Support Questions

Find answers, ask questions, and share your expertise

Sentry Issue with Solr accessing

avatar
Contributor

 

Hello !

 

I have setup Solr in my cloudera quickstart vm. Also, I kerborized it and enabled sentry. I created some collections and able to do MapReduce task to index files into those collections. However, while I am trying to access later using solr admin ui, I am getting this below error. It seems, i need to add "cloudera" user to the admin group via sentry. Please help in this issue.

 

Error log as below:

 

2017-06-05 04:53:20,708 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={indexInfo=false&_=1496663600675&wt=json} status=401 QTime=30 
2017-06-05 04:53:26,720 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=46 
2017-06-05 04:54:26,658 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=46 
2017-06-05 04:55:26,618 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=55 
2017-06-05 04:56:26,602 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=52 
2017-06-05 04:57:26,709 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=63 
2017-06-05 04:58:27,358 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=70 
2017-06-05 04:59:27,281 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=47 
2017-06-05 05:00:27,259 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=46 
2017-06-05 05:01:27,288 INFO org.apache.solr.servlet.SolrDispatchFilter: [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=57 
2017-06-05 05:02:26,889 ERROR org.apache.solr.core.SolrCore: org.apache.solr.common.SolrException: org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException: User cloudera does not have privileges for admin
	at org.apache.solr.sentry.SentryIndexAuthorizationSingleton.authorizeCollectionAction(SentryIndexAuthorizationSingleton.java:185)
	at org.apache.solr.sentry.SentryIndexAuthorizationSingleton.authorizeCollectionAdminAction(SentryIndexAuthorizationSingleton.java:105)
	at org.apache.solr.handler.SecureRequestHandlerUtil.checkSentryAdminCollection(SecureRequestHandlerUtil.java:79)
	at org.apache.solr.handler.SecureRequestHandlerUtil.checkSentryAdminCollection(SecureRequestHandlerUtil.java:48)
	at org.apache.solr.handler.admin.SecureCoreAdminHandler.handleRequestBody(SecureCoreAdminHandler.java:136)
	at org.apache.solr.handler.RequestHandlerBase.handleRequest(RequestHandlerBase.java:135)
	at org.apache.solr.servlet.SolrDispatchFilter.handleAdminRequest(SolrDispatchFilter.java:871)
	at org.apache.solr.servlet.SolrDispatchFilter.httpSolrCall(SolrDispatchFilter.java:314)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:260)
	at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:255)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.solr.servlet.SolrHadoopAuthenticationFilter$2.doFilter(SolrHadoopAuthenticationFilter.java:408)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:622)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.doFilter(DelegationTokenAuthenticationFilter.java:301)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:574)
	at org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:413)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:612)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:503)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException: User cloudera does not have privileges for admin
	at org.apache.sentry.binding.solr.authz.SolrAuthzBinding.authorizeCollection(SolrAuthzBinding.java:182)
	at org.apache.solr.sentry.SentryIndexAuthorizationSingleton.authorizeCollectionAction(SentryIndexAuthorizationSingleton.java:180)
	... 28 more

Thanks

1 ACCEPTED SOLUTION

avatar
Contributor

I am making a mistake while defining "sentry-provider.ini"

 

correct one should be as below:

 


[groups]
cloudera = admin_role
[roles]
admin_role = collection = *->action=*

 

This is solved !

View solution in original post

2 REPLIES 2

avatar
Contributor

I am making a mistake while defining "sentry-provider.ini"

 

correct one should be as below:

 


[groups]
cloudera = admin_role
[roles]
admin_role = collection = *->action=*

 

This is solved !

avatar
Rising Star

Yes, thats correct. You can get more details here

https://www.cloudera.com/documentation/enterprise/5-9-x/topics/search_sentry.html

 

Also, Now sentry as a service is also provided for solr you can use that too and use solr sentry tool commands