[ https://issues.apache.org/jira/browse/RANGER-2894?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jiayi Liu updated RANGER-2894:
------------------------------
    Attachment: 001-RANGER-2894.patch

> Plugins cannot interact with Solr with basic auth as audit target
> -----------------------------------------------------------------
>
>                 Key: RANGER-2894
>                 URL: https://issues.apache.org/jira/browse/RANGER-2894
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 1.1.0, 2.0.0
>            Reporter: Nikita Ilyushkin
>            Priority: Major
>         Attachments: 001-RANGER-2894.patch
>
>
> There seems to be a problem with audit to Solr with [basic 
> authentication|https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html].
>  With a simple Solr cloud setup with basic auth, every plugin I tried (HDFS, 
> YARN, HBase, Hive) failed to write audit to it with similar errors:
> {code:java}
> 2020-06-25T19:39:35,248 ERROR [hiveServer2.async.batch_hiveServer2.async.batch.solr_destWriter] impl.CloudSolrClient: Request to collection [ranger_audits] failed due to (401) org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://nilyushkin-hadoop-dev-0.ru-central1.internal:8983/solr/ranger_audits_shard1_replica_n1: Expected mime type application/octet-stream but got text/html. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 401 require authentication</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/ranger_audits_shard1_replica_n1/update. Reason:
> <pre>    require authentication</pre></p>
> </body>
> </html>
> {code}
> tcpdump confirms that no auth headers are in requests.
>  Content of ranger-<service_name>-audit.xml:
> {code:java}
>     <property>
>         <name>xasecure.audit.is.enabled</name>
>         <value>true</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr</name>
>         <value>true</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.urls</name>
>         <value>http://fqdn:8983/solr/ranger_audits</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.user</name>
>         <value>rangeraudit</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.password</name>
>         <value>admin</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.zookeepers</name>
>         <value>fqdn:2181/solr.server</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
>         <value>/srv/audit_solr_spool</value>
>     </property>
> {code}
> The same results with xasecure.audit.destination.solr.urls instead of 
> xasecure.audit.destination.solr.zookeepers.
> Ranger Admin on the other hand writes audit just fine with given credentials 
> to the same Solr.
>  Unsurprisingly, following Solr documentation (underlying solrj really) and 
> adding:
> {code:java}
> -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory
>  -Dbasicauth=rangeraudit:admin
> {code}
> to the audited daemon (like HiveServer2) solves the problem.
>  I also haven't found setBasicAuthCredentials (the second method of auth 
> solrj provides) in the plugin sources or packages, so I assume it's just not 
> implemented or bugged.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
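
The failure mode in the report, reproduced offline as an added example (not code from Ranger, SolrJ or the reporter): a request to the update handler with no `Authorization` header gets the 401 seen in the log, while one carrying a header built preemptively from the two `xasecure.audit.destination.solr.*` credential properties succeeds. `StubSolr` is a hypothetical stand-in for a Solr node with basic auth enabled, and the XML is a constructed sample using the values from the config above.

```python
import base64, http.client, threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the two credential properties from the audit config.
AUDIT_XML = """<configuration>
<property><name>xasecure.audit.destination.solr.user</name><value>rangeraudit</value></property>
<property><name>xasecure.audit.destination.solr.password</name><value>admin</value></property>
</configuration>"""

def basic_auth_header(audit_xml):
    """Build the Authorization value a client has to send preemptively."""
    props = {p.findtext("name"): p.findtext("value")
             for p in ET.fromstring(audit_xml).iter("property")}
    creds = "{}:{}".format(props["xasecure.audit.destination.solr.user"],
                           props["xasecure.audit.destination.solr.password"])
    return "Basic " + base64.b64encode(creds.encode()).decode()

class StubSolr(BaseHTTPRequestHandler):
    """Hypothetical stand-in for a Solr node with basic auth enabled."""
    expected = basic_auth_header(AUDIT_XML)
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("Authorization") == self.expected
        self.send_response(200 if ok else 401)
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def post_update(port, auth=None):
    """POST an empty batch to the update handler; return the HTTP status."""
    headers = {"Authorization": auth} if auth else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/solr/ranger_audits/update", b"[]", headers)
    status = conn.getresponse().status
    conn.close()
    return status

def demo():
    """Return (status without header, status with preemptive header)."""
    server = HTTPServer(("127.0.0.1", 0), StubSolr)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return post_update(port), post_update(port, basic_auth_header(AUDIT_XML))
    finally:
        server.shutdown()
        server.server_close()
```

The header value is only base64-encoded, so with the `http://` Solr URL in this config the audit credentials are recoverable from a capture like the tcpdump mentioned in the report once the client does send them.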
