[
https://issues.apache.org/jira/browse/SOLR-6915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gregory Chanan updated SOLR-6915:
---------------------------------
Attachment: SOLR-6915.patch
Here's a patch implementing the ACLProvider and a test.
Notes:
1) the MiniKdc in hadoop didn't come in until hadoop 2.3.0, so I upgraded the
dependency version
2) As the test demonstrates, you don't need to provide a CredentialsProvider to
get the sasl authentication; modifying the javax.security Configuration takes
care of that
3) ZooKeeper maintains a static collection of AuthenticationProviders. Thus,
if we don't add the SASLAuthenticationProvider to the system properties the
first time we spin up a zookeeper, we won't ever be able to use Sasl, even if
it's in a subsequent test in the same jvm. So, we now set this up in
ZkTestServer.
4) For the apache directory server dependency, I used apacheds-all, rather than
picking the individual components we need. If we picked the individual
components we'd save ~33% of the size of the jar for the complexity of
maintaining all the version, licenses/noticies/etc. I can go either way with
that.
> SaslZkACLProvider and Kerberos Test Using MiniKdc
> -------------------------------------------------
>
> Key: SOLR-6915
> URL: https://issues.apache.org/jira/browse/SOLR-6915
> Project: Solr
> Issue Type: Improvement
> Components: SolrCloud
> Reporter: Gregory Chanan
> Assignee: Gregory Chanan
> Attachments: SOLR-6915.patch
>
>
> We should provide a ZkACLProvider that requires SASL authentication. This
> provider will be useful for administration in a kerberos environment. In
> such an environment, the administrator wants solr to authenticate to
> zookeeper using SASL, since this is only way to authenticate with zookeeper
> via kerberos.
> The authorization model in such a setup can vary, e.g. you can imagine a
> scenario where solr owns (is the only writer of) the non-config znodes, but
> some set of trusted users are allowed to modify the configs. It's hard to
> predict all the possibilities here, but one model that seems generally useful
> is to have a model where solr itself owns all the znodes and all actions that
> require changing the znodes are routed to Solr APIs. That seems simple and
> reasonable as a first version.
> As for testing, I noticed while working on SOLR-6625 that we don't really
> have any infrastructure for testing kerberos integration in unit tests.
> Internally, I've been testing using kerberos-enabled VM clusters, but this
> isn't great since we won't notice any breakages until someone actually spins
> up a VM. So part of this JIRA is to provide some infrastructure for testing
> kerberos at the unit test level (using Hadoop's MiniKdc, HADOOP-9848).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
