You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@solr.apache.org by "Jason Gerlowski (Jira)" <ji...@apache.org> on 2021/03/22 11:21:00 UTC

[jira] [Commented] (SOLR-15233) ConfigurableInternodeAuthHadoopPlugin with Ranger is broken

    [ https://issues.apache.org/jira/browse/SOLR-15233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306124#comment-17306124 ] 

Jason Gerlowski commented on SOLR-15233:
----------------------------------------

Hey [~gezan], thanks for reporting.  Do you think the issue is unique to Ranger, or could it be reproduced without?  If there's an easier way to reproduce I might be able to take a look, but the Ranger plugin is technically 3rd-party code and I have no experience with setting it up or debugging it.

Would it be possible to come up with a Dockerized environment that can reproduce the problem? (perhaps piggy-backing on [this project|https://github.com/chatman/solr-kerberos-docker])

> ConfigurableInternodeAuthHadoopPlugin with Ranger is broken
> -----------------------------------------------------------
>
>                 Key: SOLR-15233
>                 URL: https://issues.apache.org/jira/browse/SOLR-15233
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, Authorization
>    Affects Versions: 8.4.1
>            Reporter: Geza Nagy
>            Priority: Major
>              Labels: authentication, authorization
>         Attachments: Screenshot 2021-03-09 at 18.15.31.png, security.json
>
>
> Setting up a cluster with multiple solr nodes with Kerberos using it for internode communication as well (attached security.json) and added Ranger as authorization plugin.
> When sending requests the authentication happens against the end user but the authorization is for solr service user.
> Tested two cases (3 nodes, have a collection with 2 replicas on 2 nodes of it):
> 1. send a query to a node where the collection has replica. Authorization is wrong every nodes
> 2. send a query to a node which doesn't contain a replica. The first place authorization is fine but when the query distributed it goes as solr service user issued.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)