[ https://issues.apache.org/jira/browse/SOLR-7950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hrishikesh Gadre updated SOLR-7950:
-----------------------------------
    Attachment: solr-7950-v2.patch

[~gchanan]

>>We don't support Basic + Negotiate now, right? So we need another solr patch 
>>to expose the underlying problem?

Yes, that is correct. I identified this issue while working on LDAP integration 
(please refer to 
[HADOOP-12082|https://issues.apache.org/jira/browse/HADOOP-12082]). I don't 
think we use the Hadoop security framework in Solr, so we may have to introduce 
the Basic authentication scheme (in addition to SPNEGO) in Solr some other way.

>>There's no fall back mechanism?

No. When the server supports multiple authentication schemes, the client needs 
to pick one scheme to use (based on a list of preferences). The default 
configuration prefers the BASIC scheme over SPNEGO. Hence the client attempts 
to use the basic auth scheme. But since the username/password credentials are 
not configured, the authentication fails. With my patch, we explicitly 
configure the client to use SPNEGO.

>>Or can you prefer SPNego over basic?

Yes. This can be done by adding SPNEGO before BASIC in the preference list. 
Here is how the default preferences are initialized.

http://grepcode.com/file/repo1.maven.org/maven2/org.apache.httpcomponents/httpclient/4.4.1/org/apache/http/impl/client/AbstractHttpClient.java#AbstractHttpClient.createAuthSchemeRegistry%28%29

I think when we configure HttpClientUtil with Krb5HttpClientConfigurer, we 
intend to use the Kerberos authentication mechanism on the client side. Hence I 
think configuring just one auth scheme (SPNEGO in this case) is preferable to 
SPNEGO & BASIC.

I have also updated the patch to fix a unit test failure.

> Invalid auth scheme configuration of Http client when using Kerberos (SPNEGO)
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-7950
>                 URL: https://issues.apache.org/jira/browse/SOLR-7950
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 4.10.3, Trunk
>            Reporter: Hrishikesh Gadre
>            Assignee: Gregory Chanan
>         Attachments: solr-7950-v2.patch, solr-7950.patch
>
>
> When using kerberos authentication mechanism (SPNEGO auth scheme), the Apache 
> Http client is incorrectly configured with *all* auth schemes (e.g. Basic, 
> Digest, NTLM, Kerberos, Negotiate etc.) instead of just 'Negotiate'. 
> This issue was identified after configuring Solr with both Basic + Negotiate 
> authentication schemes simultaneously. The problem in this case is that Http 
> client is configured with Kerberos credentials and the default (and 
> incorrect) auth scheme configuration prefers Basic authentication over 
> Kerberos. Since the basic authentication credentials are missing, the 
> authentication and as a result the Http request fails. (I ran into this 
> problem while creating a collection where there is an internal communication 
> between Solr servers).
> The root cause for this issue is that, AbstractHttpClient::getAuthSchemes() 
> API call prepares an AuthSchemeRegistry instance with all possible 
> authentication schemes. Hence when we register the SPNEGO auth scheme in Solr 
> codebase, it overrides the previous configuration for SPNEGO - but doesn't 
> remove the other auth schemes from the client configuration. Please take a 
> look at relevant code snippet.
> https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80
> A trivial fix would be to prepare a new AuthSchemeRegistry instance 
> configured with just the SPNEGO mechanism and set it in the HttpClient.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
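
The two registry configurations discussed in this message, side by side, as an added example that is not taken from the attached patch or from Solr's code. It assumes Apache HttpClient 4.x on the classpath; the class and method names are hypothetical, and Kerberos/JAAS credential setup is left out.

```java
import java.util.List;

import org.apache.http.auth.AuthSchemeRegistry;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;

/** Added illustration; class and method names are hypothetical, not Solr's. */
public class SpnegoOnlyAuthSchemes {

    /** Pattern from the issue description: replaces the SPNEGO entry in the
     *  default registry but leaves every other default scheme registered. */
    static void registerOnDefaultRegistry(DefaultHttpClient client) {
        client.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
    }

    /** Fix proposed in the issue: a fresh registry that holds SPNEGO only,
     *  so the client has no other scheme it could select. */
    static void installSpnegoOnlyRegistry(DefaultHttpClient client) {
        AuthSchemeRegistry registry = new AuthSchemeRegistry();
        registry.register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
        client.setAuthSchemes(registry);
    }

    /** Startup check: fail fast if anything other than SPNEGO is registered. */
    static void assertSpnegoOnly(DefaultHttpClient client) {
        List<String> names = client.getAuthSchemes().getSchemeNames();
        if (names.size() != 1 || !AuthPolicy.SPNEGO.equalsIgnoreCase(names.get(0))) {
            throw new IllegalStateException("unexpected auth schemes registered: " + names);
        }
    }

    public static void main(String[] args) {
        // Before: default registry with the SPNEGO entry overridden.
        DefaultHttpClient before = new DefaultHttpClient();
        registerOnDefaultRegistry(before);
        System.out.println("default registry + SPNEGO: " + before.getAuthSchemes().getSchemeNames());

        // After: registry rebuilt with a single scheme, then verified.
        DefaultHttpClient after = new DefaultHttpClient();
        installSpnegoOnlyRegistry(after);
        System.out.println("fresh registry:            " + after.getAuthSchemes().getSchemeNames());
        assertSpnegoOnly(after);
    }
}
```

Listing the registered scheme names at client construction time is a cheap way to confirm that a Kerberos-configured client cannot select an unintended scheme.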
