You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-user@lucene.apache.org by Jörn Franke <jo...@gmail.com> on 2020/07/16 18:06:49 UTC

Cannot read ZK Kerberos conf when enabling java security manager on 8.6

Hallo,

I am using Solr 8.6.0.
When activating the Java security manager then Solr cannot use anymore the jaas-client conf specified via java.security.auth.login.conf with Zookeeper. We have configured Kerberos authentication for Zookeeper. 
When disabling java security manager it works perfectly fine.

The exact error message is : „No JAAS configuration section named 'Client' was found“. Somehow it seems that the Java security manager blocks access to that file .
The directory for the file is in the -Dsolr.allowPaths 
 Could this be a bug or is it a misconfiguration?


Thank you.

Best regards

Re: Cannot read ZK Kerberos conf when enabling java security manager on 8.6

Posted by Jörn Franke <jo...@gmail.com>.

Jira created 

> Am 21.07.2020 um 10:28 schrieb Ishan Chattopadhyaya <ic...@gmail.com>:
> 
> I think this warrants a JIRA. To work around this issue for now, you can
> use an environment variable SOLR_SECURITY_MANAGER_ENABLED=false before
> starting Solr.
> 
>> On Thu, Jul 16, 2020 at 11:58 PM Jörn Franke <jo...@gmail.com> wrote:
>> 
>> The solution would be probably a policy file shipped with Solr that allows
>> the ZK jar to create a logincontext. I suggest that Solr ships it otherwise
>> one would need to adapt it for every Solr update manually to include the
>> version of the ZK jar.
>> 
>>> On Thu, Jul 16, 2020 at 8:15 PM Jörn Franke <jo...@gmail.com> wrote:
>>> 
>>> I believe it is a bug in Solr because we need to create a policy to allow
>>> creating a login context:
>>> See here chapter "Running the Code with a Security Manager"
>>> 
>>> 
>> http://www.informatik.hs-furtwangen.de/doku/java/j2sdk-1_4_1-doc/guide/security/jaas/tutorials/LoginConfigFile.html
>>> 
>>> Please confirm and I will create a JIRA issue for Solr
>>> 
>>> On Thu, Jul 16, 2020 at 8:06 PM Jörn Franke <jo...@gmail.com>
>> wrote:
>>> 
>>>> Hallo,
>>>> 
>>>> I am using Solr 8.6.0.
>>>> When activating the Java security manager then Solr cannot use anymore
>>>> the jaas-client conf specified via java.security.auth.login.conf with
>>>> Zookeeper. We have configured Kerberos authentication for Zookeeper.
>>>> When disabling java security manager it works perfectly fine.
>>>> 
>>>> The exact error message is : „No JAAS configuration section named
>>>> 'Client' was found“. Somehow it seems that the Java security manager
>> blocks
>>>> access to that file .
>>>> The directory for the file is in the -Dsolr.allowPaths
>>>> Could this be a bug or is it a misconfiguration?
>>>> 
>>>> 
>>>> Thank you.
>>>> 
>>>> Best regards
>>> 
>>> 
>>

Re: Cannot read ZK Kerberos conf when enabling java security manager on 8.6

Posted by Ishan Chattopadhyaya <ic...@gmail.com>.

I think this warrants a JIRA. To work around this issue for now, you can
use an environment variable SOLR_SECURITY_MANAGER_ENABLED=false before
starting Solr.

On Thu, Jul 16, 2020 at 11:58 PM Jörn Franke <jo...@gmail.com> wrote:

> The solution would be probably a policy file shipped with Solr that allows
> the ZK jar to create a logincontext. I suggest that Solr ships it otherwise
> one would need to adapt it for every Solr update manually to include the
> version of the ZK jar.
>
> On Thu, Jul 16, 2020 at 8:15 PM Jörn Franke <jo...@gmail.com> wrote:
>
> > I believe it is a bug in Solr because we need to create a policy to allow
> > creating a login context:
> > See here chapter "Running the Code with a Security Manager"
> >
> >
> http://www.informatik.hs-furtwangen.de/doku/java/j2sdk-1_4_1-doc/guide/security/jaas/tutorials/LoginConfigFile.html
> >
> > Please confirm and I will create a JIRA issue for Solr
> >
> > On Thu, Jul 16, 2020 at 8:06 PM Jörn Franke <jo...@gmail.com>
> wrote:
> >
> >> Hallo,
> >>
> >> I am using Solr 8.6.0.
> >> When activating the Java security manager then Solr cannot use anymore
> >> the jaas-client conf specified via java.security.auth.login.conf with
> >> Zookeeper. We have configured Kerberos authentication for Zookeeper.
> >> When disabling java security manager it works perfectly fine.
> >>
> >> The exact error message is : „No JAAS configuration section named
> >> 'Client' was found“. Somehow it seems that the Java security manager
> blocks
> >> access to that file .
> >> The directory for the file is in the -Dsolr.allowPaths
> >>  Could this be a bug or is it a misconfiguration?
> >>
> >>
> >> Thank you.
> >>
> >> Best regards
> >
> >
>

Re: Cannot read ZK Kerberos conf when enabling java security manager on 8.6

Posted by Jörn Franke <jo...@gmail.com>.

The solution would be probably a policy file shipped with Solr that allows
the ZK jar to create a logincontext. I suggest that Solr ships it otherwise
one would need to adapt it for every Solr update manually to include the
version of the ZK jar.

On Thu, Jul 16, 2020 at 8:15 PM Jörn Franke <jo...@gmail.com> wrote:

> I believe it is a bug in Solr because we need to create a policy to allow
> creating a login context:
> See here chapter "Running the Code with a Security Manager"
>
> http://www.informatik.hs-furtwangen.de/doku/java/j2sdk-1_4_1-doc/guide/security/jaas/tutorials/LoginConfigFile.html
>
> Please confirm and I will create a JIRA issue for Solr
>
> On Thu, Jul 16, 2020 at 8:06 PM Jörn Franke <jo...@gmail.com> wrote:
>
>> Hallo,
>>
>> I am using Solr 8.6.0.
>> When activating the Java security manager then Solr cannot use anymore
>> the jaas-client conf specified via java.security.auth.login.conf with
>> Zookeeper. We have configured Kerberos authentication for Zookeeper.
>> When disabling java security manager it works perfectly fine.
>>
>> The exact error message is : „No JAAS configuration section named
>> 'Client' was found“. Somehow it seems that the Java security manager blocks
>> access to that file .
>> The directory for the file is in the -Dsolr.allowPaths
>>  Could this be a bug or is it a misconfiguration?
>>
>>
>> Thank you.
>>
>> Best regards
>
>

Re: Cannot read ZK Kerberos conf when enabling java security manager on 8.6

Posted by Jörn Franke <jo...@gmail.com>.

I believe it is a bug in Solr because we need to create a policy to allow
creating a login context:
See here chapter "Running the Code with a Security Manager"
http://www.informatik.hs-furtwangen.de/doku/java/j2sdk-1_4_1-doc/guide/security/jaas/tutorials/LoginConfigFile.html

Please confirm and I will create a JIRA issue for Solr

On Thu, Jul 16, 2020 at 8:06 PM Jörn Franke <jo...@gmail.com> wrote:

> Hallo,
>
> I am using Solr 8.6.0.
> When activating the Java security manager then Solr cannot use anymore the
> jaas-client conf specified via java.security.auth.login.conf with
> Zookeeper. We have configured Kerberos authentication for Zookeeper.
> When disabling java security manager it works perfectly fine.
>
> The exact error message is : „No JAAS configuration section named 'Client'
> was found“. Somehow it seems that the Java security manager blocks access
> to that file .
> The directory for the file is in the -Dsolr.allowPaths
>  Could this be a bug or is it a misconfiguration?
>
>
> Thank you.
>
> Best regards