From solr-user-return-77394-apmail-lucene-solr-user-archive=lucene.apache.org@lucene.apache.org Fri Jan 11 13:04:36 2013 Return-Path: X-Original-To: apmail-lucene-solr-user-archive@minotaur.apache.org Delivered-To: apmail-lucene-solr-user-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 9F647EC90 for ; Fri, 11 Jan 2013 13:04:36 +0000 (UTC) Received: (qmail 38986 invoked by uid 500); 11 Jan 2013 13:04:33 -0000 Delivered-To: apmail-lucene-solr-user-archive@lucene.apache.org Received: (qmail 38940 invoked by uid 500); 11 Jan 2013 13:04:32 -0000 Mailing-List: contact solr-user-help@lucene.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: solr-user@lucene.apache.org Delivered-To: mailing list solr-user@lucene.apache.org Received: (qmail 38932 invoked by uid 99); 11 Jan 2013 13:04:32 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 11 Jan 2013 13:04:32 +0000 X-ASF-Spam-Status: No, hits=0.0 required=5.0 tests=MIME_QP_LONG_LINE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: local policy) Received: from [178.21.113.82] (HELO mail.openindex.io) (178.21.113.82) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 11 Jan 2013 13:04:26 +0000 Received: from localhost (localhost [127.0.0.1]) by mail.openindex.io (Postfix) with ESMTP id 1585DFC002 for ; Fri, 11 Jan 2013 13:11:13 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at mail.openindex.io Received: from mail.openindex.io ([127.0.0.1]) by localhost (mail.openindex.io [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vdu+bcqdUoh7 for ; Fri, 11 Jan 2013 13:11:11 +0000 (UTC) Received: from mail.openindex.io (localhost [127.0.0.1]) by mail.openindex.io (Postfix) with ESMTP id CBFCBFC001 for ; Fri, 11 Jan 2013 13:11:11 +0000 (UTC) Subject: RE: Forwarding authentication credentials in internal node-to-node requests From: =?utf-8?Q?Markus_Jelsma?= To: =?utf-8?Q?solr-user=40lucene=2Eapache=2Eorg?= Date: Fri, 11 Jan 2013 13:11:11 +0000 Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable In-Reply-To: <50EFFEB2.10605@designware.dk> References: <50EFFEB2.10605@designware.dk> X-Priority: 3 (Normal) X-Mailer: Zarafa 7.0.7-34256 Message-Id: X-Virus-Checked: Checked by ClamAV on apache.org Hi, If your credentials are fixed i would configure username:password in your request handler's shardHandlerFactory configuration section and then modify HttpShardHandlerFactory.init() to create a HttpClient with an AuthScope configured with those settings. I don't think you can obtain the original credentials very easy when inside HttpShardHandlerFactory. Cheers=20 =20 -----Original message----- > From:Per Steffensen > Sent: Fri 11-Jan-2013 13:07 > To: solr-user@lucene.apache.org > Subject: Forwarding authentication credentials in internal node-to-node requests >=20 > Hi >=20 > I read http://wiki.apache.org/solr/SolrSecurity and know a lot about=20 > webcontainer authentication and authorization. Im sure I will be able to=20 > set it up so that each solr-node is will require HTTP authentication for=20 > (selected) incoming requests. >=20 > But solr-nodes also make requests among each other and Im in doubt if=20 > credentials are forwarded from the "original request" to the internal=20 > sub-requests=3F > E.g. lets say that each solr-node is set up to require authentication=20 > for search request. An "outside" user makes a distributed request=20 > including correct username/password. Since it is a distributed search,=20 > the node which handles the original request from the user will have to=20 > make sub-requests to other solr-nodes but they also require correct=20 > credentials in order to accept this sub-request. Are the credentials=20 > from the original request duplicated to the sub-requests or what options=20 > do I have=3F > Same thing goes for e.g. update requests if they are sent to a node=20 > which does not run (all) the replica of the shard in which the documents=20 > to be added/updated/deleted belong. The node needs to make sub-request=20 > to other nodes, and it will require forwarding the credentials. >=20 > Does this just work out of the box, or ... =3F >=20 > Regards, Per Steffensen >=20