Support Questions
Find answers, ask questions, and share your expertise

solrj + kerbero

solrj + kerbero

Explorer

Hi, I hope someone who had experience using solrj with kerberos could help me out and I read the instruction below

Using SolrJ with a Kerberized Solr

To use Kerberos authentication in a SolrJ application, you need the following two lines before you create a SolrClient:

System.setProperty("java.security.auth.login.config", "/home/foo/jaas-client.conf"); HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());

You need to specify a Kerberos service principal for the client and a corresponding keytab in the JAAS client configuration file above. This principal should be different from the service principal we created for Solr .

Here’s an example:

SolrJClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/keytabs/foo.keytab"
storeKey=true
useTicketCache=true
debug=true
principal="solrclient@EXAMPLE.COM";
};
My questions:
1. What should I put for the principal in the jaas-client.conf file, should I include the hostname of the server where the SolrJ program is running on?  For example: solrclient/<hostname>@EXAMPLE.com ?


2. I tried to create keytab and principle on a windows version of KDC
I ran this command: Ktpass princ solrclient@<realm> mapuser solrclient -pass <password> -ptype KRB5_NT_PRINCIPAL out solr.service.keytab.client


Then, I got this error: ( I hide the value of OU and DC)
Failed to set property 'servicePrincipalName' to 'solrclient' on Dn 'CN=solrclient,OU=<OU>,DC=<DC>,DC=<DC>,DC=<DC>': 0x13.
WARNING: Unable to set SPN mapping data.

What do I do wrong?

Thank you.

2 REPLIES 2

Re: solrj + kerbero

Super Guru
@Wing Lo

I am not sure about SOLRJ but this is a Kerberos issue. Couple of things.

Shouldn't the comman have "-mapuser" instead of "mapuser".

Also, I think you need to specify domain name for SOLR client. something like this:

-mapuser solrclient@domainname.com -pass <> [rest of your command].

If you haven't seen already, this link might help.

Re: solrj + kerbero

Contributor

Question 1:

I believe that in this case you do not need the hostname in the principal (i.e. an SPN is not required). This principal is the service account that you are using to authenticate to Solr. If you wanted to do something like SPNEGO and forward the end-user's KRB Ticket to Solr, that'd be a different configuration that would require that you create a SPN.

Question 2:

You don't need to do this with KTPass since you don't need a SPN, I'd recommend using the ktab.exe bundled with Java, it'll be more reliable for what you're trying to accomplish.

http://docs.oracle.com/javase/7/docs/technotes/tools/windows/ktab.html