Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2019/07/11 00:52:00 UTC

[jira] [Commented] (SOLR-13619) Kerberos: 403 when node doesn't host collection

    [ https://issues.apache.org/jira/browse/SOLR-13619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16882548#comment-16882548 ] 

Ishan Chattopadhyaya commented on SOLR-13619:
---------------------------------------------

Internode communication also happens using Kerberos. The fix for this requires the original user principal to be sent along, so that authorization can be skipped and done on the forwarded node using the original user principal (instead of the Solr node's service principal).

Added a PR for this: https://github.com/apache/lucene-solr/pull/773.
This should be applied after applying the SOLR-13472 fix. This is currently for the 8x branch; will update for master at the time of committing.
[~noble.paul], can you please review?

> Kerberos: 403 when node doesn't host collection
> -----------------------------------------------
>
>                 Key: SOLR-13619
>                 URL: https://issues.apache.org/jira/browse/SOLR-13619
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Ishan Chattopadhyaya
>            Priority: Major
>
> This is a spin off from SOLR-13472, specifically to tackle the Kerberos case. Here's the security.json to reproduce the same problem as of SOLR-13472:
> {code}
> {
>  "authentication": {"class": "org.apache.solr.security.KerberosPlugin"},
>  "authorization": {
>    "class": "solr.RuleBasedAuthorizationPlugin",
>    "permissions": [
>      {
>        "name": "read",
>        "role": "*"
>      },
>      {
>        "name": "update",
>        "role": [
>          "indexer",
>          "admin"
>        ]
>      },
>      {
>        "name": "all",
>        "role": "admin"
>      }
>    ],
>    "user-role": {
>      "HTTP/solr1@EXAMPLE.COM": "admin",
>      "HTTP/solr2@EXAMPLE.COM": "admin",
>      "client@EXAMPLE.COM": "indexer"
>    }
>  }
> }
> {code}
> Here, client@EXAMPLE.COM should be able to issue /update and /select requests to both solr1 and solr2, but it throws 403 for the node that doesn't host the collection.
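
The fix idea from the comment (send the original user principal along and authorize on the node hosting the collection as that user, not as the forwarding node's service principal), as an added example that is not part of the issue, the linked PR or Solr itself: a Python model of the quoted security.json rules. The forwarded-principal header name, the trusted-node set and guest@EXAMPLE.COM are assumptions; Solr's predefined permissions are reduced to a few paths.

```python
# Constructed model of the security.json quoted in SOLR-13619. Not Solr's
# implementation: FORWARDED_HEADER, NODE_PRINCIPALS and guest@EXAMPLE.COM are
# assumptions made for the example.
PERMISSIONS = [  # rules are evaluated in order; the first matching rule decides
    {"name": "read", "role": "*"},
    {"name": "update", "role": ["indexer", "admin"]},
    {"name": "all", "role": "admin"},
]
USER_ROLES = {
    "HTTP/solr1@EXAMPLE.COM": "admin",
    "HTTP/solr2@EXAMPLE.COM": "admin",
    "client@EXAMPLE.COM": "indexer",
}
# Service principals whose forwarded-principal claim is trusted (assumption).
NODE_PRINCIPALS = {"HTTP/solr1@EXAMPLE.COM", "HTTP/solr2@EXAMPLE.COM"}
# Paths covered by each predefined permission name (subset; None = every path).
PERMISSION_PATHS = {"read": {"/select", "/get"}, "update": {"/update"}, "all": None}
FORWARDED_HEADER = "X-Original-Principal"  # hypothetical header name


def roles_of(principal):
    """Roles the user-role map grants to a principal (value may be str or list)."""
    roles = USER_ROLES.get(principal)
    return {roles} if isinstance(roles, str) else set(roles or [])


def authorize(principal, path):
    """Return 200 if the first rule covering `path` admits the principal, else 403."""
    for perm in PERMISSIONS:
        paths = PERMISSION_PATHS[perm["name"]]
        if paths is not None and path not in paths:
            continue  # this rule does not cover the request path
        allowed = perm["role"]
        allowed = {allowed} if isinstance(allowed, str) else set(allowed)
        if "*" in allowed:  # "*" admits any authenticated principal
            return 200 if principal else 403
        return 200 if roles_of(principal) & allowed else 403
    return 403  # no rule matched: deny


def handle_on_target_node(caller_principal, path, headers=None):
    """Authorize a request received by the node that hosts the collection.

    The forwarded original principal is honoured only when the connection was
    itself authenticated as a known Solr node; any other caller presenting the
    header is authorized as themselves, so the header cannot be used to borrow
    another identity. Without the forwarded principal the request would be
    authorized as the node's service principal, which is admin here."""
    forwarded = (headers or {}).get(FORWARDED_HEADER)
    trusted = forwarded and caller_principal in NODE_PRINCIPALS
    return authorize(forwarded if trusted else caller_principal, path)
```

With this model, a request forwarded by solr1 on behalf of a principal that has no update role is denied on the target node, whereas authorizing as solr1's admin service principal would have let it through.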



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)