Created on 02-14-2018 08:50 AM - edited 09-16-2022 05:51 AM
Does anyone out there have an example of Java code that can connect to a Cloudera SOLR collection (under zookeeper) that uses Kerberos and the correct SASL parameters? Googling brings up some suggestions and some not ready for prime time classes. I'm looking for connection code, not a Morphlines example.
Thanks, Rick
Created 03-15-2018 09:02 AM
I got this to work as follows (but there's a twist when dealing with Eclipse from Windows):
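    import java.io.IOException;
    import org.apache.solr.client.solrj.SolrQuery;
    import org.apache.solr.client.solrj.SolrServerException;
    import org.apache.solr.client.solrj.impl.CloudSolrClient;
    import org.apache.solr.client.solrj.impl.HttpClientUtil;
    import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder;
    import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
    import org.apache.solr.client.solrj.response.QueryResponse;
    import org.apache.solr.common.SolrDocument;

    public class KerberosSolrQuery {
        public static void main(String[] args) {
            System.setProperty("javax.net.ssl.trustStorePassword", "xxxxxx");
            // JAAS file that points the client at the Kerberos ticket cache (see jaas.conf below)
            System.setProperty("java.security.auth.login.config", "C:\\my_jaas.conf");
            // ZooKeeper ensemble followed by the /solr chroot
            String zkHosts = "zookeeper1.com:2181,zookeeper2.ghp.com:2181,zookeeper3.ghp.com:2181/solr";
            // Install the Kerberos HTTP client builder before any Solr client is created
            Krb5HttpClientBuilder krbBuild = new Krb5HttpClientBuilder();
            SolrHttpClientBuilder kb = krbBuild.getBuilder();
            HttpClientUtil.setHttpClientBuilder(kb);
            CloudSolrClient solrServer = new CloudSolrClient.Builder().withZkHost(zkHosts).build();
            String collectionName = "test_col";
            solrServer.setDefaultCollection(collectionName);
            solrServer.connect();
            SolrQuery parameters = new SolrQuery();
            parameters.set("q", "*:*");
            try {
                solrServer.commit();
                QueryResponse response = solrServer.query(parameters);
                for (SolrDocument solrDocument : response.getResults()) {
                    System.out.println(" " + solrDocument.toString());
                }
                krbBuild.close();
                solrServer.close();
            } catch (SolrServerException | IOException e) {
                e.printStackTrace();
            }
        }
    }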
If you are working from a Windows environment and Windows is generating your TGT Kerberos keys and Kerberos is hooked into AD (that is, not using MIT Kerberos), then you need to update the registry as follows (thanks to Cloudera Systems Engineer Tom Roach):
On Windows, to use your Kerberos tickets from AD in your Java program, you need to set up this Windows registry value.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Value Name: AllowTgtSessionKey
    Value Type: REG_DWORD
    Value: 0x01
jaas.conf:
    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=false
        useTicketCache=true
        principal="myuser@MYDOMAIN.COM";
    };
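A preflight check for the setup in the post above, added here as an example and not part of the original answer or of Cloudera's code: it logs in through the same `Client` JAAS entry and confirms a current TGT was picked up from the ticket cache before any Solr call is made. The class name `JaasTicketCacheCheck` and the helper `hasUsableTgt` are hypothetical; the JAAS path and entry name are the ones from the post.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasTicketCacheCheck {
    // Hypothetical helper: true if the subject holds a currently valid TGT (krbtgt/REALM@REALM).
    static boolean hasUsableTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket t : tickets) {
            String server = t.getServer().getName();
            System.out.printf("ticket for %s, expires %s, current=%b%n",
                    server, t.getEndTime(), t.isCurrent());
            if (server.startsWith("krbtgt/") && t.isCurrent()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Same system property the post sets; the path may be overridden by the first argument.
        String jaasPath = args.length > 0 ? args[0] : "C:\\my_jaas.conf";
        System.setProperty("java.security.auth.login.config", jaasPath);
        try {
            // "Client" is the entry name in the jaas.conf from the post.
            LoginContext lc = new LoginContext("Client");
            lc.login(); // no callback handler, so only the ticket cache can satisfy the login
            Subject subject = lc.getSubject();
            for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
                System.out.println("authenticated as " + p.getName());
            }
            if (!hasUsableTgt(subject)) {
                System.err.println("login succeeded but no current TGT was found");
                System.exit(2);
            }
            lc.logout();
        } catch (LoginException e) {
            // Raised when the cache yields no usable ticket and there is no keytab or password source.
            System.err.println("JAAS login failed for entry 'Client': " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the same JVM and under the same user account as the Solr client, since the ticket cache it reads belongs to that logon session.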
Created 02-23-2018 08:56 AM
Hi Rick,
Did you find this info in Cloudera Search documentation - does this help?
https://www.cloudera.com/documentation/enterprise/latest/topics/search_using_kerberos.html
Nick
Created 02-23-2018 08:59 AM