Java Code example to connect to SOLR using Kerberos and SASL

New Contributor

Does anyone out there have an example of Java code that can connect to a Cloudera SOLR collection (under ZooKeeper) that uses Kerberos and the correct SASL parameters? Googling brings up some suggestions and some not-ready-for-prime-time classes. I'm looking for connection code, not a Morphlines example.

Thanks, Rick

1 ACCEPTED SOLUTION

New Contributor

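I got this to work as follows (but there's a twist when dealing with Eclipse from Windows):

    import java.io.IOException;
    import org.apache.solr.client.solrj.SolrQuery;
    import org.apache.solr.client.solrj.SolrServerException;
    import org.apache.solr.client.solrj.impl.CloudSolrClient;
    import org.apache.solr.client.solrj.impl.HttpClientUtil;
    import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder;
    import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
    import org.apache.solr.client.solrj.response.QueryResponse;
    import org.apache.solr.common.SolrDocument;

    // Class name is illustrative; the original post showed only the statements below.
    public class SolrKerberosExample {
        public static void main(String[] args) {
            // Truststore password (placeholder) and the JAAS file holding the "Client" section
            System.setProperty("javax.net.ssl.trustStorePassword", "xxxxxx");
            System.setProperty("java.security.auth.login.config", "C:\\my_jaas.conf");
            // ZooKeeper ensemble followed by the /solr chroot
            String zkHosts = "zookeeper1.com:2181,zookeeper2.ghp.com:2181,zookeeper3.ghp.com:2181/solr";

            // Install the Kerberos (SPNEGO) HTTP client builder before creating the SolrJ client
            Krb5HttpClientBuilder krbBuild = new Krb5HttpClientBuilder();
            SolrHttpClientBuilder kb = krbBuild.getBuilder();
            HttpClientUtil.setHttpClientBuilder(kb);
            CloudSolrClient solrServer = new CloudSolrClient.Builder().withZkHost(zkHosts).build();

            String collectionName = "test_col";
            solrServer.setDefaultCollection(collectionName);
            solrServer.connect();

            // Match-all query against the default collection
            SolrQuery parameters = new SolrQuery();
            parameters.set("q", "*:*");
            try {
                solrServer.commit();
                QueryResponse response = solrServer.query(parameters);
                for (SolrDocument solrDocument : response.getResults()) {
                    System.out.println(" " + solrDocument.toString());
                }
                krbBuild.close();
                solrServer.close();
            } catch (SolrServerException | IOException e) {
                e.printStackTrace();
            }
        }
    }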

If you are working from a Windows environment and Windows is generating your TGT Kerberos keys and Kerberos is hooked into AD (that is, not using MIT Kerberos), then you need to update the registry as follows (thanks to Cloudera Systems Engineer Tom Roach):

On Windows, to use your Kerberos tickets from AD in your Java program, you need to set up this Windows registry value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: AllowTgtSessionKey
Value Type: REG_DWORD
Value: 0x01

jaas.conf:

    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=false
        useTicketCache=true
        principal="myuser@MYDOMAIN.COM";
    };

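A pre-flight check for the setup in the accepted answer, added here as an example and not part of the original post: it loads the `Client` JAAS section and attempts a ticket-cache login before any Solr call, so configuration and ticket problems surface with a clear message. The class name `KerberosPreflight` is hypothetical; run it with `-Djava.security.auth.login.config` pointing at your jaas.conf.

```java
import java.util.Set;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical helper: can the JAAS section "Client" log in from the ticket cache? */
public class KerberosPreflight {
    static final String SECTION = "Client"; // section name from the jaas.conf in the answer

    static boolean check() {
        AppConfigurationEntry[] entries;
        try {
            // Throws SecurityException when the configured JAAS file cannot be read or parsed.
            entries = Configuration.getConfiguration().getAppConfigurationEntry(SECTION);
        } catch (SecurityException e) {
            System.err.println("JAAS config not loadable: " + e.getMessage());
            return false;
        }
        if (entries == null) {
            System.err.println("No '" + SECTION + "' section in the JAAS config");
            return false;
        }
        for (AppConfigurationEntry entry : entries) {
            System.out.println(entry.getLoginModuleName() + " " + entry.getOptions());
        }
        try {
            LoginContext lc = new LoginContext(SECTION);
            lc.login(); // with useKeyTab=false and no callback handler, only the ticket cache can satisfy this
            Set<KerberosTicket> tickets = lc.getSubject().getPrivateCredentials(KerberosTicket.class);
            boolean usable = false;
            for (KerberosTicket t : tickets) {
                // Report ticket metadata only; never log the session key.
                System.out.println(t.getServer().getName() + " valid until " + t.getEndTime());
                usable |= t.isCurrent() && t.getServer().getName().startsWith("krbtgt/");
            }
            lc.logout();
            return usable;
        } catch (LoginException e) {
            // Typical failure point when the cache is empty, expired, or not readable by Java.
            System.err.println("Kerberos login failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.exit(check() ? 0 : 1); // exit code 0 only when a current TGT was obtained
    }
}
```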

3 REPLIES

Expert Contributor

Hi Rick,

Did you find this info in Cloudera Search documentation - does this help?

https://www.cloudera.com/documentation/enterprise/latest/topics/search_using_kerberos.html

Nick
