We are using Solr's Kerberos authentication plugin and we are trying to implement field-level filtering based on the authenticated user and the DocTransformer class:

    import org.apache.solr.common.SolrDocument;
    import org.apache.solr.common.params.SolrParams;
    import org.apache.solr.request.SolrQueryRequest;
    import org.apache.solr.response.transform.DocTransformer;
    import org.apache.solr.response.transform.TransformerFactory;

    public class FieldAclTransformerFactory extends TransformerFactory {
        @Override
        public DocTransformer create(String field, SolrParams params, SolrQueryRequest req) {
            // Name of the principal attached to this request by the authentication plugin.
            String user = req.getUserPrincipal().getName();
            return new FieldAclTransformer(user);
        }
    }

    //****************************************************

    public class FieldAclTransformer extends DocTransformer {
        String user;

        public FieldAclTransformer(String user) {
            this.user = user;
        }

        @Override
        public void transform(SolrDocument doc, int docid, float score) {
            // filter fields according to applicative logic, based on the authenticated user.
        }
    }

For simplicity, we do not use an authorization plugin (here is our complete security.json file):

    {
      "authentication": {
        "class": "org.apache.solr.security.KerberosPlugin"
      }
    }

During the development phase, the plugin was tested against a collection with a single shard and everything worked as expected (Solr 8.3.1). After moving to production, the plugin failed. During debugging we saw that the reason is that SOME shards were getting an incorrect user from `req.getUserPrincipal().getName()`: instead of the ORIGINAL user, Solr's SPN is returned.

Our best guess is that the failing requests are the distributed requests (the requests that are routed from the node that received the original request), and indeed, if we add `distrib=false` to our request, the plugin wasn't failing.

So, back to the question... is this a bug in Solr, or is that just not the way we are supposed to get the authenticated user?

Thanks.

--
Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html