
RANGER-5603: Docker setup updated to use Solr 9.4.1 #981

Draft
pradeepagrawal8184 wants to merge 2 commits into master from RANGER-5603_SOLR2

@pradeepagrawal8184
Contributor

What changes were proposed in this pull request?

Updates Ranger Docker dev stack for Solr 9.4.1 with Kerberos: use mounted keytabs under /etc/keytabs, policy cache under /etc/ranger, Solr 9 Kerberos/hadoop-auth wiring, and Ranger Admin Solr audit access via FQDN + JAAS (fixes SPNEGO / xaudit 401).

Changes:

- Dockerfile.ranger-solr: Default SOLR_VERSION 9.4.1 (align with .env).
- docker-compose.ranger.yml: Bind-mount audit core conf + core.properties; mount ranger-solr-security-changes.cfg from repo; SOLR_SECURITY_MANAGER_ENABLED=false for Solr 9 + Ranger.
- ranger-solr.sh: Stop copying keytabs to /var/solr/data (stale after KDC restart); use /etc/keytabs; Solr 9 SOLR_AUTH_TYPE/Hadoop Kerberos; policy cache dir; hadoop-auth module; bootstrap core.properties; pass opts into entrypoint.
- solr-jaas.conf, solr-security.json, ranger-solr-plugin-install.properties: Keytabs and policy cache paths → /etc/keytabs and /etc/ranger/dev_solr/policycache.
- ranger-admin-install-postgres.properties: Audit URL ranger-solr.rangernw (SPNEGO); empty serviceName; useTicketCache=false.

How was this patch tested?

- mvn package -Pranger-solr-plugin -DskipTests; copy *-admin.tar.gz, *-solr-plugin.tar.gz, version → dev-support/ranger-docker/dist/.
- export RANGER_DB_TYPE=postgres
- docker compose -f docker-compose.ranger.yml build && docker compose -f docker-compose.ranger.yml up -d
- Solr 9.4.1; dev_solr policies download; ranger_audits core healthy.
- Plugin audit write + Solr SPNEGO read on ranger_audits.
- Admin xaudit: curl -u admin:rangerR0cks! 'http://localhost:6080/service/xaudit/access_audit?pageSize=2&startIndex=0' → JSON with totalCount (not 401/HTML).

Contributor

Copilot AI left a comment

Pull request overview

This PR updates the Ranger Docker dev stack and related Solr plugin packaging/configuration to run against Solr 9.4.1 with Kerberos/SPNEGO, including changes to keytab/policy-cache locations and Solr 9 security module wiring.

Changes:

  • Bump Docker dev stack Solr version to 9.4.1 and adjust container entrypoint/config mounts accordingly.
  • Update Solr Kerberos/SPNEGO configuration (Solr 9 Hadoop auth plugin class, JAAS/keytab paths, audit URL FQDN).
  • Adjust Ranger Solr plugin packaging/runtime bits (assembly deps, authorizer handler null-safety, policy-cache path, enhanced Jersey validation logging).

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java | Avoids repeated handler lookup and prevents potential NPE in warning log when handler is null. |
| distro/src/main/assembly/plugin-solr.xml | Updates dependency include list for the Solr plugin assembly (adds Graal/ICU artifacts, removes some previously bundled libs). |
| dev-support/ranger-docker/scripts/solr/solr-security.json | Switches Kerberos auth plugin class to Solr 9 hadoop-auth FQCN. |
| dev-support/ranger-docker/scripts/solr/solr-ranger_audits/solrconfig.xml | Updates cache implementations to Caffeine-based caches for Solr 9. |
| dev-support/ranger-docker/scripts/solr/solr-jaas.conf | Minor cleanup (trailing whitespace removal). |
| dev-support/ranger-docker/scripts/solr/ranger-solr.sh | Updates Solr container startup to use mounted keytabs/JAAS, enable hadoop-auth module, set allowPaths, and bootstrap core.properties when needed. |
| dev-support/ranger-docker/scripts/solr/ranger-solr-plugin-install.properties | Sets policy cache path under /etc/ranger/... for the dev Solr repo. |
| dev-support/ranger-docker/scripts/solr/ranger_audits/core.properties | Adds Solr 9 core instance marker file for the ranger_audits core. |
| dev-support/ranger-docker/scripts/admin/ranger-admin-install-postgres.properties | Points Ranger Admin audit Solr URL at the Solr FQDN and updates JAAS options for SPNEGO behavior. |
| dev-support/ranger-docker/Dockerfile.ranger-solr | Updates default Solr image tag to 9.4.1 and prepares /etc/ranger ownership/dirs. |
| dev-support/ranger-docker/docker-compose.ranger.yml | Adds bind mounts for core config/core.properties, mounts updated enable template, relocates JAAS mount, and disables Solr SecurityManager by default. |
| dev-support/ranger-docker/.env | Bumps SOLR_VERSION to 9.4.1. |
| agents-common/src/main/java/org/apache/ranger/plugin/util/RangerJersey2ClientBuilder.java | Improves logging details during anti-MOXy validation (but changes validation behavior). |
Comments suppressed due to low confidence (2)

dev-support/ranger-docker/scripts/solr/ranger-solr.sh:36

  • solr.kerberos.cookie.domain is set to ranger-solr, but the rest of the stack (e.g., Solr principal and Ranger Admin audit URL) uses the FQDN ranger-solr.rangernw. With a mismatched cookie domain, SPNEGO auth cookies may be rejected by clients (leading to repeated 401s). Consider setting the cookie domain to ranger-solr.rangernw (host-only) or .rangernw (domain-wide), aligned with how Solr is accessed.
  # Use KDC-generated keytabs from the volume mount (/etc/keytabs); do not copy into
  # /var/solr/data or they go stale after KDC restart (Checksum failed on login).
  JAAS_CONFIG="-Djava.security.auth.login.config=/var/solr/data/jaas.conf"
  JAAS_APPNAME="-Dsolr.kerberos.jaas.appname=Client"
  KRB5_CONF="-Djava.security.krb5.conf=/etc/krb5.conf"
  KERBEROS_KEYTAB="-Dsolr.kerberos.keytab=/etc/keytabs/HTTP.keytab"
  KERBEROS_PRINCIPAL="-Dsolr.kerberos.principal=HTTP/ranger-solr.rangernw@EXAMPLE.COM"
  COOKIE_DOMAIN="-Dsolr.kerberos.cookie.domain=ranger-solr"

dev-support/ranger-docker/scripts/solr/solr-security.json:9

  • kerberos.cookie.domain / cookie.domain are set to ranger-solr, but the configured principal uses ranger-solr.rangernw and other services in this dev stack use the FQDN. A cookie domain that doesn’t match the host clients use can cause SPNEGO auth cookies to be rejected (leading to repeated 401s). Align these cookie domain values with the actual hostname/FQDN used to access Solr (e.g., ranger-solr.rangernw or .rangernw).
    "class":                  "org.apache.solr.security.hadoop.KerberosPlugin",
    "kerberos.principal":     "HTTP/ranger-solr.rangernw@EXAMPLE.COM",
    "kerberos.keytab":        "/etc/keytabs/HTTP.keytab",
    "kerberos.name.rules":    "RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//\nRULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT",
    "kerberos.cookie.domain": "ranger-solr",
    "cookie.domain":          "ranger-solr",
    "token.valid":            3600

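The cookie-domain mismatch raised in the two suppressed comments above can be checked mechanically. The following is an added example, not part of the pull request or of Copilot's review: it applies RFC 6265 domain matching to a constructed sample of the quoted keys. The `authentication` wrapper object and all function names are assumptions made for illustration.

```python
import json

# Constructed sample mirroring the keys quoted in the review comment above;
# the "authentication" wrapper is assumed, and this is not the project's file.
SAMPLE = json.dumps({"authentication": {
    "class": "org.apache.solr.security.hadoop.KerberosPlugin",
    "kerberos.principal": "HTTP/ranger-solr.rangernw@EXAMPLE.COM",
    "kerberos.cookie.domain": "ranger-solr",
    "cookie.domain": "ranger-solr",
}})

COOKIE_KEYS = ("kerberos.cookie.domain", "cookie.domain")


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: equal, or host ends with '.' + domain.
    A leading dot on the cookie domain is ignored. IP hosts are not handled."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    if not dom:
        return False
    return host == dom or host.endswith("." + dom)


def principal_host(principal):
    """Return the host part of a service/host@REALM Kerberos principal."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        raise ValueError("not a service principal: " + principal)
    return name.split("/", 1)[1]


def check_cookie_domains(security_json, access_host=None):
    """List (key, value) cookie-domain settings that do not match the host
    clients use; the host defaults to the one in kerberos.principal."""
    auth = json.loads(security_json).get("authentication", {})
    host = access_host or principal_host(auth["kerberos.principal"])
    return [(k, auth[k]) for k in COOKIE_KEYS
            if k in auth and not domain_matches(host, auth[k])]


if __name__ == "__main__":
    for key, value in check_cookie_domains(SAMPLE):
        print(f"MISMATCH {key}={value!r}")
```

Passing `access_host` lets the same check run against whatever hostname clients actually use, such as the audit URL host configured for Ranger Admin.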
if (!jacksonRegistered) {
LOG.error("CRITICAL: Jackson JSON provider is not registered! Default JSON processing may fail.");
isValid = false;
LOG.error("CRITICAL: Jackson JSON provider is not registered! Default JSON processing may fail. Classes={}", config.getClasses().stream().map(Class::getCanonicalName).collect(Collectors.toList()));
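Review bot: In the `if (!jacksonRegistered)` branch, `isValid = false;` should stay next to the new `LOG.error(...)` call. The rendered hunk has lost its +/- markers, so if that assignment is among the removed lines, a missing Jackson provider is still logged as CRITICAL but no longer fails validation. In the new log line, `Class::getCanonicalName` returns null for anonymous and local classes, so `Class::getName` is the safer mapper for the `Classes={}` argument, and `Collectors.toList()` needs `java.util.stream.Collectors` imported if the file does not already do so.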