You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by kr...@apache.org on 2021/10/22 18:32:56 UTC
[solr] branch main updated: SOLR-15617: Add
kerberos.name.rules.mechanism support to KerberosPlugin (#306)
This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new 678f137 SOLR-15617: Add kerberos.name.rules.mechanism support to KerberosPlugin (#306)
678f137 is described below
commit 678f1372ad7a70fa0fc5ab613def481ba6956c8c
Author: Kevin Risden <ri...@users.noreply.github.com>
AuthorDate: Fri Oct 22 14:32:49 2021 -0400
SOLR-15617: Add kerberos.name.rules.mechanism support to KerberosPlugin (#306)
Signed-off-by: Kevin Risden <kr...@apache.org>
---
solr/CHANGES.txt | 2 ++
solr/core/src/java/org/apache/solr/security/KerberosPlugin.java | 3 +++
solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc | 9 +++++++++
3 files changed, 14 insertions(+)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index f7e288b..9279c94 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -158,6 +158,8 @@ when told to. The admin UI now tells it to. (Nazerke Seidan, David Smiley)
* SOLR-15301: Eliminate repetitive index size calculation for Solr metrics (Andras Salamon)
+* SOLR-15617: Add kerberos.name.rules.mechanism support to KerberosPlugin (Kevin Risden)
+
Build
---------------------
diff --git a/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java b/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
index 804566c..5da7c29 100644
--- a/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
@@ -33,6 +33,7 @@ import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.core.JsonGenerator;
import com.google.common.annotations.VisibleForTesting;
+import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
import org.apache.http.HttpRequest;
import org.apache.http.protocol.HttpContext;
@@ -58,6 +59,7 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientBu
private Filter kerberosFilter;
public static final String NAME_RULES_PARAM = "solr.kerberos.name.rules";
+ public static final String NAME_RULES_MECHANISM_PARAM = "solr.kerberos.name.rules.mechanism";
public static final String COOKIE_DOMAIN_PARAM = "solr.kerberos.cookie.domain";
public static final String COOKIE_PATH_PARAM = "solr.kerberos.cookie.path";
public static final String PRINCIPAL_PARAM = "solr.kerberos.principal";
@@ -105,6 +107,7 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientBu
Map<String, String> params = new HashMap<>();
params.put("type", "kerberos");
putParam(params, "kerberos.name.rules", NAME_RULES_PARAM, "DEFAULT");
+ putParam(params, "kerberos.name.rules.mechanism", NAME_RULES_MECHANISM_PARAM, KerberosName.DEFAULT_MECHANISM);
putParam(params, "token.valid", TOKEN_VALID_PARAM, "30");
putParam(params, "cookie.path", COOKIE_PATH_PARAM, "/");
if (!skipKerberosChecking) {
diff --git a/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc b/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc
index 0370de9..1ba50ab 100644
--- a/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc
+++ b/solr/solr-ref-guide/src/kerberos-authentication-plugin.adoc
@@ -272,6 +272,15 @@ These parameters can be passed at the command line with the `bin/solr` start com
Used to map Kerberos principals to short names.
Example of a name rule: `RULE:[1:$1@$0](.\*EXAMPLE.COM)s/@.*//`.
+`solr.kerberos.name.rules.mechanism`::
++
+[%autowidth,frame=none]
+|===
+|Optional |Default: `hadoop`
+|===
++
+The mechanism used to map Kerberos principals to short names. This can be either `hadoop` or `mit`.
+
`solr.kerberos.cookie.domain`::
+
[%autowidth,frame=none]