[jira] [Updated] (SOLR-11981) Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Updated] (SOLR-11981) Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS

JIRA jira@apache.org

     [ https://issues.apache.org/jira/browse/SOLR-11981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivér Szabó updated SOLR-11981:
--------------------------------
    Description:
On secure env, when multiline (or space separated) kerberos name rules are used ( in solr.in),  those values cannot be passed to .the start script properly. (using {{org.apache.solr.security.KerberosPlugin}})

Example:
{code:java}
SOLR_JAAS_FILE=solr.jaas
SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
SOLR_KERB_PRINCIPAL=solr/[hidden email]
SOLR_KERB_NAME_RULES="RULE:[1:\$1@\$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:\$1@\$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0]([hidden email])s/.*/solr/"

SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}" -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}
{code}

that will cause:
{code:java}
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/[hidden email]
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
{code}

Reason for that (probably): in solr start script, there are multiple {{"${SOLR_OPTS[@]}}}-like (for auth props as well), which magically handle variables as arrays (separated by space or endlines).

I have tried to add {{solr.kerberos.name.rules}} property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but i could not using spaces/newlines there even with quotes or escape characters.

With Ambari we faced this issue before: https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to patch the start script to use {{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the scripts starts the java process

You can close this jira invalid if there is a workaround for that issue or fixed already, if not, then my proposed solution to do something similar. (maybe there are better places where to put that variable)


  was:
On secure env, when multiline (or space separated) kerberos name rules are used ( in solr.in),  those values cannot be passed properly. (using {{org.apache.solr.security.KerberosPlugin}})

Example:
{code:java}
SOLR_JAAS_FILE=solr.jaas
SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
SOLR_KERB_PRINCIPAL=solr/[hidden email]
SOLR_KERB_NAME_RULES="RULE:[1:\$1@\$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:\$1@\$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0]([hidden email])s/.*/solr/"

SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}" -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}
{code}

that will cause:
{code:java}
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/[hidden email]
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
{code}

Reason for that (probably): in solr start script, there are multiple {{"${SOLR_OPTS[@]}}}-like (for auth props as well), which magically handle variables as arrays (separated by space or endlines).

I have tried to add {{solr.kerberos.name.rules}} property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but i could not using spaces/newlines there even with quotes or escape characters.

With Ambari we faced this issue before: https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to patch the start script to use {{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the scripts starts the java process

You can close this jira invalid if there is a workaround for that issue or fixed already, if not, then my proposed solution to do something similar. (maybe there are better places where to put that variable)



> Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-11981
>                 URL: https://issues.apache.org/jira/browse/SOLR-11981
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: security
>    Affects Versions: 5.5.5, 6.6.2, 7.2.1
>            Reporter: Olivér Szabó
>            Priority: Major
>
> On secure env, when multiline (or space separated) kerberos name rules are used ( in solr.in),  those values cannot be passed to .the start script properly. (using {{org.apache.solr.security.KerberosPlugin}})
> Example:
> {code:java}
> SOLR_JAAS_FILE=solr.jaas
> SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
> SOLR_KERB_PRINCIPAL=solr/[hidden email]
> SOLR_KERB_NAME_RULES="RULE:[1:\$1@\$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:\$1@\$0](.*@PROD.EXAMPLE.NET)s/@.*///L RULE:[2:$1@$0]([hidden email])s/.*/solr/"
> SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
> SOLR_AUTHENTICATION_OPTS=" -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin -Djava.security.auth.login.config=$SOLR_JAAS_FILE -Dsolr.kerberos.principal=${SOLR_KERB_PRINCIPAL} -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}" -Dsolr.kerberos.name.rules=${SOLR_KERB_NAME_RULES}
> {code}
> that will cause:
> {code:java}
> Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to solr/[hidden email]
> at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
> at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
> {code}
> Reason for that (probably): in solr start script, there are multiple {{"${SOLR_OPTS[@]}}}-like (for auth props as well), which magically handle variables as arrays (separated by space or endlines).
> I have tried to add {{solr.kerberos.name.rules}} property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but i could not using spaces/newlines there even with quotes or escape characters.
> With Ambari we faced this issue before: https://issues.apache.org/jira/browse/AMBARI-18898, the quick solution was to patch the start script to use {{-Dsolr.kerberos.name.rules="$SOLR_KERB_NAME_RULES"}} directly where the scripts starts the java process
> You can close this jira invalid if there is a workaround for that issue or fixed already, if not, then my proposed solution to do something similar. (maybe there are better places where to put that variable)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]