Posted to issues@lucene.apache.org by "Andras Salamon (Jira)" <ji...@apache.org> on 2020/02/13 16:03:00 UTC

[jira] [Commented] (SOLR-14261) Hadoop authentication with Kerberos error

    [ https://issues.apache.org/jira/browse/SOLR-14261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036328#comment-17036328 ] 

Andras Salamon commented on SOLR-14261:
---------------------------------------

If we send a simple, successfully authenticated message before Http2SolrClient.initOutStream in ConcurrentUpdateHttp2SolrClient, the authentication works correctly. Not only for the simple message but also for the upcoming requests.

The attached patch sends an OPTIONS request in ConcurrentUpdateHttp2SolrClient before stream initialization.

I was working together with [~warper] on the patch.

 

> Hadoop authentication with Kerberos error
> -----------------------------------------
>
>                 Key: SOLR-14261
>                 URL: https://issues.apache.org/jira/browse/SOLR-14261
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.4.1
>            Reporter: Andras Salamon
>            Priority: Major
>         Attachments: SOLR-14261-01.patch
>
>
> We are trying to use Hadoop authentication with Kerberos in Solr 8.4.1 and encountered a problem. We’re using a Hadoop 3.1.1 based fork. We are using JDK8 so we fall back to HTTP/1.1 but also tested with JDK11 (HTTP/2) and we got the same error.
> We have already added a few upstream changes which are not yet committed (SOLR-9840) or committed only later (SOLR-11554).
> The important part of our security.json file is:
> {noformat}
> "authentication": {
>         "class": "org.apache.solr.security.ConfigurableInternodeAuthHadoopPlugin",
>         "sysPropPrefix": "solr.authentication.",
>         "type": "multi-scheme",
>         "clientBuilderFactory": "org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder",
> ...
> {noformat}
> When we try to add a document using curl we receive a 401 error:
> {noformat}
> curl -k --negotiate -u : 'https://quasar-mdzaga-1.vpc.cloudera.com:8985/solr/test2/update' -H 'Content-type:application/json' -d ' [ {"id":"book3", "title":"book3title", "author":"author"} ]'
> {
>   "responseHeader":{
>     "rf":2147483647,
>     "status":401,
>     "QTime":18},
>   "error":{
>     "metadata":[
>       "error-class","org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException",
>       "root-error-class","org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException"],
>     "msg":"Async exception during distributed update: Error from server at https://quasar-mdzaga-3.vpc.cloudera.com:8985/solr/test2_shard2_replica_n6/: Authentication required\n\n\n\nrequest: https://quasar-mdzaga-3.vpc.cloudera.com:8985/solr/test2_shard2_replica_n6/",
>     "Code":401}}
> {noformat}
> We have debugged the problem and found that curl can send the information to the node, and the internode TOLEADER request fails, because we don’t answer the 401 challenge that is part of the SPNEGO mechanism:
> {noformat}
> HTTP/1.1 401 Unauthorized access
> ...
> WWW-Authenticate: Negotiate
> Set-Cookie: hadoop.auth=; HttpOnly
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Type: text/html;charset=iso-8859-1
> Content-Length: 287
> {noformat}
> Checking the code shows that [ConcurrentUpdateHttp2SolrClient|https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateHttp2SolrClient.java] calls [Http2SolrClient.initOutStream|https://github.com/apache/lucene-solr/blob/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java#L299] which creates an {{OutputStreamContentProvider}} where the value of the isReproducible flag is false and jetty’s [AuthenticationProtocolHandler|https://github.com/eclipse/jetty.project/blob/jetty-9.4.19.v20190610/jetty-client/src/main/java/org/eclipse/jetty/client/AuthenticationProtocolHandler.java#L192] will not continue the authentication in this case.
>   
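
The failure and the workaround described in this message, as an added Python simulation that is neither the attached patch nor Solr or Jetty code: a client that answers a Negotiate challenge only when the request body can be replayed, with and without an OPTIONS request sent before the streamed update. The token and cookie values are constructed, and carrying the authenticated session forward through the hadoop.auth cookie is an assumption of this model.

```python
# Constructed simulation of the exchange; no real Kerberos, Jetty or Solr code.
TOKEN = "Negotiate constructed-token"        # stands in for a SPNEGO token
COOKIE = "hadoop.auth=constructed-session"   # stands in for the signed auth cookie


class Node:
    """Receiving node behind a Negotiate-only authentication filter."""

    def __init__(self):
        self.indexed = []

    def handle(self, method, headers, body):
        authed = headers.get("Cookie") == COOKIE or headers.get("Authorization") == TOKEN
        if not authed:
            return 401, {"WWW-Authenticate": "Negotiate"}
        if method == "POST":
            self.indexed.append(b"".join(body))   # drain the streamed body
        return 200, {"Set-Cookie": COOKIE}


class Client:
    """Retries a 401 challenge only when the request body can be replayed."""

    def __init__(self, node):
        self.node, self.cookie = node, None

    def send(self, method, body=b""):
        reproducible = isinstance(body, bytes)    # a generator is one-shot
        chunks = [body] if reproducible else body
        headers = {"Cookie": self.cookie} if self.cookie else {}
        status, resp = self.node.handle(method, headers, chunks)
        if status == 401 and resp.get("WWW-Authenticate") == "Negotiate":
            if not reproducible:
                return 401                        # cannot resend: challenge goes unanswered
            headers["Authorization"] = TOKEN
            status, resp = self.node.handle(method, headers, chunks)
        self.cookie = resp.get("Set-Cookie", self.cookie)
        return status


def stream_update(preflight):
    """Return (OPTIONS status or None, POST status, bodies the node indexed)."""
    node = Node()
    client = Client(node)
    first = client.send("OPTIONS") if preflight else None
    docs = (chunk for chunk in [b'[{"id":"book3"', b',"title":"book3title"}]'])
    return first, client.send("POST", docs), node.indexed
```
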


