Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Securing Solr with Ranger ERROR 500

avatar
Explorer

my solr can working normal.when i use the security.json like this

{
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": true,
        "credentials": {
            "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
        }
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin"
    }
}

but when i Securing Solr Collections with Ranger as below:

{
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw="
        }
    },
    "authorization": {
        "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"
    }
}

solr-plugin can show in ranger-audit-plugin. But solr cant work when i open http://localhost:8983/solr/

HTTP ERROR 500
Problem accessing /solr/. Reason:
    {trace=java.lang.NullPointerException
	at org.apache.solr.servlet.HttpSolrCall$2.toString(HttpSolrCall.java:1020)
	at java.lang.String.valueOf(String.java:2849)
	at java.lang.StringBuilder.append(StringBuilder.java:128)
	at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:227)
	at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128)
	at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:420)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:225)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:183)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:499)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:745)
,code=500}
Powered by Jetty://
1 ACCEPTED SOLUTION

avatar

Did you enable the Ranger Solr Plugin using the enable-ranger-plugin.sh script? What version of Solr and Ranger is this?

You might want to enable the Ranger Plugin again and make sure that all ranger jars/xmls have been copied to .../solr/server/solr-webapp/webapp/WEB-INF/classes and .../solr/server/solr-webapp/webapp/WEB-INF/libs

(Validate the paths, not sure if they are 100% correct)

View solution in original post

17 REPLIES 17

avatar
Rising Star

@Fang Heart, are you trying to enable Ranger solr plugin under non secured environment i.e non-kerberised env ?, Ranger Solr plugin is supported to work under kerberized environments. You can follow the steps described here to enable Ranger Solr plugin.

avatar
Explorer

if ranger no authorization with ranger,my solr can work normal but it can't show plugin in ranger.

avatar
Rising Star

avatar
Explorer
this is what I did, so i'm confused.

avatar
Rising Star

@Fang Heart, did you install kerberos ?

avatar
Explorer

no.it's needed?

avatar
Rising Star

@Fang Heart , yes Kerberos is needed and Solr should be configured in cloud mode you can follow the instructions for installing and configuring solr in cloud mode here

avatar
Expert Contributor

Hello @Jonas Straub,

sorry for reopening this old topic, but I'm getting the same error.

In my case, cluster is kerberized. I'm using HDP 2.6.0.3 with Ambari 2.5.0.3 and Solr 5.5 installed via Mpack. Solr authentication via SPNEGO is working fine, but when I tried to enable the ranger plugin for solr I'm getting a strange behavior, because if I configure log4j for INFO I'm getting 403 error (but ranger policies are well configured and I can see the ranger cache updated locally on the solr node), while if I set log4j to log DEBUG information I'm getting a 500 error from solr server. Looking at the source code of solr and ranger-solr it seems that ranger plugin is unable to obtain the AuthorizationContext, in fact I can see these lines in the log:

2018-05-22 13:03:17,703 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:316) - no handler or core retrieved for /, follow through...
2018-05-22 13:03:17,703 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:499) - PkiAuthenticationPlugin says authorization required : true
2018-05-22 13:03:17,704 [qtp537548559-18 - /solr/] DEBUG [   ] org.apache.solr.servlet.HttpSolrCall (HttpSolrCall.java:421) - AuthorizationContext : [FAILED toString()]
....
2018-05-22 13:03:17,717 [qtp537548559-18 - /solr/] ERROR [   ] org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer (RangerSolrAuthorizer.java:288) - Error getting request context!!!
java.lang.NullPointerException
        at org.apache.solr.servlet.HttpSolrCall$2.getParams(HttpSolrCall.java:953)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.logAuthorizationConext(RangerSolrAuthorizer.java:279)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:165)
        at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128)
        at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:422)

Since this version of Ambari does not support the ranger solr plugin, I had to manually edit the setup_solr_kerberos_auth.py script, adding "authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}, so my current security.json file on zookeeper is the following:

{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class":"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}

apart of that, I followed the instructions provided here and the repo on ranger is working.

Is it a missing configuration or maybe a bug? Exact versions I using are the following:

ranger-solr-plugin-0.7.0.2.6.0.3-8.el6.noarch
ranger_2_6_0_3_8-solr-plugin-0.7.0.2.6.0.3-8.x86_64

lucidworks-hdpsearch-2.6-100.noarch

Thanks,

Davide