[
https://issues.apache.org/jira/browse/SOLR-12799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16722832#comment-16722832
]
Jan Høydahl commented on SOLR-12799:
------------------------------------
I see the new methods added for the new client.
But it looks like e.g. {{BasicAuthIntegrationTest}} explicitly creates an old
client in {{HttpClientUtil.createClient()}}? How can we make sure that this
test actually runs with HTTP2 and tests the new code paths?
So I guess that plugins wanting to override this need to override both those
methods (which is a pity).
I feel the overrides for {{BasicAuthPlugin}} have too much redundant code, we
could factor out the common part here in a new method and keep the overridden
methods 2-3 lines only:
{code:java}
@Override
protected boolean interceptInternodeRequest(HttpRequest httpRequest, HttpContext httpContext) {
  if (forwardCredentials) {
    if (httpContext instanceof HttpClientContext) {
      HttpClientContext httpClientContext = (HttpClientContext) httpContext;
      if (httpClientContext.getUserToken() instanceof BasicAuthUserPrincipal) {
        BasicAuthUserPrincipal principal = (BasicAuthUserPrincipal) httpClientContext.getUserToken();
        String userPassBase64 = Base64.encodeBase64String(
            (principal.getName() + ":" + principal.getPassword()).getBytes(StandardCharsets.UTF_8));
        httpRequest.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + userPassBase64);
        return true;
      }
    }
  }
  return false;
}

@Override
protected boolean interceptInternodeRequest(Request request) {
  if (forwardCredentials) {
    Object userToken = request.getAttributes().get(Http2SolrClient.REQ_PRINCIPAL_KEY);
    if (userToken instanceof BasicAuthUserPrincipal) {
      BasicAuthUserPrincipal principal = (BasicAuthUserPrincipal) userToken;
      String userPassBase64 = Base64.encodeBase64String(
          (principal.getName() + ":" + principal.getPassword()).getBytes(StandardCharsets.UTF_8));
      request.header(HttpHeaders.AUTHORIZATION, "Basic " + userPassBase64);
      return true;
    }
  }
  return false;
}
{code}
> Allow Authentication Plugins to easily intercept internode requests
> -------------------------------------------------------------------
>
> Key: SOLR-12799
> URL: https://issues.apache.org/jira/browse/SOLR-12799
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Fix For: master (8.0)
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Solr security framework currently allows a plugin to declare statically by
> implementing the {{HttpClientBuilderPlugin}} interface whether it will handle
> internode requests. If it implements the interface, the plugin MUST handle
> ALL internode requests, even requests originating from Solr itself. Likewise,
> if a plugin does not implement the interface, ALL requests will be
> authenticated by the built-in {{PKIAuthenticationPlugin}}.
> In some cases (such as SOLR-12121) there is a need to forward end-user
> credentials on internode requests, but let PKI handle it for solr-originated
> requests. This is currently not possible without a dirty hack where each
> plugin duplicates some PKI logic and calls PKI plugin from its own
> interceptor even if it is disabled.
> This Jira makes this use case officially supported by the framework by:
> * Letting {{PKIAuthenticationPlugin}} be always enabled. PKI will now in its
> interceptor on a per-request basis first give the authc plugin a chance to
> handle the request
> * Adding a protected method to abstract class {{AuthenticationPlugin}}
> {code:java}
> protected boolean interceptInternodeRequest(HttpRequest httpRequest,
> HttpContext httpContext)
> {code}
> that can be overridden by plugins in order to easily intercept requests
> without registering its own interceptor. Returning 'false' delegates to PKI.
> Existing Authc plugins do *not* need to change as a result of this, and they
> will work exactly as before, i.e. either handle ALL or NONE internode auth.
> New plugins choosing to *override* the new {{interceptInternodeRequest}}
> method will obtain per-request control over who will secure each request. The
> first user of this feature will be JWT token based auth in SOLR-12121.
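
The refactoring suggested in the comment above, as an added example that is not code from the Solr patch or from the commenter: the credential check and header construction live in one helper, and each client-specific method shrinks to a couple of lines. Assumptions: the {{UserPrincipal}} record stands in for {{BasicAuthUserPrincipal}}, plain maps stand in for the HttpClient and Jetty request types, {{java.util.Base64}} replaces the commons-codec call, the method names and the key string are hypothetical, and Java 16+ is required.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class InternodeBasicAuthExample {
  // Stand-in for Solr's BasicAuthUserPrincipal (assumed shape: name + password).
  record UserPrincipal(String name, String password) implements Principal {
    public String getName() { return name; }
  }

  static final String REQ_PRINCIPAL_KEY = "req-principal"; // constructed key value
  private final boolean forwardCredentials;

  InternodeBasicAuthExample(boolean forwardCredentials) {
    this.forwardCredentials = forwardCredentials;
  }

  // Common part: decide whether to forward, and build the header value once.
  // An empty result means "not handled", so the caller returns false and PKI takes over.
  Optional<String> basicHeaderFor(Object userToken) {
    if (!forwardCredentials || !(userToken instanceof UserPrincipal p)) return Optional.empty();
    byte[] userPass = (p.getName() + ":" + p.password()).getBytes(StandardCharsets.UTF_8);
    return Optional.of("Basic " + Base64.getEncoder().encodeToString(userPass));
  }

  // Old-client path: the user token comes from the HTTP context.
  boolean interceptOldClient(Map<String, String> headers, Object contextUserToken) {
    Optional<String> header = basicHeaderFor(contextUserToken);
    header.ifPresent(h -> headers.put("Authorization", h));
    return header.isPresent();
  }

  // HTTP/2 path: the user token is looked up in the request attributes.
  boolean interceptHttp2(Map<String, Object> attributes, Map<String, String> headers) {
    return interceptOldClient(headers, attributes.get(REQ_PRINCIPAL_KEY));
  }

  public static void main(String[] args) {
    InternodeBasicAuthExample plugin = new InternodeBasicAuthExample(true);
    Map<String, String> headers = new HashMap<>();
    // Constructed sample credentials for an end-user request.
    boolean handled = plugin.interceptOldClient(headers, new UserPrincipal("alice", "example-pw"));
    System.out.println("user request handled=" + handled + " headers=" + headers);
    // Solr-originated request: no principal attribute, so the plugin declines.
    System.out.println("solr request handled=" + plugin.interceptHttp2(new HashMap<>(), new HashMap<>()));
  }
}
```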