[ https://issues.apache.org/jira/browse/SOLR-10199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Risden updated SOLR-10199: -------------------------------- Fix Version/s: 8.x master (9.0) > Solr's Kerberos functionality does not work in Java9 due to dependency on > hadoop's AuthenticationFilter which attempt access to JVM protected classes > ----------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: SOLR-10199 > URL: https://issues.apache.org/jira/browse/SOLR-10199 > Project: Solr > Issue Type: Bug > Security Level: Public(Default Security Level. Issues are Public) > Components: Hadoop Integration > Reporter: Hoss Man > Assignee: Kevin Risden > Priority: Major > Labels: Java9 > Fix For: master (9.0), 8.x > > Attachments: SOLR-10199.patch > > > (discovered this while working on test improvements for SOLR-8052) > Our Kerberos based authn/authz features are all built on top of Hadoop's > {{AuthenticationFilter}} which in turn uses Hadoop's {{KerberosUtil}} -- but > this does not work on Java9/jigsaw JVMs because that class in turn attempts > to access {{sun.security.jgss.GSSUtil}} which is not exported by {{module > java.security.jgss}} > This means that Solr users who depend on Kerberos will not be able to upgrade > to Java9, even if they do not use any Hadoop specific features of Solr. > ---- > Example log messages... > {noformat} > [junit4] 2> 6833 WARN (qtp442059499-30) [ ] > o.a.h.s.a.s.AuthenticationFilter Authentication exception: > java.lang.IllegalAccessException: class > org.apache.hadoop.security.authentication.util.KerberosUtil cannot access > class sun.security.jgss.GSSUtil (in module java.security.jgss) because module > java.security.jgss does not export sun.security.jgss to unnamed module > @4b38fe8b > [junit4] 2> 6841 WARN > (TEST-TestSolrCloudWithKerberosAlt.testBasics-seed#[95A583AF82D1EBBE]) [ ] > o.a.h.c.p.ResponseProcessCookies Invalid cookie header: "Set-Cookie: > hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Ara, 01-Sa-1970 00:00:00 GMT; > HttpOnly". Invalid 'expires' attribute: Ara, 01-Sa-1970 00:00:00 GMT > {noformat} > (NOTE: HADOOP-14115 is cause of malformed cookie expiration) > ultimately the client gets a 403 error (as seen in a testcase with patch from > SOLR-8052 applied and java9 assume commented out)... > {noformat} > [junit4] ERROR 7.10s | TestSolrCloudWithKerberosAlt.testBasics <<< > [junit4] > Throwable #1: > org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error > from server at http://127.0.0.1:34687/solr: Expected mime type > application/octet-stream but got text/html. <html> > [junit4] > <head> > [junit4] > <meta http-equiv="Content-Type" > content="text/html;charset=ISO-8859-1"/> > [junit4] > <title>Error 403 </title> > [junit4] > </head> > [junit4] > <body> > [junit4] > <h2>HTTP ERROR: 403</h2> > [junit4] > <p>Problem accessing /solr/admin/collections. Reason: > [junit4] > <pre> java.lang.IllegalAccessException: class > org.apache.hadoop.security.authentication.util.KerberosUtil cannot access > class sun.security.jgss.GSSUtil (in module java.security.jgss) because module > java.security.jgss does not export sun.security.jgss to unnamed module > @4b38fe8b</pre></p> > [junit4] > <hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// > 9.3.14.v20161028</a><hr/> > [junit4] > </body> > [junit4] > </html> > {noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org