     [ https://issues.apache.org/jira/browse/SOLR-6556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexandre Rafalovitch closed SOLR-6556.
---------------------------------------
    Resolution: Cannot Reproduce

> User from trusted kerberos realm can't access admin console
> ------------------------------------------------------------
>
>                 Key: SOLR-6556
>                 URL: https://issues.apache.org/jira/browse/SOLR-6556
>             Project: Solr
>          Issue Type: Bug
>          Components: web gui
>    Affects Versions: 4.4
>         Environment: CDH5.1.2 + Kerberos + Sentry
>            Reporter: Andrejs Dubovskis
>            Priority: Minor
>
> SOLR security configured according to [this document|http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5sg_search_security.html]
> User from primary realm (used by Hadoop cluster itself) can access the
> console, but user from trusted realm can't.
> {code}
> Sep 24, 2014 9:30:13 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet LoadAdminUI threw exception
> org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to admin@TRUSTED.REALM
>       at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
>       at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:359)
>       at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Subject.java:415)
>       at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329)
>       at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:349)
>       at org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:148)
>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>       at org.apache.solr.servlet.HostnameFilter.doFilter(HostnameFilter.java:86)
>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
>       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
>       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>       at java.lang.Thread.run(Thread.java:745)
> {code}
> Required kerberos auth_to_local rules are defined in hadoop/core-site.xml
> file and were added to /etc/krb5.conf as well.
> Other CDH components (for example, Impala) use these rules and allow access
> for users from trusted domain.
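
The `NoMatchingRule` in the trace above is what Hadoop's `KerberosName.getShortName` raises when no `auth_to_local` rule in the set the servlet filter has loaded maps the principal. The following is an added example, not code from the issue or from Hadoop: a simplified Python model of that rule evaluation, where the realm name `PRIMARY.REALM` and the sample cross-realm rule are constructed for illustration.

```python
import re

# Simplified model of Hadoop auth_to_local evaluation (assumption: only the
# DEFAULT and RULE:[n:fmt](regex)s/pat/repl/g forms are handled).
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

class NoMatchingRule(Exception):
    """Mirrors the exception name seen in the stack trace."""

def short_name(principal, rules, default_realm):
    """Map user[/host]@REALM to a local short name, first matching rule wins."""
    name, _, realm = principal.partition("@")
    if not realm:
        return name                      # no realm: nothing to translate
    parts = name.split("/")              # [user] or [service, host]
    params = [realm] + parts             # $0 = realm, $1 = first component, ...
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only applies to principals in the default realm
            if realm == default_realm:
                return parts[0]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unparseable rule: " + rule)
        n, fmt, match, pat, repl, glob = m.groups()
        if int(n) != len(parts):
            continue                     # rule is for a different component count
        base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
        if match and not re.fullmatch(match, base):
            continue                     # filter regex must match the whole string
        result = base
        if pat is not None:
            result = re.sub(pat, repl, base, count=0 if glob else 1)
        if "@" in result or "/" in result:
            raise NoMatchingRule("Non-simple name %s after rule %s" % (result, rule))
        return result
    raise NoMatchingRule("No rules applied to " + principal)

# Constructed rule sets: one without and one with a rule for the trusted realm.
CLUSTER_ONLY = ["DEFAULT"]
WITH_TRUST = [r"RULE:[1:$1@$0](.*@TRUSTED\.REALM)s/@.*//", "DEFAULT"]
```

With `CLUSTER_ONLY`, a primary-realm user resolves while `admin@TRUSTED.REALM` fails with the same message as in the log, so that message is a quick check of which rule set the process handling the request actually loaded.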