Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2015/04/10 21:39:12 UTC

[jira] [Updated] (SOLR-7274) Pluggable authentication module in Solr

     [ https://issues.apache.org/jira/browse/SOLR-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ishan Chattopadhyaya updated SOLR-7274:
---------------------------------------
    Attachment: SOLR-7274.patch

Added an initial patch, mainly focussing around the pluggable framework part.

It defines an AuthenticationLayerFilter which is called just before the SolrDispatchFilter. The AuthenticationLayerFilter (during its init()) looks for an AuthenticationLayerPlugin classname from the following places, in order: (a) ZK's clusterprops.json containing an "authcPlugin" property, (b) System property "authcPlugin".

AuthenticationLayerPlugin has the following interface:

{noformat}
public interface AuthenticationLayerPlugin {
  
  public void init(FilterConfig conf);
  
  public void doAuthenticate(ServletRequest req, ServletResponse rsp,
      FilterChain chain) throws Exception;

  public HttpClientConfigurer getDefaultConfigurer();
}
{noformat}

A reference Kerberos authentication plugin, based on the hadoop-auth's AuthenticationFilter, is included in the patch. 

On the server side, the plugin contains a filter, called KerberosFilter, whose properties (e.g. keytab, service principal etc.) are populated from system properties.

On the client side (also used for internode communication), an extended HttpClientConfigurer instance (derived from Cloudera's implementation) is used to configure the HttpClient used by HttpSolrClient. It uses a jaas config file from the system property "java.security.auth.login.config" containing client's keytab and user principal. For repeatable requests through the HttpSolrClient, I've wrapped around the request entities in BufferedHttpEntity. Currently, in this patch, no extra authentication metadata is being passed around from main request to sub request for now. Going forward, a generic callback framework might be more desirable, e.g. SOLR-6625.

Here's how I start and test this:

Here's my clusterprops.json in ZK, before starting solr (if one doesn't want to use ZK for this, could pass -DauthcPlugin=org.apache.solr.security.KerberosPlugin to start script):
{noformat}
{"authcPlugin":"org.apache.solr.security.KerberosPlugin"}
{noformat}

Here's my start command:
{noformat}
bin/solr -c -z localhost:2181 -a "-Djava.security.auth.login.config=/home/ishan/jaas-client.conf \
     -Dcookie.domain=192.168.0.107 -Dkerberos.principal=HTTP/192.168.0.107@EXAMPLE.COM \
     -Dkerberos.keytab=/tmp/107solr.keytab"
{noformat}

Here's my /home/ishan/jaas-client.conf file:

{noformat}
SolrClient {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 keyTab="/tmp/107solr.keytab"
 storeKey=true
 useTicketCache=true
 debug=true
 principal="HTTP/192.168.0.107@EXAMPLE.COM"; 
};
{noformat}

Here's a way to test:
{noformat}
kinit
curl --negotiate -u : "http://192.168.0.107:8983/solr/"
{noformat}


> Pluggable authentication module in Solr
> ---------------------------------------
>
>                 Key: SOLR-7274
>                 URL: https://issues.apache.org/jira/browse/SOLR-7274
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Anshum Gupta
>         Attachments: SOLR-7274.patch
>
>
> It would be good to have Solr support different authentication protocols.
> To begin with, it'd be good to have support for kerberos and basic auth.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
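
A pre-flight check for the Kerberos setup described in the message above, as an added example that is not part of the original message or of the SOLR-7274 patch. The function names are hypothetical; it assumes the JAAS file uses the key="value" layout shown above and that keytabs should be readable only by their owner, since they hold long-term keys.

```shell
#!/bin/sh
# Added example: checks the files and values used by the start command
# before Solr is launched. Function names are hypothetical.

# Print the value of a key="value" option from a JAAS login config file.
jaas_value() {  # usage: jaas_value JAAS_FILE KEY
  sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed only if the keytab exists and grants nothing to group or others
# (permission string from ls is e.g. "-rw-------"; columns 5-10 must be dashes).
keytab_private() {  # usage: keytab_private KEYTAB_FILE
  [ -f "$1" ] || return 1
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Check the client-side JAAS file and the server-side -Dkerberos.* values.
preflight() {  # usage: preflight JAAS_FILE KERBEROS_PRINCIPAL KERBEROS_KEYTAB
  rc=0
  jp=$(jaas_value "$1" principal)
  jk=$(jaas_value "$1" keyTab)
  [ -n "$jp" ] || { echo "no principal= entry in $1" >&2; rc=1; }
  # SPNEGO clients (curl --negotiate, browsers) request a ticket for
  # HTTP/<host>, so the server-side principal must have that form.
  case "$2" in
    HTTP/?*@?*) ;;
    *) echo "kerberos.principal '$2' is not HTTP/host@REALM" >&2; rc=1 ;;
  esac
  # Both the JAAS keytab and the server keytab must be owner-only.
  for kt in "$jk" "$3"; do
    keytab_private "$kt" ||
      { echo "keytab '$kt' missing or open to group/others" >&2; rc=1; }
  done
  return "$rc"
}

# Example call with the values from the start command above:
#   preflight /home/ishan/jaas-client.conf \
#     HTTP/192.168.0.107@EXAMPLE.COM /tmp/107solr.keytab
```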