Re: Forwarding authentication credentials in internal node-to-node requests
I will figure it out. Essence of question was if it was there out-of-the-box. Thanks!

Regards, Per Steffensen

On 1/11/13 5:38 PM, Markus Jelsma wrote:

Hmm, you need to set up the HttpClient in HttpShardHandlerFactory but you cannot access the HttpServletRequest from there, it is only available in SolrDispatchFilter AFAIK. And then, the HttpServletRequest can only return the remote user name, not the password he, she or it provided. I don't know how to obtain the password.

-Original message-
From: Per Steffensen st...@designware.dk
Sent: Fri 11-Jan-2013 15:28
To: solr-user@lucene.apache.org
Subject: Re: Forwarding authentication credentials in internal node-to-node requests

Hmmm, it will not work for me. I want the original credential forwarded in the sub-requests. The credentials are mapped to permissions (authorization), and basically I don't want a user to be able to have something done in the (automatically performed by the contacted solr-node) sub-requests that he is not authorized to do. Forward of credentials is a must. So what you are saying is that I should expect to have to do some modifications to Solr in order to achieve what I want?

Regards, Per Steffensen

On 1/11/13 2:11 PM, Markus Jelsma wrote:

Hi,

If your credentials are fixed I would configure username:password in your request handler's shardHandlerFactory configuration section and then modify HttpShardHandlerFactory.init() to create a HttpClient with an AuthScope configured with those settings. I don't think you can obtain the original credentials very easily when inside HttpShardHandlerFactory.

Cheers

-Original message-
From: Per Steffensen st...@designware.dk
Sent: Fri 11-Jan-2013 13:07
To: solr-user@lucene.apache.org
Subject: Forwarding authentication credentials in internal node-to-node requests

Hi

I read http://wiki.apache.org/solr/SolrSecurity and know a lot about webcontainer authentication and authorization. I'm sure I will be able to set it up so that each solr-node will require HTTP authentication for (selected) incoming requests.

But solr-nodes also make requests among each other and I'm in doubt if credentials are forwarded from the original request to the internal sub-requests?

E.g. let's say that each solr-node is set up to require authentication for search request. An outside user makes a distributed request including correct username/password. Since it is a distributed search, the node which handles the original request from the user will have to make sub-requests to other solr-nodes but they also require correct credentials in order to accept this sub-request. Are the credentials from the original request duplicated to the sub-requests or what options do I have?

Same thing goes for e.g. update requests if they are sent to a node which does not run (all) the replica of the shard in which the documents to be added/updated/deleted belong. The node needs to make sub-request to other nodes, and it will require forwarding the credentials.

Does this just work out of the box, or ... ?

Regards, Per Steffensen
RE: Forwarding authentication credentials in internal node-to-node requests
Hi,

If your credentials are fixed I would configure username:password in your request handler's shardHandlerFactory configuration section and then modify HttpShardHandlerFactory.init() to create a HttpClient with an AuthScope configured with those settings. I don't think you can obtain the original credentials very easily when inside HttpShardHandlerFactory.

Cheers

-Original message-
From: Per Steffensen st...@designware.dk
Sent: Fri 11-Jan-2013 13:07
To: solr-user@lucene.apache.org
Subject: Forwarding authentication credentials in internal node-to-node requests

Hi

I read http://wiki.apache.org/solr/SolrSecurity and know a lot about webcontainer authentication and authorization. I'm sure I will be able to set it up so that each solr-node will require HTTP authentication for (selected) incoming requests.

But solr-nodes also make requests among each other and I'm in doubt if credentials are forwarded from the original request to the internal sub-requests?

E.g. let's say that each solr-node is set up to require authentication for search request. An outside user makes a distributed request including correct username/password. Since it is a distributed search, the node which handles the original request from the user will have to make sub-requests to other solr-nodes but they also require correct credentials in order to accept this sub-request. Are the credentials from the original request duplicated to the sub-requests or what options do I have?

Same thing goes for e.g. update requests if they are sent to a node which does not run (all) the replica of the shard in which the documents to be added/updated/deleted belong. The node needs to make sub-request to other nodes, and it will require forwarding the credentials.

Does this just work out of the box, or ... ?

Regards, Per Steffensen
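A sketch of the fixed-credentials approach suggested in the message above, as an added example that is not code from the thread or from Solr. It assumes Apache HttpClient 4.3 or later (4.x package names) on the classpath; the class name, host names, account name and environment variable are hypothetical. Every sub-request sent with this client authenticates as the one fixed account, not as the original caller.

```java
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class ShardClientAuthExample { // hypothetical class, not part of Solr

    // Registers the fixed credentials for each listed shard node and for no other host.
    static CredentialsProvider shardCredentials(String user, String password, String[] shardHostPorts) {
        CredentialsProvider provider = new BasicCredentialsProvider();
        Credentials creds = new UsernamePasswordCredentials(user, password);
        for (String hostPort : shardHostPorts) {
            int colon = hostPort.lastIndexOf(':');
            if (colon < 1) {
                throw new IllegalArgumentException("expected host:port, got " + hostPort);
            }
            String host = hostPort.substring(0, colon);
            int port = Integer.parseInt(hostPort.substring(colon + 1));
            // One AuthScope per node. AuthScope.ANY would instead offer the
            // password to any server that answers with an auth challenge.
            provider.setCredentials(new AuthScope(host, port), creds);
        }
        return provider;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; in a real setup these would come from the
        // shardHandlerFactory configuration section mentioned in the thread.
        String[] shards = {"solr1.example.internal:8983", "solr2.example.internal:8983"};
        String password = System.getenv().getOrDefault("SOLR_INTERNAL_PASSWORD", "constructed-demo-only");
        CredentialsProvider provider = shardCredentials("solr-internal", password, shards);

        // The provider releases credentials only when the target matches a registered scope.
        boolean offeredToShard =
                provider.getCredentials(new AuthScope("solr1.example.internal", 8983)) != null;
        boolean offeredElsewhere =
                provider.getCredentials(new AuthScope("other.example.com", 80)) != null;
        System.out.println("offered to shard node: " + offeredToShard);
        System.out.println("offered to unlisted host: " + offeredElsewhere);

        // This is the client a shard handler would use for its sub-requests.
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(provider)
                .build()) {
            System.out.println("client ready: " + (client != null));
        }
    }
}
```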
Re: Forwarding authentication credentials in internal node-to-node requests
Hmmm, it will not work for me. I want the original credential forwarded in the sub-requests. The credentials are mapped to permissions (authorization), and basically I don't want a user to be able to have something done in the (automatically performed by the contacted solr-node) sub-requests that he is not authorized to do. Forward of credentials is a must. So what you are saying is that I should expect to have to do some modifications to Solr in order to achieve what I want?

Regards, Per Steffensen

On 1/11/13 2:11 PM, Markus Jelsma wrote:

Hi,

If your credentials are fixed I would configure username:password in your request handler's shardHandlerFactory configuration section and then modify HttpShardHandlerFactory.init() to create a HttpClient with an AuthScope configured with those settings. I don't think you can obtain the original credentials very easily when inside HttpShardHandlerFactory.

Cheers

-Original message-
From: Per Steffensen st...@designware.dk
Sent: Fri 11-Jan-2013 13:07
To: solr-user@lucene.apache.org
Subject: Forwarding authentication credentials in internal node-to-node requests

Hi

I read http://wiki.apache.org/solr/SolrSecurity and know a lot about webcontainer authentication and authorization. I'm sure I will be able to set it up so that each solr-node will require HTTP authentication for (selected) incoming requests.

But solr-nodes also make requests among each other and I'm in doubt if credentials are forwarded from the original request to the internal sub-requests?

E.g. let's say that each solr-node is set up to require authentication for search request. An outside user makes a distributed request including correct username/password. Since it is a distributed search, the node which handles the original request from the user will have to make sub-requests to other solr-nodes but they also require correct credentials in order to accept this sub-request. Are the credentials from the original request duplicated to the sub-requests or what options do I have?

Same thing goes for e.g. update requests if they are sent to a node which does not run (all) the replica of the shard in which the documents to be added/updated/deleted belong. The node needs to make sub-request to other nodes, and it will require forwarding the credentials.

Does this just work out of the box, or ... ?

Regards, Per Steffensen
RE: Forwarding authentication credentials in internal node-to-node requests
Hmm, you need to set up the HttpClient in HttpShardHandlerFactory but you cannot access the HttpServletRequest from there, it is only available in SolrDispatchFilter AFAIK. And then, the HttpServletRequest can only return the remote user name, not the password he, she or it provided. I don't know how to obtain the password.

-Original message-
From: Per Steffensen st...@designware.dk
Sent: Fri 11-Jan-2013 15:28
To: solr-user@lucene.apache.org
Subject: Re: Forwarding authentication credentials in internal node-to-node requests

Hmmm, it will not work for me. I want the original credential forwarded in the sub-requests. The credentials are mapped to permissions (authorization), and basically I don't want a user to be able to have something done in the (automatically performed by the contacted solr-node) sub-requests that he is not authorized to do. Forward of credentials is a must. So what you are saying is that I should expect to have to do some modifications to Solr in order to achieve what I want?

Regards, Per Steffensen

On 1/11/13 2:11 PM, Markus Jelsma wrote:

Hi,

If your credentials are fixed I would configure username:password in your request handler's shardHandlerFactory configuration section and then modify HttpShardHandlerFactory.init() to create a HttpClient with an AuthScope configured with those settings. I don't think you can obtain the original credentials very easily when inside HttpShardHandlerFactory.

Cheers

-Original message-
From: Per Steffensen st...@designware.dk
Sent: Fri 11-Jan-2013 13:07
To: solr-user@lucene.apache.org
Subject: Forwarding authentication credentials in internal node-to-node requests

Hi

I read http://wiki.apache.org/solr/SolrSecurity and know a lot about webcontainer authentication and authorization. I'm sure I will be able to set it up so that each solr-node will require HTTP authentication for (selected) incoming requests.

But solr-nodes also make requests among each other and I'm in doubt if credentials are forwarded from the original request to the internal sub-requests?

E.g. let's say that each solr-node is set up to require authentication for search request. An outside user makes a distributed request including correct username/password. Since it is a distributed search, the node which handles the original request from the user will have to make sub-requests to other solr-nodes but they also require correct credentials in order to accept this sub-request. Are the credentials from the original request duplicated to the sub-requests or what options do I have?

Same thing goes for e.g. update requests if they are sent to a node which does not run (all) the replica of the shard in which the documents to be added/updated/deleted belong. The node needs to make sub-request to other nodes, and it will require forwarding the credentials.

Does this just work out of the box, or ... ?

Regards, Per Steffensen