ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nikita Ilyushkin (Jira)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-2894) Plugins cannot interact with Solr with basic auth as audit targer
Date Sun, 13 Sep 2020 23:07:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-2894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17195137#comment-17195137
] 

Nikita Ilyushkin commented on RANGER-2894:
------------------------------------------

No. Neither I wanted it in this installation nor I found requirement of Kerberos in documentation.

> Plugins cannot interact with Solr with basic auth as audit targer
> -----------------------------------------------------------------
>
>                 Key: RANGER-2894
>                 URL: https://issues.apache.org/jira/browse/RANGER-2894
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 1.1.0, 2.0.0
>            Reporter: Nikita Ilyushkin
>            Priority: Major
>
> There seems to be a problem with audit to Solr with [basic authentication|https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html].
>  With the simple Solr cloud setup with basic auth every plugin I tried (HDFS, YARN, HBase,
Hive) failed to write audit to it with the similar errors:
> {code:java}
> 2020-06-25T19:39:35,248 ERROR [hiveServer2.async.batch_hiveServer2.async.batch.solr_destWriter]
impl.CloudSolrClient: Request to collection [ranger_audits] failed due to (401) org.apache.solr.client.solrj.impl.H
> ttpSolrClient$RemoteSolrException: Error from server at http://nilyushkin-hadoop-dev-0.ru-central1.internal:8983/solr/ranger_audits_shard1_replica_n1:
Expected mime type application/octet-stream but got text/htm
> l. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 401 require authentication</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/ranger_audits_shard1_replica_n1/update. Reason:
> <pre>    require authentication</pre></p>
> </body>
> </html>
> {code}
> tcpdump confirms that no auth headers are in requests.
>  Content of ranger-<service_name>-audit.xml:
> {code:java}
>     <property>
>         <name>xasecure.audit.is.enabled</name>
>         <value>true</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr</name>
>         <value>true</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.urls</name>
>         <value>http://fqdn:8983/solr/ranger_audits</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.user</name>
>         <value>rangeraudit</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.password</name>
>         <value>admin</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.zookeepers</name>
>         <value>fqdn:2181/solr.server</value>
>     </property>
>     <property>
>         <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
>         <value>/srv/audit_solr_spool</value>
>     </property>
> {code}
> The same results with xasecure.audit.destination.solr.urls instead xasecure.audit.destination.solr.zookeepers.
> Ranger Admin on the other hand writes audit just fine with given credentials to the same
Solr.
>  Unsurprisingly, following Solr documentation (underlying solrj really) and adding:
> {code:java}
> -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory
-Dbasicauth=rangeraudit:admin
> {code}
> to the audited daemon (like HiveServer2) solves the problem.
>  I also haven't found setBasicAuthCredentials (the second method of auth solrj provides)
in the plugin sources or packages, so I assume it's just not implemented or bugged.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message