HDP 2.5 - Solr service restart via ambari overwrit...

vishal423 · ‎11-15-2016

On kerberos secured HDP 2.5 cluster, I have enabled ranger solr plugin for authorization following steps from this link and also cross checked with ranger wiki

Whenever I restart solr using ambari, I see security.json is getting overwritten with only authentication class settings. In service start logs, I do see an entry where it's reinserting security.json with authentication settings. Due to this, I have to manually re-execute zkcli script to re-insert authorization settings after every restart.

Before restart security.json content:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}

Ambari solr service start log:

2016-11-15 09:49:04,767 - Execute['export JAVA_HOME=/usr/jdk64/jdk1.8.0_77; /opt/lucidworks-hdpsearch/solr/server/scripts/cloud-scripts/zkcli.sh -zkhost xxx:2181 -cmd put /solr/security.json '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}''] {'ignore_failures': True, 'user': 'solr'}

After restart security.json content:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}

I will really appreciate any pointer to fix this.

paul1 · ‎11-15-2016

@Vishal Mahajan - which Solr instance are you using? Your own Solr instance, or the Ambari Infra's Solr instance?

vishal423 · ‎11-16-2016

@Paul Codding, I am using Lucidworks powered HDP search that's complaint to HDP 2.5 (Installation link). Also, underlying OS is Centos 7

paul1 · ‎11-16-2016

@Vishal Mahajan - We can get this taken care of for you, and it will be easiest if you create a support case for this.

cesar_vera-bern · ‎03-01-2017

I have create an issue in solr-stak https://github.com/lucidworks/solr-stack/issues/9

However, there is a workaround:

please modify the "setup_solr_kerberos_auth.py" in ambari-server (and in all ambari-agent)

Please, change this line:

command +='\'{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}\''

with:

command +='\'{"authentication":{"class":"org.apache.solr.security.KerberosPlugin"},"authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}\''

location in ambari-server:

/var/lib/ambari-server/resources/mpacks/solr-ambari-mpack-${version}/common-services/SOLR/5.5.2/package/scripts/setup_solr_kerberos_auth.py

Where ${version} is the solr-stack version.

location in ambari-agent

./var/lib/ambari-agent/cache/common-services/SOLR/5.5.2/package/scripts/setup_solr_kerberos_auth.py

vishal423 · ‎03-02-2017

@Cesar Vera-Bernal, Thanks for providing workaround. After following above steps I noticed that solr zookeeper configurations are correctly preserved. However, custom authorization policies as specified in the ranger solr repository are not getting applied. If I recreate those policies again, then, everything works as expected(disable -> enable didn't help either). Please note this behavior was only observed against custom policies and not with default "all collection" policy.

HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings