Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Unable to access secure collection using SolrJ

avatar
New Contributor

I have a spring-data-solr web service that was running fine before we enabled kerberos security on our cluster.

Below is the config portion of my code:

 

@Configuration
@EnableSolrRepositories(basePackages = { "org.nccourts.civil.repository" }, multicoreSupport = true)
public class IdentitySearchWsConfig {

@Value("${spring.data.solr.zk-host}")
private String zkHost;

@Bean
public CloudSolrClient solrClient() {
return new CloudSolrClient(zkHost);
}

@Bean
public SolrTemplate solrTemplate(CloudSolrClient solrClient) throws Exception {
solrClient.setDefaultCollection("party_name");
return new SolrTemplate(solrClient);
}

}

The way I start my webservice is as follows:

java -Djava.security.auth.login.config=/iapima/jaas.conf -jar  identity-search-hadoop-ws-dev-0.1.0-run.jar

 

Where the jaas.conf file points to my keytab file.

The web service runs without error, however, when I try to query my collection, I am getting the following error:

This request requires HTTP authentication.

 

Below is the full stack.  Any pointer or help is truly appreciated.

 

2017-07-11 17:18:04.109  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.Login               : successfully logged in.

2017-07-11 17:18:04.121  INFO 9592 --- [ourts.org:2181)] o.a.z.client.ZooKeeperSaslClient         : Client will use GSSAPI as SASL mechanism.

2017-07-11 17:18:04.126  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT refresh thread started.

2017-07-11 17:18:04.162  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT valid starting at:        Tue Jul 11 17:18:04 EDT 2017

2017-07-11 17:18:04.163  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT expires:                  Wed Jul 12 03:18:04 EDT 2017

2017-07-11 17:18:04.174  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT refresh sleeping until: Wed Jul 12 01:40:02 EDT 2017

2017-07-11 17:18:04.177  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Opening socket connection to server dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181. Will attempt

to SASL-authenticate using Login Context section 'Client'

2017-07-11 17:18:04.180  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Socket connection established to dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181, initiating sessi

on

2017-07-11 17:18:04.206  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Session establishment complete on server dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181, sessioni

d = 0x25cf03c44356219, negotiated timeout = 10000

2017-07-11 17:18:04.223  INFO 9592 --- [back-2-thread-1] o.a.solr.common.cloud.ConnectionManager  : Watcher org.apache.solr.common.cloud.ConnectionManager@7e722a25 name:ZooKeeperConnection Watcher:dwh

-mst-prd01.stor.nccourts.org,dwh-mst-prd03.stor.nccourts.org,dwh-mst-prd02.stor.nccourts.org:2181/solr got event WatchedEvent state:SyncConnected type:None path:null path:null type:None

2017-07-11 17:18:04.241  INFO 9592 --- [tp1110623531-19] o.a.solr.common.cloud.ConnectionManager  : Client is connected to ZooKeeper

2017-07-11 17:18:04.242  INFO 9592 --- [tp1110623531-19] o.apache.solr.common.cloud.SolrZkClient  : Using default ZkACLProvider

2017-07-11 17:18:04.248  INFO 9592 --- [tp1110623531-19] o.a.solr.common.cloud.ZkStateReader      : Updating cluster state from ZooKeeper...

2017-07-11 17:18:04.248  INFO 9592 --- [back-2-thread-1] o.a.solr.common.cloud.ConnectionManager  : Watcher org.apache.solr.common.cloud.ConnectionManager@7e722a25 name:ZooKeeperConnection Watcher:dwh

-mst-prd01.stor.nccourts.org,dwh-mst-prd03.stor.nccourts.org,dwh-mst-prd02.stor.nccourts.org:2181/solr got event WatchedEvent state:SaslAuthenticated type:None path:null path:null type:None

2017-07-11 17:18:04.654 ERROR 9592 --- [tp1110623531-19] o.a.s.client.solrj.impl.CloudSolrClient  : Request to collection party_name failed due to (401) org.apache.solr.client.solrj.impl.HttpSolrClien

t$RemoteSolrException: Error from server at https://dwh-mst-prd03.stor.nccourts.org:8985/solr/party_name: Expected mime type application/octet-stream but got text/html. <html><head><title>Apache Tomca

t/6.0.45 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-c

olor:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white

;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : b

lack;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - Authentication required</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Authentication

required</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.45</h3></body></html>, retry? 0

1 ACCEPTED SOLUTION

avatar
The error is indicating that its not authenticating properly via kerberos.

Did you update your code to use the Krb5HttpClientConfigurer?

https://cwiki.apache.org/confluence/display/solr/Kerberos+Authentication+Plugin

-pd

View solution in original post

5 REPLIES 5

avatar
Champion
I don't know how you would do it but have you tried changing the HTTP header to use the type 'application/octet-stream'?

"Expected mime type application/octet-stream but got text/html"

avatar
The error is indicating that its not authenticating properly via kerberos.

Did you update your code to use the Krb5HttpClientConfigurer?

https://cwiki.apache.org/confluence/display/solr/Kerberos+Authentication+Plugin

-pd

avatar
New Contributor
Adding this:
public IdentitySearchWsConfig() {
HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());
}
To my config file solved the problem. Thanks

avatar
Rising Star

yes, that's the correct solution and you can look at this code example too.

 

import org.apache.solr.client.solrj.SolrServer;

import org.apache.solr.client.solrj.SolrServerException;

import org.apache.solr.common.SolrInputDocument;

//import org.apache.solr.client.solrj.impl.CommonsHttpSolrServer;

import org.apache.solr.client.solrj.impl.HttpSolrServer;

import org.apache.solr.client.solrj.impl.CloudSolrServer;

import org.apache.solr.client.solrj.response.QueryResponse;

import org.apache.solr.client.solrj.SolrQuery;

import org.apache.solr.client.solrj.*;

import org.apache.solr.common.SolrInputDocument;

import org.apache.solr.client.solrj.beans.Field;

import org.apache.solr.common.cloud.*;

import org.apache.solr.common.SolrDocumentList;

import org.apache.solr.common.params.ModifiableSolrParams;

import org.apache.solr.client.solrj.impl.*;

 

import javax.security.auth.callback.*;

import javax.security.auth.login.LoginContext;

import java.io.*;

import java.util.*;

import java.net.MalformedURLException;

 

public class SolrKerberosAuth {

public SolrKerberosAuth() {

 

}

 

 

public static void main(String[] args) throws SolrServerException, IOException {

 

HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());

System.setProperty("java.security.auth.login.config",

"/home/user.name/jaas-client.conf <http://user.name/jaas-client.conf>");

HttpSolrServer server = new

HttpSolrServer("http://solr-host:8983/solr/solrtest");

 

 

SolrInputDocument doc = new SolrInputDocument();

doc.addField("id", "1111");

// doc.addField("source", "TestSource9");

 

try {

// server.ping();

server.add(doc);

} catch (SolrServerException e) {

e.printStackTrace();

} catch (IOException e) {

e.printStackTrace();

}

}

 

}

 

javac -cp "/opt/cloudera/parcels/CDH/jars/*" SolrKerberosAuth.java

 

avatar
New Contributor

We are tryng the same thing. However when we execute our code, it asks for the Kereros Credentials. Is there anyway to authenticate solr user using Keytab files?