You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by is...@apache.org on 2020/06/01 08:08:23 UTC
[lucene-solr] branch branch_8x updated: SOLR-14491: Intercepting
internode requests in KerberosPlugin when HTTP/2 client is used
This is an automated email from the ASF dual-hosted git repository.
ishan pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8x by this push:
new 7fe79e3 SOLR-14491: Intercepting internode requests in KerberosPlugin when HTTP/2 client is used
7fe79e3 is described below
commit 7fe79e3eeafd9691e2ba285560fed4db03525ec0
Author: Ishan Chattopadhyaya <is...@apache.org>
AuthorDate: Mon Jun 1 13:37:12 2020 +0530
SOLR-14491: Intercepting internode requests in KerberosPlugin when HTTP/2 client is used
---
solr/CHANGES.txt | 2 ++
.../org/apache/solr/security/KerberosPlugin.java | 27 ++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 83602bd..54dd094 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -130,6 +130,8 @@ Bug Fixes
* SOLR-14498: Upgrade to Caffeine 2.8.4, which fixes the cache poisoning issue. (Jakub Zytka, ab)
+* SOLR-14491: Intercepting internode requests in KerberosPlugin when HTTP/2 client is used (Ishan Chattopadhyaya, Moshe Bla)
+
Other Changes
---------------------
* SOLR-14197: SolrResourceLoader: marked many methods as deprecated, and in some cases rerouted exiting logic to avoid
diff --git a/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java b/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
index ce3010c..381419f 100644
--- a/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/KerberosPlugin.java
@@ -36,6 +36,7 @@ import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthentica
import org.apache.http.HttpRequest;
import org.apache.http.protocol.HttpContext;
import org.apache.solr.client.solrj.impl.Http2SolrClient;
+import org.apache.solr.client.solrj.impl.HttpListenerFactory;
import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder;
import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
import org.apache.solr.cloud.ZkController;
@@ -45,6 +46,7 @@ import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
import org.apache.solr.core.CoreContainer;
import org.apache.solr.request.SolrRequestInfo;
import org.apache.solr.servlet.SolrDispatchFilter;
+import org.eclipse.jetty.client.api.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -96,6 +98,7 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientBu
}
}
+
@VisibleForTesting
protected FilterConfig getInitFilterConfig(Map<String, Object> pluginConfig, boolean skipKerberosChecking) {
Map<String, String> params = new HashMap();
@@ -259,12 +262,36 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientBu
}
@Override
+ protected boolean interceptInternodeRequest(Request request) {
+ SolrRequestInfo info = SolrRequestInfo.getRequestInfo();
+ if (info != null && (info.getAction() == SolrDispatchFilter.Action.FORWARD ||
+ info.getAction() == SolrDispatchFilter.Action.REMOTEQUERY)) {
+ if (info.getUserPrincipal() != null) {
+ if (log.isInfoEnabled()) {
+ log.info("Setting original user principal: {}", info.getUserPrincipal().getName());
+ }
+ request.header(ORIGINAL_USER_PRINCIPAL_HEADER, info.getUserPrincipal().getName());
+ return true;
+ }
+ }
+ return false;
+ }
+
+ @Override
public SolrHttpClientBuilder getHttpClientBuilder(SolrHttpClientBuilder builder) {
return kerberosBuilder.getBuilder(builder);
}
@Override
public void setup(Http2SolrClient client) {
+ final HttpListenerFactory.RequestResponseListener listener = new HttpListenerFactory.RequestResponseListener() {
+ @Override
+ public void onQueued(Request request) {
+ interceptInternodeRequest(request);
+ }
+ };
+ client.addListenerFactory(() -> listener);
+
kerberosBuilder.setup(client);
}