lucene-dev mailing list archives

From Olivér Szabó (JIRA) <>
Subject [jira] [Commented] (SOLR-11981) Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
Date Mon, 26 Feb 2018 17:58:00 GMT


Olivér Szabó commented on SOLR-11981:

Probably the reason could be that the variable was set in a file and then it's formatted multiple
times after that, as the -D will be added into SOLR_OPTS anyway in the end

> Multiple kerberos name rules can not be passed with SOLR_AUTHENTICATION_OPTS
> ----------------------------------------------------------------------------
>                 Key: SOLR-11981
>                 URL:
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 5.5.5, 6.6.2, 7.2.1
>            Reporter: Olivér Szabó
>            Priority: Major
> On secure env, when multiline (or space separated) kerberos name rules are used ( in,  those values cannot be passed to the start script properly. (using {{}})
> Example:
> {code:java}
> SOLR_JAAS_FILE=solr.jaas
> SOLR_KERB_KEYTAB=/etc/security/keytabs/solr.keytab
> SOLR_KERB_NAME_RULES="RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L
> SOLR_AUTHENTICATION_CLIENT_CONFIGURER="org.apache.solr.client.solrj.impl.Krb5HttpClientConfigurer"
-Dsolr.kerberos.keytab=${SOLR_KERB_KEYTAB} -Dsolr.kerberos.cookie.domain=${SOLR_HOST}"${SOLR_KERB_NAME_RULES}
> {code}
> that will cause:
> {code:java}
> Caused by:$NoMatchingRule:
No rules applied to solr/host.example@ADMIN.EXAMPLE.NET 
> at

> at
> {code}
> Reason for that (probably): in solr start script, there are multiple {{"${SOLR_OPTS[@]}}}-like (for auth props as well), which magically handle variables as arrays (separated by space or
> I have tried to add {{}} property directly to SOLR_OPTS instead of SOLR_AUTHENTICATION_OPTS, but I could not use spaces/newlines there even with quotes or escape characters.
> With Ambari we faced this issue before:, the quick solution was to patch the start script to use {{"$SOLR_KERB_NAME_RULES"}} directly where the script starts the java process
> You can close this jira invalid if there is a workaround for that issue or fixed already, if not, then my proposed solution to do something similar. (maybe there are better places where to put that variable)
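
The word splitting described in the issue, as an added example that is not part of the original message or of Solr's start script. The function names are hypothetical, positional parameters stand in for the bash array so it runs in any POSIX shell, and the property name `solr.kerberos.name.rules` is Solr's Kerberos plugin property rather than something shown on this page.

```shell
#!/bin/sh
# Constructed sample values modelled on the issue description.
# Single quotes keep $1 and $0 literal instead of expanding them in the shell.
KEYTAB='/etc/security/keytabs/solr.keytab'
RULES='RULE:[1:$1@$0](.*@ADMIN.EXAMPLE.NET)s/@.*///L RULE:[1:$1@$0](.*@PROD.EXAMPLE.NET)s/@.*///L'
AUTH_OPTS="-Dsolr.kerberos.keytab=$KEYTAB -Dsolr.kerberos.name.rules=$RULES"

# Print every argument on its own line, bracketed so the boundaries are visible.
show_args() { for a in "$@"; do printf '[%s]\n' "$a"; done; }

# Split style: one options string expanded unquoted, so the shell breaks it
# on every space, including the space between the two rules.
split_style() {
  set -f   # no globbing, so .* and [1:...] are not matched against file names
  # shellcheck disable=SC2086
  show_args $AUTH_OPTS
  set +f
}

# Quoted style: each -D option is appended as exactly one argument
# (the POSIX equivalent of SOLR_OPTS+=("...") with "${SOLR_OPTS[@]}").
quoted_style() {
  set --
  set -- "$@" "-Dsolr.kerberos.keytab=$KEYTAB"
  set -- "$@" "-Dsolr.kerberos.name.rules=$RULES"
  show_args "$@"
}

# Number of arguments the java process would receive from the given style.
arg_count() { "$1" | wc -l | tr -d ' '; }

# Value of the name-rules property as the JVM would see it.
name_rules_seen() {
  "$1" | sed -n 's/^\[-Dsolr\.kerberos\.name\.rules=\(.*\)\]$/\1/p'
}

echo "split:  $(arg_count split_style) args, rules='$(name_rules_seen split_style)'"
echo "quoted: $(arg_count quoted_style) args, rules='$(name_rules_seen quoted_style)'"
```

In the split case the second rule arrives as a separate argument and never reaches the property, so only the first rule is in effect.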
