[
https://issues.apache.org/jira/browse/SOLR-13726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16918804#comment-16918804
]
Kevin Risden commented on SOLR-13726:
-------------------------------------
SOLR-7468 introduced this a long time ago. This came up recently while trying
to debug an issue where the JVM hangs looking for Kerberos credentials.
javax.security.auth.useSubjectCredsOnly=false causes this behavior. We should
therefore definitely avoid setting the property. The warning should be enough
to help correct this.
In an ideal world, the SolrJ kerberos handling would automatically set the Java
Subject and not have to worry about this setting being configured at all.
> Krb5HttpClientBuilder avoid setting javax.security.auth.useSubjectCredsOnly
> ---------------------------------------------------------------------------
>
> Key: SOLR-13726
> URL: https://issues.apache.org/jira/browse/SOLR-13726
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Kevin Risden
> Priority: Major
>
> Solr should avoid setting system properties that affect the entire JVM.
> Specifically "javax.security.auth.useSubjectCredsOnly" is one that can cause
> a bunch of issues if SolrJ is colocated with other Kerberos secured services.
> Krb5HttpClientBuilder changes the JVM default to false if it is not set. It
> is defaulting to true. This affects everything in the JVM. Since SolrJ is
> meant to be client side, we should avoid doing this.
> [https://github.com/apache/lucene-solr/blame/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientBuilder.java#L144]
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
