[ https://issues.apache.org/jira/browse/SOLR-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14389336#comment-14389336 ]

Ishan Chattopadhyaya edited comment on SOLR-7274 at 4/1/15 5:44 AM:
--------------------------------------------------------------------

I am working on implementing pluggable authentication support, initially 
supporting Kerberos and Basic Auth mechanisms. 

Here's a high level design that I'm working towards:
* An authentication layer, consisting of plugins for each of the supported 
mechanisms, needs to be written to be invoked before the SolrDispatchFilter. 
* The configuration as to which plugin to be used, or if at all a security 
mechanism is needed, could come from ZK.
* Every plugin's configuration (e.g. a keytab file path, service principal for 
Kerberos) could be done using System.getProperties().
* This authentication layer should ensure that the request, which leaves this 
layer and gets propagated down the chain, must, at least, have a 
java.security.Principal object associated with the request.
* This user principal could be used, for example, by any downstream 
authorization layer (SOLR-7275) to perform fine grained access control based on 
requests, resources etc.
* As for inter-node requests, the interfaces should support both (a) inter-node 
requests authenticating using the original user principal (where possible); as 
well as (b) inter-node requests authenticating using a node's own service 
principal.

(SOLR-4470 has some context for this with respect to basic auth.)


was (Author: ichattopadhyaya):
I am working on implementing pluggable authentication support, initially 
supporting Kerberos and Basic Auth mechanisms. 

Here's a high level design that I'm working towards:
An authentication layer, consisting of servlet filters for each of the 
supported mechanisms, needs to be written and configured (via environment 
variables) to be invoked before the requests hit the SolrDispatchFilter. (In 
case of us moving away from the servlets paradigm, this can later be folded 
into the SolrDispatchFilter.) This authentication layer should ensure that the 
request, which leaves this layer and gets propagated down the chain, must, at 
least, have a java.security.Principal object associated with the request. This 
user principal could be used, for example, by any downstream authorization 
layer (SOLR-7275) to perform fine grained access control based on requests, 
resources etc.

As for inter-node requests, the interfaces should support both (a) inter-node 
requests authenticating using the original user principal (where possible); as 
well as (b) inter-node requests authenticating using a node's own service 
principal.

(SOLR-4470 has some context for this with respect to basic auth.)

> Pluggable authentication module in Solr
> ---------------------------------------
>
>                 Key: SOLR-7274
>                 URL: https://issues.apache.org/jira/browse/SOLR-7274
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Anshum Gupta
>
> It would be good to have Solr support different authentication protocols.
> To begin with, it'd be good to have support for Kerberos and basic auth.
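
The design in the comment above, sketched with the plain JDK as an added example (not code from the issue or from Solr): a plugin interface, a Basic Auth plugin configured through system properties, and a layer that rejects any request that leaves it without a java.security.Principal. All names and property keys (AuthLayerSketch, AuthenticationPlugin, sketch.auth.basic.*) are hypothetical, and request headers are modelled as a Map instead of a servlet request.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
// Hypothetical sketch; every name and property key here is an assumption for illustration.
public class AuthLayerSketch {
    interface AuthenticationPlugin { // an empty result means "not authenticated"
        Optional<Principal> authenticate(Map<String, String> headers);
    }
    // Basic Auth plugin; expected credentials are read from system properties (constructed keys).
    static class BasicAuthPlugin implements AuthenticationPlugin {
        private final String user = System.getProperty("sketch.auth.basic.user", "");
        private final String pass = System.getProperty("sketch.auth.basic.password", "");
        public Optional<Principal> authenticate(Map<String, String> headers) {
            String h = headers.get("Authorization");
            if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(h.substring(6).trim()), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return Optional.empty(); // malformed Base64 is a failed authentication, not an error page
            }
            int colon = decoded.indexOf(':');
            if (colon < 0 || user.isEmpty()) return Optional.empty(); // unconfigured plugin fails closed
            String u = decoded.substring(0, colon);
            // Compare both fields without short-circuiting, using a constant-time byte comparison.
            boolean ok = MessageDigest.isEqual(bytes(user), bytes(u))
                    & MessageDigest.isEqual(bytes(pass), bytes(decoded.substring(colon + 1)));
            Principal principal = () -> u;
            return ok ? Optional.of(principal) : Optional.empty();
        }
    }
    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    // The layer itself: a null plugin means no security mechanism is configured.
    static int handle(AuthenticationPlugin plugin, Map<String, String> headers) {
        if (plugin == null) return 200;
        Optional<Principal> p = plugin.authenticate(headers);
        if (!p.isPresent()) return 401; // the request never reaches the dispatch step
        System.out.println("dispatching as " + p.get().getName()); // downstream code sees the Principal
        return 200;
    }
    public static void main(String[] args) {
        System.setProperty("sketch.auth.basic.user", "solr");               // constructed sample values
        System.setProperty("sketch.auth.basic.password", "constructed-pw");
        AuthenticationPlugin plugin = new BasicAuthPlugin();
        String good = "Basic " + Base64.getEncoder().encodeToString(bytes("solr:constructed-pw"));
        System.out.println(handle(plugin, Map.of("Authorization", good)) + " " + handle(plugin, Map.of()));
    }
}
```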


