New Contributor
Posts: 2
Registered: ‎06-22-2017
Accepted Solution

Unable to access secure collection using SolrJ

I have a spring-data-solr web service that was running fine before we enabled kerberos security on our cluster.

Below is the config portion of my code:

@Configuration
@EnableSolrRepositories(basePackages = { "org.nccourts.civil.repository" }, multicoreSupport = true)
public class IdentitySearchWsConfig {

    @Value("${spring.data.solr.zk-host}")
    private String zkHost;

    @Bean
    public CloudSolrClient solrClient() {
        return new CloudSolrClient(zkHost);
    }

    @Bean
    public SolrTemplate solrTemplate(CloudSolrClient solrClient) throws Exception {
        solrClient.setDefaultCollection("party_name");
        return new SolrTemplate(solrClient);
    }

}

The way I start my webservice is as follows:

java -Djava.security.auth.login.config=/iapima/jaas.conf -jar identity-search-hadoop-ws-dev-0.1.0-run.jar

 

Where the jaas.conf file points to my keytab file.

The web service runs without error; however, when I try to query my collection, I am getting the following error:

This request requires HTTP authentication.

 

Below is the full stack.  Any pointer or help is truly appreciated.

 

2017-07-11 17:18:04.109  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.Login               : successfully logged in.
2017-07-11 17:18:04.121  INFO 9592 --- [ourts.org:2181)] o.a.z.client.ZooKeeperSaslClient         : Client will use GSSAPI as SASL mechanism.
2017-07-11 17:18:04.126  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT refresh thread started.
2017-07-11 17:18:04.162  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT valid starting at:        Tue Jul 11 17:18:04 EDT 2017
2017-07-11 17:18:04.163  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT expires:                  Wed Jul 12 03:18:04 EDT 2017
2017-07-11 17:18:04.174  INFO 9592 --- [      Thread-21] org.apache.zookeeper.Login               : TGT refresh sleeping until: Wed Jul 12 01:40:02 EDT 2017
2017-07-11 17:18:04.177  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Opening socket connection to server dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2017-07-11 17:18:04.180  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Socket connection established to dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181, initiating session
2017-07-11 17:18:04.206  INFO 9592 --- [ourts.org:2181)] org.apache.zookeeper.ClientCnxn          : Session establishment complete on server dwh-mst-prd01.stor.nccourts.org/10.91.61.101:2181, sessionid = 0x25cf03c44356219, negotiated timeout = 10000
2017-07-11 17:18:04.223  INFO 9592 --- [back-2-thread-1] o.a.solr.common.cloud.ConnectionManager  : Watcher org.apache.solr.common.cloud.ConnectionManager@7e722a25 name:ZooKeeperConnection Watcher:dwh-mst-prd01.stor.nccourts.org,dwh-mst-prd03.stor.nccourts.org,dwh-mst-prd02.stor.nccourts.org:2181/solr got event WatchedEvent state:SyncConnected type:None path:null path:null type:None
2017-07-11 17:18:04.241  INFO 9592 --- [tp1110623531-19] o.a.solr.common.cloud.ConnectionManager  : Client is connected to ZooKeeper
2017-07-11 17:18:04.242  INFO 9592 --- [tp1110623531-19] o.apache.solr.common.cloud.SolrZkClient  : Using default ZkACLProvider
2017-07-11 17:18:04.248  INFO 9592 --- [tp1110623531-19] o.a.solr.common.cloud.ZkStateReader      : Updating cluster state from ZooKeeper...
2017-07-11 17:18:04.248  INFO 9592 --- [back-2-thread-1] o.a.solr.common.cloud.ConnectionManager  : Watcher org.apache.solr.common.cloud.ConnectionManager@7e722a25 name:ZooKeeperConnection Watcher:dwh-mst-prd01.stor.nccourts.org,dwh-mst-prd03.stor.nccourts.org,dwh-mst-prd02.stor.nccourts.org:2181/solr got event WatchedEvent state:SaslAuthenticated type:None path:null path:null type:None
2017-07-11 17:18:04.654 ERROR 9592 --- [tp1110623531-19] o.a.s.client.solrj.impl.CloudSolrClient  : Request to collection party_name failed due to (401) org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at https://dwh-mst-prd03.stor.nccourts.org:8985/solr/party_name: Expected mime type application/octet-stream but got text/html. <html><head><title>Apache Tomcat/6.0.45 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - Authentication required</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Authentication required</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.45</h3></body></html>, retry? 0


Posts: 642
Topics: 3
Kudos: 103
Solutions: 67
Registered: ‎08-16-2016

Re: Unable to access secure collection using SolrJ

I don't know how you would do it but have you tried changing the HTTP header to use the type 'application/octet-stream'?

"Expected mime type application/octet-stream but got text/html"
Cloudera Employee
Posts: 198
Registered: ‎01-09-2014

Re: Unable to access secure collection using SolrJ

The error is indicating that it's not authenticating properly via Kerberos.

Did you update your code to use the Krb5HttpClientConfigurer?

https://cwiki.apache.org/confluence/display/solr/Kerberos+Authentication+Plugin

-pd
New Contributor
Posts: 2
Registered: ‎06-22-2017

Re: Unable to access secure collection using SolrJ

Adding this:

    public IdentitySearchWsConfig() {
        HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());
    }

to my config file solved the problem. Thanks
Cloudera Employee
Posts: 25
Registered: ‎08-22-2014

Re: Unable to access secure collection using SolrJ

Yes, that's the correct solution, and you can look at this code example too.

 

import java.io.IOException;

import org.apache.solr.client.solrj.SolrServerException;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.HttpSolrServer;
import org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer;
import org.apache.solr.common.SolrInputDocument;

public class SolrKerberosAuth {

    public static void main(String[] args) throws SolrServerException, IOException {

        // Register the Kerberos (SPNEGO) configurer before any SolrJ client is created.
        HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());

        // JAAS file that names the principal and keytab to log in with.
        System.setProperty("java.security.auth.login.config",
                "/home/user.name/jaas-client.conf");

        HttpSolrServer server = new HttpSolrServer("http://solr-host:8983/solr/solrtest");

        SolrInputDocument doc = new SolrInputDocument();
        doc.addField("id", "1111");
        // doc.addField("source", "TestSource9");

        try {
            // server.ping();
            server.add(doc);
        } catch (SolrServerException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

}

 

javac -cp "/opt/cloudera/parcels/CDH/jars/*" SolrKerberosAuth.java
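
The Kerberos setup in this thread depends on the JAAS file named by java.security.auth.login.config being loadable and pointing at a readable keytab. The startup check below is an added example, not code from any post in this thread or from the Solr project; the class name JaasPreflight is hypothetical, and it assumes the login section is called Client (as in the ZooKeeper log line in the question) and that the property holds a plain file path.

```java
import java.io.File;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/**
 * Fails fast when the JAAS setup for a Kerberized client is incomplete.
 * Expected file layout (constructed sample, placeholders in <>):
 *   Client {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *     useKeyTab=true keyTab="<path-to-keytab>" principal="<user@REALM>";
 *   };
 */
public class JaasPreflight {

    // Assumption: section name taken from the ZooKeeper log line on this page.
    static final String SECTION = "Client";

    public static void check() {
        // Assumption: the property is a plain file path, as in the launch command.
        String path = System.getProperty("java.security.auth.login.config");
        if (path == null || !new File(path).canRead()) {
            throw new IllegalStateException(
                "java.security.auth.login.config is unset or unreadable: " + path);
        }
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(SECTION);
        if (entries == null || entries.length == 0) {
            throw new IllegalStateException("No '" + SECTION + "' section in " + path);
        }
        for (AppConfigurationEntry e : entries) {
            Map<String, ?> opts = e.getOptions();
            Object keyTab = opts.get("keyTab");
            // A keytab-based login needs a keytab this process can actually read.
            if ("true".equals(opts.get("useKeyTab"))
                    && (keyTab == null || !new File(keyTab.toString()).canRead())) {
                throw new IllegalStateException("Keytab not readable: " + keyTab);
            }
            // Report only non-secret settings; keytab contents are never read or logged.
            System.out.println(e.getLoginModuleName()
                + " principal=" + opts.get("principal") + " keyTab=" + keyTab);
        }
    }

    public static void main(String[] args) {
        check();
        System.out.println("JAAS configuration looks usable");
    }
}
```

Run it with the same -Djava.security.auth.login.config option as the service. It validates the JAAS side only; the HTTP 401 in the question was caused by the missing Krb5HttpClientConfigurer, which this check does not detect.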

 
