[ https://issues.apache.org/jira/browse/SOLR-13619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16882548#comment-16882548 ]

Ishan Chattopadhyaya commented on SOLR-13619:
---------------------------------------------

Internode communication also happens using Kerberos. The fix for this requires the 
original user principal to be sent along, so that authorization can be skipped 
and done on the forwarded node using the original user principal (instead of 
the Solr node's service principal).

Added a PR for this: https://github.com/apache/lucene-solr/pull/773.
This should be applied after applying the SOLR-13472 fix. This is currently for the 8x 
branch; will update for master at the time of committing.
[~noble.paul], can you please review?

> Kerberos: 403 when node doesn't host collection
> -----------------------------------------------
>
>                 Key: SOLR-13619
>                 URL: https://issues.apache.org/jira/browse/SOLR-13619
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Ishan Chattopadhyaya
>            Priority: Major
>
> This is a spin off from SOLR-13472, specifically to tackle the Kerberos case. 
> Here's the security.json to reproduce the same problem as of SOLR-13472:
> {code}
> {
>  "authentication": {"class": "org.apache.solr.security.KerberosPlugin"},
>  "authorization": {
>    "class": "solr.RuleBasedAuthorizationPlugin",
>    "permissions": [
>      {
>        "name": "read",
>        "role": "*"
>      },
>      {
>        "name": "update",
>        "role": [
>          "indexer",
>          "admin"
>        ]
>      },
>      {
>        "name": "all",
>        "role": "admin"
>      }
>    ],
>    "user-role": {
>      "HTTP/so...@example.com": "admin",
>      "HTTP/so...@example.com": "admin",
>      "cli...@example.com": "indexer"
>    }
>  }
> }
> {code}
> Here, cli...@example.com should be able to issue /update and /select requests 
> to both solr1 and solr2, but it throws 403 for the node that doesn't host the 
> collection.
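As an added illustration (not code from the PR, from Solr, or from the original post), the following Python models the rule-based authorization over the security.json quoted above and the forwarding behaviour the comment describes: the forwarding node skips its own check and the node that hosts the collection decides using the original user principal rather than the forwarding node's Kerberos service principal. The full principal names, node topology and path-to-permission mapping are constructed assumptions.

```python
from typing import Set

# Permissions and user-role map copied from the issue's security.json; the
# elided principal names are replaced with constructed placeholders.
PERMISSIONS = [
    {"name": "read", "role": "*"},
    {"name": "update", "role": ["indexer", "admin"]},
    {"name": "all", "role": "admin"},
]
USER_ROLE = {
    "HTTP/solr1.example.com@EXAMPLE.COM": "admin",  # constructed service principal
    "HTTP/solr2.example.com@EXAMPLE.COM": "admin",  # constructed service principal
    "client@EXAMPLE.COM": "indexer",                # constructed user principal
}
HOSTS = {"solr1": {"coll_a"}, "solr2": {"coll_b"}}          # constructed topology
PATH_PERMISSION = {"/select": "read", "/update": "update"}  # assumed path mapping


def roles_of(principal: str) -> Set[str]:
    role = USER_ROLE.get(principal)
    if role is None:
        return set()
    return {role} if isinstance(role, str) else set(role)


def authorize(principal: str, path: str) -> int:
    """First matching permission decides; 'all' matches every path. Returns 200/403."""
    needed = PATH_PERMISSION.get(path)
    for perm in PERMISSIONS:
        if perm["name"] not in (needed, "all"):
            continue
        allowed = perm["role"] if isinstance(perm["role"], list) else [perm["role"]]
        # "*" means any authenticated principal, as in Solr's rule-based plugin
        return 200 if "*" in allowed or roles_of(principal) & set(allowed) else 403
    return 403


def handle(node: str, principal: str, path: str, collection: str,
           forward_original_principal: bool = True) -> int:
    """Request arriving at `node`; forwarded if the node does not host `collection`.
    With the fix in the comment, the forwarding node skips its own check and sends
    the original user principal along; otherwise the remote node only sees the
    forwarding node's own Kerberos service principal when it authorizes."""
    if collection in HOSTS[node]:
        return authorize(principal, path)
    target = next(n for n, cols in HOSTS.items() if collection in cols)
    service_principal = f"HTTP/{node}.example.com@EXAMPLE.COM"
    effective = principal if forward_original_principal else service_principal
    return handle(target, effective, path, collection)
```

With the original principal forwarded, the indexer client gets the same decision on solr1 as on solr2; a principal with no role mapping is still refused /update on the remote node, whereas a decision taken on the forwarding node's admin-mapped service principal would not reflect that user's roles at all.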



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
