Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Securing Solr with Ranger ERROR 500

avatar
Explorer

my solr can working normal.when i use the security.json like this

{
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": true,
        "credentials": {
            "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
        }
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin"
    }
}

but when i Securing Solr Collections with Ranger as below:

{
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
        }
    },
    "authorization": {
        "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"
    }
}

solr-plugin can show in ranger-audit-plugin. But solr cant work when i open http://localhost:8983/solr/

HTTP ERROR 500
Problem accessing /solr/. Reason:
    {trace=java.lang.NullPointerException
	at org.apache.solr.servlet.HttpSolrCall$2.toString(HttpSolrCall.java:1020)
	at java.lang.String.valueOf(String.java:2849)
	at java.lang.StringBuilder.append(StringBuilder.java:128)
	at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:227)
	at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128)
	at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:420)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:225)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:183)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:499)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:745)
,code=500}
Powered by Jetty://
1 ACCEPTED SOLUTION

avatar

Did you enable the Ranger Solr Plugin using the enable-ranger-plugin.sh script? What version of Solr and Ranger is this?

You might want to enable the Ranger Plugin again and make sure that all ranger jars/xmls have been copied to .../solr/server/solr-webapp/webapp/WEB-INF/classes and .../solr/server/solr-webapp/webapp/WEB-INF/libs

(Validate the paths, not sure if they are 100% correct)

View solution in original post

17 REPLIES 17

avatar

Did you enable the Ranger Solr Plugin using the enable-ranger-plugin.sh script? What version of Solr and Ranger is this?

You might want to enable the Ranger Plugin again and make sure that all ranger jars/xmls have been copied to .../solr/server/solr-webapp/webapp/WEB-INF/classes and .../solr/server/solr-webapp/webapp/WEB-INF/libs

(Validate the paths, not sure if they are 100% correct)

avatar
Explorer

i use solr-5.5.0 ranger0.6.2 .i have enable the Ranger Plugin again.and copy from solr-plugin/lib、solr-plugin/lib/solr-plugin/lib/ranger-solr-plugin-impl、solr-plugin/install/lib all jar to .../solr/server/solr-webapp/webapp/WEB-INF/libs. and solr-plugin/install/solr-plugin/install/enable all xml to .../solr/server/solr-webapp/webapp/WEB-INF/classes. And restarted the solr but nothing changed.

avatar

Sorry I probably should have been more explicit, the ranger plugin script will copy all jars and xmls to the locations I mentioned above, you dont have to copy anything on your own. Can you run an "ls -al" on the two directories and post the result?

Also can you upload the Ranger xml files inside the "classes" directory?

How does your solr.in.sh look like?

avatar
Explorer

yes,the ranger plugin script will copy jars and xmls to the locations you mentioned above.I also copy some manually to make sure all is in it.

and the "classes"

-rwxr--r-- 1 root root 2270 Oct 25 18:14 ranger-policymgr-ssl.xml
-rw-r--r-- 1 root root   69 Oct 25 18:14 ranger-security.xml
-rwxr--r-- 1 root root 9668 Oct 25 18:14 ranger-solr-audit.xml
-rwxr--r-- 1 root root 2913 Oct 25 18:14 ranger-solr-security.xml

the "lib"

antlr4-runtime-4.5.1-1.jar            httpclient-4.4.1.jar                 lucene-queryparser-5.5.0.jar
asm-5.0.4.jar                         httpcore-4.4.1.jar                   lucene-sandbox-5.5.0.jar
asm-commons-5.0.4.jar                 httpmime-4.4.1.jar                   lucene-spatial-5.5.0.jar
commons-cli-1.2.jar                   jackson-core-2.5.4.jar               lucene-suggest-5.5.0.jar
commons-codec-1.10.jar                jackson-core-asl-1.9.13.jar          mysql-connector-java-5.1.38-bin.jar
commons-collections-3.2.1.jar         jackson-dataformat-smile-2.5.4.jar   noggit-0.6.jar
commons-collections-3.2.2.jar         jackson-jaxrs-1.8.3.jar              org.restlet-2.3.0.jar
commons-configuration-1.10.jar        jackson-jaxrs-1.9.13.jar             org.restlet.ext.servlet-2.3.0.jar
commons-configuration-1.6.jar         jackson-mapper-asl-1.9.13.jar        protobuf-java-2.5.0.jar
commons-exec-1.3.jar                  jackson-xc-1.8.3.jar                 ranger-plugin-classloader-0.6.2-SNAPSHOT.jar
commons-fileupload-1.2.1.jar          javax.persistence-2.1.0.jar          ranger-plugins-audit-0.6.2-SNAPSHOT.jar
commons-io-2.4.jar                    jcl-over-slf4j-1.7.7.jar             ranger-plugins-common-0.6.2-SNAPSHOT.jar
commons-lang-2.6.jar                  jersey-bundle-1.17.1.jar             ranger-plugins-cred-0.6.2-SNAPSHOT.jar
commons-logging-1.2.jar               joda-time-2.2.jar                    ranger-plugins-installer-0.6.2-SNAPSHOT.jar
concurrentlinkedhashmap-lru-1.2.jar   jul-to-slf4j-1.7.7.jar               ranger-solr-plugin-0.6.2-SNAPSHOT.jar
credentialbuilder-0.6.2-SNAPSHOT.jar  log4j-1.2.17.jar                     ranger-solr-plugin-impl
dom4j-1.6.1.jar                       lucene-analyzers-common-5.5.0.jar    ranger-solr-plugin-shim-0.6.2-SNAPSHOT.jar
eclipselink-2.5.2.jar                 lucene-analyzers-kuromoji-5.5.0.jar  slf4j-api-1.7.5.jar
gson-2.2.4.jar                        lucene-analyzers-phonetic-5.5.0.jar  slf4j-api-1.7.7.jar
guava-11.0.2.jar                      lucene-backward-codecs-5.5.0.jar     slf4j-log4j12-1.7.7.jar
guava-14.0.1.jar                      lucene-codecs-5.5.0.jar              solr-core-5.5.0.jar
hadoop-annotations-2.6.0.jar          lucene-core-5.5.0.jar                solr-solrj-5.5.0.jar
hadoop-auth-2.6.0.jar                 lucene-expressions-5.5.0.jar         spatial4j-0.5.jar
hadoop-auth-2.7.1.jar                 lucene-grouping-5.5.0.jar            stax2-api-3.1.4.jar
hadoop-common-2.6.0.jar               lucene-highlighter-5.5.0.jar         t-digest-3.1.jar
hadoop-common-2.7.1.jar               lucene-join-5.5.0.jar                woodstox-core-asl-4.4.1.jar
hadoop-hdfs-2.6.0.jar                 lucene-memory-5.5.0.jar              zookeeper-3.4.6.jar
hppc-0.7.1.jar                        lucene-misc-5.5.0.jar
htrace-core-3.0.4.jar                 lucene-queries-5.5.0.jar



my solr.in.sh

SOLR_JAVA_MEM=('-Xms512m' '-Xmx512m')


# Enable verbose GC logging
GC_LOG_OPTS="-verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails \
-XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime"


# These GC settings have shown to work well for a number of common Solr workloads
GC_TUNE="-XX:NewRatio=3 \
-XX:SurvivorRatio=4 \
-XX:TargetSurvivorRatio=90 \
-XX:MaxTenuringThreshold=8 \
-XX:+UseConcMarkSweepGC \
-XX:+UseParNewGC \
-XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 \
-XX:+CMSScavengeBeforeRemark \
-XX:PretenureSizeThreshold=64m \
-XX:+UseCMSInitiatingOccupancyOnly \
-XX:CMSInitiatingOccupancyFraction=50 \
-XX:CMSMaxAbortablePrecleanTime=6000 \
-XX:+CMSParallelRemarkEnabled \
-XX:+ParallelRefProcEnabled"


SOLR_PID_DIR=/opt/solr_8001
SOLR_HOME=/opt/solr_8001/data
LOG4J_PROPS=/opt/solr_8001/log4j.xml
SOLR_LOGS_DIR=/opt/solr_8001/logs
ZK_HOST="192.168.91.161:2181,192.168.91.162:2181,192.168.91.163:2181"
SOLR_PORT=8983
SOLR_MODE=solrcloud


SOLR_ZK_CREDS_AND_ACLS="-DzkDigestUsername=admin -DzkDigestPassword=admin"
SOLR_OPTS="$SOLR_OPTS $SOLR_ZK_CREDS_AND_ACLS"

avatar

I assume your solr instance is running under the solr-user? If yes, make sure all the ranger files and the directory "classes" is owned by that user.

Does that Solr Home directory exist, "/opt/solr_8001/data" ? Also is it owned by the user that is running the solr instances?

avatar
Explorer

i have see your article

https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html...

i have some question :

1 .if kerbores is needed for solr-plugin.

2.which user your use in solr ,and what user you write in ranger-solr-service.

3.which commond you use to start solrcloud.

avatar

@Fang Heart

1.I think you can use Ranger Solr Plugin without Kerberos, however kerberos provides the authentication layer and therefore an additional layer of security.

2.Solr itself runs under the solr user, however the users that are allowed to access and manage your solr collections is totally up to you. You can define separate policies for each Solr Collection in Ranger and assign permissions to groups or users

3.Usually, I configure my Solr instances in a way that allows me to use "service solr start" to start my solr cloud. In order to make this work, you have to make sure ZK_HOST is defined in your solr config (solr.in.sh)

avatar
Explorer

Hello,i install the kerbeos it can work normal .but i want kown if we can Test Connectioncan show successly in ranger , if we can ,what i should do?

avatar
@Fang Heart

In order to test the connection between the Ranger Solr Plugin and the Ranger service, you can login to the Ranger Admin UI and go to Audit -> Plugins. This will show a list of synchronizations between the Ranger Plugin and Ranger service. You can also check /etc/ranger/<repository name>/policycache/.... and check the timestamp of the policycache json.