[jira] [Commented] (NIFI-5148) Solr processors failing to authenticate against Kerberized Solr
[ https://issues.apache.org/jira/browse/NIFI-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16495536#comment-16495536 ] ASF GitHub Bot commented on NIFI-5148: -- Github user asfgit closed the pull request at: https://github.com/apache/nifi/pull/2674 > Solr processors failing to authenticate against Kerberized Solr > --- > > Key: NIFI-5148 > URL: https://issues.apache.org/jira/browse/NIFI-5148 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.6.0 >Reporter: Bryan Bende >Assignee: Bryan Bende >Priority: Major > Fix For: 1.7.0 > > > It appears that with the new default value of "useSubjectCredsOnly=true" in > NiFi's bootstrap.conf that this can cause an issue for the Solr processors > when talking to a kerberized Solr. > The SolrJ client code that we are using specifically calls this out as being > problematic: > [https://github.com/apache/lucene-solr/blob/branch_6x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L75-L88] > We should refactor the kerberos approach in the Solr processors to resolve > this issue and make general improvements. We should be performing a JAAS > login and wrapping calls in Subject.doAs, and we should try and move away > from the system level JAAS property and leverage the new keytab controller > service. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-5148) Solr processors failing to authenticate against Kerberized Solr
[ https://issues.apache.org/jira/browse/NIFI-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16495534#comment-16495534 ] ASF subversion and git services commented on NIFI-5148: --- Commit f69b720464d540c8ea32f7ddbc58d08cb566a630 in nifi's branch refs/heads/master from [~bbende] [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=f69b720 ] NIFI-5148 Refactoring Kerberos auth for Solr processors - Created resuable KeytabUser and KeytabConfiguration in nifi-security-utils - Refactored Solr processors to use a KeytabControllerService and no longer rely on JAAS system property - Wrapped all calls in SolrProcessor onTrigger in a doAs when kerberos is enabled - Added IT tests against MiniKDC - This closes #2674 > Solr processors failing to authenticate against Kerberized Solr > --- > > Key: NIFI-5148 > URL: https://issues.apache.org/jira/browse/NIFI-5148 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.6.0 >Reporter: Bryan Bende >Assignee: Bryan Bende >Priority: Major > Fix For: 1.7.0 > > > It appears that with the new default value of "useSubjectCredsOnly=true" in > NiFi's bootstrap.conf that this can cause an issue for the Solr processors > when talking to a kerberized Solr. > The SolrJ client code that we are using specifically calls this out as being > problematic: > [https://github.com/apache/lucene-solr/blob/branch_6x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L75-L88] > We should refactor the kerberos approach in the Solr processors to resolve > this issue and make general improvements. We should be performing a JAAS > login and wrapping calls in Subject.doAs, and we should try and move away > from the system level JAAS property and leverage the new keytab controller > service. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-5148) Solr processors failing to authenticate against Kerberized Solr
[ https://issues.apache.org/jira/browse/NIFI-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16495535#comment-16495535 ] ASF GitHub Bot commented on NIFI-5148: -- Github user mcgilman commented on the issue: https://github.com/apache/nifi/pull/2674 Thanks @bbende! This has been merged to master. > Solr processors failing to authenticate against Kerberized Solr > --- > > Key: NIFI-5148 > URL: https://issues.apache.org/jira/browse/NIFI-5148 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.6.0 >Reporter: Bryan Bende >Assignee: Bryan Bende >Priority: Major > Fix For: 1.7.0 > > > It appears that with the new default value of "useSubjectCredsOnly=true" in > NiFi's bootstrap.conf that this can cause an issue for the Solr processors > when talking to a kerberized Solr. > The SolrJ client code that we are using specifically calls this out as being > problematic: > [https://github.com/apache/lucene-solr/blob/branch_6x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L75-L88] > We should refactor the kerberos approach in the Solr processors to resolve > this issue and make general improvements. We should be performing a JAAS > login and wrapping calls in Subject.doAs, and we should try and move away > from the system level JAAS property and leverage the new keytab controller > service. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-5148) Solr processors failing to authenticate against Kerberized Solr
[ https://issues.apache.org/jira/browse/NIFI-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16493905#comment-16493905 ] ASF GitHub Bot commented on NIFI-5148: -- Github user mcgilman commented on the issue: https://github.com/apache/nifi/pull/2674 Will review... > Solr processors failing to authenticate against Kerberized Solr > --- > > Key: NIFI-5148 > URL: https://issues.apache.org/jira/browse/NIFI-5148 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.6.0 >Reporter: Bryan Bende >Assignee: Bryan Bende >Priority: Major > > It appears that with the new default value of "useSubjectCredsOnly=true" in > NiFi's bootstrap.conf that this can cause an issue for the Solr processors > when talking to a kerberized Solr. > The SolrJ client code that we are using specifically calls this out as being > problematic: > [https://github.com/apache/lucene-solr/blob/branch_6x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L75-L88] > We should refactor the kerberos approach in the Solr processors to resolve > this issue and make general improvements. We should be performing a JAAS > login and wrapping calls in Subject.doAs, and we should try and move away > from the system level JAAS property and leverage the new keytab controller > service. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (NIFI-5148) Solr processors failing to authenticate against Kerberized Solr
[ https://issues.apache.org/jira/browse/NIFI-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463088#comment-16463088 ] ASF GitHub Bot commented on NIFI-5148: -- GitHub user bbende opened a pull request: https://github.com/apache/nifi/pull/2674 NIFI-5148 Refactoring Kerberos auth for Solr processors - Created resuable KeytabUser and KeytabConfiguration in nifi-security-utils - Refactored Solr processors to use a KeytabControllerService and no longer rely on JAAS system property - Wrapped all calls in SolrProcessor onTrigger in a doAs when kerberos is enabled Thank you for submitting a contribution to Apache NiFi. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: ### For all changes: - [ ] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [ ] Does your PR title start with NIFI- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [ ] Has your PR been rebased against the latest commit within the target branch (typically master)? - [ ] Is your initial contribution a single, squashed commit? ### For code changes: - [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder? - [ ] Have you written or updated unit tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly? - [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly? - [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [ ] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. You can merge this pull request into a Git repository by running: $ git pull https://github.com/bbende/nifi solr-kerberos-refactor Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/2674.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #2674 commit d5332ae4e3a958027becb2f41c0da594dab0f7a5 Author: Bryan Bende Date: 2018-05-02T20:17:05Z NIFI-5148 Refactoring Kerberos auth for Solr processors - Created resuable KeytabUser and KeytabConfiguration in nifi-security-utils - Refactored Solr processors to use a KeytabControllerService and no longer rely on JAAS system property - Wrapped all calls in SolrProcessor onTrigger in a doAs when kerberos is enabled > Solr processors failing to authenticate against Kerberized Solr > --- > > Key: NIFI-5148 > URL: https://issues.apache.org/jira/browse/NIFI-5148 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.6.0 >Reporter: Bryan Bende >Assignee: Bryan Bende >Priority: Major > > It appears that with the new default value of "useSubjectCredsOnly=true" in > NiFi's bootstrap.conf that this can cause an issue for the Solr processors > when talking to a kerberized Solr. > The SolrJ client code that we are using specifically calls this out as being > problematic: > [https://github.com/apache/lucene-solr/blob/branch_6x/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L75-L88] > We should refactor the kerberos approach in the Solr processors to resolve > this issue and make general improvements. We should be performing a JAAS > login and wrapping calls in Subject.doAs, and we should try and move away > from the system level JAAS property and leverage the new keytab controller > service. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
