Jan Høydahl updated SOLR-9640:
    Attachment: SOLR-9640.patch

Attaching patch which works with  my limited testing

* Fix bug in SolrDispatchFilter - path {{/admin/info/key}} should always be 
open. It required authentication since we were comparing with {{getPathInfo}} 
instead of {{getServletPath}}
* Always register PKIAuthenticationPlugin in CoreContainer
* In {{PKIAuthenticationPlugin.getRemotePublicKey()}} generate URL for node 
based on {{nodeName}} when not running ZK mode

Local testing with manual sharding between two standalone nodes works, the PKI 
kicks in. Have not tested with /replication etc.

h3. Todo:
* Write a unit test
* Generating nodeName from {{host}} and {{port}} properties of CloudConfig, 
which seems a bit odd when not running cloud. Could we move these three lines 
outside the {{<solrcloud>}} tag in {{solr.xml}}?
    <str name="host">${host:}</str>
    <int name="hostPort">${jetty.port:8983}</int>
    <str name="hostContext">${hostContext:solr}</str>
* Generating urlScheme based on whether an ssl property is set, since we do not 
have access to clusterProps. Is this the best way?
urlScheme = System.getProperty("solr.jetty.keystore") == null ? "http" : 

> Support PKI authentication in standalone mode
> ---------------------------------------------
>                 Key: SOLR-9640
>                 URL: https://issues.apache.org/jira/browse/SOLR-9640
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Jan Høydahl
>         Attachments: SOLR-9640.patch
> While working with SOLR-9481 I managed to secure Solr standalone on a 
> single-node server. However, when adding 
> {{&shards=localhost:8081/solr/foo,localhost:8082/solr/foo}} to the request, I 
> get 401 error.
> To solve it we either need to add support for inter-node stuff in all the 
> plugins, but it would be sweet if the PKI stuff would work also for 
> standalone.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to