question Re: Securing Solr with Ranger ERROR 500 in Archives of Support Questions (Read Only)

Securing Solr with Ranger ERROR 500

397403564 — Tue, 25 Oct 2016 16:12:42 GMT

my solr can working normal.when i use the security.json like this

{
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": true,
        "credentials": {
            "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
        }
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin"
    }
}

but when i Securing Solr Collections with Ranger as below:

{
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
        }
    },
    "authorization": {
        "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"
    }
}

solr-plugin can show in ranger-audit-plugin. But solr cant work when i open http://localhost:8983/solr/

HTTP ERROR 500
Problem accessing /solr/. Reason:
    {trace=java.lang.NullPointerException
	at org.apache.solr.servlet.HttpSolrCall$2.toString(HttpSolrCall.java:1020)
	at java.lang.String.valueOf(String.java:2849)
	at java.lang.StringBuilder.append(StringBuilder.java:128)
	at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:227)
	at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128)
	at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:420)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:225)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:183)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:499)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:745)
,code=500}
Powered by Jetty://

Re: Securing Solr with Ranger ERROR 500

jstraub — Tue, 25 Oct 2016 16:50:44 GMT

Did you enable the Ranger Solr Plugin using the enable-ranger-plugin.sh script? What version of Solr and Ranger is this?

You might want to enable the Ranger Plugin again and make sure that all ranger jars/xmls have been copied to .../solr/server/solr-webapp/webapp/WEB-INF/classes and .../solr/server/solr-webapp/webapp/WEB-INF/libs

(Validate the paths, not sure if they are 100% correct)

Re: Securing Solr with Ranger ERROR 500

vsuvagia — Tue, 25 Oct 2016 17:02:56 GMT

@Fang Heart, are you trying to enable Ranger solr plugin under non secured environment i.e non-kerberised env ?, Ranger Solr plugin is supported to work under kerberized environments. You can follow the steps described here to enable Ranger Solr plugin.

Re: Securing Solr with Ranger ERROR 500

397403564 — Tue, 25 Oct 2016 17:05:13 GMT

i use solr-5.5.0 ranger0.6.2 .i have enable the Ranger Plugin again.and copy from solr-plugin/lib、solr-plugin/lib/solr-plugin/lib/ranger-solr-plugin-impl、solr-plugin/install/lib all jar to .../solr/server/solr-webapp/webapp/WEB-INF/libs. and solr-plugin/install/solr-plugin/install/enable all xml to .../solr/server/solr-webapp/webapp/WEB-INF/classes. And restarted the solr but nothing changed.

Re: Securing Solr with Ranger ERROR 500

397403564 — Tue, 25 Oct 2016 17:09:06 GMT

if ranger no authorization with ranger,my solr can work normal but it can't show plugin in ranger.

Re: Securing Solr with Ranger ERROR 500

vsuvagia — Tue, 25 Oct 2016 17:18:31 GMT

@Fang Heart

You can follow the steps mentioned in https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5.0+Installation#ApacheRanger0.5.0Installation-EnablingRangerSolrPlugin

Re: Securing Solr with Ranger ERROR 500

jstraub — Tue, 25 Oct 2016 17:20:56 GMT

Sorry I probably should have been more explicit, the ranger plugin script will copy all jars and xmls to the locations I mentioned above, you dont have to copy anything on your own. Can you run an "ls -al" on the two directories and post the result?

Also can you upload the Ranger xml files inside the "classes" directory?

How does your solr.in.sh look like?

Re: Securing Solr with Ranger ERROR 500

397403564 — Tue, 25 Oct 2016 17:20:56 GMT

this is what I did, so i'm confused.

Re: Securing Solr with Ranger ERROR 500

vsuvagia — Tue, 25 Oct 2016 17:46:24 GMT

@Fang Heart, did you install kerberos ?

Re: Securing Solr with Ranger ERROR 500

397403564 — Tue, 25 Oct 2016 17:57:49 GMT

no.it's needed?

Re: Securing Solr with Ranger ERROR 500

vsuvagia — Tue, 25 Oct 2016 18:09:44 GMT

@Fang Heart , yes Kerberos is needed and Solr should be configured in cloud mode you can follow the instructions for installing and configuring solr in cloud mode here

Re: Securing Solr with Ranger ERROR 500

397403564 — Tue, 25 Oct 2016 20:36:10 GMT

yes,the ranger plugin script will copy jars and xmls to the locations you mentioned above.I also copy some manually to make sure all is in it.

and the "classes"

-rwxr--r-- 1 root root 2270 Oct 25 18:14 ranger-policymgr-ssl.xml
-rw-r--r-- 1 root root   69 Oct 25 18:14 ranger-security.xml
-rwxr--r-- 1 root root 9668 Oct 25 18:14 ranger-solr-audit.xml
-rwxr--r-- 1 root root 2913 Oct 25 18:14 ranger-solr-security.xml

the "lib"

antlr4-runtime-4.5.1-1.jar            httpclient-4.4.1.jar                 lucene-queryparser-5.5.0.jar
asm-5.0.4.jar                         httpcore-4.4.1.jar                   lucene-sandbox-5.5.0.jar
asm-commons-5.0.4.jar                 httpmime-4.4.1.jar                   lucene-spatial-5.5.0.jar
commons-cli-1.2.jar                   jackson-core-2.5.4.jar               lucene-suggest-5.5.0.jar
commons-codec-1.10.jar                jackson-core-asl-1.9.13.jar          mysql-connector-java-5.1.38-bin.jar
commons-collections-3.2.1.jar         jackson-dataformat-smile-2.5.4.jar   noggit-0.6.jar
commons-collections-3.2.2.jar         jackson-jaxrs-1.8.3.jar              org.restlet-2.3.0.jar
commons-configuration-1.10.jar        jackson-jaxrs-1.9.13.jar             org.restlet.ext.servlet-2.3.0.jar
commons-configuration-1.6.jar         jackson-mapper-asl-1.9.13.jar        protobuf-java-2.5.0.jar
commons-exec-1.3.jar                  jackson-xc-1.8.3.jar                 ranger-plugin-classloader-0.6.2-SNAPSHOT.jar
commons-fileupload-1.2.1.jar          javax.persistence-2.1.0.jar          ranger-plugins-audit-0.6.2-SNAPSHOT.jar
commons-io-2.4.jar                    jcl-over-slf4j-1.7.7.jar             ranger-plugins-common-0.6.2-SNAPSHOT.jar
commons-lang-2.6.jar                  jersey-bundle-1.17.1.jar             ranger-plugins-cred-0.6.2-SNAPSHOT.jar
commons-logging-1.2.jar               joda-time-2.2.jar                    ranger-plugins-installer-0.6.2-SNAPSHOT.jar
concurrentlinkedhashmap-lru-1.2.jar   jul-to-slf4j-1.7.7.jar               ranger-solr-plugin-0.6.2-SNAPSHOT.jar
credentialbuilder-0.6.2-SNAPSHOT.jar  log4j-1.2.17.jar                     ranger-solr-plugin-impl
dom4j-1.6.1.jar                       lucene-analyzers-common-5.5.0.jar    ranger-solr-plugin-shim-0.6.2-SNAPSHOT.jar
eclipselink-2.5.2.jar                 lucene-analyzers-kuromoji-5.5.0.jar  slf4j-api-1.7.5.jar
gson-2.2.4.jar                        lucene-analyzers-phonetic-5.5.0.jar  slf4j-api-1.7.7.jar
guava-11.0.2.jar                      lucene-backward-codecs-5.5.0.jar     slf4j-log4j12-1.7.7.jar
guava-14.0.1.jar                      lucene-codecs-5.5.0.jar              solr-core-5.5.0.jar
hadoop-annotations-2.6.0.jar          lucene-core-5.5.0.jar                solr-solrj-5.5.0.jar
hadoop-auth-2.6.0.jar                 lucene-expressions-5.5.0.jar         spatial4j-0.5.jar
hadoop-auth-2.7.1.jar                 lucene-grouping-5.5.0.jar            stax2-api-3.1.4.jar
hadoop-common-2.6.0.jar               lucene-highlighter-5.5.0.jar         t-digest-3.1.jar
hadoop-common-2.7.1.jar               lucene-join-5.5.0.jar                woodstox-core-asl-4.4.1.jar
hadoop-hdfs-2.6.0.jar                 lucene-memory-5.5.0.jar              zookeeper-3.4.6.jar
hppc-0.7.1.jar                        lucene-misc-5.5.0.jar
htrace-core-3.0.4.jar                 lucene-queries-5.5.0.jar

my solr.in.sh

SOLR_JAVA_MEM=('-Xms512m' '-Xmx512m')


# Enable verbose GC logging
GC_LOG_OPTS="-verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails \
-XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime"


# These GC settings have shown to work well for a number of common Solr workloads
GC_TUNE="-XX:NewRatio=3 \
-XX:SurvivorRatio=4 \
-XX:TargetSurvivorRatio=90 \
-XX:MaxTenuringThreshold=8 \
-XX:+UseConcMarkSweepGC \
-XX:+UseParNewGC \
-XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 \
-XX:+CMSScavengeBeforeRemark \
-XX:PretenureSizeThreshold=64m \
-XX:+UseCMSInitiatingOccupancyOnly \
-XX:CMSInitiatingOccupancyFraction=50 \
-XX:CMSMaxAbortablePrecleanTime=6000 \
-XX:+CMSParallelRemarkEnabled \
-XX:+ParallelRefProcEnabled"


SOLR_PID_DIR=/opt/solr_8001
SOLR_HOME=/opt/solr_8001/data
LOG4J_PROPS=/opt/solr_8001/log4j.xml
SOLR_LOGS_DIR=/opt/solr_8001/logs
ZK_HOST="192.168.91.161:2181,192.168.91.162:2181,192.168.91.163:2181"
SOLR_PORT=8983
SOLR_MODE=solrcloud


SOLR_ZK_CREDS_AND_ACLS="-DzkDigestUsername=admin -DzkDigestPassword=admin"
SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"

Re: Securing Solr with Ranger ERROR 500

jstraub — Wed, 26 Oct 2016 10:40:27 GMT

I assume your solr instance is running under the solr-user? If yes, make sure all the ranger files and the directory "classes" is owned by that user.

Does that Solr Home directory exist, "/opt/solr_8001/data" ? Also is it owned by the user that is running the solr instances?

Re: Securing Solr with Ranger ERROR 500

397403564 — Wed, 26 Oct 2016 23:00:23 GMT

i have see your article

https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html#comment-46380

i have some question :

1 .if kerbores is needed for solr-plugin.

2.which user your use in solr ,and what user you write in ranger-solr-service.

3.which commond you use to start solrcloud.

Re: Securing Solr with Ranger ERROR 500

397403564 — Thu, 27 Oct 2016 15:50:05 GMT

Hello,i install the kerbeos it can work normal .but i want kown if we can Test Connectioncan show successly in ranger , if we can ,what i should do?

Re: Securing Solr with Ranger ERROR 500

jstraub — Mon, 31 Oct 2016 11:48:58 GMT

@Fang Heart

1.I think you can use Ranger Solr Plugin without Kerberos, however kerberos provides the authentication layer and therefore an additional layer of security.

2.Solr itself runs under the solr user, however the users that are allowed to access and manage your solr collections is totally up to you. You can define separate policies for each Solr Collection in Ranger and assign permissions to groups or users

3.Usually, I configure my Solr instances in a way that allows me to use "service solr start" to start my solr cloud. In order to make this work, you have to make sure ZK_HOST is defined in your solr config (solr.in.sh)

Re: Securing Solr with Ranger ERROR 500

jstraub — Mon, 31 Oct 2016 11:51:55 GMT

@Fang Heart

In order to test the connection between the Ranger Solr Plugin and the Ranger service, you can login to the Ranger Admin UI and go to Audit -> Plugins. This will show a list of synchronizations between the Ranger Plugin and Ranger service. You can also check /etc/ranger/<repository name>/policycache/.... and check the timestamp of the policycache json.

Re: Securing Solr with Ranger ERROR 500

vergari — Tue, 22 May 2018 23:15:28 GMT

Hello @Jonas Straub,

sorry for reopening this old topic, but I'm getting the same error.

In my case, cluster is kerberized. I'm using HDP 2.6.0.3 with Ambari 2.5.0.3 and Solr 5.5 installed via Mpack. Solr authentication via SPNEGO is working fine, but when I tried to enable the ranger plugin for solr I'm getting a strange behavior, because if I configure log4j for INFO I'm getting 403 error (but ranger policies are well configured and I can see the ranger cache updated locally on the solr node), while if I set log4j to log DEBUG information I'm getting a 500 error from solr server. Looking at the source code of solr and ranger-solr it seems that ranger plugin is unable to obtain the AuthorizationContext, in fact I can see these lines in the log:

2018-05-22 13:03:17,703 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:316) - no handler or core retrieved for /, follow through...
2018-05-22 13:03:17,703 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:499) - PkiAuthenticationPlugin says authorization required : true
2018-05-22 13:03:17,704 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:421) - AuthorizationContext : [FAILED toString()]
....
2018-05-22 13:03:17,717 [qtp537548559-18 - /solr/] ERROR [   ] org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer (RangerSolrAuthorizer.java:288) - Error getting request context!!!
java.lang.NullPointerException
        at org.apache.solr.servlet.HttpSolrCall$2.getParams(HttpSolrCall.java:953)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.logAuthorizationConext(RangerSolrAuthorizer.java:279)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:165)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128)
        at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:422)

Since this version of Ambari does not support the ranger solr plugin, I had to manually edit the setup_solr_kerberos_auth.py script, adding "authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}, so my current security.json file on zookeeper is the following:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}

apart of that, I followed the instructions provided here and the repo on ranger is working.

Is it a missing configuration or maybe a bug? Exact versions I using are the following:

ranger-solr-plugin-0.7.0.2.6.0.3-8.el6.noarch
ranger_2_6_0_3_8-solr-plugin-0.7.0.2.6.0.3-8.x86_64

lucidworks-hdpsearch-2.6-100.noarch

Thanks,

Davide