lucene-dev mailing list archives

From Olivér Szabó (JIRA) <>
Subject [jira] [Commented] (SOLR-11981) Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
Date Wed, 14 Feb 2018 23:25:00 GMT


Olivér Szabó commented on SOLR-11981:

I found a workaround for that issue:
The property {{}} can be used directly with the bin/solr script (!!! - and not with the {{-a}} option). I'm closing that issue now as won't fix, but it would probably be useful to document not defining {{}} with {{SOLR_AUTHENTICATION_OPTS}} if multiple Kerberos rules are used.

> Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
> ----------------------------------------------------------------------------
>                 Key: SOLR-11981
>                 URL:
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 5.5.5, 6.6.2, 7.2.1
>            Reporter: Olivér Szabó
>            Priority: Major
> On secure env, when multiline (or space separated) kerberos name rules are used ( in, those values cannot be passed to the start script properly. (using {{}})
> Example:
> {code:java}
> SOLR_JAAS_FILE=solr.jaas
> SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
> SOLR_KERB_NAME_RULES="RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L
> SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
> -Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}"${SOLR_KERB_NAME_RULES}
> {code}
> that will cause:
> {code:java}
> Caused by:$NoMatchingRule: No rules applied to solr/host.example@ADMIN.EXAMPLE.NET
> at
> at
> {code}
> Reason for that (probably): in solr start script, there are multiple {{"${SOLR_OPTS[@]}}}-like (for auth props as well), which magically handle variables as arrays (separated by space or
> I have tried to add {{}} property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use spaces/newlines there even with quotes or escape characters.
> With Ambari we faced this issue before:, the quick solution was to patch the start script to use {{"$SOLR_KERB_NAME_RULES"}} directly where the script starts the java process
> You can close this jira as invalid if there is a workaround for that issue or it is fixed already; if not, then my proposed solution is to do something similar. (maybe there are better places where to put that variable)

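The splitting behaviour described in the issue, as an added example that is not part of the original message or of Solr's bin/solr: a simplified model of a start script that expands an options string unquoted, next to one that passes each option as a single quoted word. Assumptions: `fake_java`, `start_split` and `start_quoted` are hypothetical names, the rules are passed as `-Dsolr.kerberos.name.rules=`, and positional parameters stand in for the bash array so the sketch runs in any POSIX shell.

```shell
#!/bin/sh
# Constructed sample: two name rules separated by one space (realms from the issue).
NAME_RULES='RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L'
KEYTAB_OPT='-Dsolr.kerberos.keytab=/etc/security/keytabs/solr.keytab'

# Hypothetical stand-in for the JVM: prints "<argc>|<name-rules value it received>".
fake_java() {
  rules=
  for arg in "$@"; do
    case $arg in
      -Dsolr.kerberos.name.rules=*) rules=${arg#-Dsolr.kerberos.name.rules=} ;;
    esac
  done
  printf '%s|%s\n' "$#" "$rules"
}

# Options held in one string and expanded unquoted: the shell splits on every
# space, so the second rule becomes a separate argument.
start_split() {
  opts="$KEYTAB_OPT -Dsolr.kerberos.name.rules=$NAME_RULES"
  set -f              # no globbing, so only word splitting is shown
  fake_java $opts
  set +f
}

# Each option passed as one quoted word: the rules stay in a single argument.
start_quoted() {
  set -- "$KEYTAB_OPT" "-Dsolr.kerberos.name.rules=$NAME_RULES"
  fake_java "$@"
}

echo "split:  $(start_split)"
echo "quoted: $(start_quoted)"
```

In the split case the stand-in receives three arguments and the property holds only the ADMIN rule; in the quoted case it receives two arguments and the property holds both rules.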