Support Questions

Find answers, ask questions, and share your expertise

Http Error 500 KerberosName$NoMatchingRule

avatar
Explorer

Hi,

Since I kerberized my cluster I'm unable to access Solr UI.

When I go to Solr UI I get a "HTTP ERROR 500"

(For confidentiality reason I replaced username / DOMAIN / COM but imagine it exactly as joe@EXAMPLE.COM)

Problem accessing /solr/. Reason : Server Error
	Caused by: 
	org.apache.solr.common.SolrException: Error during request authentication
	[...]
	Caused by
	org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to <username>@<DOMAIN>.<COM>

Any hint ?

Thanks.

13 REPLIES 13

avatar
Guru

@Julian Blin I suppose it is complaining about a rule in auth_to_local config. You can use these two awesome links understand and get an example:

https://community.hortonworks.com/questions/42167/no-rules-applied-to-rangerlookup.html

https://community.hortonworks.com/questions/42167/no-rules-applied-to-rangerlookup.html

avatar

@Julian Blin

Maybe there is an issue with the auth-to-local rules used by SOLR. If you set them manually, check out this article on the auth-to-local rule syntax - Auth-to-local Rules Syntax.

avatar
Explorer

Hi @Shyam Sunder Rai and @Robert Levas , thanks for the answer !

I was also thinking it is a problem related to auth_to_local. That's why I added a new rule for solr :

RULE:[2:$1@$0](infra-solr@EXAMPLE.COM)s/.*/solr/

and restarted.

But nothing changes, I still got the 500 error.

How to be sure of the principal and regex to use in the rule ?

I tried to find an example for Solr rule but nothing on the Internet 😮

avatar

Do you have a rule like to following?

RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//

Also, do you have the following at the end?

DEFAULT

avatar
Explorer
RULE:[1:$1@$0](ambari-qa-cluster1@MY.PROD.EXAMPLE.COM)s/.*/ambari-qa/ 
RULE:[1:$1@$0](hbase-cluster1@MY.PROD.EXAMPLE.COM)s/.*/hbase/ 
RULE:[1:$1@$0](hdfs-cluster1@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[1:$1@$0](spark-cluster1@MY.PROD.EXAMPLE.COM)s/.*/spark/ 
RULE:[1:$1@$0](zeppelin-cluster1@MY.PROD.EXAMPLE.COM)s/.*/zeppelin/ 
RULE:[1:$1@$0](.*@MY.PROD.EXAMPLE.COM)s/@.*// 
RULE:[2:$1@$0](amshbase@MY.PROD.EXAMPLE.COM)s/.*/ams/ 
RULE:[2:$1@$0](amszk@MY.PROD.EXAMPLE.COM)s/.*/ams/ 
RULE:[2:$1@$0](atlas@MY.PROD.EXAMPLE.COM)s/.*/atlas/ 
RULE:[2:$1@$0](dn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](falcon@MY.PROD.EXAMPLE.COM)s/.*/falcon/ 
RULE:[2:$1@$0](hbase@MY.PROD.EXAMPLE.COM)s/.*/hbase/ 
RULE:[2:$1@$0](hive@MY.PROD.EXAMPLE.COM)s/.*/hive/ 
RULE:[2:$1@$0](jhs@MY.PROD.EXAMPLE.COM)s/.*/mapred/ 
RULE:[2:$1@$0](jn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](knox@MY.PROD.EXAMPLE.COM)s/.*/knox/ 
RULE:[2:$1@$0](livy@MY.PROD.EXAMPLE.COM)s/.*/livy/ 
RULE:[2:$1@$0](nfs@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](nm@MY.PROD.EXAMPLE.COM)s/.*/yarn/ 
RULE:[2:$1@$0](nn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](oozie@MY.PROD.EXAMPLE.COM)s/.*/oozie/ 
RULE:[2:$1@$0](rangeradmin@MY.PROD.EXAMPLE.COM)s/.*/ranger/ 
RULE:[2:$1@$0](rangertagsync@MY.PROD.EXAMPLE.COM)s/.*/rangertagsync/ 
RULE:[2:$1@$0](rangerusersync@MY.PROD.EXAMPLE.COM)s/.*/rangerusersync/ 
RULE:[2:$1@$0](rm@MY.PROD.EXAMPLE.COM)s/.*/yarn/ 
RULE:[2:$1@$0](yarn@MY.PROD.EXAMPLE.COM)s/.*/yarn/ 
RULE:[1:$1@$0](infra-solr@MY.PROD.EXAMPLE.COM)s/.*/solr/ 
RULE:[2:$1@$0](infra-solr@MY.PROD.EXAMPLE.COM)s/.*/solr/ 
DEFAULT

I added the last two before DEFAULT (that was already there).

It is still not working.

The rule you mentionned is already there.

Please note that my user name is username@EXAMPLE.COM whereas all principals name are @MY.PROD.EXAMPLE.COM


When I look into /etc/ambari-infra-solr/conf/security.json, I get :

{
  "authentication": {
    "class": "org.apache.solr.security.KerberosPlugin"
  },
  "authorization": {
    "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin",
    "user-role": {
      "infra-solr@MY.PROD.EXAMPLE.COM": "admin",
      "logsearch@MY.PROD.EXAMPLE.COM": ["logsearch_user", "ranger_admin_user", "dev"],
      "logfeeder@MY.PROD.EXAMPLE.COM": ["logfeeder_user", "dev"],
      "atlas@MY.PROD.EXAMPLE.COM": ["atlas_user", "ranger_audit_user", "dev"],
      "nn@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "hbase@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "hive@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "knox@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "kafka@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "rangerkms@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "storm-bdtest1@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "rm@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "nifi@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "rangeradmin@MY.PROD.EXAMPLE.COM": ["ranger_admin_user", "ranger_audit_user", "dev"]
    },
    "permissions": [
    {
      "name" : "collection-admin-read",
      "role" :null
    },
    {
      "name" : "collection-admin-edit",
      "role" : ["admin", "logsearch_user", "logfeeder_user", "atlas_user", "ranger_admin_user"]
    },
    {
      "name":"read",
      "role": "dev"
    },
    {
      "collection": ["hadoop_logs", "audit_logs", "history"],
      "role": ["admin", "logsearch_user", "logfeeder_user"],
      "name": "logsearch-manager",
      "path": "/*"
    },
    {
       "collection": ["vertex_index", "edge_index", "fulltext_index"],
       "role": ["admin", "atlas_user"],
       "name": "atlas-manager",
       "path": "/*"
    },
    {
       "collection": "ranger_audits",
       "role": ["admin", "ranger_admin_user", "ranger_audit_user"],
       "name": "ranger-manager",
       "path": "/*"
    }]
  }
}

avatar

Can you see what happens when you do the following? Maybe we can rule out Solr. Do you know if your Solr auth-to-local rules are the same as your Hadoop auth-to-local rules? The following will test using the auth-to-local rules set in core-site.xml:hadoop.security.auth_to_local:

hadoop org.apache.hadoop.security.HadoopKerberosName user@EXAMPLE.COM

avatar
Explorer

I don't know about the rules for Solr. The thing is that there was no rules for solr befor I added the two mentioned above.

The result of your command is :

$ hadoop org.apache.hadoop.security.HadoopKerberosName user@EXAMPLE.COM
18/01/23 15:28:10 INFO util.KerberosName: No auth_to_local rules applied to user@EXAMPLE.COM
Name: user@EXAMPLE.COM to user@EXAMPLE.COM

I also tried :

$ hadoop org.apache.hadoop.security.HadoopKerberosName user@MY.PROD.EXAMPLE.COM
Name: user@MY.PROD.EXAMPLE.COM to user

avatar

You have multiple realms involved. I guess I missed that point somewhere.

You need to add a specific rule to translate the trusted realm, EXAMPLE.COM. So you should add the following to the rule set:

RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//

You should also have (by default, from Ambari)

RULE:[1:$1@$0](.*@MY.PROD.EXAMPLE.COM)s/@.*//

Ambari should do this for you if you set the "Additional Realms" value to contain "EXAMPLE.COM".

I am not sure if you will need to manually update the auth-to-local rules for Solr.

avatar
Explorer

Thanks for your help, I will try this today and let you know asap if this has solved the issue.