Support Questions

Report Inappropriate Content · ‎10-25-2016

my solr can working normal.when i use the security.json like this

{
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": true,
        "credentials": {
            "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
        }
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin"
    }
}

but when i Securing Solr Collections with Ranger as below:

{
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
        }
    },
    "authorization": {
        "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"
    }
}

solr-plugin can show in ranger-audit-plugin. But solr cant work when i open http://localhost:8983/solr/

HTTP ERROR 500
Problem accessing /solr/. Reason:
    {trace=java.lang.NullPointerException
	at org.apache.solr.servlet.HttpSolrCall$2.toString(HttpSolrCall.java:1020)
	at java.lang.String.valueOf(String.java:2849)
	at java.lang.StringBuilder.append(StringBuilder.java:128)
	at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:227)
	at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128)
	at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:420)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:225)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:183)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:499)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:745)
,code=500}
Powered by Jetty://

jstraub · ‎10-25-2016

Did you enable the Ranger Solr Plugin using the enable-ranger-plugin.sh script? What version of Solr and Ranger is this?

You might want to enable the Ranger Plugin again and make sure that all ranger jars/xmls have been copied to .../solr/server/solr-webapp/webapp/WEB-INF/classes and .../solr/server/solr-webapp/webapp/WEB-INF/libs

(Validate the paths, not sure if they are 100% correct)

View solution in original post

vsuvagia · ‎10-25-2016

@Fang Heart, are you trying to enable Ranger solr plugin under non secured environment i.e non-kerberised env ?, Ranger Solr plugin is supported to work under kerberized environments. You can follow the steps described here to enable Ranger Solr plugin.

Report Inappropriate Content · ‎10-25-2016

if ranger no authorization with ranger,my solr can work normal but it can't show plugin in ranger.

vsuvagia · ‎10-25-2016

@Fang Heart

You can follow the steps mentioned in https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5.0+Installation#ApacheRanger0.5....

Report Inappropriate Content · ‎10-25-2016

this is what I did, so i'm confused.

vsuvagia · ‎10-25-2016

@Fang Heart, did you install kerberos ?

Report Inappropriate Content · ‎10-25-2016

no.it's needed?

vsuvagia · ‎10-25-2016

@Fang Heart , yes Kerberos is needed and Solr should be configured in cloud mode you can follow the instructions for installing and configuring solr in cloud mode here

vergari · ‎05-22-2018

Hello @Jonas Straub,

sorry for reopening this old topic, but I'm getting the same error.

In my case, cluster is kerberized. I'm using HDP 2.6.0.3 with Ambari 2.5.0.3 and Solr 5.5 installed via Mpack. Solr authentication via SPNEGO is working fine, but when I tried to enable the ranger plugin for solr I'm getting a strange behavior, because if I configure log4j for INFO I'm getting 403 error (but ranger policies are well configured and I can see the ranger cache updated locally on the solr node), while if I set log4j to log DEBUG information I'm getting a 500 error from solr server. Looking at the source code of solr and ranger-solr it seems that ranger plugin is unable to obtain the AuthorizationContext, in fact I can see these lines in the log:

2018-05-22 13:03:17,703 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:316) - no handler or core retrieved for /, follow through...
2018-05-22 13:03:17,703 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:499) - PkiAuthenticationPlugin says authorization required : true
2018-05-22 13:03:17,704 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:421) - AuthorizationContext : [FAILED toString()]
....
2018-05-22 13:03:17,717 [qtp537548559-18 - /solr/] ERROR [   ] org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer (RangerSolrAuthorizer.java:288) - Error getting request context!!!
java.lang.NullPointerException
        at org.apache.solr.servlet.HttpSolrCall$2.getParams(HttpSolrCall.java:953)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.logAuthorizationConext(RangerSolrAuthorizer.java:279)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:165)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128)
        at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:422)

Since this version of Ambari does not support the ranger solr plugin, I had to manually edit the setup_solr_kerberos_auth.py script, adding "authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}, so my current security.json file on zookeeper is the following:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}

apart of that, I followed the instructions provided here and the repo on ranger is working.

Is it a missing configuration or maybe a bug? Exact versions I using are the following:

ranger-solr-plugin-0.7.0.2.6.0.3-8.el6.noarch
ranger_2_6_0_3_8-solr-plugin-0.7.0.2.6.0.3-8.x86_64

lucidworks-hdpsearch-2.6-100.noarch

Thanks,

Davide

Cloudera Community

Support Questions

Securing Solr with Ranger ERROR 500