lucene-dev mailing list archives

From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-7274) Pluggable authentication module in Solr
Date Thu, 02 Apr 2015 04:19:53 GMT

    [ https://issues.apache.org/jira/browse/SOLR-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14392112#comment-14392112 ]

Gregory Chanan commented on SOLR-7274:
--------------------------------------

> Can we use what Cloudera does? Gregory Chanan, you might have something to say here.

Right now we edit the web.xml. Given that is going away, I don't have an objection to alternative
configuration, whether in ZK, system props, some combination of those, etc. What I'm not
sure about is how you will make the configuration general enough without mentioning Filters.
I.e. will there be pre-approved authentication mechanisms? Will I be able to write my own?

This discussion also seems focused on the server side. Is the client side considered outside
the scope of this JIRA? (I'm thinking something like SOLR-6625, but SOLR-4470 is related.)

Here's a pointer to the server-side stuff we do at Cloudera. I'm eager to contribute (or
help contribute) this as part of a new authentication module. I just want to make sure the
pluggable authentication model is general enough for our use case.

Our web.xml:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/webapp/web/WEB-INF/web.xml
This adds two filters: HostnameFilter and SolrHadoopAuthenticationFilter. Together these
support:
- basic auth
- Kerberos auth
- proxy user support (like sudo, see https://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html)
- delegation token support (used for MR/Spark related jobs: get an authentication token at
the outset and use it throughout the job lifetime so you don't have to pass Kerberos keytabs
around the cluster)

The Filters:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/java/org/apache/solr/servlet/HostnameFilter.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/java/org/apache/solr/servlet/SolrHadoopAuthenticationFilter.java
-- Note this supports delegation tokens.

Some tests around the various functional pieces:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterProxyUserTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterDelegationTokenTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/HostnameFilterTest.java

> Pluggable authentication module in Solr
> ---------------------------------------
>
>                 Key: SOLR-7274
>                 URL: https://issues.apache.org/jira/browse/SOLR-7274
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Anshum Gupta
>
> It would be good to have Solr support different authentication protocols.
> To begin with, it'd be good to have support for kerberos and basic auth.


