You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2015/04/01 05:36:52 UTC
[jira] [Comment Edited] (SOLR-7274) Pluggable authentication module
in Solr
[ https://issues.apache.org/jira/browse/SOLR-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14389336#comment-14389336 ]
Ishan Chattopadhyaya edited comment on SOLR-7274 at 4/1/15 3:36 AM:
--------------------------------------------------------------------
I am working on implementing pluggable authentication support, initially supporting Kerberos and Basic Auth mechanisms.
Here's a high level design that I'm working towards:
An authentication layer, consisting of servlet filters for each of the supported mechanisms, need to be written and configured (via environment variables) to be invoked before the requests hit the SolrDispatchFilter. (In case of us moving away from the servlets paradigm, this can later be folded into the SolrDispatchFilter.) This authentication layer should ensure that the request, which leaves this layer and gets propogated down the chain, must, at least, have a java.security.Principal object associated with the request. This user principal could be used, for example, by any downstream authorization layer (SOLR-7275) to perform fine grained access control based on requests, resources etc.
As for inter-node requests, the interfaces should support both (a) inter-node requests authenticating using the original user principal (where possible); as well as (b) inter-node requests authenticating using a node's own service principal.
(SOLR-4470 has some context for this with respect to basic auth.)
was (Author: ichattopadhyaya):
I am working on implementing pluggable authentication support, initially supporting Kerberos and Basic Auth mechanisms.
Here's a high level design that I'm working towards:
An authentication layer, consisting of servlet filters for each of the supported mechanisms, need to be written and configured (via web.xml) to be invoked before the requests hit the SolrDispatchFilter. (In case of us moving away from the servlets paradigm, this can later be folded into the SolrDispatchFilter.) This authentication layer should ensure that the request, which leaves this layer and gets propogated down the chain, must, at least, have a java.security.Principal object associated with the request. This user principal could be used, for example, by any downstream authorization layer (SOLR-7275) to perform fine grained access control based on requests, resources etc.
As for inter-node requests, the interfaces should support both (a) inter-node requests authenticating using the original user principal (where possible); as well as (b) inter-node requests authenticating using a node's own service principal.
(SOLR-4470 has some context for this with respect to basic auth.)
> Pluggable authentication module in Solr
> ---------------------------------------
>
> Key: SOLR-7274
> URL: https://issues.apache.org/jira/browse/SOLR-7274
> Project: Solr
> Issue Type: Sub-task
> Reporter: Anshum Gupta
>
> It would be good to have Solr support different authentication protocols.
> To begin with, it'd be good to have support for kerberos and basic auth.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org