Reply
Highlighted
New Contributor
Posts: 2
Registered: ‎06-22-2017
Accepted Solution

Unable to access secure collection using SolrJ

I have a spring-data-solr web service that was running fine before we enabled kerberos security on our cluster.

Below is the config portion of my code:

 

@Configuration
@EnableSolrRepositories(basePackages = { "org.nccourts.civil.repository" }, multicoreSupport = true)
public class IdentitySearchWsConfig {

@Value("${spring.data.solr.zk-host}")
private String zkHost;

@Bean
public CloudSolrClient solrClient() {
return new CloudSolrClient(zkHost);
}

@Bean
public SolrTemplate solrTemplate(CloudSolrClient solrClient) throws Exception {
solrClient.setDefaultCollection("party_name");
return new SolrTemplate(solrClient);
}

}

The way I start my webservice is as follows:

java -Djava.security.auth.login.config=/iapima/jaas.conf -jar  identity-search-hadoop-ws-dev-0.1.0-run.jar

 

Where the jaas.conf file points to my keytab file.

The web service runs without error, however, when I try to query my collection, I am getting the following error:

This request requires HTTP authentication.

 

Below is the full stack.  Any pointer or help is truly appreciated.

 

2017-07-11 17:18:04.109  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.Login               : successfully logged in.

2017-07-11 17:18:04.121  INFO 9592 --- [ourts.org:2181)] o.a.z.client.ZooKeeperSaslClient         : Client will use GSSAPI as SASL mechanism.

2017-07-11 17:18:04.126  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT refresh thread started.

2017-07-11 17:18:04.162  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT valid starting at:        Tue Jul 11 17:18:04 EDT 2017

2017-07-11 17:18:04.163  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT expires:                  Wed Jul 12 03:18:04 EDT 2017

2017-07-11 17:18:04.174  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT refresh sleeping until: Wed Jul 12 01:40:02 EDT 2017

2017-07-11 17:18:04.177  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Opening socket connection to server dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181. Will attempt

to SASL-authenticate using Login Context section 'Client'

2017-07-11 17:18:04.180  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Socket connection established to dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181, initiating sessi

on

2017-07-11 17:18:04.206  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Session establishment complete on server dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181, sessioni

d = 0x25cf03c44356219, negotiated timeout = 10000

2017-07-11 17:18:04.223  INFO 9592 --- [back-2-thread-1] o.a.solr.common.cloud.ConnectionManager  : Watcher org.apache.solr.common.cloud.ConnectionManager@7e722a25 name:ZooKeeperConnection Watcher:dwh

-mst-prd01.stor.nccourts.org,dwh-mst-prd03.stor.nccourts.org,dwh-mst-prd02.stor.nccourts.org:2181/solr got event WatchedEvent state:SyncConnected type:None path:null path:null type:None

2017-07-11 17:18:04.241  INFO 9592 --- [tp1110623531-19] o.a.solr.common.cloud.ConnectionManager  : Client is connected to ZooKeeper

2017-07-11 17:18:04.242  INFO 9592 --- [tp1110623531-19] o.apache.solr.common.cloud.SolrZkClient  : Using default ZkACLProvider

2017-07-11 17:18:04.248  INFO 9592 --- [tp1110623531-19] o.a.solr.common.cloud.ZkStateReader      : Updating cluster state from ZooKeeper...

2017-07-11 17:18:04.248  INFO 9592 --- [back-2-thread-1] o.a.solr.common.cloud.ConnectionManager  : Watcher org.apache.solr.common.cloud.ConnectionManager@7e722a25 name:ZooKeeperConnection Watcher:dwh

-mst-prd01.stor.nccourts.org,dwh-mst-prd03.stor.nccourts.org,dwh-mst-prd02.stor.nccourts.org:2181/solr got event WatchedEvent state:SaslAuthenticated type:None path:null path:null type:None

2017-07-11 17:18:04.654 ERROR 9592 --- [tp1110623531-19] o.a.s.client.solrj.impl.CloudSolrClient  : Request to collection party_name failed due to (401) org.apache.solr.client.solrj.impl.HttpSolrClien

t$RemoteSolrException: Error from server at https://dwh-mst-prd03.stor.nccourts.org:8985/solr/party_name: Expected mime type application/octet-stream but got text/html. <html><head><title>Apache Tomca

t/6.0.45 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-c

olor:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white

;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : b

lack;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - Authentication required</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Authentication

required</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.45</h3></body></html>, retry? 0

Posts: 563
Topics: 3
Kudos: 79
Solutions: 50
Registered: ‎08-16-2016

Re: Unable to access secure collection using SolrJ

I don't know how you would do it but have you tried changing the HTTP header to use the type 'application/octet-stream'?

"Expected mime type application/octet-stream but got text/html"
Cloudera Employee
Posts: 175
Registered: ‎01-09-2014

Re: Unable to access secure collection using SolrJ

The error is indicating that its not authenticating properly via kerberos.

Did you update your code to use the Krb5HttpClientConfigurer?

https://cwiki.apache.org/confluence/display/solr/Kerberos+Authentication+Plugin

-pd
New Contributor
Posts: 2
Registered: ‎06-22-2017

Re: Unable to access secure collection using SolrJ

Adding this:
public IdentitySearchWsConfig() {
HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());
}
To my config file solved the problem. Thanks
Announcements