You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2018/10/03 14:34:00 UTC
[jira] [Commented] (SOLR-12799) Allow Authentication Plugins to
easily intercept internode requests
[ https://issues.apache.org/jira/browse/SOLR-12799?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16637035#comment-16637035 ]
Jan Høydahl commented on SOLR-12799:
------------------------------------
See the first PR at [GitHub Pull Request #458|https://github.com/apache/lucene-solr/pull/458]. Additions since last patch:
* Moved the {{Principal}} forwarding code from SOLR-12121 to this issue
* Extended {{BasicAuthPlugin}} with a new property {{forwardCredentials}}, allowing new and existing users to easily configure use of basic auth also on inter-node requests originating from an outside user request:
** When {{forwardCredentials }}is not set, it defaults to false, and works exactly as before
** When {{forwardCredentials=true}}, the plugin will add the basicAuth header to all forwarded requests, and leave all other requests to PKI as before.
** We carry username and password in a new {{BasicAuthUserPrincipal}} class that is passed on in {{SolrRequest}} both on updates and queries
* Added test to {{BasicAuthIntegrationTest}} which performs a distributed query before setting the property and after. Have found no way to assert in the test whether PKI or BasicAuth plugin handled the sub-request, but plan to do this by counting metrics once SOLR-12791 is in.
When this is committed, then SOLR-12121 becomes simpler.
> Allow Authentication Plugins to easily intercept internode requests
> -------------------------------------------------------------------
>
> Key: SOLR-12799
> URL: https://issues.apache.org/jira/browse/SOLR-12799
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Solr security framework currently allows a plugin to declare statically by implementing the {{HttpClientBuilderPlugin}} interface whether it will handle internode requests. If it implements the interface, the plugin MUST handle ALL internode requests, even requests originating from Solr itself. Likewise, if a plugin does not implement the interface, ALL requests will be authenticated by the built-in {{PKIAuthenticationPlugin}}.
> In some cases (such as SOLR-12121) there is a need to forward end-user credentials on internode requests, but let PKI handle it for solr-originated requests. This is currently not possible without a dirty hack where each plugin duplicates some PKI logic and calls PKI plugin from its own interceptor even if it is disabled.
> This Jira makes this use case officially supported by the framework by:
> * Letting {{PKIAuthenticationPlugin}} be always enabled. PKI will now in its interceptor on a per-request basis first give the authc plugin a chance to handle the request
> * Adding a protected method to abstract class {{AuthenticationPlugin}}
> {code:java}
> protected boolean interceptInternodeRequest(HttpRequest httpRequest, HttpContext httpContext)
> {code}
> that can be overridden by plugins in order to easily intercept requests without registering its own interceptor. Returning 'false' delegates to PKI.
> Existing Authc plugins do *not* need to change as a result of this, and they will work exactly as before, i.e. either handle ALL or NONE internode auth.
> New plugins choosing to *override* the new {{interceptInternodeRequest}} method will obtain per-request control over who will secure each request. The first user of this feature will be JWT token based auth in SOLR-12121.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org