[ https://issues.apache.org/jira/browse/SOLR-9513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15725467#comment-15725467 ]

Ishan Chattopadhyaya commented on SOLR-9513:
--------------------------------------------

Sorry, it took me a while to review the patch. I think it looks good. Here are 
a few observations/suggestions:

1. In GenericHadoopAuthPlugin, Class.forName() was used for loading the client 
builder. However, we've used SolrResourceLoader.newInstance() traditionally for 
loading resources from the classpath (for reference, see CoreContainer's 
initializeAuthorizationPlugin() method).
2. GenericHadoopAuthPlugin implements HttpClientBuilderPlugin, and hence 
necessarily uses a specified client builder factory to be used for internode 
communication. This is fine in many cases; however, this removes the possibility 
of using the internal PKIAuthentication for internode communication. Consider a 
scenario where a cluster needs to be configured to use a hadoop-auth based 
authentication mechanism for user <-> solr communication, but simple PKI 
based authentication for solr <-> solr communication.
I think we should give the users the option to use default authentication for 
internal communication (PKI authentication) or to use a client builder. I think 
what can be done is to somehow make the client builder factory optional, and 
use PKI based authentication where such a parameter is not passed in. This 
might mean that we have two concrete classes: one that implements 
HttpClientBuilderPlugin, one that doesn't.
3. The Hadoop based tests tend to not work well on Windows. Unless you've tested 
on Windows and found them to be working well, I suggest let's disable them 
(TestSolrCloudWithHadoopAuthPlugin, TestDelegationWithHadoopAuth). Please see 
SOLR-9460 for reference.

> Introduce a generic authentication plugin which delegates all functionality 
> to Hadoop authentication framework
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-9513
>                 URL: https://issues.apache.org/jira/browse/SOLR-9513
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Hrishikesh Gadre
>
> Currently Solr kerberos authentication plugin delegates the core logic to 
> Hadoop authentication framework. But the configuration parameters required by 
> the Hadoop authentication framework are hardcoded in the plugin code itself. 
> https://github.com/apache/lucene-solr/blob/5b770b56d012279d334f41e4ef7fe652480fd3cf/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java#L119
> The problem with this approach is that we need to make code changes in Solr 
> to expose new capabilities added in Hadoop authentication framework. e.g. 
> HADOOP-12082
> We should implement a generic Solr authentication plugin which will accept 
> configuration parameters via security.json (in Zookeeper) and delegate them 
> to Hadoop authentication framework. This will allow us to utilize new features 
> in Hadoop without code changes in Solr.


