Hmmm, it will not work for me. I want the "original" credential forwarded in the sub-requests. The credentials are mapped to permissions (authorization), and basically I don't want a user to be able to have something done in the (automatically performed by the contacted solr-node) sub-requests that he is not authorized to do. Forward of credentials is a must. So what you are saying is that I should expect to have to do some modifications to Solr in order to achieve what I want?

Regards, Per Steffensen

On 1/11/13 2:11 PM, Markus Jelsma wrote:
Hi,

If your credentials are fixed I would configure username:password in your 
request handler's shardHandlerFactory configuration section and then modify 
HttpShardHandlerFactory.init() to create a HttpClient with an AuthScope 
configured with those settings.

I don't think you can obtain the original credentials very easily when inside 
HttpShardHandlerFactory.

Cheers
-----Original message-----
From: Per Steffensen <st...@designware.dk>
Sent: Fri 11-Jan-2013 13:07
To: solr-user@lucene.apache.org
Subject: Forwarding authentication credentials in internal node-to-node requests

Hi

I read http://wiki.apache.org/solr/SolrSecurity and know a lot about
webcontainer authentication and authorization. I'm sure I will be able to
set it up so that each solr-node will require HTTP authentication for
(selected) incoming requests.

But solr-nodes also make requests among each other and I'm in doubt if
credentials are forwarded from the "original request" to the internal
sub-requests?
E.g. let's say that each solr-node is set up to require authentication
for search request. An "outside" user makes a distributed request
including correct username/password. Since it is a distributed search,
the node which handles the original request from the user will have to
make sub-requests to other solr-nodes but they also require correct
credentials in order to accept this sub-request. Are the credentials
from the original request duplicated to the sub-requests or what options
do I have?
Same thing goes for e.g. update requests if they are sent to a node
which does not run (all) the replica of the shard in which the documents
to be added/updated/deleted belong. The node needs to make sub-requests
to other nodes, and it will require forwarding the credentials.

Does this just work out of the box, or ... ?

Regards, Per Steffensen
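
The fixed-credentials approach Markus Jelsma describes in the thread above, sketched with Apache HttpClient 4.x classes as an added example that is not part of any message in the thread and is not Solr's own code. The class name, node host names and the account are assumptions made for illustration; sub-requests sent this way run as that one service account, so the original caller's credentials are not forwarded.

```java
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.DefaultHttpClient;

public class ShardClientAuthExample {

    // Hypothetical shard nodes (host, port); constructed values for this example.
    static final String[][] SHARD_NODES = { {"solr1.example", "8983"}, {"solr2.example", "8983"} };

    /** Registers one fixed service account, scoped to the known shard nodes only. */
    static CredentialsProvider shardCredentials(String user, String password) {
        CredentialsProvider provider = new BasicCredentialsProvider();
        Credentials creds = new UsernamePasswordCredentials(user, password);
        for (String[] node : SHARD_NODES) {
            // A host:port scope instead of AuthScope.ANY, so the password is never
            // offered to a host that is not one of our own nodes.
            provider.setCredentials(new AuthScope(node[0], Integer.parseInt(node[1])), creds);
        }
        return provider;
    }

    /** The kind of client a modified HttpShardHandlerFactory.init() could build. */
    static HttpClient newShardClient(CredentialsProvider provider) {
        DefaultHttpClient client = new DefaultHttpClient();
        client.setCredentialsProvider(provider);
        return client;
    }

    public static void main(String[] args) {
        // Constructed sample account; a real one would be read from the
        // shardHandlerFactory section of the request handler configuration.
        CredentialsProvider provider = shardCredentials("solr-internal", "change-me");
        HttpClient client = newShardClient(provider);
        // Credentials resolve for a registered node and not for any other host.
        System.out.println(provider.getCredentials(new AuthScope("solr2.example", 8983)) != null);
        System.out.println(provider.getCredentials(new AuthScope("other.example", 8983)) != null);
        client.getConnectionManager().shutdown();
    }
}
```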

