Posted to commits@lucene.apache.org by ge...@apache.org on 2019/10/11 16:27:27 UTC
[lucene-solr] branch branch_7_7 updated: SOLR-13472: Forwarded
requests should skip authorization on receiving nodes
This is an automated email from the ASF dual-hosted git repository.
gerlowskija pushed a commit to branch branch_7_7
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_7_7 by this push:
new b4242a1 SOLR-13472: Forwarded requests should skip authorization on receiving nodes
b4242a1 is described below
commit b4242a1bfb418e8b1f1cedf4cf9f97e20e4cd866
Author: Ishan Chattopadhyaya <is...@apache.org>
AuthorDate: Mon Jul 15 14:43:41 2019 +0530
SOLR-13472: Forwarded requests should skip authorization on receiving nodes
---
solr/CHANGES.txt | 2 +
.../java/org/apache/solr/servlet/HttpSolrCall.java | 55 +++++++++++++---------
2 files changed, 36 insertions(+), 21 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 805a7c3..48f13ce 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -40,6 +40,8 @@ Bug fixes
* SOLR-13828: Improve ExecutePlanAction error handling.
+* SOLR-13472: Forwarded requests should skip authorization on receiving nodes (Ishan Chattopadhyaya)
+
================== 7.7.2 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
index 9b8c589..5ecd29f 100644
--- a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
+++ b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
@@ -448,6 +448,26 @@ public class HttpSolrCall {
}
}
+ Action authorize() throws IOException {
+ AuthorizationContext context = getAuthCtx();
+ log.debug("AuthorizationContext : {}", context);
+ AuthorizationResponse authResponse = cores.getAuthorizationPlugin().authorize(context);
+ if (authResponse.statusCode == AuthorizationResponse.PROMPT.statusCode) {
+ Map<String, String> headers = (Map) getReq().getAttribute(AuthenticationPlugin.class.getName());
+ if (headers != null) {
+ for (Map.Entry<String, String> e : headers.entrySet()) response.setHeader(e.getKey(), e.getValue());
+ }
+ log.debug("USER_REQUIRED "+req.getHeader("Authorization")+" "+ req.getUserPrincipal());
+ }
+ if (!(authResponse.statusCode == HttpStatus.SC_ACCEPTED) && !(authResponse.statusCode == HttpStatus.SC_OK)) {
+ log.info("USER_REQUIRED auth header {} context : {} ", req.getHeader("Authorization"), context);
+ sendError(authResponse.statusCode,
+ "Unauthorized request, Response code: " + authResponse.statusCode);
+ return RETURN;
+ }
+ return null;
+ }
+
/**
* This method processes the request.
*/
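Review bot: The new `authorize()` method writes the raw `Authorization` request header to the log on the `log.info` line (and once more on the preceding `log.debug` line); with BasicAuthPlugin that header carries base64-encoded credentials, so every node running at INFO level records user passwords in its log file. Recording only whether the header was present is enough to diagnose the rejection: `log.info("USER_REQUIRED auth header present: {} context : {} ", req.getHeader("Authorization") != null, context);`. The method also lacks a Javadoc; I would add one stating that it runs the configured authorization plugin against the current request, sends the error and returns `RETURN` when the request is rejected, and returns `null` when the caller should continue processing. The raw `(Map)` cast could be narrowed to `(Map<String, String>)` with `@SuppressWarnings("unchecked")` on that local so the unchecked warning is scoped and intentional.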
@@ -467,27 +487,20 @@ public class HttpSolrCall {
try {
init();
- /* Authorize the request if
- 1. Authorization is enabled, and
- 2. The requested resource is not a known static file
- */
- if (cores.getAuthorizationPlugin() != null && shouldAuthorize()) {
- AuthorizationContext context = getAuthCtx();
- log.debug("AuthorizationContext : {}", context);
- AuthorizationResponse authResponse = cores.getAuthorizationPlugin().authorize(context);
- if (authResponse.statusCode == AuthorizationResponse.PROMPT.statusCode) {
- Map<String, String> headers = (Map) getReq().getAttribute(AuthenticationPlugin.class.getName());
- if (headers != null) {
- for (Map.Entry<String, String> e : headers.entrySet()) response.setHeader(e.getKey(), e.getValue());
- }
- log.debug("USER_REQUIRED "+req.getHeader("Authorization")+" "+ req.getUserPrincipal());
- }
- if (!(authResponse.statusCode == HttpStatus.SC_ACCEPTED) && !(authResponse.statusCode == HttpStatus.SC_OK)) {
- log.info("USER_REQUIRED auth header {} context : {} ", req.getHeader("Authorization"), context);
- sendError(authResponse.statusCode,
- "Unauthorized request, Response code: " + authResponse.statusCode);
- return RETURN;
- }
+
+ // Perform authorization here, if:
+ // (a) Authorization is enabled, and
+ // (b) The requested resource is not a known static file
+ // (c) And this request should be handled by this node (see NOTE below)
+ // NOTE: If the query is to be handled by another node, then let that node do the authorization.
+ // In case of authentication using BasicAuthPlugin, for example, the internode request
+ // is secured using PKI authentication and the internode request here will contain the
+ // original user principal as a payload/header, using which the receiving node should be
+ // able to perform the authorization.
+ if (cores.getAuthorizationPlugin() != null && shouldAuthorize()
+ && !(action == REMOTEQUERY || action == FORWARD)) {
+ Action authorizationAction = authorize();
+ if (authorizationAction != null) return authorizationAction;
}
HttpServletResponse resp = response;