[ https://issues.apache.org/jira/browse/SOLR-15233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306192#comment-17306192 ]
Geza Nagy commented on SOLR-15233:
----------------------------------

Hi [~gerlowskija],

Honestly I haven't tried it with a different plugin, but I think this must be reproducible with other plugins as well. Here's what I found:

The authorization plugins get an AuthorizationContext, and the user principal in it is getReq().getUserPrincipal():
[https://github.com/apache/solr/blob/9eaefdf6b6178042bd26420fede08c0db65c45f3/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L1115]

In our case (auth with Hadoop auth + Kerberos) this will be the one who sent the request and has a valid Kerberos ticket, or, if there is a doAs parameter in the query string, the doAs user. For the internode requests Solr will use its own Kerberos login settings (in my case the principal is s...@example.com).

I saw an old ticket which is very similar to this: https://issues.apache.org/jira/browse/SOLR-13619
But if I understand it right, it was solved only for the KerberosPlugin.

I already created a patch for the previous repository (lucene-solr); I haven't adapted it yet for the current one. What I do in it is intercept the internode requests in the ConfigurableInternodeAuthHadoopPlugin and set the doAs parameter if it's not present already. This solved the issue for me but might be a bit of a naive approach. I'll upload this patch here as soon as I've cherry-picked it to the new repo so you can see what I'm talking about. I'll also try to reproduce it in solr-kerberos-docker.

> ConfigurableInternodeAuthHadoopPlugin with Ranger is broken
> -----------------------------------------------------------
>
>                 Key: SOLR-15233
>                 URL: https://issues.apache.org/jira/browse/SOLR-15233
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Authentication, Authorization
>    Affects Versions: 8.4.1
>            Reporter: Geza Nagy
>            Priority: Major
>              Labels: authentication, authorization
>         Attachments: Screenshot 2021-03-09 at 18.15.31.png, security.json
>
>
> Setting up a cluster with multiple Solr nodes with Kerberos, using it for internode communication as well (attached security.json), and adding Ranger as authorization plugin.
> When sending requests, the authentication happens against the end user but the authorization is for the Solr service user.
> Tested two cases (3 nodes, with a collection with 2 replicas on 2 of the nodes):
> 1. Send a query to a node where the collection has a replica. Authorization is wrong on every node.
> 2. Send a query to a node which doesn't contain a replica. The first-place authorization is fine, but when the query is distributed it goes as if the Solr service user issued it.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
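The two-hop flow described in the comment and in case 2 of the issue, as an added model that is not Solr code and not part of the Jira thread: a request authenticates as the end user (or the doAs user), the receiving node forwards it to a replica under its own service principal, and the authorization check on the second hop therefore sees the service user unless doAs is propagated. `Request`, `ACL`, `SOLR_SERVICE_PRINCIPAL`, `authorize` and `forward_internode` are simplified stand-ins for Solr's HttpSolrCall / AuthorizationPlugin path and are assumptions, as is the constructed ACL.

```python
"""Model of the SOLR-15233 symptom and the doAs-propagation workaround.

Added example, not Solr code. The classes, the ACL and the function names
are stand-ins for Solr's request/authorization flow and are assumptions.
"""
from dataclasses import dataclass, field

# Stand-in for the node's own Kerberos login used on internode calls (assumed value).
SOLR_SERVICE_PRINCIPAL = "solr/node1@EXAMPLE.COM"

# Constructed ACL: only alice may read collection1.
ACL = {"collection1": {"read": {"alice"}}}


@dataclass
class Request:
    authenticated_principal: str          # who presented the valid ticket
    params: dict = field(default_factory=dict)  # query-string parameters


def effective_user(req: Request) -> str:
    """What the Hadoop-auth based flow hands to the authorization plugin:
    the doAs user if the query string carries one, else the authenticated
    principal (mirrors getReq().getUserPrincipal() in the comment)."""
    return req.params.get("doAs", req.authenticated_principal)


def authorize(req: Request, collection: str, action: str) -> bool:
    """Authorization decision keyed on the effective user only."""
    return effective_user(req) in ACL.get(collection, {}).get(action, set())


def forward_internode(req: Request, propagate_doas: bool) -> Request:
    """Build the request the receiving node sends on to a replica.

    The internode call authenticates with the node's service principal.
    With propagate_doas=True the workaround from the comment is applied:
    add doAs for the original effective user if it is not present already.
    """
    params = dict(req.params)
    if propagate_doas and "doAs" not in params:
        params["doAs"] = effective_user(req)
    return Request(SOLR_SERVICE_PRINCIPAL, params)


def distributed_query(end_user_req: Request, collection: str, propagate_doas: bool):
    """Return (first-hop decision, second-hop decision, user seen on hop 2)."""
    first_hop = authorize(end_user_req, collection, "read")
    hop2_req = forward_internode(end_user_req, propagate_doas)
    return first_hop, authorize(hop2_req, collection, "read"), effective_user(hop2_req)


if __name__ == "__main__":
    alice = Request("alice")
    print("without doAs propagation:", distributed_query(alice, "collection1", False))
    print("with doAs propagation:   ", distributed_query(alice, "collection1", True))
```

Without propagation the second hop is evaluated for the service principal, which is the symptom in the issue; with propagation the end user is carried through. The model deliberately does not decide whether the forwarding node is allowed to impersonate anyone: in a real Hadoop-auth deployment a doAs request is only honoured for principals permitted by the proxyuser configuration, so the service principal must be an allowed proxy user for this workaround to take effect.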