Configuring Solr for Kerberos and accessing it requires a lot of things done correctly, else it is very difficult to debug.
I had written this article a while ago, you can give a try. But note that, all clients needs to be Kerberos aware. So if you are using curl, then make sure you have kinit’ed before making the call. Also check for the cookies returned. If you are accessing via browser, note only certain browsers picks your local kinit by default. Others, including Chrome, you need to do additional steps. https://cwiki.apache.org/confluence/display/RANGER/How+to+configure+Solr+Cloud+with+Kerberos+for+Ranger+0.5 Thanks Bosco From: "方久鑫 (fangheart)" <fanghe...@fangheart.win> Date: Wednesday, January 4, 2017 at 11:19 PM To: Don Bosco Durai <bo...@apache.org> Subject: Re: Re: ranger solr-plugin Now i install ranger not in kerberos,but solr in kerberos,After authentication and authorization ,Enven "Test connection" still can't show nomal,But my ranger It seems that can control the solr when i after add base policy,when i use commond such as curl --negotiate -u : http://test-1:8983/solr/gettingstarted/select?q=film Besides after authorization,the solr webUI cant't use .That cause some trouble for me.it caused by ranger not in kerberos? From: Don Bosco Durai Date: 2017-01-05 04:25 To: user@ranger.incubator.apache.org CC: fangheart Subject: Re: ranger solr-plugin Gautam, thanks. This is what I was looking for. The document looks pretty detailed. But had a hard time finding it. We should have a central page with the links to the different documents. Fangheart, can you go through the steps as noted in the document and let us know if it works for you? And give any feedback you might have. Thanks Bosco From: Gautam Borad <gbo...@gmail.com> Reply-To: <user@ranger.incubator.apache.org> Date: Tuesday, January 3, 2017 at 10:16 PM To: <user@ranger.incubator.apache.org> Cc: fangheart <fanghe...@fangheart.win> Subject: Re: ranger solr-plugin Bosco, there is a session "Creating Keytab and principals" in the doc, if that is what you want. After that one will have to enable the plugin like any other plugin. However, will still give the doc one shot and try to update if anything is missing. Thanks. On Wed, Jan 4, 2017 at 12:47 AM, Don Bosco Durai <bo...@apache.org> wrote: Gautam, this is mostly how to setup Apache Ranger to run in Kerberos mode. I know, when installed via Ambari, we create the Ranger Admin and Lookup user keytabs and appropriate properties are automatically configured. So if someone want to do this manually or via our manual setup script, then is there any documentation. If we don’t, we should create a JIRA and track it for now. Thanks Bosco From: Gautam Borad <gbo...@gmail.com> Reply-To: <user@ranger.incubator.apache.org> Date: Tuesday, January 3, 2017 at 12:34 AM To: <user@ranger.incubator.apache.org> Cc: fangheart <fanghe...@fangheart.win> Subject: Re: ranger solr-plugin The following documents should server your purpose : - Enable Ranger Solr Plugin - Configure SolrCloud in secure mode - Ranger installation in Kerberos Environment Also Bosco, am not sure if any changes were done to the setup script for Solr plugin support. The script is generic for all components. On Mon, Jan 2, 2017 at 11:15 PM, Don Bosco Durai <bo...@apache.org> wrote: The latest release supports Kerberos. However, the setup is done via Apache Ambari. I am not sure whether there is a documentation to set this up for manual Ranger install. Ankita, since you worked on this, did we update the manual install scripts and is there any documentation around it? Thanks Bosco From: fangheart <fanghe...@fangheart.win> Date: Wednesday, December 28, 2016 at 4:38 PM To: Don Bosco Durai <bo...@apache.org> Subject: Re: ranger solr-plugin Thank you very much for your reply.if you can support the kerberoes for ranger admin,i will thank you very much. Best wishes for you. On 12/28/2016 08:53, Don Bosco Durai wrote: For “Test Connection” to work, you need to have the Ranger Admin also Kerberized. Just for your information, connection from Ranger Admin to Solr is only required for “collections” lookup. If you know the collections, then you can manually type them while creating the policies. Let me know if you need help on setting up Kerberos for Ranger Admin. Bosco From: "方久鑫 (fangheart)" <fanghe...@fangheart.win> Date: Friday, October 28, 2016 at 1:20 AM To: Don Bosco Durai <bo...@apache.org> Subject: Re: Re: ranger solr-plugin my version is 0.6. And now i install the kerberos. it can work normal . But now i have another question. When the authorization and authentication is completed. ranger-solr-service test connection can't show successfully.It show HTTP 401 Authentication required. What should i do let it can test connection? Thank you for your reply. fanghe...@fangheart.win From: Don Bosco Durai Date: 2016-10-28 03:10 To: 方久鑫 (fangheart) CC: user@ranger.incubator.apache.org; ranger Subject: Re: ranger solr-plugin [Copied user and dev group] Hello I personally have not tested with Solr’s basic auth. All my testing was with Kerberos. Which Ranger version are you using? Looking at the line numbers, it doesn’t seem to be Ranger 0.6 Bosco From: "方久鑫 (fangheart)" <fanghe...@fangheart.win> Date: Tuesday, October 25, 2016 at 2:14 AM To: bosco <bo...@apache.org> Subject: ranger solr-plugin my solr can working normal.when i use the security.json like this { "authentication": { "class": "solr.BasicAuthPlugin", "blockUnknown": true, "credentials": { "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw=" } }, "authorization": { "class": "solr.RuleBasedAuthorizationPlugin" } } but when i Securing Solr Collections with Ranger as below: { "authentication": { "class": "solr.BasicAuthPlugin", "credentials": { "root": "v1kx29vsv2JHda4iY+rqpNpHscwW29rH1z6rzI/6LVI= tL5DTOVBr1eRaW8u1Hyo5JluY8bMqkeQJ573pgLynDw=" } }, "authorization": { "class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer" } } solr-plugin can show in ranger-audit-plugin. But solr can't work normal when i open http://localhost:8983/solr/ HTTP ERROR 500 Problem accessing /solr/. Reason: {trace=java.lang.NullPointerException at org.apache.solr.servlet.HttpSolrCall$2.toString(HttpSolrCall.java:1020) at java.lang.String.valueOf(String.java:2849) at java.lang.StringBuilder.append(StringBuilder.java:128) at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:227) at org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer.authorize(RangerSolrAuthorizer.java:128) at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:420) at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:225) at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:183) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) at org.eclipse.jetty.server.Server.handle(Server.java:499) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) at java.lang.Thread.run(Thread.java:745) ,code=500} Powered by Jetty:// fanghe...@fangheart.win -- Regards, Gautam. -- Regards, Gautam.
