Community Articles

Find and share helpful community-sourced technical articles.
Labels (2)
avatar
Master Guru

These steps have been successfully tried and tested on Ambari-2.4.2.0 and HDP-2.5.3.

.

When you install and configure Solr cloud via Ambari or embedded solr via Ambari Infra on a kerberized cluster, SPNEGO authentication gets enabled by default. There is not direct switch to disable only SPNEGO authentication.

.

Please follow below method to disable it.

.

Step 1 - Login to Ambari server

.

Step 2 - Please take backup of below script

/var/lib/ambari-server/resources/common-services/SOLR/<version>/package/scripts/setup_solr_kerberos_auth.py

.

Step 3 - Edit above script and do the modifications as below

Original value:

command += '\'{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"}}\''
Recommended value:
command += '\'{ }\''

.

Step 4 - Please replace cached script with below command and restart ambari-agent followed by Solr service(via Ambari)

cp /var/lib/ambari-server/resources/mpacks/solr-ambari-mpack-5.5.2.2.5/common-services/SOLR/5.5.2.2.5/package/scripts/setup_solr_kerberos_auth.py /var/lib/ambari-agent/cache/common-services/SOLR/5.5.2.2.5/package/scripts/setup_solr_kerberos_auth.py

.

You should be able to access Solr Web UI without having kerberos ticket.

.

Please comment if you have any feedback/questions/suggestions. Happy Hadooping!! :)

7,908 Views
Comments
avatar
Rising Star

Thanks for the instructions. I have a Kerberos and HTTPS HDP 2.5 cluster, and after Kerberizing, I see errors in the Ambari infra logs of both the nodes that it could not replicate the index between the solr nodes. Is this related to the above steps?

**Note: I am able to access the Solr UI of both the Ambari infra solr nodes, though.

Errors:

	ERROR [c:hadoop_logs s:shard3 r:core_node1 x:hadoop_logs_shard3_replica1] org.apache.solr.update.StreamingSolrClients$1 (StreamingSolrClients.java:79) - error

	org.apache.solr.common.SolrException: Authentication required

and when I restart the Ambari-Infra solr services, I do see the below error as well:

	Expected mime type application/octet-stream but got text/html. <html>
	<head>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
	<title>Error 401 Authentication required</title>
	</head>
	<body><h2>HTTP ERROR 401</h2>
	<p>Problem accessing /solr/vertex_index_shard1_replica1/get. Reason:
	<pre>  Authentication required</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
	</body>
	</html>
		

Any inputs on how to resolve this?

Recently, I updated the LogSearch UI to HTTPS and that is unable to connect to the Solr instances ..

Thanks in advance.

avatar
New Contributor

Hi Kuldeep, Thanks for the information. I applied the same steps for HDP 2.6. But, the SPNEGO is still enabled. One thing I observed is that there was no SOLR in the cached script. I created the SOLR directory and subsequent path and copied the modified script. Do you think that's the reason. Any help in this regard is appreciated.

avatar
New Contributor

Thank You. I was strucked at this point for past one day.

avatar
New Contributor

Thank You. I was strucked at this point for past one day.

avatar

Hi Kuldeep, thanks for this hack. IS there a similar hack that can be applied to schema registry too?

avatar
Contributor

I see this is very old post, can we have any property which can be set for solr 7.4 in HDP 3.0.1 to disable spnego authentication?

Please help, we are stuck at this step and not able to access the solr URL getting below error.

HTTP ERROR 403

Problem accessing /solr/. Reason:

    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
avatar
Explorer

@Moka Have you resolved your issue? What steps did you followed?