[
https://issues.apache.org/jira/browse/SOLR-14491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17108565#comment-17108565
]
Ishan Chattopadhyaya commented on SOLR-14491:
---------------------------------------------
Here's the brief analysis:
# Non query based internode communication in Solr happen via
UpdateShardHandler's default http client, which is a Apache HttpClient
implementation.
# For the doctransformer and shard queries, the HttpShardHandler's httpclient
is used, which is Jetty HttpClient (supports http/2).
# Request Interceptors are added to the Apache HttpClient by the kerberos
plugin, that passes client's username. But, this doesn't happen for Jetty's
HttpClient.
This happened ever since the Jetty's httpclient (http/2 client) was introduced.
We need a way to intercept requests by the kerberos plugin for this jetty
httpclient as well.
> DocTransformers don't use correct principal using Kerberos
> ----------------------------------------------------------
>
> Key: SOLR-14491
> URL: https://issues.apache.org/jira/browse/SOLR-14491
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Ishan Chattopadhyaya
> Priority: Major
>
> This issue was reported by [~moshebla] here:
> [https://lucene.472066.n3.nabble.com/Getting-authenticated-user-inside-DocTransformer-plugin-td4454941.html]
> This is a problem since the original user principal isn't passed along for
> doctransformers (and possibly other internode query operations).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
