[ https://issues.apache.org/jira/browse/SOLR-7950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14715499#comment-14715499 ]

Ishan Chattopadhyaya commented on SOLR-7950:
--------------------------------------------

bq. So we may have to introduce Basic authentication scheme (in addition to 
SPNEGO) in Solr by some other way.
We already have basic auth: 
https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
However, we still don't have it working together yet.

bq. I don't think we use the Hadoop security framework in Solr.
The hadoop-auth's Kerberos authentication filters are used. The support for 
delegation tokens still isn't there.

> Invalid auth scheme configuration of Http client when using Kerberos (SPNEGO)
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-7950
>                 URL: https://issues.apache.org/jira/browse/SOLR-7950
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 4.10.3, Trunk
>            Reporter: Hrishikesh Gadre
>            Assignee: Gregory Chanan
>         Attachments: solr-7950-v2.patch, solr-7950.patch
>
>
> When using the Kerberos authentication mechanism (SPNEGO auth scheme), the Apache 
> Http client is incorrectly configured with *all* auth schemes (e.g. Basic, 
> Digest, NTLM, Kerberos, Negotiate etc.) instead of just 'Negotiate'. 
> This issue was identified after configuring Solr with both Basic + Negotiate 
> authentication schemes simultaneously. The problem in this case is that the Http 
> client is configured with Kerberos credentials and the default (and 
> incorrect) auth scheme configuration prefers Basic authentication over 
> Kerberos. Since the basic authentication credentials are missing, the 
> authentication and, as a result, the Http request fails. (I ran into this 
> problem while creating a collection where there is an internal communication 
> between Solr servers).
> The root cause for this issue is that the AbstractHttpClient::getAuthSchemes() 
> API call prepares an AuthSchemeRegistry instance with all possible 
> authentication schemes. Hence when we register the SPNEGO auth scheme in the Solr 
> codebase, it overrides the previous configuration for SPNEGO - but doesn't 
> remove the other auth schemes from the client configuration. Please take a 
> look at the relevant code snippet.
> https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80
> A trivial fix would be to prepare a new AuthSchemeRegistry instance 
> configured with just the SPNEGO mechanism and set it in the HttpClient.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
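
The registry behaviour described in the issue, and the fix it proposes, as an added example that is not part of the original message or of Solr's code. It assumes Apache HttpClient 4.x (the deprecated `DefaultHttpClient` API) on the classpath; the class and method names are hypothetical.

```java
import java.util.List;

import org.apache.http.auth.AuthSchemeRegistry;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.AbstractHttpClient;
import org.apache.http.impl.client.DefaultHttpClient;

// Added illustration; names here are hypothetical, not taken from Solr.
public class NegotiateOnlyClient {

    // Behaviour from the report: registering SPNEGO on the registry returned by
    // getAuthSchemes() replaces that one entry and leaves the other defaults.
    static List<String> schemesAfterRegisterOnDefault() {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
        return client.getAuthSchemes().getSchemeNames();
    }

    // Fix proposed in the report: a fresh registry holding only SPNEGO.
    static DefaultHttpClient newNegotiateOnlyClient() {
        DefaultHttpClient client = new DefaultHttpClient();
        AuthSchemeRegistry registry = new AuthSchemeRegistry();
        registry.register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
        client.setAuthSchemes(registry);
        return client;
    }

    // Startup guard: fail fast if any scheme other than Negotiate is still
    // registered, so a server offering Basic cannot be preferred by the client.
    static void requireNegotiateOnly(AbstractHttpClient client) {
        for (String name : client.getAuthSchemes().getSchemeNames()) {
            if (!AuthPolicy.SPNEGO.equalsIgnoreCase(name)) {
                throw new IllegalStateException("unexpected auth scheme registered: " + name);
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("register on default registry: " + schemesAfterRegisterOnDefault());
        DefaultHttpClient fixed = newNegotiateOnlyClient();
        requireNegotiateOnly(fixed);
        System.out.println("fresh registry: " + fixed.getAuthSchemes().getSchemeNames());
    }
}
```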
