[jira] [Commented] (SOLR-17789) Internode Authorization not working for external roles

Wed, 30 Jul 2025 19:59:05 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-17789?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18011070#comment-18011070
 ] 

ASF subversion and git services commented on SOLR-17789:
--------------------------------------------------------

Commit 065dcfd48d8a07b67dd38423348397dd38c13d7d in solr's branch 
refs/heads/branch_9x from bct-timo-crabbe
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=065dcfd48d8 ]

SOLR-17789: Fix Internode Authorization not working for external roles (#3397)

When Solr forwards/proxies requests to another node that can service the 
request, it needs to pass authorization headers.

* Allow tests to choose the number of nodes their test cluster has
* Test if solr cluster properly forwards authentication principal
* Add user principal on http context when forwarding query


> Internode Authorization not working for external roles
> ------------------------------------------------------
>
>                 Key: SOLR-17789
>                 URL: https://issues.apache.org/jira/browse/SOLR-17789
>             Project: Solr
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 9.7, 9.8
>            Reporter: Timo Crabbé
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Solr nodes do not pass full authorization details to other nodes.
> Steps to reproduce:
>  # Deploy cluster with more then one node
>  # Use a authentication plugin where roles are supplied externally (like 
> JWTAuth).
>  # Add a private collection with lower number of replicas then the number of 
> nodes in the cluster
>  # Send request to node that does not holds a replica of the collection to 
> force forwarding.
> This results in a return code 403, because the sendRemoteQuery function in 
> `solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java` does not add 
> the current user's Security Principal on the HttpClientContext like the 
> executeMethod function does in 
> solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to