We are using Solr's Kerberos authentication plugin and we are trying to
implement field-level filtering based on the authenticated user and a
DocTransformer class:

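import org.apache.solr.common.SolrDocument;
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.transform.DocTransformer;
import org.apache.solr.response.transform.TransformerFactory;

public class FieldAclTransformerFactory extends TransformerFactory {
        @Override
        public DocTransformer create(String field, SolrParams params, SolrQueryRequest req) {
                // name of the principal the authentication plugin attached to this request
                String user = req.getUserPrincipal().getName();
                return new FieldAclTransformer(user);
        }
}
//****************************************************
public class FieldAclTransformer extends DocTransformer {
        String user;
        public FieldAclTransformer(String user) {
                this.user = user;
        }

        @Override
        public String getName() {
                // required by DocTransformer; placeholder name, not from the original post
                return "fieldAcl";
        }

        @Override
        public void transform(SolrDocument doc, int docid, float score) {
                // filter fields according to applicative logic, based on the authenticated user.
        }
}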

For simplicity, we do not use an authorization plugin (here is our complete
security.json file):
{
        "authentication":{
                "class": "org.apache.solr.security.KerberosPlugin"
        }
}

During the development phase the plugin was tested against a collection with a
single shard and everything worked as expected (Solr 8.3.1).
After moving to production, the plugin failed. During debugging we saw that the
reason is that SOME shards were getting an incorrect user from
req.getUserPrincipal().getName(): instead of the ORIGINAL user, Solr's SPN
is returned.
Our best guess is that the failing requests are the distributed requests (the
requests that are routed from the node that received the original request),
and indeed, if we add `distrib=false` to our request, the plugin wasn't failing.

So, back to the question... is this a bug in Solr, or is that just not the way
we are supposed to get the authenticated user?
Thanks.



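An added example, not code from the original post or from the Solr project: a fail-closed variant of the factory in the post that refuses to build the ACL transformer when the request carries no principal or carries what looks like a node's service principal, which is the case described for the distributed sub-requests. The `HTTP/` prefix is an assumed placeholder for the deployment's node SPNs, the class and helper names are hypothetical, and `FieldAclTransformer` is the class from the post.

```java
import java.security.Principal;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.SolrException.ErrorCode;
import org.apache.solr.common.params.ShardParams;
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.transform.DocTransformer;
import org.apache.solr.response.transform.TransformerFactory;

public class FailClosedFieldAclTransformerFactory extends TransformerFactory {
    // Assumption: node service principals look like "HTTP/<host>@<REALM>".
    // Placeholder value; replace with the SPN pattern of your own deployment.
    static final String NODE_SPN_PREFIX = "HTTP/";

    /** Returns the end-user name to run ACL logic for, or throws instead of guessing. */
    static String resolveAclUser(Principal principal, boolean shardRequest) {
        if (principal == null || principal.getName() == null
                || principal.getName().isEmpty()) {
            throw new SolrException(ErrorCode.UNAUTHORIZED,
                "No authenticated principal on request");
        }
        String name = principal.getName();
        if (name.startsWith(NODE_SPN_PREFIX)) {
            // The caller is a Solr node, not the end user: never filter fields
            // (or skip filtering) on the strength of the node's own identity.
            throw new SolrException(ErrorCode.FORBIDDEN,
                "Field ACL cannot be evaluated for a node principal"
                    + (shardRequest ? " on a shard sub-request" : ""));
        }
        return name;
    }

    @Override
    public DocTransformer create(String field, SolrParams params,
                                 SolrQueryRequest req) {
        // isShard=true marks a sub-request sent by another node
        // while it executes a distributed search.
        boolean shardRequest = req.getParams().getBool(ShardParams.IS_SHARD, false);
        String user = resolveAclUser(req.getUserPrincipal(), shardRequest);
        return new FieldAclTransformer(user); // class from the post above
    }
}
```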