[
https://issues.apache.org/jira/browse/SOLR-11981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376686#comment-16376686
]
Amrit Sarkar commented on SOLR-11981:
-------------------------------------
[~oleewere], thanks for listing the workaround. How exactly are you passing the
parameter? If 'not with -a option'? Looking forward to this minor doubt
clearance.
> Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
> ----------------------------------------------------------------------------
>
> Key: SOLR-11981
> URL: https://issues.apache.org/jira/browse/SOLR-11981
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Affects Versions: 5.5.5, 6.6.2, 7.2.1
> Reporter: Olivér Szabó
> Priority: Major
>
> On secure env, when multiline (or space separated) kerberos name rules are
> used (in solr.in), those values cannot be passed to the start script
> properly. (using {{org.apache.solr.security.KerberosPlugin}})
> Example:
> {code:java}
> SOLR_JAAS_FILE=solr.jaas
> SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
> SOLR_KERB_PRINCIPAL=solr/[email protected]
> SOLR_KERB_NAME_RULES="RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L
> RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L
> RULE:[2:$1@$0]([email protected])s/.*/solr/"
> SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
> SOLR_AUTHENTICATION_OPTS="
> -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin
> -Djava.security.auth.login.config=$SOLR_JAAS_FILE
> -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL}
> -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB}
> -Dsolr.kerberos.cookie.domain=${SOLR_HOST}
> -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}"
> {code}
> that will cause:
> {code:java}
> Caused by:
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule:
> No rules applied to solr/[email protected]
> at
> org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
>
> at
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
> {code}
> Reason for that (probably): in solr start script, there are multiple
> {{"${SOLR_OPTS[@]}"}}-like (for auth props as well), which magically handle
> variables as arrays (separated by space or endlines).
> I have tried to add {{solr.kerberos.name.rules}} property directly to
> SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use
> spaces/newlines there even with quotes or escape characters.
> With Ambari we faced this issue before:
> https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to
> patch the start script to use
> {{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the
> script starts the java process.
> You can close this jira as invalid if there is a workaround for that issue or
> fixed already, if not, then my proposed solution is to do something similar.
> (maybe there are better places where to put that variable)
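The word splitting that the description suspects, shown in isolation as an added example (not code from Solr's start script or from the reporter). The helper functions and the way the option string is expanded are assumptions; the two rules are the first two from the issue.

```shell
#!/bin/sh
# Constructed sample: the first two rules from the issue. Single quotes keep
# $1 and $0 literal; inside double quotes the shell would expand them.
NAME_RULES='RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L
RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L'
PLUGIN_OPT=-DauthenticationPlugin=org.apache.solr.security.KerberosPlugin

# Hypothetical inspectors for an argument list (stand-ins for the java process).
count_args() { echo "$#"; }
name_rules_arg() {
  for a in "$@"; do
    case $a in
      -Dsolr.kerberos.name.rules=*) printf '%s\n' "$a"; return 0 ;;
    esac
  done
  return 1
}

# Assumed failing path: every option lives in one string that is expanded
# unquoted, so spaces and newlines inside the rules become argument breaks.
unquoted_argv() {
  inspect=$1
  opts="$PLUGIN_OPT -Dsolr.kerberos.name.rules=$NAME_RULES"
  set -f          # keep * and [ ] in the rules from being globbed
  set -- $opts    # word splitting on space, tab and newline
  set +f
  "$inspect" "$@"
}

# Workaround shape from the description: the property is its own quoted word.
quoted_argv() {
  inspect=$1
  set -- "$PLUGIN_OPT" "-Dsolr.kerberos.name.rules=$NAME_RULES"
  "$inspect" "$@"
}

echo "unquoted: $(unquoted_argv count_args) arguments, property value is:"
unquoted_argv name_rules_arg
echo "quoted: $(quoted_argv count_args) arguments, property value is:"
quoted_argv name_rules_arg
```

In the unquoted case the property carries only the first rule and the second rule arrives as a separate argument, so a principal that only a later rule would match has no rule applied to it.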