[ 
https://issues.apache.org/jira/browse/KNOX-528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15724303#comment-15724303
 ] 

Larry McCay commented on KNOX-528:
----------------------------------

Hi [~mcparlandjcgi] - 

Regarding the service definition decisions in the following:

{noformat}
+<service role="SOLRAPI" name="solr" version="5.5.0">
+    <policies>
+        <policy role="webappsec"/>
+        <policy role="authentication" name="Anonymous"/>
+        <policy role="rewrite"/>
+        <policy role="authorization"/>
+    </policies>
+    <routes>
+        <route path="/solr/**/**?**">
+             <rewrite apply="SOLRAPI/solr/inbound/query" to="request.url"/>
+        </route>
+    </routes>
+     <dispatch 
classname="org.apache.hadoop.gateway.dispatch.PassAllHeadersDispatch"/>
+</service>
{noformat}
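
Review bot: `<policy role="authentication" name="Anonymous"/>` together with the `PassAllHeadersDispatch` dispatch means the gateway authenticates nothing for SOLRAPI and, going by the dispatch class name, hands all client headers through to Solr, so the `authorization` policy listed after it has no gateway-authenticated user to act on. Either record next to the policy (an XML comment in the service definition) that Solr must enforce its own authentication, or leave the provider unpinned with `<policy role="authentication"/>` so the topology decides how requests to this service are authenticated.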

can you describe why we want to require that all authentication to the solr API 
be delegated to solr itself?

I notice that you pass basic credentials to Knox in the evidence file but not 
to Solr when going direct.
I suspect that you expect Knox to authenticate using the basic credentials in 
that case.
When you actually specify the name "Anonymous" as the authentication provider 
in the above - you are indicating that Knox will allow Anonymous access to the 
service. If the service itself handles its own authentication then we will 
allow that and pass along any cookies that are set as appropriate.

That is actually what the dispatch that you defined for solr above does.
<dispatch 
classname="org.apache.hadoop.gateway.dispatch.PassAllHeadersDispatch"/>

This may be appropriate for solr, I haven't had a chance to dig into solr 
service details yet.
Many services in the Hadoop ecosystem support the notion of Trusted Proxies.
This would allow us to authenticate a request intended for Solr at the gateway 
then during dispatch we would authenticate as the trusted proxy (in this case 
as knox) and pass a doas for the authenticated user.

Does solr support trusted proxies in this way?

> Support for Apache SOLR REST APIs
> ---------------------------------
>
>                 Key: KNOX-528
>                 URL: https://issues.apache.org/jira/browse/KNOX-528
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Rick Kellogg
>            Assignee: John McParland
>             Fix For: 0.11.0
>
>         Attachments: KNOX-528.patch, KNOX-528_squashed.patch, 
> knoxSolrTestEvidence.txt, solrTestEvidence.txt
>
>
> Add Knox support for routing and securing Apache SOLR's REST APIs
> See: https://wiki.apache.org/solr/Solrj
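
An added example, not part of the original comment or of the Knox code base: a small Python check that flags a service definition combining the Anonymous authentication provider with PassAllHeadersDispatch, the combination the comment describes as leaving authentication to the backend. The function name, finding labels and the second sample definition are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the service definition quoted in the comment, diff markers removed.
# Service definitions are local, trusted config; do not feed untrusted XML to ElementTree.
SOLR_SERVICE = """<service role="SOLRAPI" name="solr" version="5.5.0">
    <policies>
        <policy role="webappsec"/>
        <policy role="authentication" name="Anonymous"/>
        <policy role="rewrite"/>
        <policy role="authorization"/>
    </policies>
    <routes>
        <route path="/solr/**/**?**">
            <rewrite apply="SOLRAPI/solr/inbound/query" to="request.url"/>
        </route>
    </routes>
    <dispatch classname="org.apache.hadoop.gateway.dispatch.PassAllHeadersDispatch"/>
</service>"""

# Constructed variant for comparison: provider name not pinned, no dispatch override.
UNPINNED_SERVICE = """<service role="SOLRAPI" name="solr" version="5.5.0">
    <policies>
        <policy role="authentication"/>
        <policy role="authorization"/>
    </policies>
</service>"""


def audit_service(xml_text):
    """Return (service role, findings) for one service definition."""
    svc = ET.fromstring(xml_text)
    findings = []
    for policy in svc.iter("policy"):
        pinned = (policy.get("name") or "").lower()
        if policy.get("role") == "authentication" and pinned == "anonymous":
            findings.append("anonymous-authentication")
    dispatch = svc.find("dispatch")
    classname = dispatch.get("classname", "") if dispatch is not None else ""
    if classname.endswith(".PassAllHeadersDispatch"):
        findings.append("pass-all-headers-dispatch")
    if len(findings) == 2:
        # Gateway does not authenticate and forwards headers: the backend is the only gate.
        findings.append("backend-must-authenticate")
    return svc.get("role"), findings


if __name__ == "__main__":
    for sample in (SOLR_SERVICE, UNPINNED_SERVICE):
        print(audit_service(sample))
```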


