Hi Nick - Using the typical layered approach to security, we only provide service level authorization capabilities at the gateway. The finer grained access controls are generally done much close to the resource itself. I'm not sure whether there is a Ranger integration for Solr or not but that would be good place to look.
Alternatively, you could consider building a custom authorization provider to plugin. It would need to include a URL matcher string and service and maybe just a comma separated list of group names. Like Java EE authorization semantics. The existing AclsAuthz provider should be able to be used as an example for getting to the groups and to the current service name. As well as loading the URL matcher strings into a mapping of matchers to group lists. Note however that I generally avoid this level of access checks at the gateway because there are often other paths to the same resource. Most notably from CLIs on a gateway node or from mapreduce jobs inside the cluster. Hope that is helpful. --larry On Tue, May 23, 2017 at 10:00 AM, Piper, Nick <[email protected]> wrote: > Hi Knox community, > > We'd like to use Knox (0.11 currently) to expose the Solr API outside our > main Hadoop cluster. We currently have it configured so that Knox verifies > basic authentication credentials, and then allows the HTTP request to be > proxied through to Solr. > > I see we can restrict this, on a per-service basis, to particular groups, > as per: > > <param> > <name>SOLRAPI.acl</name> > <value>*;usergroup1;*</value> > </param> > > Is there a way to configure Knox such that it only allows access to the > correct 'collection' for a particular 'user group'? Knox can discover the > 'user group' via an LDAP query, I believe. The 'collection name' is just > part of the URL. > > https://github.com/apache/knox/blob/5dac768d2ed2ad051724b998db5a7a > 1f39a599b0/gateway-service-definitions/src/main/ > resources/services/solr/5.5.0/rewrite.xml#L20 > > <rule dir="IN" name="SOLRAPI/solr/inbound/query" > pattern="*://*:*/**/solr/{collection=**}/{query=**}?{**}"> > <rewrite template="{$serviceUrl[SOLRAPI]}/{collection=**}/{ > query=**}?{**}"/> > </rule> > > I thought about some ways to do this, but none seem successful: > > * A different 'topology' for each user group. This doesn’t work because > the service doesn't include the collection name, so I can't vary the > collection name on a per-topology basis: > > <service> > <role>SOLRAPI</role> > <url>http://solr-server:8000/solr</url> > </service> > > * Looking for a 'url filtering' feature in Knox > * Creating more 'services', one per user-group, so then I can use > SOLRAPIGROUP1.acl, SOLRAPIGROUP2.acl, etc. This doesn't work as the service > definition doesn't include the collection name. However; if I'm creating > new services, then maybe I can customise the rewrite.xml so that more of > the URL comes from the service/url configuration. This might be my best > option? > > Many thanks for pointers, > > Nick > > -- > Nick Piper | Open Source SME | Defence > CGI IT UK Limited. A CGI Group Inc. Company > Registered Office 250 Brook Drive, Green Park, Reading RG2 6UA, United > Kingdom. Registered in England & Wales - Number 947968 > > > >
