Posted to solr-user@lucene.apache.org by mosheB <mo...@mail.com> on 2020/02/03 15:47:52 UTC

Getting authenticated user inside DocTransformer plugin

We are using Solr's kerberos authentication plugin and we are trying to
implement field-level filtering based on the authenticated user and
DocTransformer class:

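// FieldAclTransformerFactory.java
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.transform.DocTransformer;
import org.apache.solr.response.transform.TransformerFactory;

public class FieldAclTransformerFactory extends TransformerFactory {
	@Override
	public DocTransformer create(String field, SolrParams params, SolrQueryRequest req) {
		// Name of the principal that authenticated this request.
		String user = req.getUserPrincipal().getName();
		return new FieldAclTransformer(user);
	}
}
//****************************************************
// FieldAclTransformer.java
import org.apache.solr.common.SolrDocument;
import org.apache.solr.response.transform.DocTransformer;

public class FieldAclTransformer extends DocTransformer {
	String user;
	public FieldAclTransformer(String user) {
		this.user = user;
	}

	@Override
	public void transform(SolrDocument doc, int docid, float score) {
		// filter fields according to applicative logic, based on the authenticated user.
	}
}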

For simplicity, we do not use an authorization plugin (here is our complete
security.json file):
{
	"authentication":{
		"class": "org.apache.solr.security.KerberosPlugin"
	}
}

During the development phase the plugin was tested against a collection with
a single shard and everything worked as expected (Solr 8.3.1).
After moving to production, the plugin failed. During debugging we saw that
the reason is that SOME shards were getting an incorrect user from
req.getUserPrincipal().getName(): instead of the ORIGINAL user, Solr's SPN
is returned.
Our best guess is that the failing requests are the distributed requests (the
requests that are routed from the node that received the original request),
and indeed, if we add distrib=false to our request the plugin wasn't failing.

So, back to the question... is this a bug in Solr, or is that just not the
way we are supposed to get the authenticated user?
Thanks.

Re: Getting authenticated user inside DocTransformer plugin

Posted by Ishan Chattopadhyaya <ic...@gmail.com>.
This is a problem, indeed. I've opened
https://issues.apache.org/jira/browse/SOLR-14491 to address this.

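A fail-closed guard for the situation described in this thread, as an added example that is not code from the thread or from the Solr project: it rejects the request instead of making a field-ACL decision when the principal cannot be taken as the end user. The class and helper names are hypothetical, FieldAclTransformer is the class from the original post, and recognising inter-node sub-requests by the isShard request parameter is an assumption of this example.

```java
import java.security.Principal;

import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.ShardParams;
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.transform.DocTransformer;
import org.apache.solr.response.transform.TransformerFactory;

// Added example (hypothetical class name): a fail-closed variant of the
// factory from the original post.
public class FailClosedFieldAclTransformerFactory extends TransformerFactory {

	@Override
	public DocTransformer create(String field, SolrParams params, SolrQueryRequest req) {
		// "params" holds the transformer's own arguments; the request-level
		// parameters are read from req inside the helper.
		return new FieldAclTransformer(endUserOrReject(req));
	}

	// Returns the caller's name only when the request came straight from a client.
	static String endUserOrReject(SolrQueryRequest req) {
		// Assumption: sub-requests sent by a coordinating node carry isShard=true.
		// The thread reports that on distributed requests the principal is
		// Solr's SPN, so it must not drive a per-user ACL decision.
		if (req.getParams().getBool(ShardParams.IS_SHARD, false)) {
			throw new SolrException(SolrException.ErrorCode.FORBIDDEN,
					"field ACL: end user is not known on inter-node requests");
		}
		// No authentication plugin configured, or a path that bypassed it.
		Principal principal = req.getUserPrincipal();
		if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
			throw new SolrException(SolrException.ErrorCode.FORBIDDEN,
					"field ACL: request has no authenticated principal");
		}
		return principal.getName();
	}
}
```

With this guard in place, multi-shard queries that use the transformer are rejected with a 403 rather than filtered under the node's identity; requests sent with distrib=false are unaffected.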