[ https://issues.apache.org/jira/browse/SOLR-7950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14715499#comment-14715499 ]
Ishan Chattopadhyaya commented on SOLR-7950: -------------------------------------------- bq. So we may have to introduce Basic authentication scheme (in addition to SPNEGO) in Solr by some other way. We already have basic auth, https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin However, we still don't have it working together as yet. bq. I don't think we use the Hadoop security framework in Solr. The hadoop-auth's kerberos authentication filters are used. The support for delegation tokens still isn't there. > Invalid auth scheme configuration of Http client when using Kerberos (SPNEGO) > ----------------------------------------------------------------------------- > > Key: SOLR-7950 > URL: https://issues.apache.org/jira/browse/SOLR-7950 > Project: Solr > Issue Type: Bug > Affects Versions: 4.10.3, Trunk > Reporter: Hrishikesh Gadre > Assignee: Gregory Chanan > Attachments: solr-7950-v2.patch, solr-7950.patch > > > When using kerberos authentication mechanism (SPNEGO auth scheme), the Apache > Http client is incorrectly configured with *all* auth schemes (e.g. Basic, > Digest, NTLM, Kerberos, Negotiate etc.) instead of just 'Negotiate'. > This issue was identified after configuring Solr with both Basic + Negotiate > authentication schemes simultaneously. The problem in this case is that Http > client is configured with Kerberos credentials and the default (and > incorrect) auth scheme configuration prefers Basic authentication over > Kerberos. Since the basic authentication credentials are missing, the > authentication and as a result the Http request fails. (I ran into this > problem while creating a collection where there is an internal communication > between Solr servers). > The root cause for this issue is that, AbstractHttpClient::getAuthSchemes() > API call prepares an AuthSchemeRegistry instance with all possible > authentication schemes. Hence when we register the SPNEGO auth scheme in Solr > codebase, it overrides the previous configuration for SPNEGO - but doesn't > remove the other auth schemes from the client configuration. Please take a > look at relevant code snippet. > https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80 > A trivial fix would be to prepare a new AuthSchemeRegistry instance > configured with just SPENGO mechanism and set it in the HttpClient. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org