[jira] [Commented] (SOLR-7274) Pluggable authentication module in Solr

Gregory Chanan (JIRA) Wed, 01 Apr 2015 21:20:07 -0700

    [ 
https://issues.apache.org/jira/browse/SOLR-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14392112#comment-14392112
 ]


Gregory Chanan commented on SOLR-7274:
--------------------------------------

bq. Can we use what Cloudera does? Gregory Chanan, you might have something to 
say here.

Right now we edit the web.xml.  Given that is going away, I don't have an 
objection to alternative configuration, whether in ZK, system props, some 
combination of those, etc.  What I'm not sure about is how you will make the 
configuration general enough without mentioning Filters.  I.e. will there be 
pre-approved authentication mechanisms?   Will I be able to write my own?

This discussion also seems focused on the server side.  Is the client side 
considered outside the scope of this jira?  (i'm thinking something like 
SOLR-6625, but SOLR-4470 is related).

Here's a pointer to the server-side stuff we do at Cloudera.  I'm eager to 
contribute (or help contribute) this as part of a new authentication module.  I 
just want to make sure the pluggable authentication model is general enough for 
our use case.

Our web.xml:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/webapp/web/WEB-INF/web.xml
This adds two filters: HostnameFilter and SolrHadoopAuthenticationFilter.  
Together these support:
- basic auth
- kerberos auth
- proxy user support (like sudo, see 
https://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html)
- delegation token support (used for MR/spark related jobs: get an 
authentication token at the outset and use it throughout the job lifetime so 
you don't have to pass kerberos keytabs around the cluster)

The Filters:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/java/org/apache/solr/servlet/HostnameFilter.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/java/org/apache/solr/servlet/SolrHadoopAuthenticationFilter.java
 -- Note this supports delegation tokens.

Some tests around the various functional pieces:
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterProxyUserTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/SolrHadoopAuthenticationFilterDelegationTokenTest.java
https://github.com/cloudera/lucene-solr/blob/cdh5-4.4.0_5.3.2/solr/core/src/test/org/apache/solr/servlet/HostnameFilterTest.java

> Pluggable authentication module in Solr
> ---------------------------------------
>
>                 Key: SOLR-7274
>                 URL: https://issues.apache.org/jira/browse/SOLR-7274
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Anshum Gupta
>
> It would be good to have Solr support different authentication protocols.
> To begin with, it'd be good to have support for kerberos and basic auth.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

[jira] [Commented] (SOLR-7274) Pluggable authentication module in Solr

Reply via email to