You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Kevin Risden (JIRA)" <ji...@apache.org> on 2019/02/02 15:29:00 UTC
[jira] [Commented] (SOLR-10199) Solr's Kerberos functionality does
not work in Java9 due to dependency on hadoop's AuthenticationFilter which
attempt access to JVM protected classes
[ https://issues.apache.org/jira/browse/SOLR-10199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16759058#comment-16759058 ]
Kevin Risden commented on SOLR-10199:
-------------------------------------
I am going through and trying to see if these are still valid on master after SOLR-9515 - Hadoop 3 upgrade.
> Solr's Kerberos functionality does not work in Java9 due to dependency on hadoop's AuthenticationFilter which attempt access to JVM protected classes
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SOLR-10199
> URL: https://issues.apache.org/jira/browse/SOLR-10199
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Hadoop Integration
> Reporter: Hoss Man
> Assignee: Kevin Risden
> Priority: Major
> Labels: Java9
>
> (discovered this while working on test improvements for SOLR-8052)
> Our Kerberos based authn/authz features are all built on top of Hadoop's {{AuthenticationFilter}} which in turn uses Hadoop's {{KerberosUtil}} -- but this does not work on Java9/jigsaw JVMs because that class in turn attempts to access {{sun.security.jgss.GSSUtil}} which is not exported by {{module java.security.jgss}}
> This means that Solr users who depend on Kerberos will not be able to upgrade to Java9, even if they do not use any Hadoop specific features of Solr.
> ----
> Example log messages...
> {noformat}
> [junit4] 2> 6833 WARN (qtp442059499-30) [ ] o.a.h.s.a.s.AuthenticationFilter Authentication exception: java.lang.IllegalAccessException: class org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b
> [junit4] 2> 6841 WARN (TEST-TestSolrCloudWithKerberosAlt.testBasics-seed#[95A583AF82D1EBBE]) [ ] o.a.h.c.p.ResponseProcessCookies Invalid cookie header: "Set-Cookie: hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Ara, 01-Sa-1970 00:00:00 GMT; HttpOnly". Invalid 'expires' attribute: Ara, 01-Sa-1970 00:00:00 GMT
> {noformat}
> (NOTE: HADOOP-14115 is cause of malformed cookie expiration)
> ultimately the client gets a 403 error (as seen in a testcase with patch from SOLR-8052 applied and java9 assume commented out)...
> {noformat}
> [junit4] ERROR 7.10s | TestSolrCloudWithKerberosAlt.testBasics <<<
> [junit4] > Throwable #1: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://127.0.0.1:34687/solr: Expected mime type application/octet-stream but got text/html. <html>
> [junit4] > <head>
> [junit4] > <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
> [junit4] > <title>Error 403 </title>
> [junit4] > </head>
> [junit4] > <body>
> [junit4] > <h2>HTTP ERROR: 403</h2>
> [junit4] > <p>Problem accessing /solr/admin/collections. Reason:
> [junit4] > <pre> java.lang.IllegalAccessException: class org.apache.hadoop.security.authentication.util.KerberosUtil cannot access class sun.security.jgss.GSSUtil (in module java.security.jgss) because module java.security.jgss does not export sun.security.jgss to unnamed module @4b38fe8b</pre></p>
> [junit4] > <hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.3.14.v20161028</a><hr/>
> [junit4] > </body>
> [junit4] > </html>
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org