In our environment we have had issues with Kerberos authentication failing with SolrJ 6.3 and Java 1.8. The only solution was to back Java down to 1.7 or upgrade SolrJ to 6.6.
I just tried the flow on the Lab systems running Nifi 1.7 and Kerberos authentication worked. Looks like we are going to be doing an upgrade. -----Original Message----- From: Bryan Bende [mailto:bbe...@gmail.com] Sent: Monday, October 15, 2018 12:21 PM To: users@nifi.apache.org Subject: [EXTERNAL] Re: Re: putsolrcontentstream and kerberos I'm running Oracle JDK 1.8.0_162 and NiFi should be using SolrJ 6.2.0 [1]. Not sure if it is worth trying to upgrade, but the 1.7.0 release re-factored how the kerberos auth is handled for the Solr processors so that it no longer relies on the JAAS configuration [2]. It's possible that could resolve your issue, but hard to say. [1] https://github.com/apache/nifi/blob/rel/nifi-1.6.0/nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/pom.xml#L26 [2] https://issues.apache.org/jira/browse/NIFI-5148 On Mon, Oct 15, 2018 at 1:00 PM Dan Caulfield <dan.caulfi...@gm.com> wrote: > > Yes, curl works fine. Just out of curiosity, what version of java are you > running? Does anyone know which version of SolrJ is using the the 1.6 > putsolrcontentstream? > > -----Original Message----- > From: Bryan Bende [mailto:bbe...@gmail.com] > Sent: Friday, October 12, 2018 2:08 PM > To: users@nifi.apache.org > Subject: [EXTERNAL] Re: putsolrcontentstream and kerberos > > I've only done it against Solr cloud, but I don't know a reason why it > wouldn't work against standalone Solr. > > Nothing is jumping out at me as being wrong with your config. My JAAS config > was the following: > > SolrJClient { > com.sun.security.auth.module.Krb5LoginModule required > useKeyTab=true > keyTab="/Users/bbende/Projects/docker-kdc/krb5.keytab" > storeKey=true > useTicketCache=false > debug=true > principal="n...@solr.org"; > }; > > Can you successfully access Solr from a curl command? > > curl --negotiate -u : > "http://vmsol001.epg.nam.gm.com:8983/solr/collection1/select"; > > Assuming you did a kinit first. > > On Fri, Oct 12, 2018 at 2:48 PM Dan Caulfield <dan.caulfi...@gm.com> wrote: > > > > When attempting to use the putsolrcontentstream (Version 1.6.0) to load > > json file into a Solr 6.3 cluster that requires Kerberos authentication. > > > > > > > > I have set the -D > > java.security.auth.login.config=/disk-1/nifi/jaas/jaas.conf > > > > > > > > And the jass file looks like this - > > > > MicroServicesSolrClient { > > > > com.sun.security.auth.module.Krb5LoginModule required > > > > useKeyTab=true > > > > storeKey=true > > > > keyTab="/disk-1/nifi/keytabs/MSSolrClient" > > > > serviceName="solr" > > > > principal="mssolru...@xxxxx.gm.com"; > > > > }; > > > > GMASTSolrClient { > > > > com.sun.security.auth.module.Krb5LoginModule required > > > > useKeyTab=true > > > > storeKey=true > > > > useTicketCache=true > > > > debug=true > > > > keyTab="/disk-1/nifi/keytabs/GMSolrClient" > > > > serviceName="solr" > > > > principal="gmsolru...@xxxxx.gm.com"; > > > > }; > > > > > > > > The Processor is set to – > > > > Solr Type – Standard > > > > Solr Location - > > http://vmsol001.epg.nam.gm.com:8983/solr/collection1/ > > > > Content Stream Path - /update/json/docs > > > > Content-Type – application/json > > > > JAAS Client App Name – GMASTSolrClient > > > > > > > > Does the 1.6 version of the PutSolrContentStream support Kerberos? > > We are getting the 401 authentication error - > > > > > > > > > > > > 198730787914459,size=119100] to Solr due to > > org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: > > Error from server at http://vmsol001.epg.nam.gm.com:8983/solr: > > Expected mime type application/octet-stream but got text/html. > > <html> > > > > <head> > > > > <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> > > > > <title>Error 401 Authentication required</title> > > > > </head> > > > > <body><h2>HTTP ERROR 401</h2> > > > > <p>Problem accessing /solr/select. Reason: > > > > <pre> Authentication required</pre></p> > > > > </body> > > > > </html> > > > > ; routing to failure: > > org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: > > Error from server at http://vmsol001.epg.nam.gm.com:8983/solr: > > Expected mime type application/octet-stream but got text/html. > > <html> > > > > <head> > > > > <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> > > > > <title>Error 401 Authentication required</title> > > > > </head> > > > > <body><h2>HTTP ERROR 401</h2> > > > > <p>Problem accessing /solr/select. Reason: > > > > <pre> Authentication required</pre></p> > > > > </body> > > > > </html> > > > > > > > > org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: > > Error from server at http://vmsol001.epg.nam.gm.com:8983/solr: > > Expected mime type application/octet-stream but got text/html. > > <html> > > > > <head> > > > > <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> > > > > <title>Error 401 Authentication required</title> > > > > </head> > > > > <body><h2>HTTP ERROR 401</h2> > > > > org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: > > Error from server at http://vmsol001.epg.nam.gm.com:8983/solr: > > Expected mime type application/octet-stream but got text/html. > > <html> > > > > <head> > > > > <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> > > > > <title>Error 401 Authentication required</title> > > > > </head> > > > > <body><h2>HTTP ERROR 401</h2> > > > > <p>Problem accessing /solr/select. Reason: > > > > <pre> Authentication required</pre></p> > > > > </body> > > > > </html> > > > > > > > > at > > org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpS > > ol > > rClient.java:560) > > > > at > > org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrCli > > en > > t.java:261) > > > > at > > org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrCli > > en > > t.java:250) > > > > at > > org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:14 > > 9) > > > > at > > org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:16 > > 6) > > > > at > > org.apache.nifi.processors.solr.PutSolrContentStream$1.process(PutSo > > lr > > ContentStream.java:242) > > > > at > > org.apache.nifi.controller.repository.StandardProcessSession.read(St > > an > > dardProcessSession.java:2207) > > > > at > > org.apache.nifi.controller.repository.StandardProcessSession.read(St > > an > > dardProcessSession.java:2175) > > > > at > > org.apache.nifi.processors.solr.PutSolrContentStream.onTrigger(PutSo > > lr > > ContentStream.java:199) > > > > at > > org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProces > > so > > r.java:27) > > > > at > > org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardP > > ro > > cessorNode.java:1147) > > > > at > > org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableT > > as > > k.java:175) > > > > at > > org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.r > > un > > (TimerDrivenSchedulingAgent.java:117) > > > > at > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:5 > > 11 > > ) > > > > at > > java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) > > > > at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask > > .a > > ccess$301(ScheduledThreadPoolExecutor.java:180) > > > > at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask > > .r > > un(ScheduledThreadPoolExecutor.java:294) > > > > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor > > .j > > ava:1149) > > > > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor. > > java:624) > > > > at java.lang.Thread.run(Thread.java:748) > > > > > > Dan Caulfield > > Hyper Scale Engineer > > > > GM – NA Information Technology – Hyper Scale Data Solutions > > > > dan.caulfi...@gm.com > > > > > > > > > > > > Nothing in this message is intended to constitute an electronic signature > > unless a specific statement to the contrary is included in this message. > > > > Confidentiality Note: This message is intended only for the person or > > entity to which it is addressed. It may contain confidential and/or > > privileged material. Any review, transmission, dissemination or other use, > > or taking of any action in reliance upon this message by persons or > > entities other than the intended recipient is prohibited and may be > > unlawful. If you received this message in error, please contact the sender > > and delete it from your computer. > > > Nothing in this message is intended to constitute an electronic signature > unless a specific statement to the contrary is included in this message. > > Confidentiality Note: This message is intended only for the person or entity > to which it is addressed. It may contain confidential and/or privileged > material. Any review, transmission, dissemination or other use, or taking of > any action in reliance upon this message by persons or entities other than > the intended recipient is prohibited and may be unlawful. If you received > this message in error, please contact the sender and delete it from your > computer. Nothing in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message. Confidentiality Note: This message is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged material. Any review, transmission, dissemination or other use, or taking of any action in reliance upon this message by persons or entities other than the intended recipient is prohibited and may be unlawful. If you received this message in error, please contact the sender and delete it from your computer.
