Posted to issues@lucene.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2020/02/13 09:34:00 UTC

[jira] [Commented] (SOLR-14216) Exclude HealthCheck from authentication

    [ https://issues.apache.org/jira/browse/SOLR-14216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036066#comment-17036066 ] 

Jan Høydahl commented on SOLR-14216:
------------------------------------

I started on this, but the current way we make certain paths escape auth is by adding an extra if statement in three different locations:
 * SolrDispatchFilter
 * HttpSolrCall
 * PKIAuthenticationPlugin

And each of these checks is slightly different, since they compare against either the full URL or only the context path. In addition, if we want to open a path that has both V1 and V2 API support, that needs to be handled explicitly, which is error prone.

So it would perhaps be better with a central generic location and a uniform way to specify what URL (suffixes) to whitelist, so you don't need to mess with {{/solr/____v2/foo}} style URLs etc. Any suggestions as to how this could be done, and where to configure the list of paths to keep public?

> Exclude HealthCheck from authentication
> ---------------------------------------
>
>                 Key: SOLR-14216
>                 URL: https://issues.apache.org/jira/browse/SOLR-14216
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>
> The {{HealthCheckHandler}} on {{/api/node/health}} and {{/solr/admin/info/health}} should by default not be subject to authentication, but be open for all. This allows for load balancers and various monitoring to probe Solr's health without having to support the auth scheme in place. I can't see any reason we need auth on the health endpoint.
> It is possible to achieve the same by setting blockUnknown=false and configuring three RBAC permissions: One for v1 endpoint, one for v2 endpoint and one "all" catch all at the end of the chain. But this is cumbersome so better have this ootb.
> An alternative solution is to create a separate HttpServer for health check, listening on a different port, just like embedded ZK and JMX.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
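An added example (not code from the Solr project or from the comment author) of the single, generic decision point the comment asks for: a configured list of public paths that is matched only after canonicalizing the request target, so a full URL, a context-relative path, and the {{/solr/____v2}} alias all compare the same way. It assumes that the {{/solr/____v2/}} prefix reaches the same handlers as {{/api/}} (the URL style the comment mentions), and the class name and configuration list are hypothetical.

```java
import java.net.URI;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/** One decision point for "is this request exempt from authentication?" (hypothetical helper, not Solr code). */
public final class PublicPathPolicy {
    // Constructed sample configuration: the two health endpoints named in SOLR-14216.
    public static final List<String> DEFAULT_PUBLIC_PATHS =
            List.of("/solr/admin/info/health", "/api/node/health");

    private final Set<String> publicPaths;

    public PublicPathPolicy(List<String> configuredPaths) {
        // Canonicalize configured entries exactly like requests, so both sides compare the same form.
        this.publicPaths = configuredPaths.stream()
                .map(PublicPathPolicy::normalize)
                .collect(Collectors.toSet());
    }

    /** Canonical form of a request target: accepts a full URL or a context-relative path, drops query and
     *  fragment, resolves "." and ".." segments, collapses repeated slashes, drops a trailing slash, and folds
     *  the /solr/____v2 alias onto /api (assumption: both prefixes reach the same v2 handlers). */
    static String normalize(String requestTarget) {
        String path = URI.create(requestTarget).normalize().getPath();
        if (path == null || path.isEmpty()) {
            return "/";
        }
        path = path.replaceAll("/{2,}", "/");
        if (path.length() > 1 && path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        if (path.startsWith("/solr/____v2/")) {
            path = "/api/" + path.substring("/solr/____v2/".length());
        }
        return path;
    }

    /** Exact match only: a longer path that merely starts with a public one stays protected. Fails closed. */
    public boolean isPublic(String requestTarget) {
        try {
            String path = normalize(requestTarget);
            // URI.normalize() keeps a ".." it cannot resolve, and getPath() decodes %2e%2e into one: refuse both.
            return !path.contains("..") && publicPaths.contains(path);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
    }
}
```

With the sample configuration, {{http://localhost:8983/solr/admin/info/health?wt=json}}, {{/api/node/health}} and {{/solr/____v2/node/health/}} are public, while {{/solr/admin/info/healthcheck}}, {{/solr/admin/info/system}} and {{/solr/admin/%2e%2e/admin/info/health}} are not.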
