Hi @Robert Levas We added the rule : RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*// And now I am able to successfully work on the terminal : $ hadoop org.apache.hadoop.security.HadoopKerberosName user@EXAMPLE.COM Name: user@EXAMPLE.COM to user But I still can't access my Solr UI. When I go to the UI, I get a pop-up asking me for authentication, I type my username and password and I still get : HTTP ERROR 500 Problem accessing /solr/. Reason: Server Error Caused by: org.apache.solr.common.SolrException: Error during request authentication, at org.apache.solr.servlet.SolrDispatchFilter.authenticateRequest(SolrDispatchFilter.java:319) at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:222) at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:208) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) at org.eclipse.jetty.server.Server.handle(Server.java:499) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) at java.lang.Thread.run(Thread.java:748) Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user@EXAMPLE.COM at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:378) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:348) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:348) at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507) at org.apache.solr.security.KerberosFilter.doFilter(KerberosFilter.java:46) at org.apache.solr.security.KerberosPlugin.doAuthenticate(KerberosPlugin.java:144) at org.apache.solr.servlet.SolrDispatchFilter.authenticateRequest(SolrDispatchFilter.java:311) ... 22 more Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user@EXAMPLE.COM ... View more

Thanks for your help, I will try this today and let you know asap if this has solved the issue. ... View more

I don't know about the rules for Solr. The thing is that there was no rules for solr befor I added the two mentioned above. The result of your command is : $ hadoop org.apache.hadoop.security.HadoopKerberosName user@EXAMPLE.COM 18/01/23 15:28:10 INFO util.KerberosName: No auth_to_local rules applied to user@EXAMPLE.COM Name: user@EXAMPLE.COM to user@EXAMPLE.COM I also tried : $ hadoop org.apache.hadoop.security.HadoopKerberosName user@MY.PROD.EXAMPLE.COM Name: user@MY.PROD.EXAMPLE.COM to user ... View more

RULE:[1:$1@$0](ambari-qa-cluster1@MY.PROD.EXAMPLE.COM)s/.*/ambari-qa/ RULE:[1:$1@$0](hbase-cluster1@MY.PROD.EXAMPLE.COM)s/.*/hbase/ RULE:[1:$1@$0](hdfs-cluster1@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ RULE:[1:$1@$0](spark-cluster1@MY.PROD.EXAMPLE.COM)s/.*/spark/ RULE:[1:$1@$0](zeppelin-cluster1@MY.PROD.EXAMPLE.COM)s/.*/zeppelin/ RULE:[1:$1@$0](.*@MY.PROD.EXAMPLE.COM)s/@.*// RULE:[2:$1@$0](amshbase@MY.PROD.EXAMPLE.COM)s/.*/ams/ RULE:[2:$1@$0](amszk@MY.PROD.EXAMPLE.COM)s/.*/ams/ RULE:[2:$1@$0](atlas@MY.PROD.EXAMPLE.COM)s/.*/atlas/ RULE:[2:$1@$0](dn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](falcon@MY.PROD.EXAMPLE.COM)s/.*/falcon/ RULE:[2:$1@$0](hbase@MY.PROD.EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](hive@MY.PROD.EXAMPLE.COM)s/.*/hive/ RULE:[2:$1@$0](jhs@MY.PROD.EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0](jn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](knox@MY.PROD.EXAMPLE.COM)s/.*/knox/ RULE:[2:$1@$0](livy@MY.PROD.EXAMPLE.COM)s/.*/livy/ RULE:[2:$1@$0](nfs@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](nm@MY.PROD.EXAMPLE.COM)s/.*/yarn/ RULE:[2:$1@$0](nn@MY.PROD.EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](oozie@MY.PROD.EXAMPLE.COM)s/.*/oozie/ RULE:[2:$1@$0](rangeradmin@MY.PROD.EXAMPLE.COM)s/.*/ranger/ RULE:[2:$1@$0](rangertagsync@MY.PROD.EXAMPLE.COM)s/.*/rangertagsync/ RULE:[2:$1@$0](rangerusersync@MY.PROD.EXAMPLE.COM)s/.*/rangerusersync/ RULE:[2:$1@$0](rm@MY.PROD.EXAMPLE.COM)s/.*/yarn/ RULE:[2:$1@$0](yarn@MY.PROD.EXAMPLE.COM)s/.*/yarn/ RULE:[1:$1@$0](infra-solr@MY.PROD.EXAMPLE.COM)s/.*/solr/ RULE:[2:$1@$0](infra-solr@MY.PROD.EXAMPLE.COM)s/.*/solr/ DEFAULT I added the last two before DEFAULT (that was already there). It is still not working. The rule you mentionned is already there. Please note that my user name is username@EXAMPLE.COM whereas all principals name are @MY.PROD.EXAMPLE.COM When I look into /etc/ambari-infra-solr/conf/security.json, I get : { "authentication": { "class": "org.apache.solr.security.KerberosPlugin" }, "authorization": { "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin", "user-role": { "infra-solr@MY.PROD.EXAMPLE.COM": "admin", "logsearch@MY.PROD.EXAMPLE.COM": ["logsearch_user", "ranger_admin_user", "dev"], "logfeeder@MY.PROD.EXAMPLE.COM": ["logfeeder_user", "dev"], "atlas@MY.PROD.EXAMPLE.COM": ["atlas_user", "ranger_audit_user", "dev"], "nn@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "hbase@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "hive@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "knox@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "kafka@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "rangerkms@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "storm-bdtest1@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "rm@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "nifi@MY.PROD.EXAMPLE.COM": ["ranger_audit_user", "dev"], "rangeradmin@MY.PROD.EXAMPLE.COM": ["ranger_admin_user", "ranger_audit_user", "dev"] }, "permissions": [ { "name" : "collection-admin-read", "role" :null }, { "name" : "collection-admin-edit", "role" : ["admin", "logsearch_user", "logfeeder_user", "atlas_user", "ranger_admin_user"] }, { "name":"read", "role": "dev" }, { "collection": ["hadoop_logs", "audit_logs", "history"], "role": ["admin", "logsearch_user", "logfeeder_user"], "name": "logsearch-manager", "path": "/*" }, { "collection": ["vertex_index", "edge_index", "fulltext_index"], "role": ["admin", "atlas_user"], "name": "atlas-manager", "path": "/*" }, { "collection": "ranger_audits", "role": ["admin", "ranger_admin_user", "ranger_audit_user"], "name": "ranger-manager", "path": "/*" }] } } ... View more

Hi @Shyam Sunder Rai and @Robert Levas , thanks for the answer ! I was also thinking it is a problem related to auth_to_local. That's why I added a new rule for solr : RULE:[2:$1@$0](infra-solr@EXAMPLE.COM)s/.*/solr/ and restarted. But nothing changes, I still got the 500 error. How to be sure of the principal and regex to use in the rule ? I tried to find an example for Solr rule but nothing on the Internet 😮 ... View more