Http Error 500 KerberosName$NoMatchingRule

Explorer

Hi,

Since I kerberized my cluster I'm unable to access Solr UI.

When I go to Solr UI I get a "HTTP ERROR 500"

(For confidentiality reasons I replaced username / DOMAIN / COM but imagine it exactly as joe@EXAMPLE.COM)

Problem accessing /solr/. Reason : Server Error
	Caused by: 
	org.apache.solr.common.SolrException: Error during request authentication
	[...]
	Caused by
	org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to <username>@<DOMAIN>.<COM>

Any hint ?

Thanks.

13 REPLIES 13

Guru

@Julian Blin I suppose it is complaining about a rule in the auth_to_local config. You can use these two awesome links to understand and get an example:

https://community.hortonworks.com/questions/42167/no-rules-applied-to-rangerlookup.html

https://community.hortonworks.com/questions/42167/no-rules-applied-to-rangerlookup.html

@Julian Blin

Maybe there is an issue with the auth-to-local rules used by SOLR. If you set them manually, check out this article on the auth-to-local rule syntax - Auth-to-local Rules Syntax.

Explorer

Hi @Shyam Sunder Rai and @Robert Levas , thanks for the answer !

I was also thinking it is a problem related to auth_to_local. That's why I added a new rule for solr :

RULE:[2:$1@$0](infra-solr@EXAMPLE.COM)s/.*/solr/

and restarted.

But nothing changes, I still got the 500 error.

How to be sure of the principal and regex to use in the rule ?

I tried to find an example for Solr rule but nothing on the Internet 😮

Do you have a rule like the following?

RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//

Also, do you have the following at the end?

DEFAULT

Explorer

RULE:[1:$1@$0](ambari-qa-cluster1@MY.PROD.EXAMPLE.COM)s/.*/ambari-qa/ 
RULE:[1:$1@$0](hbase-cluster1@MY.PROD.EXAMPLE.COM)s/.*/hbase/ 
RULE:[1:$1@$0](hdfs-cluster1@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[1:$1@$0](spark-cluster1@MY.PROD.EXAMPLE.COM)s/.*/spark/ 
RULE:[1:$1@$0](zeppelin-cluster1@MY.PROD.EXAMPLE.COM)s/.*/zeppelin/ 
RULE:[1:$1@$0](.*@MY.PROD.EXAMPLE.COM)s/@.*// 
RULE:[2:$1@$0](amshbase@MY.PROD.EXAMPLE.COM)s/.*/ams/ 
RULE:[2:$1@$0](amszk@MY.PROD.EXAMPLE.COM)s/.*/ams/ 
RULE:[2:$1@$0](atlas@MY.PROD.EXAMPLE.COM)s/.*/atlas/ 
RULE:[2:$1@$0](dn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](falcon@MY.PROD.EXAMPLE.COM)s/.*/falcon/ 
RULE:[2:$1@$0](hbase@MY.PROD.EXAMPLE.COM)s/.*/hbase/ 
RULE:[2:$1@$0](hive@MY.PROD.EXAMPLE.COM)s/.*/hive/ 
RULE:[2:$1@$0](jhs@MY.PROD.EXAMPLE.COM)s/.*/mapred/ 
RULE:[2:$1@$0](jn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](knox@MY.PROD.EXAMPLE.COM)s/.*/knox/ 
RULE:[2:$1@$0](livy@MY.PROD.EXAMPLE.COM)s/.*/livy/ 
RULE:[2:$1@$0](nfs@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](nm@MY.PROD.EXAMPLE.COM)s/.*/yarn/ 
RULE:[2:$1@$0](nn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](oozie@MY.PROD.EXAMPLE.COM)s/.*/oozie/ 
RULE:[2:$1@$0](rangeradmin@MY.PROD.EXAMPLE.COM)s/.*/ranger/ 
RULE:[2:$1@$0](rangertagsync@MY.PROD.EXAMPLE.COM)s/.*/rangertagsync/ 
RULE:[2:$1@$0](rangerusersync@MY.PROD.EXAMPLE.COM)s/.*/rangerusersync/ 
RULE:[2:$1@$0](rm@MY.PROD.EXAMPLE.COM)s/.*/yarn/ 
RULE:[2:$1@$0](yarn@MY.PROD.EXAMPLE.COM)s/.*/yarn/ 
RULE:[1:$1@$0](infra-solr@MY.PROD.EXAMPLE.COM)s/.*/solr/ 
RULE:[2:$1@$0](infra-solr@MY.PROD.EXAMPLE.COM)s/.*/solr/ 
DEFAULT

I added the last two before DEFAULT (that was already there).

It is still not working.

The rule you mentioned is already there.

Please note that my user name is username@EXAMPLE.COM whereas all principal names are @MY.PROD.EXAMPLE.COM


When I look into /etc/ambari-infra-solr/conf/security.json, I get :

{
  "authentication": {
    "class": "org.apache.solr.security.KerberosPlugin"
  },
  "authorization": {
    "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin",
    "user-role": {
      "infra-solr@MY.PROD.EXAMPLE.COM": "admin",
      "logsearch@MY.PROD.EXAMPLE.COM": ["logsearch_user", "ranger_admin_user", "dev"],
      "logfeeder@MY.PROD.EXAMPLE.COM": ["logfeeder_user", "dev"],
      "atlas@MY.PROD.EXAMPLE.COM": ["atlas_user", "ranger_audit_user", "dev"],
      "nn@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "hbase@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "hive@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "knox@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "kafka@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "rangerkms@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "storm-bdtest1@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "rm@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "nifi@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"],
      "rangeradmin@MY.PROD.EXAMPLE.COM": ["ranger_admin_user", "ranger_audit_user", "dev"]
    },
    "permissions": [
    {
      "name" : "collection-admin-read",
      "role" :null
    },
    {
      "name" : "collection-admin-edit",
      "role" : ["admin", "logsearch_user", "logfeeder_user", "atlas_user", "ranger_admin_user"]
    },
    {
      "name":"read",
      "role": "dev"
    },
    {
      "collection": ["hadoop_logs", "audit_logs", "history"],
      "role": ["admin", "logsearch_user", "logfeeder_user"],
      "name": "logsearch-manager",
      "path": "/*"
    },
    {
       "collection": ["vertex_index", "edge_index", "fulltext_index"],
       "role": ["admin", "atlas_user"],
       "name": "atlas-manager",
       "path": "/*"
    },
    {
       "collection": "ranger_audits",
       "role": ["admin", "ranger_admin_user", "ranger_audit_user"],
       "name": "ranger-manager",
       "path": "/*"
    }]
  }
}

Can you see what happens when you do the following? Maybe we can rule out Solr. Do you know if your Solr auth-to-local rules are the same as your Hadoop auth-to-local rules? The following will test using the auth-to-local rules set in core-site.xml:hadoop.security.auth_to_local:

hadoop org.apache.hadoop.security.HadoopKerberosName user@EXAMPLE.COM

Explorer

I don't know about the rules for Solr. The thing is that there were no rules for solr before I added the two mentioned above.

The result of your command is :

$ hadoop org.apache.hadoop.security.HadoopKerberosName user@EXAMPLE.COM
18/01/23 15:28:10 INFO util.KerberosName: No auth_to_local rules applied to user@EXAMPLE.COM
Name: user@EXAMPLE.COM to user@EXAMPLE.COM

I also tried :

$ hadoop org.apache.hadoop.security.HadoopKerberosName user@MY.PROD.EXAMPLE.COM
Name: user@MY.PROD.EXAMPLE.COM to user

You have multiple realms involved. I guess I missed that point somewhere.

You need to add a specific rule to translate the trusted realm, EXAMPLE.COM. So you should add the following to the rule set:

RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//

You should also have (by default, from Ambari)

RULE:[1:$1@$0](.*@MY.PROD.EXAMPLE.COM)s/@.*//

Ambari should do this for you if you set the "Additional Realms" value to contain "EXAMPLE.COM".

I am not sure if you will need to manually update the auth-to-local rules for Solr.
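
The rule evaluation discussed in this thread, as an added example that is not part of the original posts and is not Hadoop's or Solr's code: a simplified Python model of auth_to_local matching that shows why user@EXAMPLE.COM matches no rule until a rule for the trusted realm is present. The hostname host1.example and the names short_name, CLUSTER_RULES and TRUSTED_REALM_RULE are assumptions made for the illustration.

```python
import re

# Simplified model of auth_to_local evaluation (assumption: only the
# RULE:[n:fmt](regex)s/from/to/ form and DEFAULT, as used in this thread).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")

class NoMatchingRule(Exception):
    pass

def short_name(principal, rules, default_realm):
    """Return the short name for a principal; the first applicable rule wins."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")                 # primary[/instance]
    for rule in (r.strip() for r in rules):
        if rule == "DEFAULT":
            if realm == default_realm:      # DEFAULT covers the local realm only
                return parts[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        count, fmt, regex, frm, to, flag = m.groups()
        if int(count) != len(parts):        # [1:..] vs [2:..] component count
            continue
        fields = [realm] + parts            # $0 = realm, $1..$n = components
        base = re.sub(r"\$(\d)", lambda g: fields[int(g.group(1))], fmt)
        if re.fullmatch(regex, base):       # filter must match the whole string
            return re.sub(frm, to, base, count=0 if flag else 1)
    raise NoMatchingRule("No rules applied to " + principal)

# Constructed sample: a subset of the rule set posted in the thread.
LOCAL_REALM = "MY.PROD.EXAMPLE.COM"
CLUSTER_RULES = [
    "RULE:[1:$1@$0](.*@MY.PROD.EXAMPLE.COM)s/@.*//",
    "RULE:[2:$1@$0](nn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[2:$1@$0](infra-solr@MY.PROD.EXAMPLE.COM)s/.*/solr/",
    "DEFAULT",
]
TRUSTED_REALM_RULE = "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//"

if __name__ == "__main__":
    for rules in (CLUSTER_RULES, [TRUSTED_REALM_RULE] + CLUSTER_RULES):
        for p in ("user@MY.PROD.EXAMPLE.COM", "user@EXAMPLE.COM",
                  "infra-solr/host1.example@MY.PROD.EXAMPLE.COM"):
            try:
                print(p, "->", short_name(p, rules, LOCAL_REALM))
            except NoMatchingRule as e:
                print(p, "->", e)
```

Feed it the rule list that the failing service actually loads: the hadoop command above reads core-site.xml, while the Solr Kerberos plugin has its own solr.kerberos.name.rules property.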

Explorer

Thanks for your help, I will try this today and let you know asap if this has solved the issue.

Explorer

Hi @Robert Levas
We added the rule :

RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//

And now I am able to successfully work on the terminal :

$ hadoop org.apache.hadoop.security.HadoopKerberosName user@EXAMPLE.COM 

Name: user@EXAMPLE.COM to user

But I still can't access my Solr UI.

When I go to the UI, I get a pop-up asking me for authentication, I type my username and password and I still get :

HTTP ERROR 500
Problem accessing /solr/. Reason:
    Server Error
Caused by:
org.apache.solr.common.SolrException: Error during request authentication, 
	at org.apache.solr.servlet.SolrDispatchFilter.authenticateRequest(SolrDispatchFilter.java:319)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:222)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:208)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:499)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user@EXAMPLE.COM
	at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:378)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:348)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:348)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507)
	at org.apache.solr.security.KerberosFilter.doFilter(KerberosFilter.java:46)
	at org.apache.solr.security.KerberosPlugin.doAuthenticate(KerberosPlugin.java:144)
	at org.apache.solr.servlet.SolrDispatchFilter.authenticateRequest(SolrDispatchFilter.java:311)
	... 22 more
Caused by:
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user@EXAMPLE.COM

@Julian Blin I am not familiar with Solr's configuration options. Where did you set this rule?

Maybe @Olivér Szabó can chime in on helping to configure.

There looks to be a property for Solr that can be used for this. See https://lucene.apache.org/solr/guide/6_6/kerberos-authentication-plugin.html.

solr.kerberos.name.rules

Used to map Kerberos principals to short names. Default value is DEFAULT. Example of a name rule: RULE:[1:$1@$0](.*EXAMPLE.COM)s/@.*//

Cloudera Employee

@Julian Blin, I think you need to set the 'infra-solr-env/infra_solr_kerberos_name_rules' property for using the rules for Solr.