RANGER-5643: Fix docker Kerberos for Solr audit dispatcher #1016

Open: ramackri wants to merge 1 commit into master from RANGER-5643-batch

@ramackri ramackri commented Jun 14, 2026

Contributor

Fixes RANGER-5643: In Kerberos-enabled Docker, the Solr audit dispatcher fails to index audits — SPNEGO errors (LOOKING_UP_SERVER, NEGOTIATE, 401 from Solr) when the dispatcher uses the short Solr hostname.

Problem

The Solr dispatcher consumes from Kafka but cannot write to Solr. Logs show:

NEGOTIATE authentication error: ... Server not found in Kerberos database (7) - LOOKING_UP_SERVER
Error from server at http://ranger-solr:8983/solr/ranger_audits: ... 401 Unauthorized access

Solr’s HTTP service principal is HTTP/ranger-solr.rangernw@REALM, but the dispatcher was configured with http://ranger-solr:8983/.... SPNEGO requires the client target hostname to match the service principal host part.

Changes

| File | Change |
| --- | --- |
| dev-support/ranger-docker/scripts/audit-dispatcher/ranger-audit-dispatcher-solr-site.xml | xasecure.audit.destination.solr.urls → http://ranger-solr.rangernw:8983/solr/ranger_audits |
| dev-support/ranger-docker/scripts/solr/ranger-solr.sh | COOKIE_DOMAIN → ranger-solr.rangernw |
| dev-support/ranger-docker/scripts/solr/solr-security.json | kerberos.cookie.domain and cookie.domain → ranger-solr.rangernw |

Why this is sufficient for Docker

  • Solr SPNEGO: FQDN in solr.urls matches HTTP/ranger-solr.rangernw@EXAMPLE.COM
  • Solr cookies: cookie domain aligned with the same FQDN
  • Dispatcher JAAS _HOST: Docker compose already sets hostname: ranger-audit-dispatcher-solr.rangernw, which matches the keytab entry

Test plan

  • Rebuild and recreate Solr + Solr dispatcher containers:
    cd dev-support/ranger-docker
    docker compose -f docker-compose.ranger-audit-dispatcher-solr.yml build ranger-solr ranger-audit-dispatcher-solr
    docker compose -f docker-compose.ranger-audit-dispatcher-solr.yml up -d --force-recreate ranger-solr ranger-audit-dispatcher-solr
  • Confirm dispatcher logs: no LOOKING_UP_SERVER / SPNEGO / 401 on Solr update
  • Generate audit activity via ingestor; verify Solr doc count increases for the test repo/user
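
A pre-flight check for the alignment described above, as an added example that is not code from this pull request or the Ranger project: it compares the host in solr.urls and the cookie-domain values against the host part of Solr's HTTP service principal. The embedded XML/JSON samples and their layout, the comma-separated URL handling and all function names are assumptions.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

URL_KEY = "xasecure.audit.destination.solr.urls"
COOKIE_KEYS = {"kerberos.cookie.domain", "cookie.domain"}
# Constructed samples; the XML/JSON layout is an assumption, not the project's files.
SITE_XML_SHORT = f"""<configuration><property>
  <name>{URL_KEY}</name>
  <value>http://ranger-solr:8983/solr/ranger_audits</value>
</property></configuration>"""
SITE_XML_FQDN = SITE_XML_SHORT.replace("ranger-solr:", "ranger-solr.rangernw:")
SECURITY_JSON = json.dumps({"authentication": {
    "kerberos.cookie.domain": "ranger-solr.rangernw", "cookie.domain": "ranger-solr.rangernw"}})
SOLR_SPN = "HTTP/ranger-solr.rangernw@EXAMPLE.COM"

def spn_host(principal):
    """Return the host part of a service/host@REALM principal."""
    _, sep, host = principal.rsplit("@", 1)[0].partition("/")
    if not sep or not host:
        raise ValueError(f"not a host-based service principal: {principal!r}")
    return host.lower()

def solr_url_hosts(site_xml):
    """Hosts of every URL in the solr.urls value (comma-separated list assumed)."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == URL_KEY:
            value = prop.findtext("value") or ""
            return [urlsplit(u.strip()).hostname for u in value.split(",") if u.strip()]
    return []

def cookie_domains(node):
    """Yield (key, value) for cookie-domain keys at any depth of nested JSON objects."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in COOKIE_KEYS and isinstance(value, str):
                yield key, value
            else:
                yield from cookie_domains(value)

def check(site_xml, security_json, principal):
    """Return mismatches against the SPN host; an empty list means aligned."""
    want = spn_host(principal)
    hosts = solr_url_hosts(site_xml)
    problems = [] if hosts else [f"{URL_KEY} not set"]
    problems += [f"{URL_KEY} host {h!r} != SPN host {want!r}" for h in hosts if h != want]
    problems += [f"{k} {v!r} != SPN host {want!r}"
                 for k, v in cookie_domains(json.loads(security_json)) if v.lower() != want]
    return problems
```

check(SITE_XML_SHORT, SECURITY_JSON, SOLR_SPN) reports the short-hostname URL that produces LOOKING_UP_SERVER; the comparison is a plain string match and does no DNS canonicalization.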

@ramackri ramackri requested review from mneethiraj and rameeshm June 14, 2026 05:18
@ramackri ramackri force-pushed the RANGER-5643-batch branch from eb1df72 to 0dd13b3 Compare June 14, 2026 05:20
@mneethiraj

Contributor

@ramackri - this issue would be fixed by using the FQDN of the Solr server in dev-support/ranger-docker/scripts/audit-dispatcher/ranger-audit-dispatcher-solr-site.xml, as shown below:

xasecure.audit.destination.solr.urls=http://ranger-solr.rangernw:8983/solr/ranger_audits

In addition, the ranger-solr container configuration needs to be updated in the following files to replace the cookie domain from ranger-solr to ranger-solr.rangernw:

  • dev-support/ranger-docker/scripts/solr/ranger-solr.sh (search for COOKIE_DOMAIN)
  • dev-support/ranger-docker/scripts/solr/solr-security.json (search for kerberos.cookie.domain and cookie.domain)

No other changes should be needed. Please review and update.

Use Solr FQDN in dispatcher site XML for SPNEGO and align Solr
kerberos.cookie.domain with HTTP/ranger-solr.rangernw@REALM.

Co-authored-by: Cursor <cursoragent@cursor.com>
@ramackri ramackri force-pushed the RANGER-5643-batch branch from a7dd248 to 5863aa8 Compare June 14, 2026 07:49
@ramackri ramackri changed the title from "RANGER-5643: Expand _HOST in Solr dispatcher JAAS and rewrite Solr URL for Kerberos SPNEGO" to "RANGER-5643: Fix docker Kerberos for Solr audit dispatcher" Jun 14, 2026
@ramackri

ramackri commented Jun 14, 2026

Contributor Author

> @ramackri - this issue would be fixed by using the FQDN of the Solr server in dev-support/ranger-docker/scripts/audit-dispatcher/ranger-audit-dispatcher-solr-site.xml, as shown below:
>
> xasecure.audit.destination.solr.urls=http://ranger-solr.rangernw:8983/solr/ranger_audits
>
> In addition, the ranger-solr container configuration needs to be updated in the following files to replace the cookie domain from ranger-solr to ranger-solr.rangernw:
>
>   • dev-support/ranger-docker/scripts/solr/ranger-solr.sh (search for COOKIE_DOMAIN)
>   • dev-support/ranger-docker/scripts/solr/solr-security.json (search for kerberos.cookie.domain and cookie.domain)
>
> No other changes should be needed. Please review and update.

Yes @mneethiraj, reverted the Java-side change, and only those 3 file changes will be enough.
