Created 11-15-2016 03:28 PM
On kerberos secured HDP 2.5 cluster, I have enabled ranger solr plugin for authorization following steps from this link and also cross checked with ranger wiki
Whenever I restart solr using ambari, I see security.json is getting overwritten with only authentication class settings. In service start logs, I do see an entry where it's reinserting security.json with authentication settings. Due to this, I have to manually re-execute zkcli script to re-insert authorization settings after every restart.
Before restart security.json content:
{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}
Ambari solr service start log:
2016-11-15 09:49:04,767 - Execute['export JAVA_HOME=/usr/jdk64/jdk1.8.0_77; /opt/lucidworks-hdpsearch/solr/server/scripts/cloud-scripts/zkcli.sh -zkhost xxx:2181 -cmd put /solr/security.json '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}''] {'ignore_failures': True, 'user': 'solr'}
After restart security.json content:
{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}
I will really appreciate any pointer to fix this.
Created 11-15-2016 03:30 PM
@Vishal Mahajan - which Solr instance are you using? Your own Solr instance, or the Ambari Infra's Solr instance?
Created 11-16-2016 06:19 AM
@Paul Codding, I am using Lucidworks powered HDP search that's complaint to HDP 2.5 (Installation link). Also, underlying OS is Centos 7
Created 11-16-2016 04:56 PM
@Vishal Mahajan - We can get this taken care of for you, and it will be easiest if you create a support case for this.
Created 03-01-2017 07:43 PM
I have create an issue in solr-stak https://github.com/lucidworks/solr-stack/issues/9
However, there is a workaround:
please modify the "setup_solr_kerberos_auth.py" in ambari-server (and in all ambari-agent)
Please, change this line:
command +='\'{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}\''
with:
command +='\'{"authentication":{"class":"org.apache.solr.security.KerberosPlugin"},"authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}\''
location in ambari-server:
/var/lib/ambari-server/resources/mpacks/solr-ambari-mpack-${version}/common-services/SOLR/5.5.2/package/scripts/setup_solr_kerberos_auth.pyWhere ${version} is the solr-stack version.
location in ambari-agent
./var/lib/ambari-agent/cache/common-services/SOLR/5.5.2/package/scripts/setup_solr_kerberos_auth.py
Created 03-02-2017 12:39 PM
@Cesar Vera-Bernal, Thanks for providing workaround. After following above steps I noticed that solr zookeeper configurations are correctly preserved. However, custom authorization policies as specified in the ranger solr repository are not getting applied. If I recreate those policies again, then, everything works as expected(disable -> enable didn't help either). Please note this behavior was only observed against custom policies and not with default "all collection" policy.