[jira] [Created] (SOLR-11981) Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS

JIRA jira@apache.org
Olivér Szabó created SOLR-11981:

             Summary: Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
                 Key: SOLR-11981
                 URL: https://issues.apache.org/jira/browse/SOLR-11981
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: security
    Affects Versions: 6.6.2, 5.5.5, 7.2.1
            Reporter: Olivér Szabó

On a secure env, when multiline (or space-separated) Kerberos name rules are used (in solr.in), those values cannot be passed properly (using {{org.apache.solr.security.KerberosPlugin}}).

SOLR_KERB_PRINCIPAL=solr/[hidden email]
SOLR_KERB_NAME_RULES="RULE:[1:\$1@\$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:\$1@\$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0]([hidden email])s/.*/solr/"

SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}" -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}

That will cause:
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/[hidden email]
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler

Reason for that (probably): in the Solr start script, there are multiple {{"${SOLR_OPTS[@]}"}}-like expansions (for auth props as well), which magically handle variables as arrays (separated by spaces or newlines).

I have tried to add the {{solr.kerberos.name.rules}} property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use spaces/newlines there, even with quotes or escape characters.

With Ambari we faced this issue before: https://issues.apache.org/jira/browse/AMBARI-18898. The quick solution was to patch the start script to use {{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the script starts the java process.

You can close this jira as invalid if there is a workaround for that issue or if it is fixed already; if not, then my proposed solution is to do something similar (maybe there are better places to put that variable).

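The word splitting described in this report can be reproduced without Solr. The following is an added example, not code from the Solr start script or from the reporter; the function names, the host name and the third rule are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the first two rules follow the report, the third rule
# and the host name are placeholders. Single quotes keep $1/$0 literal.
RULES='RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0](solr@EXAMPLE.NET)s/.*/solr/'
PRINCIPAL_OPT='-Dsolr.kerberos.principal=solr/host.example.net'

# Stand-in for the java process: prints "<argument count>|<value of the
# solr.kerberos.name.rules property as it arrived>".
seen_by_jvm() {
  total=$#
  value=
  for arg in "$@"; do
    case $arg in
      -Dsolr.kerberos.name.rules=*)
        value=${arg#-Dsolr.kerberos.name.rules=} ;;
    esac
  done
  printf '%s|%s\n' "$total" "$value"
}

# Failing shape: all options live in one string that is expanded unquoted,
# so the shell splits it on every space, including the spaces between rules.
launch_split() {
  opts="$PRINCIPAL_OPT -Dsolr.kerberos.name.rules=$RULES"
  # set -f isolates word splitting; without it the '*' and '[...]' in the
  # rules would additionally be subject to pathname expansion.
  # shellcheck disable=SC2086
  ( set -f; seen_by_jvm $opts )
}

# Shape of the workaround in the report: the property is passed as its own
# quoted argument at the point where the process is started.
launch_quoted() {
  seen_by_jvm "$PRINCIPAL_OPT" "-Dsolr.kerberos.name.rules=$RULES"
}

echo "unquoted string expansion: $(launch_split)"
echo "quoted argument:           $(launch_quoted)"
```

In the unquoted case only the first rule reaches the property and the remaining rules arrive as separate arguments; in the quoted case the whole rule set arrives as one value.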