[jira] [Commented] (SOLR-13726) Krb5HttpClientBuilder avoid setting javax.security.auth.useSubjectCredsOnly

Thu, 29 Aug 2019 10:39:56 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-13726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16918808#comment-16918808
 ] 

Kevin Risden commented on SOLR-13726:
-------------------------------------

[~anshum] - curious if you have any opinions/thoughts here on not setting the 
useSubjectCredsOnly system property.

I don't have a patch yet - since I think overall this needs a bit more thought 
about how we handle Kerberos in SolrJ. Ideally we wrap every SolrJ call 
internally with the explicit subject. This would avoid having to fall back to 
the JVM JAAS config unless explicitly required. 

The Hadoop UserGroupInformation class wraps a lot of the ugly internals of JVM 
JAAS configs, but it is a pretty heavy dependency to bring into SolrJ (its part 
of hadoop-common). But it might give some ideas on how to better handle this.

> Krb5HttpClientBuilder avoid setting javax.security.auth.useSubjectCredsOnly
> ---------------------------------------------------------------------------
>
>                 Key: SOLR-13726
>                 URL: https://issues.apache.org/jira/browse/SOLR-13726
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: SolrJ
>            Reporter: Kevin Risden
>            Priority: Major
>
> Solr should avoid setting system properties that affect the entire JVM. 
> Specifically "javax.security.auth.useSubjectCredsOnly" is one that can cause 
> a bunch of issues if SolrJ is colocated with other Kerberos secured services.
> Krb5HttpClientBuilder changes the JVM default to false if it is not set. It 
> is defaulting to true. This affects everything in the JVM. Since SolrJ is 
> meant to be client side, we should avoid doing this.
> [https://github.com/apache/lucene-solr/blame/master/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientBuilder.java#L144]



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to