You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Jiayi Liu (Jira)" <ji...@apache.org> on 2023/03/28 12:56:00 UTC
[jira] [Commented] (RANGER-2894) Plugins cannot interact with Solr with basic auth as audit targer
[ https://issues.apache.org/jira/browse/RANGER-2894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17705984#comment-17705984 ]
Jiayi Liu commented on RANGER-2894:
-----------------------------------
[~rmani] Hi, I solved this problem by using System.setProperty to set solr.httpclient.builder.factory and basicauth in SolrAuditDestination. Do you think it's ok to do this? I can submit a PR, thanks.
> Plugins cannot interact with Solr with basic auth as audit targer
> -----------------------------------------------------------------
>
> Key: RANGER-2894
> URL: https://issues.apache.org/jira/browse/RANGER-2894
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 1.1.0, 2.0.0
> Reporter: Nikita Ilyushkin
> Priority: Major
>
> There seems to be a problem with audit to Solr with [basic authentication|https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html].
> With the simple Solr cloud setup with basic auth every plugin I tried (HDFS, YARN, HBase, Hive) failed to write audit to it with the similar errors:
> {code:java}
> 2020-06-25T19:39:35,248 ERROR [hiveServer2.async.batch_hiveServer2.async.batch.solr_destWriter] impl.CloudSolrClient: Request to collection [ranger_audits] failed due to (401) org.apache.solr.client.solrj.impl.H
> ttpSolrClient$RemoteSolrException: Error from server at http://nilyushkin-hadoop-dev-0.ru-central1.internal:8983/solr/ranger_audits_shard1_replica_n1: Expected mime type application/octet-stream but got text/htm
> l. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 401 require authentication</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/ranger_audits_shard1_replica_n1/update. Reason:
> <pre> require authentication</pre></p>
> </body>
> </html>
> {code}
> tcpdump confirms that no auth headers are in requests.
> Content of ranger-<service_name>-audit.xml:
> {code:java}
> <property>
> <name>xasecure.audit.is.enabled</name>
> <value>true</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr</name>
> <value>true</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.urls</name>
> <value>http://fqdn:8983/solr/ranger_audits</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.user</name>
> <value>rangeraudit</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.password</name>
> <value>admin</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.zookeepers</name>
> <value>fqdn:2181/solr.server</value>
> </property>
> <property>
> <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
> <value>/srv/audit_solr_spool</value>
> </property>
> {code}
> The same results with xasecure.audit.destination.solr.urls instead xasecure.audit.destination.solr.zookeepers.
> Ranger Admin on the other hand writes audit just fine with given credentials to the same Solr.
> Unsurprisingly, following Solr documentation (underlying solrj really) and adding:
> {code:java}
> -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory -Dbasicauth=rangeraudit:admin
> {code}
> to the audited daemon (like HiveServer2) solves the problem.
> I also haven't found setBasicAuthCredentials (the second method of auth solrj provides) in the plugin sources or packages, so I assume it's just not implemented or bugged.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)