[
https://issues.apache.org/jira/browse/SOLR-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14392112#comment-14392112
]
Gregory Chanan commented on SOLR-7274:
--------------------------------------
bq. Can we use what Cloudera does? Gregory Chanan, you might have something to
say here.
Right now we edit the web.xml. Given that is going away, I don't have an
objection to alternative configuration, whether in ZK, system props, some
combination of those, etc. What I'm not sure about is how you will make the
configuration general enough without mentioning Filters. I.e. will there be
pre-approved authentication mechanisms? Will I be able to write my own?
This discussion also seems focused on the server side. Is the client side
considered outside the scope of this jira? (i'm thinking something like
SOLR-6625, but SOLR-4470 is related).
Here's a pointer to the server-side stuff we do at Cloudera. I'm eager to
contribute (or help contribute) this as part of a new authentication module. I
just want to make sure the pluggable authentication model is general enough for
our use case.
Our web.xml:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/webapp/web/WEB-INF/web.xml
This adds two filters: HostnameFilter and SolrHadoopAuthenticationFilter.
Together these support:
- basic auth
- kerberos auth
- proxy user support (like sudo, see
https://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html)
- delegation token support (used for MR/spark related jobs: get an
authentication token at the outset and use it throughout the job lifetime so
you don't have to pass kerberos keytabs around the cluster)
The Filters:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/java/org/apache/solr/servlet/HostnameFilter.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/java/org/apache/solr/servlet/SolrHadoopAuthenticationFilter.java
-- Note this supports delegation tokens.
Some tests around the various functional pieces:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterProxyUserTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterDelegationTokenTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/HostnameFilterTest.java
> Pluggable authentication module in Solr
> ---------------------------------------
>
> Key: SOLR-7274
> URL: https://issues.apache.org/jira/browse/SOLR-7274
> Project: Solr
> Issue Type: Sub-task
> Reporter: Anshum Gupta
>
> It would be good to have Solr support different authentication protocols.
> To begin with, it'd be good to have support for kerberos and basic auth.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
