Hi Knox community,
We'd like to use Knox (0.11 currently) to expose the Solr API outside our main
Hadoop cluster. We currently have it configured so that Knox verifies basic
authentication credentials, and then allows the HTTP request to be proxied
through to Solr.
I see we can restrict this, on a per-service basis, to particular groups, as
per:
<param>
<name>SOLRAPI.acl</name>
<value>*;usergroup1;*</value>
</param>
Is there a way to configure Knox such that it only allows access to the correct
'collection' for a particular 'user group'? Knox can discover the 'user group'
via an LDAP query, I believe. The 'collection name' is just part of the URL.
https://github.com/apache/knox/blob/5dac768d2ed2ad051724b998db5a7a1f39a599b0/gateway-service-definitions/src/main/resources/services/solr/5.5.0/rewrite.xml#L20
<rule dir="IN" name="SOLRAPI/solr/inbound/query"
pattern="*://*:*/**/solr/{collection=**}/{query=**}?{**}">
<rewrite
template="{$serviceUrl[SOLRAPI]}/{collection=**}/{query=**}?{**}"/>
</rule>
I thought about some ways to do this, but none seem successful:
* A different 'topology' for each user group. This doesn’t work because the
service doesn't include the collection name, so I can't vary the collection
name on a per-topology basis:
<service>
<role>SOLRAPI</role>
<url>http://solr-server:8000/solr</url>
</service>
* Looking for a 'url filtering' feature in Knox
* Creating more 'services', one per user-group, so then I can use
SOLRAPIGROUP1.acl, SOLRAPIGROUP2.acl, etc. This doesn't work as the service
definition doesn't include the collection name. However; if I'm creating new
services, then maybe I can customise the rewrite.xml so that more of the URL
comes from the service/url configuration. This might be my best option?
Many thanks for pointers,
Nick
--
Nick Piper | Open Source SME | Defence
CGI IT UK Limited. A CGI Group Inc. Company
Registered Office 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.
Registered in England & Wales - Number 947968
