Support Questions

Find answers, ask questions, and share your expertise

Http Error 500 KerberosName$NoMatchingRule

avatar
Explorer

Hi,

Since I kerberized my cluster I'm unable to access Solr UI.

When I go to Solr UI I get a "HTTP ERROR 500"

(For confidentiality reason I replaced username / DOMAIN / COM but imagine it exactly as joe@EXAMPLE.COM)

Problem accessing /solr/. Reason : Server Error
	Caused by: 
	org.apache.solr.common.SolrException: Error during request authentication
	[...]
	Caused by
	org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to <username>@<DOMAIN>.<COM>

Any hint ?

Thanks.

13 REPLIES 13

avatar
Explorer

Hi @Robert Levas
We added the rule :

RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//

And now I am able to successfully work on the terminal :

$ hadoop org.apache.hadoop.security.HadoopKerberosName user@EXAMPLE.COM 

Name: user@EXAMPLE.COM to user

But I still can't access my Solr UI.

When I go to the UI, I get a pop-up asking me for authentication, I type my username and password and I still get :

HTTP ERROR 500
Problem accessing /solr/. Reason:
    Server Error
Caused by:
org.apache.solr.common.SolrException: Error during request authentication, 
	at org.apache.solr.servlet.SolrDispatchFilter.authenticateRequest(SolrDispatchFilter.java:319)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:222)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:208)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:499)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user@EXAMPLE.COM
	at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:378)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:348)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:348)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507)
	at org.apache.solr.security.KerberosFilter.doFilter(KerberosFilter.java:46)
	at org.apache.solr.security.KerberosPlugin.doAuthenticate(KerberosPlugin.java:144)
	at org.apache.solr.servlet.SolrDispatchFilter.authenticateRequest(SolrDispatchFilter.java:311)
	... 22 more
Caused by:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user@EXAMPLE.COM

avatar

@Julian Blin I am not familiar with Solr's configuration options. Where did you set this rule?

Maybe @Olivér Szabó, can chime in on helping to configure.

avatar

There looks to be a property for Solr that can be used for this. See https://lucene.apache.org/solr/guide/6_6/kerberos-authentication-plugin.html.

solr.kerberos.name.rules

Used to map Kerberos principals to short names. Default value is DEFAULT. Example of a name rule: RULE:[1:$1@$0](.*EXAMPLE.COM)s/@.*//

avatar
Contributor

@Julian Blin , I think you need to set 'infra-solr-env/infra_solr_kerberos_name_rules' property for using the rules for Solr,