You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/05/03 21:27:00 UTC
[jira] [Commented] (NIFI-5148) Solr processors failing to
authenticate against Kerberized Solr
[ https://issues.apache.org/jira/browse/NIFI-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463088#comment-16463088 ]
ASF GitHub Bot commented on NIFI-5148:
--------------------------------------
GitHub user bbende opened a pull request:
https://github.com/apache/nifi/pull/2674
NIFI-5148 Refactoring Kerberos auth for Solr processors
- Created resuable KeytabUser and KeytabConfiguration in nifi-security-utils
- Refactored Solr processors to use a KeytabControllerService and no longer rely on JAAS system property
- Wrapped all calls in SolrProcessor onTrigger in a doAs when kerberos is enabled
Thank you for submitting a contribution to Apache NiFi.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [ ] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [ ] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [ ] Has your PR been rebased against the latest commit within the target branch (typically master)?
- [ ] Is your initial contribution a single, squashed commit?
### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/bbende/nifi solr-kerberos-refactor
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/2674.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2674
----
commit d5332ae4e3a958027becb2f41c0da594dab0f7a5
Author: Bryan Bende <bb...@...>
Date: 2018-05-02T20:17:05Z
NIFI-5148 Refactoring Kerberos auth for Solr processors
- Created resuable KeytabUser and KeytabConfiguration in nifi-security-utils
- Refactored Solr processors to use a KeytabControllerService and no longer rely on JAAS system property
- Wrapped all calls in SolrProcessor onTrigger in a doAs when kerberos is enabled
----
> Solr processors failing to authenticate against Kerberized Solr
> ---------------------------------------------------------------
>
> Key: NIFI-5148
> URL: https://issues.apache.org/jira/browse/NIFI-5148
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.6.0
> Reporter: Bryan Bende
> Assignee: Bryan Bende
> Priority: Major
>
> It appears that with the new default value of "useSubjectCredsOnly=true" in NiFi's bootstrap.conf that this can cause an issue for the Solr processors when talking to a kerberized Solr.
> The SolrJ client code that we are using specifically calls this out as being problematic:
> [https://github.com/apache/lucene-solr/blob/branch_6x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L75-L88]
> We should refactor the kerberos approach in the Solr processors to resolve this issue and make general improvements. We should be performing a JAAS login and wrapping calls in Subject.doAs, and we should try and move away from the system level JAAS property and leverage the new keytab controller service.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)