Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

New Contributor

On kerberos secured HDP 2.5 cluster, I have enabled ranger solr plugin for authorization following steps from this link and also cross checked with ranger wiki

Whenever I restart solr using ambari, I see security.json is getting overwritten with only authentication class settings. In service start logs, I do see an entry where it's reinserting security.json with authentication settings. Due to this, I have to manually re-execute zkcli script to re-insert authorization settings after every restart.

Before restart security.json content:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}

Ambari solr service start log:

2016-11-15 09:49:04,767 - Execute['export JAVA_HOME=/usr/jdk64/jdk1.8.0_77; /opt/lucidworks-hdpsearch/solr/server/scripts/cloud-scripts/zkcli.sh -zkhost xxx:2181 -cmd put /solr/security.json '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}''] {'ignore_failures': True, 'user': 'solr'}

After restart security.json content:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}

I will really appreciate any pointer to fix this.

5 REPLIES 5
Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

Guru

@Vishal Mahajan - which Solr instance are you using? Your own Solr instance, or the Ambari Infra's Solr instance?

Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

New Contributor

@Paul Codding, I am using Lucidworks powered HDP search that's complaint to HDP 2.5 (Installation link). Also, underlying OS is Centos 7

Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

Guru

@Vishal Mahajan - We can get this taken care of for you, and it will be easiest if you create a support case for this.

Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

New Contributor

I have create an issue in solr-stak https://github.com/lucidworks/solr-stack/issues/9

However, there is a workaround:

please modify the "setup_solr_kerberos_auth.py" in ambari-server (and in all ambari-agent)

Please, change this line:

command +='\'{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}\''

with:

command +='\'{"authentication":{"class":"org.apache.solr.security.KerberosPlugin"},"authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}\''

location in ambari-server:

/var/lib/ambari-server/resources/mpacks/solr-ambari-mpack-${version}/common-services/SOLR/5.5.2/package/scripts/setup_solr_kerberos_auth.py
Where ${version} is the solr-stack version.

location in ambari-agent

./var/lib/ambari-agent/cache/common-services/SOLR/5.5.2/package/scripts/setup_solr_kerberos_auth.py
Highlighted

Re: HDP 2.5 - Solr service restart via ambari overwrite security.json authorization settings

New Contributor

@Cesar Vera-Bernal, Thanks for providing workaround. After following above steps I noticed that solr zookeeper configurations are correctly preserved. However, custom authorization policies as specified in the ranger solr repository are not getting applied. If I recreate those policies again, then, everything works as expected(disable -> enable didn't help either). Please note this behavior was only observed against custom policies and not with default "all collection" policy.

Don't have an account?
Coming from Hortonworks? Activate your account here