Support Questions
Find answers, ask questions, and share your expertise

HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

New Contributor

On kerberos secured HDP 2.5 cluster, I have enabled ranger solr plugin for authorization following steps from this link and also cross checked with ranger wiki

Whenever I restart solr using ambari, I see security.json is getting overwritten with only authentication class settings. In service start logs, I do see an entry where it's reinserting security.json with authentication settings. Due to this, I have to manually re-execute zkcli script to re-insert authorization settings after every restart.

Before restart security.json content:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}

Ambari solr service start log:

2016-11-15 09:49:04,767 - Execute['export JAVA_HOME=/usr/jdk64/jdk1.8.0_77; /opt/lucidworks-hdpsearch/solr/server/scripts/cloud-scripts/zkcli.sh -zkhost xxx:2181 -cmd put /solr/security.json '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}''] {'ignore_failures': True, 'user': 'solr'}

After restart security.json content:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}

I will really appreciate any pointer to fix this.

5 REPLIES 5
Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

@Vishal Mahajan - which Solr instance are you using? Your own Solr instance, or the Ambari Infra's Solr instance?

Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

New Contributor

@Paul Codding, I am using Lucidworks powered HDP search that's complaint to HDP 2.5 (Installation link). Also, underlying OS is Centos 7

Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

@Vishal Mahajan - We can get this taken care of for you, and it will be easiest if you create a support case for this.

Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

New Contributor

I have create an issue in solr-stak https://github.com/lucidworks/solr-stack/issues/9

However, there is a workaround:

please modify the "setup_solr_kerberos_auth.py" in ambari-server (and in all ambari-agent)

Please, change this line:

command +='\'{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}\''

with:

command +='\'{"authentication":{"class":"org.apache.solr.security.KerberosPlugin"},"authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}\''

location in ambari-server:

/var/lib/ambari-server/resources/mpacks/solr-ambari-mpack-${version}/common-services/SOLR/5.5.2/package/scripts/setup_solr_kerberos_auth.py
Where ${version} is the solr-stack version.

location in ambari-agent

./var/lib/ambari-agent/cache/common-services/SOLR/5.5.2/package/scripts/setup_solr_kerberos_auth.py
Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

New Contributor

@Cesar Vera-Bernal, Thanks for providing workaround. After following above steps I noticed that solr zookeeper configurations are correctly preserved. However, custom authorization policies as specified in the ranger solr repository are not getting applied. If I recreate those policies again, then, everything works as expected(disable -> enable didn't help either). Please note this behavior was only observed against custom policies and not with default "all collection" policy.