lucene-dev mailing list archives

From Jan Høydahl (JIRA) <>
Subject [jira] [Updated] (SOLR-9640) Support PKI authentication in standalone mode
Date Thu, 13 Oct 2016 14:40:20 GMT


Jan Høydahl updated SOLR-9640:
    Attachment: SOLR-9640.patch

Attaching patch which works with my limited testing.

* Fix bug in SolrDispatchFilter - path {{/admin/info/key}} should always be open. It required
authentication since we were comparing with {{getPathInfo}} instead of {{getServletPath}}
* Always register PKIAuthenticationPlugin in CoreContainer
* In {{PKIAuthenticationPlugin.getRemotePublicKey()}} generate URL for node based on {{nodeName}}
when not running ZK mode

Local testing with manual sharding between two standalone nodes works, the PKI kicks in. Have
not tested with /replication etc.

h3. Todo:
* Write a unit test
* Generating nodeName from {{host}} and {{port}} properties of CloudConfig, which seems a
bit odd when not running cloud. Could we move these three lines outside the {{<solrcloud>}}
tag in {{solr.xml}}?
    <str name="host">${host:}</str>
    <int name="hostPort">${jetty.port:8983}</int>
    <str name="hostContext">${hostContext:solr}</str>
* Generating urlScheme based on whether an ssl property is set, since we do not have access
to clusterProps. Is this the best way?
urlScheme = System.getProperty("solr.jetty.keystore") == null ? "http" : "https";

> Support PKI authentication in standalone mode
> ---------------------------------------------
>                 Key: SOLR-9640
>                 URL:
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Jan Høydahl
>         Attachments: SOLR-9640.patch
> While working with SOLR-9481 I managed to secure Solr standalone on a single-node server.
> However, when adding {{&shards=localhost:8081/solr/foo,localhost:8082/solr/foo}} to the
> request, I get 401 error.
> To solve it we either need to add support for inter-node stuff in all the plugins, but
> it would be sweet if the PKI stuff would work also for standalone.

This message was sent by Atlassian JIRA
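
Why a path exemption keyed on {{getPathInfo}} can miss while {{getServletPath}} matches, shown as an added example (not code from the patch or from Solr): a simplified model of the Servlet specification's mapping rules applied to {{/admin/info/key}}. The class, helper names and mapping lists are hypothetical, and which mapping a given deployment actually hits is an assumption.

```java
import java.util.List;

public class ServletPathDemo {
    /** The pair a container exposes via getServletPath() / getPathInfo(). */
    record Paths(String servletPath, String pathInfo) {}

    static final String KEY_PATH = "/admin/info/key";

    // Simplified Servlet-spec resolution: exact match, then longest
    // path-prefix pattern ("/x/*"), then extension/default mapping.
    static Paths resolve(List<String> patterns, String path) {
        if (patterns.contains(path)) return new Paths(path, null);
        String best = null;
        for (String p : patterns) {
            if (!p.endsWith("/*")) continue;
            String prefix = p.substring(0, p.length() - 2);
            boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
            if (hit && (best == null || prefix.length() > best.length())) best = prefix;
        }
        if (best != null) {
            String rest = path.substring(best.length());
            return new Paths(best, rest.isEmpty() ? null : rest);
        }
        // Extension ("*.x") and default ("/") mappings: whole path is the
        // servlet path and pathInfo is null.
        return new Paths(path, null);
    }

    // The two candidate "is this the always-open key endpoint?" checks.
    static boolean openByPathInfo(Paths p)    { return KEY_PATH.equals(p.pathInfo()); }
    static boolean openByServletPath(Paths p) { return KEY_PATH.equals(p.servletPath()); }

    public static void main(String[] args) {
        // Constructed mapping sets: default servlet only, and a catch-all servlet.
        for (List<String> mappings : List.of(List.of("/"), List.of("/*"))) {
            Paths p = resolve(mappings, KEY_PATH);
            System.out.printf("mappings=%s servletPath=%s pathInfo=%s "
                    + "openByPathInfo=%b openByServletPath=%b%n",
                    mappings, p.servletPath(), p.pathInfo(),
                    openByPathInfo(p), openByServletPath(p));
        }
    }
}
```

Under the default mapping the whole path arrives as the servlet path and {{getPathInfo}} is null, so a check written against {{getPathInfo}} never exempts the key endpoint; under a catch-all mapping the roles are reversed, which is why such an exemption should be tested against the deployment's real mapping.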
