lucene-dev mailing list archives

From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-7950) Invalid auth scheme configuration of Http client when using Kerberos (SPNEGO)
Date Mon, 24 Aug 2015 19:35:46 GMT

    [ https://issues.apache.org/jira/browse/SOLR-7950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14709922#comment-14709922 ]

Gregory Chanan commented on SOLR-7950:
--------------------------------------

Patch looks correct to me; not sure I understand the symptoms though.

{quote}This issue was identified after configuring Solr with both Basic + Negotiate authentication
schemes simultaneously. The problem in this case is that Http client is configured with Kerberos
credentials and the default (and incorrect) auth scheme configuration prefers Basic authentication
over Kerberos. Since the basic authentication credentials are missing, the authentication
and as a result the Http request fails. (I ran into this problem while creating a collection
where there is an internal communication between Solr servers).{quote}

We don't support Basic + Negotiate now, right?  So we need another solr patch to expose the
underlying problem?

There's no fall back mechanism?  E.g. if you fail basic you can fall back to SPNego?  Or can
you prefer SPNego over basic?

> Invalid auth scheme configuration of Http client when using Kerberos (SPNEGO)
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-7950
>                 URL: https://issues.apache.org/jira/browse/SOLR-7950
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 4.10.3, Trunk
>            Reporter: Hrishikesh Gadre
>            Assignee: Gregory Chanan
>         Attachments: solr-7950.patch
>
>
> When using kerberos authentication mechanism (SPNEGO auth scheme), the Apache Http client
> is incorrectly configured with *all* auth schemes (e.g. Basic, Digest, NTLM, Kerberos, Negotiate
> etc.) instead of just 'Negotiate'.
> This issue was identified after configuring Solr with both Basic + Negotiate authentication
> schemes simultaneously. The problem in this case is that Http client is configured with Kerberos
> credentials and the default (and incorrect) auth scheme configuration prefers Basic authentication
> over Kerberos. Since the basic authentication credentials are missing, the authentication
> and as a result the Http request fails. (I ran into this problem while creating a collection
> where there is an internal communication between Solr servers).
> The root cause for this issue is that the AbstractHttpClient::getAuthSchemes() API call
> prepares an AuthSchemeRegistry instance with all possible authentication schemes. Hence when
> we register the SPNEGO auth scheme in Solr codebase, it overrides the previous configuration
> for SPNEGO - but doesn't remove the other auth schemes from the client configuration. Please
> take a look at relevant code snippet.
> https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80
> A trivial fix would be to prepare a new AuthSchemeRegistry instance configured with just
> SPNEGO mechanism and set it in the HttpClient.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
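
The behaviour described in the issue, as an added example that is not taken from solr-7950.patch or from the Solr code base: with Apache HttpClient 4.x on the classpath, registering SPNEGO on the registry returned by getAuthSchemes() leaves the other schemes in place, while installing a fresh AuthSchemeRegistry leaves only Negotiate. The class name NegotiateOnlyClient and the method restrictToSpnego are hypothetical names chosen for this example.

```java
import java.util.List;

import org.apache.http.auth.AuthSchemeRegistry;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;

// Added illustration; not the project's code. Uses the HttpClient 4.x
// AbstractHttpClient API that the issue refers to.
public class NegotiateOnlyClient {

    // Hypothetical helper: replace the client's scheme registry with one
    // that contains only SPNEGO, so that a server offering Basic and
    // Negotiate together can only be answered with Negotiate.
    static List<String> restrictToSpnego(DefaultHttpClient client) {
        AuthSchemeRegistry registry = new AuthSchemeRegistry();
        // 'true' strips the port from the host name used to build the
        // service principal name.
        registry.register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
        client.setAuthSchemes(registry);
        return client.getAuthSchemes().getSchemeNames();
    }

    public static void main(String[] args) {
        DefaultHttpClient client = new DefaultHttpClient();
        try {
            // The lazily created default registry already holds every
            // scheme HttpClient ships with.
            System.out.println("default registry:   "
                    + client.getAuthSchemes().getSchemeNames());

            // Registering on that registry only overrides the SPNEGO
            // entry; the remaining schemes stay selectable.
            client.getAuthSchemes().register(
                    AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
            System.out.println("after register():   "
                    + client.getAuthSchemes().getSchemeNames());

            // Installing a fresh registry removes them.
            System.out.println("after replacement:  "
                    + restrictToSpnego(client));
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```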
