Created 10-25-2016 09:12 AM
My Solr works normally when I use a security.json like this:
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin"
  }
}
But when I secure Solr collections with Ranger as below:
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
    }
  },
  "authorization": {
    "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"
  }
}
The solr-plugin shows up in ranger-audit-plugin, but Solr doesn't work when I open http://localhost:8983/solr/
HTTP ERROR 500
Problem accessing /solr/. Reason:
{trace=java.lang.NullPointerException
    at org.apache.solr.servlet.HttpSolrCall$2.toString(HttpSolrCall.java:1020)
    at java.lang.String.valueOf(String.java:2849)
    at java.lang.StringBuilder.append(StringBuilder.java:128)
    at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:227)
    at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128)
    at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:420)
    at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:225)
    at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:183)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
,code=500}
Powered by Jetty://
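Added example, not part of the original post: a check that diffs the two security.json files from this post and flags settings that change who reaches the authorization plugin. It relies on BasicAuthPlugin treating an omitted blockUnknown as false, which lets unauthenticated requests through to the authorizer; the function names and finding codes are made up for this example.

```python
import base64

# Credentials string copied from the post: "<base64 digest> <base64 salt>".
ROOT_CRED = "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
WORKING = {  # first security.json in the post
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True,
                       "credentials": {"root": ROOT_CRED}},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin"},
}
RANGER = {  # second security.json in the post
    "authentication": {"class": "solr.BasicAuthPlugin",
                       "credentials": {"root": ROOT_CRED}},
    "authorization": {"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"},
}

def flatten(cfg, prefix=""):
    """Map nested keys to dotted paths, e.g. authentication.blockUnknown."""
    out = {}
    for key, value in cfg.items():
        if isinstance(value, dict):
            out.update(flatten(value, prefix + key + "."))
        else:
            out[prefix + key] = value
    return out

def config_diff(old, new):
    """Return {path: (old_value, new_value)} for every setting that differs."""
    a, b = flatten(old), flatten(new)
    return {p: (a.get(p), b.get(p))
            for p in sorted(a.keys() | b.keys()) if a.get(p) != b.get(p)}

def credential_ok(value):
    """True if value is '<b64 digest> <b64 salt>' with a 32-byte SHA-256 digest."""
    try:
        digest, salt = (base64.b64decode(p, validate=True) for p in value.split(" "))
    except ValueError:  # wrong field count or invalid base64
        return False
    return len(digest) == 32 and len(salt) > 0

def audit(cfg):
    """Return finding codes for a parsed security.json."""
    findings = []
    authn = cfg.get("authentication", {})
    # An omitted blockUnknown is false: unauthenticated requests go on to the authorizer.
    if authn.get("class") == "solr.BasicAuthPlugin" and not authn.get("blockUnknown", False):
        findings.append("ANONYMOUS_REACHES_AUTHORIZER")
    findings += ["BAD_CREDENTIAL:" + user for user, value in
                 authn.get("credentials", {}).items() if not credential_ok(value)]
    return findings
```

For the two files above, config_diff reports only authentication.blockUnknown and authorization.class as changed, and audit flags the Ranger variant alone.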
Created 10-25-2016 09:50 AM
Did you enable the Ranger Solr Plugin using the enable-ranger-plugin.sh script? What version of Solr and Ranger is this?
You might want to enable the Ranger Plugin again and make sure that all ranger jars/xmls have been copied to .../solr/server/solr-webapp/webapp/WEB-INF/classes and .../solr/server/solr-webapp/webapp/WEB-INF/libs
(Validate the paths, not sure if they are 100% correct)
Created 10-25-2016 10:05 AM
I use solr-5.5.0 and Ranger 0.6.2. I have enabled the Ranger Plugin again, and copied all jars from solr-plugin/lib, solr-plugin/lib/solr-plugin/lib/ranger-solr-plugin-impl and solr-plugin/install/lib to .../solr/server/solr-webapp/webapp/WEB-INF/libs, and all XMLs from solr-plugin/install/solr-plugin/install/enable to .../solr/server/solr-webapp/webapp/WEB-INF/classes. I restarted Solr but nothing changed.
Created 10-25-2016 10:20 AM
Sorry, I probably should have been more explicit: the Ranger plugin script will copy all jars and XMLs to the locations I mentioned above; you don't have to copy anything on your own. Can you run an "ls -al" on the two directories and post the result?
Also can you upload the Ranger xml files inside the "classes" directory?
What does your solr.in.sh look like?
Created 10-25-2016 01:36 PM
Yes, the Ranger plugin script copies the jars and XMLs to the locations you mentioned above. I also copied some manually to make sure everything is in there.
And the "classes":
-rwxr--r-- 1 root root 2270 Oct 25 18:14 ranger-policymgr-ssl.xml
-rw-r--r-- 1 root root   69 Oct 25 18:14 ranger-security.xml
-rwxr--r-- 1 root root 9668 Oct 25 18:14 ranger-solr-audit.xml
-rwxr--r-- 1 root root 2913 Oct 25 18:14 ranger-solr-security.xml
The "lib":
antlr4-runtime-4.5.1-1.jar httpclient-4.4.1.jar lucene-queryparser-5.5.0.jar asm-5.0.4.jar httpcore-4.4.1.jar lucene-sandbox-5.5.0.jar asm-commons-5.0.4.jar httpmime-4.4.1.jar lucene-spatial-5.5.0.jar commons-cli-1.2.jar jackson-core-2.5.4.jar lucene-suggest-5.5.0.jar commons-codec-1.10.jar jackson-core-asl-1.9.13.jar mysql-connector-java-5.1.38-bin.jar commons-collections-3.2.1.jar jackson-dataformat-smile-2.5.4.jar noggit-0.6.jar commons-collections-3.2.2.jar jackson-jaxrs-1.8.3.jar org.restlet-2.3.0.jar commons-configuration-1.10.jar jackson-jaxrs-1.9.13.jar org.restlet.ext.servlet-2.3.0.jar commons-configuration-1.6.jar jackson-mapper-asl-1.9.13.jar protobuf-java-2.5.0.jar commons-exec-1.3.jar jackson-xc-1.8.3.jar ranger-plugin-classloader-0.6.2-SNAPSHOT.jar commons-fileupload-1.2.1.jar javax.persistence-2.1.0.jar ranger-plugins-audit-0.6.2-SNAPSHOT.jar commons-io-2.4.jar jcl-over-slf4j-1.7.7.jar ranger-plugins-common-0.6.2-SNAPSHOT.jar commons-lang-2.6.jar jersey-bundle-1.17.1.jar ranger-plugins-cred-0.6.2-SNAPSHOT.jar commons-logging-1.2.jar joda-time-2.2.jar ranger-plugins-installer-0.6.2-SNAPSHOT.jar concurrentlinkedhashmap-lru-1.2.jar jul-to-slf4j-1.7.7.jar ranger-solr-plugin-0.6.2-SNAPSHOT.jar credentialbuilder-0.6.2-SNAPSHOT.jar log4j-1.2.17.jar ranger-solr-plugin-impl dom4j-1.6.1.jar lucene-analyzers-common-5.5.0.jar ranger-solr-plugin-shim-0.6.2-SNAPSHOT.jar eclipselink-2.5.2.jar lucene-analyzers-kuromoji-5.5.0.jar slf4j-api-1.7.5.jar gson-2.2.4.jar lucene-analyzers-phonetic-5.5.0.jar slf4j-api-1.7.7.jar guava-11.0.2.jar lucene-backward-codecs-5.5.0.jar slf4j-log4j12-1.7.7.jar guava-14.0.1.jar lucene-codecs-5.5.0.jar solr-core-5.5.0.jar hadoop-annotations-2.6.0.jar lucene-core-5.5.0.jar solr-solrj-5.5.0.jar hadoop-auth-2.6.0.jar lucene-expressions-5.5.0.jar spatial4j-0.5.jar hadoop-auth-2.7.1.jar lucene-grouping-5.5.0.jar stax2-api-3.1.4.jar hadoop-common-2.6.0.jar lucene-highlighter-5.5.0.jar t-digest-3.1.jar hadoop-common-2.7.1.jar 
lucene-join-5.5.0.jar woodstox-core-asl-4.4.1.jar hadoop-hdfs-2.6.0.jar lucene-memory-5.5.0.jar zookeeper-3.4.6.jar hppc-0.7.1.jar lucene-misc-5.5.0.jar htrace-core-3.0.4.jar lucene-queries-5.5.0.jar
my solr.in.sh
SOLR_JAVA_MEM=('-Xms512m' '-Xmx512m')
# Enable verbose GC logging
GC_LOG_OPTS="-verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails \
-XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime"
# These GC settings have shown to work well for a number of common Solr workloads
GC_TUNE="-XX:NewRatio=3 \
-XX:SurvivorRatio=4 \
-XX:TargetSurvivorRatio=90 \
-XX:MaxTenuringThreshold=8 \
-XX:+UseConcMarkSweepGC \
-XX:+UseParNewGC \
-XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 \
-XX:+CMSScavengeBeforeRemark \
-XX:PretenureSizeThreshold=64m \
-XX:+UseCMSInitiatingOccupancyOnly \
-XX:CMSInitiatingOccupancyFraction=50 \
-XX:CMSMaxAbortablePrecleanTime=6000 \
-XX:+CMSParallelRemarkEnabled \
-XX:+ParallelRefProcEnabled"
SOLR_PID_DIR=/opt/solr_8001
SOLR_HOME=/opt/solr_8001/data
LOG4J_PROPS=/opt/solr_8001/log4j.xml
SOLR_LOGS_DIR=/opt/solr_8001/logs
ZK_HOST="192.168.91.161:2181,192.168.91.162:2181,192.168.91.163:2181"
SOLR_PORT=8983
SOLR_MODE=solrcloud
SOLR_ZK_CREDS_AND_ACLS="-DzkDigestUsername=admin -DzkDigestPassword=admin"
SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"
Created 10-26-2016 03:40 AM
I assume your Solr instance is running under the solr-user? If yes, make sure all the Ranger files and the directory "classes" are owned by that user.
Does that Solr Home directory exist, "/opt/solr_8001/data" ? Also is it owned by the user that is running the solr instances?
Created 10-26-2016 04:00 PM
I have seen your article.
I have some questions:
1. Is Kerberos needed for the solr-plugin?
2. Which user do you use in Solr, and what user do you write in ranger-solr-service?
3. Which command do you use to start SolrCloud?
Created 10-31-2016 04:48 AM
1. I think you can use the Ranger Solr Plugin without Kerberos; however, Kerberos provides the authentication layer and therefore an additional layer of security.
2. Solr itself runs under the solr user; however, the users that are allowed to access and manage your Solr collections are totally up to you. You can define separate policies for each Solr collection in Ranger and assign permissions to groups or users.
3. Usually, I configure my Solr instances in a way that allows me to use "service solr start" to start my Solr cloud. In order to make this work, you have to make sure ZK_HOST is defined in your Solr config (solr.in.sh).
Created 10-27-2016 08:50 AM
Hello, I installed Kerberos and it works normally, but I want to know if Test Connection can show success in Ranger. If it can, what should I do?
Created 10-31-2016 04:51 AM
In order to test the connection between the Ranger Solr Plugin and the Ranger service, you can log in to the Ranger Admin UI and go to Audit -> Plugins. This will show a list of synchronizations between the Ranger Plugin and Ranger service. You can also check /etc/ranger/<repository name>/policycache/.... and check the timestamp of the policycache json.
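Added example, not written by the thread's participants: the two file checks suggested in this thread (ownership of the Ranger XMLs in the "classes" directory, and the timestamp of the policy cache JSON) as small Python functions. The function names and the age threshold are assumptions of this example; the XML names come from the "classes" listing posted above.

```python
import os
import time

# File names taken from the "classes" listing posted in this thread.
EXPECTED_XMLS = ["ranger-policymgr-ssl.xml", "ranger-security.xml",
                 "ranger-solr-audit.xml", "ranger-solr-security.xml"]

def check_plugin_files(classes_dir, solr_uid):
    """Return (file, problem) pairs: XML missing or not owned by the Solr user."""
    problems = []
    for name in EXPECTED_XMLS:
        try:
            st = os.stat(os.path.join(classes_dir, name))
        except FileNotFoundError:
            problems.append((name, "missing"))
            continue
        if st.st_uid != solr_uid:
            problems.append((name, "owner uid %d, expected %d" % (st.st_uid, solr_uid)))
    return problems

def policycache_age(policycache_dir, now=None):
    """Return {file: seconds since last write} for each policy cache JSON."""
    now = time.time() if now is None else now
    ages = {}
    for name in sorted(os.listdir(policycache_dir)):
        if name.endswith(".json"):
            mtime = os.stat(os.path.join(policycache_dir, name)).st_mtime
            ages[name] = now - mtime
    return ages

def stale_caches(policycache_dir, max_age_s, now=None):
    """List cache files older than max_age_s (threshold chosen by the operator)."""
    ages = policycache_age(policycache_dir, now)
    return [name for name, age in ages.items() if age > max_age_s]

if __name__ == "__main__":
    import pwd
    import sys
    # Usage (hypothetical invocation): script.py <classes dir> <policycache dir> <solr user>
    classes_dir, cache_dir, user = sys.argv[1:4]
    for name, problem in check_plugin_files(classes_dir, pwd.getpwnam(user).pw_uid):
        print("classes/%s: %s" % (name, problem))
    for name, age in policycache_age(cache_dir).items():
        print("policycache/%s: last written %.0f s ago" % (name, age))
```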