[ https://issues.apache.org/jira/browse/RANGER-2894?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jiayi Liu updated RANGER-2894: ------------------------------ Attachment: 001-RANGER-2894.patch > Plugins cannot interact with Solr with basic auth as audit targer > ----------------------------------------------------------------- > > Key: RANGER-2894 > URL: https://issues.apache.org/jira/browse/RANGER-2894 > Project: Ranger > Issue Type: Bug > Components: plugins > Affects Versions: 1.1.0, 2.0.0 > Reporter: Nikita Ilyushkin > Priority: Major > Attachments: 001-RANGER-2894.patch > > > There seems to be a problem with audit to Solr with [basic > authentication|https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html]. > With the simple Solr cloud setup with basic auth every plugin I tried (HDFS, > YARN, HBase, Hive) failed to write audit to it with the similar errors: > {code:java} > 2020-06-25T19:39:35,248 ERROR > [hiveServer2.async.batch_hiveServer2.async.batch.solr_destWriter] > impl.CloudSolrClient: Request to collection [ranger_audits] failed due to > (401) org.apache.solr.client.solrj.impl.H > ttpSolrClient$RemoteSolrException: Error from server at > http://nilyushkin-hadoop-dev-0.ru-central1.internal:8983/solr/ranger_audits_shard1_replica_n1: > Expected mime type application/octet-stream but got text/htm > l. <html> > <head> > <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> > <title>Error 401 require authentication</title> > </head> > <body><h2>HTTP ERROR 401</h2> > <p>Problem accessing /solr/ranger_audits_shard1_replica_n1/update. Reason: > <pre> require authentication</pre></p> > </body> > </html> > {code} > tcpdump confirms that no auth headers are in requests. > Content of ranger-<service_name>-audit.xml: > {code:java} > <property> > <name>xasecure.audit.is.enabled</name> > <value>true</value> > </property> > <property> > <name>xasecure.audit.destination.solr</name> > <value>true</value> > </property> > <property> > <name>xasecure.audit.destination.solr.urls</name> > <value>http://fqdn:8983/solr/ranger_audits</value> > </property> > <property> > <name>xasecure.audit.destination.solr.user</name> > <value>rangeraudit</value> > </property> > <property> > <name>xasecure.audit.destination.solr.password</name> > <value>admin</value> > </property> > <property> > <name>xasecure.audit.destination.solr.zookeepers</name> > <value>fqdn:2181/solr.server</value> > </property> > <property> > <name>xasecure.audit.destination.solr.batch.filespool.dir</name> > <value>/srv/audit_solr_spool</value> > </property> > {code} > The same results with xasecure.audit.destination.solr.urls instead > xasecure.audit.destination.solr.zookeepers. > Ranger Admin on the other hand writes audit just fine with given credentials > to the same Solr. > Unsurprisingly, following Solr documentation (underlying solrj really) and > adding: > {code:java} > -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory > -Dbasicauth=rangeraudit:admin > {code} > to the audited daemon (like HiveServer2) solves the problem. > I also haven't found setBasicAuthCredentials (the second method of auth > solrj provides) in the plugin sources or packages, so I assume it's just not > implemented or bugged. -- This message was sent by Atlassian Jira (v8.20.10#820010)