Posted to users@solr.apache.org by Michael Erlikhman <me...@varonis.com.INVALID> on 2021/08/08 11:49:09 UTC

NTLM plugin issue - Solr Intra-node communication fails when using custom AuthenticationPlugin

Hi,
This is (somewhat) a continuation of the previous 401 Unauthorized thread.
TL;DR - Solr Intra-node communication fails when using a custom AuthenticationPlugin.

Below is the situation as we see it here in the dev. team:

The way our plugin is supposed to work (and has worked in Solr 7) is as follows:
We create a plugin that is both AuthenticationPlugin and HttpClientBuilderPlugin. (public class X extends AuthenticationPlugin implements HttpClientBuilderPlugin)

The HttpClientBuilderPlugin creates a SolrHttpClientBuilder which we call NtlmHTTPClientBuilder.
The builder creates a CredentialsProvider that creates NTLM credentials and registers NTLMSchemeFactory to be used for AuthSchemes.NTLM.
NTLMScheme is what should perform the handshake that authenticates the user and generates a token to be added in the header of the requests.
In webdefaults.xml, we have added a filter using a Waffle plugin that rejects requests without a valid header (this part still works in Solr 8)

!!!The problem is when the shards are communicating with one another, the token is not part of the request.!!!

What we discovered is this:
Unless interceptInternodeRequest is overwritten to return true, our plugin is not used.
BUT even in case it does return true, the client that Solr uses is built in: HttpShardHandlerFactory creates a shard handler, which creates a Solr client, which creates an HTTP client - all with internal builders and not using our HttpClientBuilderPlugin at all.

Looking at other plugins, it seems that we need to implement "setup (Http2SolrClient client)" - but the client is already built, and we cannot inject (in any way we found) the credentials builder.
We can add a listener and intervene in the request, but the NTLM handshake is done over multiple calls and cannot be performed in one request.


We have also noticed that this change (the "setup (Http2SolrClient client)") has been added in Solr 8.8.1: https://github.com/apache/solr/commit/f80e8e11672d31c6e12069d2bd12a28b92e5a336

To sum it up, at this moment we are blocked from using our AuthenticationPlugin, as the intra-node communication then fails.
Any assistance/suggestions are welcome, thank you!

Thanks,
Michael
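
The multi-leg exchange that the message above says cannot be performed in one intercepted request, as an added example that is not part of the original post or of Solr's code. It is a simplified model: an HMAC stands in for the real NTLM response computation, and `SECRET`, `Connection`, `server`, `prove`, `full_handshake` and `single_request_listener` are hypothetical names.

```python
import base64, hashlib, hmac, os, struct

SIG = b"NTLMSSP\x00"               # signature that opens every NTLM message
SECRET = b"constructed-demo-key"   # constructed stand-in for the account secret

def msg(mtype, payload=b""):
    """Base64 NTLM-style message: signature, little-endian type, payload."""
    return base64.b64encode(SIG + struct.pack("<I", mtype) + payload).decode()

def parse(header):
    """Split an 'NTLM <base64>' header value into (message type, payload)."""
    raw = base64.b64decode(header.split(" ", 1)[1])
    return struct.unpack("<I", raw[8:12])[0], raw[12:]

def prove(challenge):
    """Simplified response: HMAC over the challenge, not the real NTLMv2 math."""
    return hmac.new(SECRET, challenge, hashlib.sha256).digest()

class Connection:
    """Server-side state for one TCP connection; NTLM authenticates connections."""
    def __init__(self):
        self.challenge, self.authenticated = None, False

def server(conn, headers):
    """Handle one request on conn and return (status, response headers)."""
    if conn.authenticated:
        return 200, {}
    auth = headers.get("Authorization", "")
    if auth.startswith("NTLM "):
        mtype, payload = parse(auth)
        if mtype == 1:                                 # Type 1: negotiate
            conn.challenge = os.urandom(8)
            return 401, {"WWW-Authenticate": "NTLM " + msg(2, conn.challenge)}
        if mtype == 3 and conn.challenge is not None:  # Type 3: authenticate
            expected, conn.challenge = prove(conn.challenge), None
            if hmac.compare_digest(payload, expected):
                conn.authenticated = True
                return 200, {}
    return 401, {"WWW-Authenticate": "NTLM"}

def full_handshake(conn):
    """Stateful client: every leg travels on the same connection."""
    statuses = [server(conn, {})[0]]                   # anonymous request
    status, hdrs = server(conn, {"Authorization": "NTLM " + msg(1)})
    _, challenge = parse(hdrs["WWW-Authenticate"])
    final, _ = server(conn, {"Authorization": "NTLM " + msg(3, prove(challenge))})
    return statuses + [status, final]

def single_request_listener(header_value):
    """Per-request hook: one fixed header on a connection with no handshake state."""
    return server(Connection(), {"Authorization": header_value})[0]
```

The stateful client ends in 200 only because the Type 3 answer reaches the connection that issued the challenge; a hook that sets one header per request has no way to read that challenge first.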

