL_KEY_STORE_PASSWORD=<Anypassword>
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.p12
SOLR_SSL_TRUST_STORE_PASSWORD=<Anypassword>
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
# this to false can be useful to disable these checks when re-using a certificate on many hosts
SOLR_SSL_CHECK_PEER_NAME=true

KERBEROS_RULE="RULE:[1:\$1@\$0](.*A3SEC.LOCAL)s/@.*//"
SOLR_AUTH_TYPE="kerberos"
SOLR_AUTHENTICATION_OPTS="-Djava.security <http://Djava.security>.auth.login.config=/home/debian/jaas-client.conf -Dsolr.kerberos.cookie.domain=sa3secglbsolr01.a3sec.local -Dsolr.kerberos.cookie.portaware=true -Dsolr.kerberos.principal=HTTP/sa3secglbsolr01.a3sec.local@A3SEC.LOCAL -Dsolr.kerberos.keytab=/home/debian/sa3secglbsolr01.keytab -Dsolr.kerberos.name <http://Dsolr.kerberos.name>.rules=$KERBEROS_RULE"

In the worst case, is there a way to disable that specific Warning?

Best regards.

Re: How to get rid of this Warning "WARN (qtp1533985074-57) [ ] o.a.h.s.a.u.KerberosName auth_to_local rule mechanism not set.Using default of hadoop"

Posted by jr...@tutanota.com.INVALID.

Hello again, firstable, thanks to Chriss and Shawn for your replies. I opened the jira ticket:

https://issues.apache.org/jira/browse/SOLR-15617
At the moment I disabled the warning in the log4j2.xml 

Thanks for everything.



Sep 2, 2021, 00:21 by hossman_lucene@fucit.org:

>
> : Everything is working OK, I just receive this warning message so often:
> : 
> : 2021-09-01 20:29:46.789 WARN  (qtp1533985074-61) [   ] o.a.h.s.a.u.KerberosName auth_to_local rule mechanism not set.Using default of hadoop
>
>  ...
>
> : file. As I understand this warning should be if I use HDFS or Hadoop 
> : Authentication but this is not the case.
>
> IIUC, the Solr KerberosPlugin uses hadoop Kerberos utility classes 
> under the covers, even when you aren't explicitly using hadoop based 
> authentication ... i gather that one/some of those utilities make 
> assumptions about how they are being used.
>
> I don't know that there is anything you personally can change about how 
> solr is configured to prevent this WARN from happening ... from poking 
> around the KerberosName.java code, i gather that somewhere in the Solr 
> KerberosPlugin lifecycle, solr should be calling 
> KerberosName.setRuleMechanism(...) (or calling some other hadoop kerberos 
> helper util in such a way that it calls that method)
>
> Can you please file a jira pointing out this warning and this email 
> thread? ... in the meantime i think the only thing you can do is disable 
> the WARN level from the KerberosName logger in your log4j config.
>
>
> -Hoss
> http://www.lucidworks.com/
>

Re: How to get rid of this Warning "WARN (qtp1533985074-57) [ ] o.a.h.s.a.u.KerberosName auth_to_local rule mechanism not set.Using default of hadoop"

Posted by Chris Hostetter <ho...@fucit.org>.

: Everything is working OK, I just receive this warning message so often:
: 
: 2021-09-01 20:29:46.789 WARN  (qtp1533985074-61) [   ] o.a.h.s.a.u.KerberosName auth_to_local rule mechanism not set.Using default of hadoop

	...

: file. As I understand this warning should be if I use HDFS or Hadoop 
: Authentication but this is not the case.

IIUC, the Solr KerberosPlugin uses hadoop Kerberos utility classes 
under the covers, even when you aren't explicitly using hadoop based 
authentication ... i gather that one/some of those utilities make 
assumptions about how they are being used.

I don't know that there is anything you personally can change about how 
solr is configured to prevent this WARN from happening ... from poking 
around the KerberosName.java code, i gather that somewhere in the Solr 
KerberosPlugin lifecycle, solr should be calling 
KerberosName.setRuleMechanism(...) (or calling some other hadoop kerberos 
helper util in such a way that it calls that method)

Can you please file a jira pointing out this warning and this email 
thread? ... in the meantime i think the only thing you can do is disable 
the WARN level from the KerberosName logger in your log4j config.


-Hoss
http://www.lucidworks.com/

Re: How to get rid of this Warning "WARN (qtp1533985074-57) [ ] o.a.h.s.a.u.KerberosName auth_to_local rule mechanism not set.Using default of hadoop"

Posted by Shawn Heisey <ap...@elyograg.org>.

On 9/1/2021 2:48 PM, jrballesteros05@tutanota.com.INVALID wrote:
> Everything is working OK, I just receive this warning message so often:
>
> 2021-09-01 20:29:46.789 WARN  (qtp1533985074-61) [   ] o.a.h.s.a.u.KerberosName auth_to_local rule mechanism not set.Using default of hadoop
<snip>
> As I understand this warning should be if I use HDFS or Hadoop Authentication but this is not the case.

Since you're not using HDFS, you don't need logs from hadoop.  In your 
log4j2.xml file, you probably have this line in the <Loggers> Section:

     <Logger name="org.apache.hadoop" level="warn"/>

If you simply change "warn" to "off" on that line, that should suppress 
all logging from hadoop classes, and give you the results you're after.

If you don't have that line, download the latest Solr and find 
log4j2.xml in the archive, see how it is constructed, and then adjust 
your own log4j2.xml accordingly.

We really should track down why a hadoop class is getting involved when 
you are not using HDFS, but that's probably going to take a lot of 
effort and I don't even know where to begin.

(note that if you are running a Solr version before 7.4, your config 
will not be in log4j2.xml, it will probably be in log4j.properties ... 
and if you're running a REALLY old version, then the log config could be 
in an unknown location.)

Thanks,
Shawn