[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15831212#comment-15831212 ] Hrishikesh Gadre commented on SOLR-9324: [~ichattopadhyaya] Ok let me take a look. > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Yonik Seeley > Fix For: master (7.0), 6.4 > > Attachments: build-6025.log, SOLR-9324_branch_6x.patch, > SOLR-9324.patch, SOLR-9324.patch, SOLR-9324.patch, SOLR-9324-tests.patch > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15831152#comment-15831152 ] Ishan Chattopadhyaya commented on SOLR-9324: Could someone please take a stab at adding this to the ref guide? [~gchanan], [~hgadre]? I can volunteer to add, if someone can write up a brief description and example here. > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Yonik Seeley > Fix For: master (7.0), 6.4 > > Attachments: build-6025.log, SOLR-9324_branch_6x.patch, > SOLR-9324.patch, SOLR-9324.patch, SOLR-9324.patch, SOLR-9324-tests.patch > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15713576#comment-15713576 ] ASF GitHub Bot commented on SOLR-9324: -- Github user hgadre closed the pull request at: https://github.com/apache/lucene-solr/pull/117 > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Yonik Seeley > Fix For: master (7.0), 6.4 > > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15674918#comment-15674918 ] ASF subversion and git services commented on SOLR-9324: --- Commit 61a6072573f3c801b5d9dc5912ebbd1125f80c0b in lucene-solr's branch refs/heads/branch_6x from [~yo...@apache.org] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=61a6072 ] SOLR-9324: move changes entry to 6.4 > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15674911#comment-15674911 ] ASF subversion and git services commented on SOLR-9324: --- Commit 46ce87c70070448149deedab52c0e4749db818d2 in lucene-solr's branch refs/heads/master from [~yo...@apache.org] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=46ce87c ] SOLR-9324: move changes entry to 6.4 > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15674893#comment-15674893 ] Yonik Seeley commented on SOLR-9324: OK, I've committed this. Thanks Hrishikesh! I'm going to move the CHANGES entry to 6.4 as well... > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15674888#comment-15674888 ] ASF subversion and git services commented on SOLR-9324: --- Commit f084e658b77e1ec98021146318cc37772b73de51 in lucene-solr's branch refs/heads/branch_6x from [~hgadre] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=f084e65 ] SOLR-9324 Fix TestSolrCloudWithSecureImpersonation#testForwarding > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15674884#comment-15674884 ] ASF subversion and git services commented on SOLR-9324: --- Commit f78f698ab0a919e4923f0cbf061dfa254e177555 in lucene-solr's branch refs/heads/branch_6x from [~gchanan] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=f78f698 ] SOLR-9324: Support Secure Impersonation / Proxy User for solr authentication Conflicts: solr/CHANGES.txt solr/core/src/java/org/apache/solr/security/KerberosPlugin.java > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15674885#comment-15674885 ] ASF subversion and git services commented on SOLR-9324: --- Commit 8659fe1cce3f49f37f50f9a74d0eb79ad8d1bf58 in lucene-solr's branch refs/heads/branch_6x from [~gchanan] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=8659fe1 ] SOLR-9324: Fix local host test assumptions > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15674078#comment-15674078 ] Yonik Seeley commented on SOLR-9324: Although security really isn't my area, since this is just a backport to 6x I can probably handle the review if no one else is looking at it... > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15668950#comment-15668950 ] ASF GitHub Bot commented on SOLR-9324: -- GitHub user hgadre opened a pull request: https://github.com/apache/lucene-solr/pull/117 SOLR-9324: Support Secure Impersonation / Proxy User for solr authentication A patch against branch_6x. It also includes unit test fixes applied on the master branch... You can merge this pull request into a Git repository by running: $ git pull https://github.com/hgadre/lucene-solr SOLR-9324_6x Alternatively you can review and apply these changes as the patch at: https://github.com/apache/lucene-solr/pull/117.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #117 commit d23d4a424d636b893b9075968ae21edcddb3500c Author: Gregory Chanan Date: 2016-07-25T18:15:48Z SOLR-9324: Support Secure Impersonation / Proxy User for solr authentication Conflicts: solr/CHANGES.txt solr/core/src/java/org/apache/solr/security/KerberosPlugin.java commit 74b05ba4e42272571eac33609bc15777d1358827 Author: Gregory Chanan Date: 2016-08-06T04:04:58Z SOLR-9324: Fix local host test assumptions commit 40ba331403f8e7201d823ab99edecbbda9c46250 Author: Uwe Schindler Date: 2016-09-03T08:48:01Z SOLR-9460: Disable test that does not work with Windows commit 2d5afdc98eadfa9cc6862f0fa881909c62938af0 Author: Uwe Schindler Date: 2016-09-03T18:30:30Z SOLR-9460: Fully fix test setup commit 32ccf9f62190f3e867fc7edaad198020635fcd4d Author: Hrishikesh Gadre Date: 2016-11-16T00:32:21Z SOLR-9324 Fix TestSolrCloudWithSecureImpersonation#testForwarding > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[
https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15417335#comment-15417335
]
Steve Rowe commented on SOLR-9324:
--
Policeman Jenkins found another {{TestSolrCloudWithSecureImpersonation}} NPE
(doesn't reproduce for me on Linux)
[http://jenkins.thetaphi.de/job/Lucene-Solr-master-Windows/6041/]:
{noformat}
[junit4] Suite: org.apache.solr.cloud.TestSolrCloudWithSecureImpersonation
[junit4] 2> Creating dataDir:
C:\Users\jenkins\workspace\Lucene-Solr-master-Windows\solr\build\solr-core\test\J1\temp\solr.cloud.TestSolrCloudWithSecureImpersonation_D908C925ECB64765-001\init-core-data-001
[junit4] 2> 2677891 INFO
(SUITE-TestSolrCloudWithSecureImpersonation-seed#[D908C925ECB64765]-worker) [
] o.a.s.SolrTestCaseJ4 Randomized ssl (false) and clientAuth (false) via:
@org.apache.solr.util.RandomizeSSL(reason=, value=NaN, ssl=NaN, clientAuth=NaN)
[junit4] 2> 2678039 WARN
(SUITE-TestSolrCloudWithSecureImpersonation-seed#[D908C925ECB64765]-worker) [
] o.a.h.u.NativeCodeLoader Unable to load native-hadoop library for your
platform... using builtin-java classes where applicable
[junit4] 2> 2678060 INFO
(SUITE-TestSolrCloudWithSecureImpersonation-seed#[D908C925ECB64765]-worker) [
] o.a.s.SolrTestCaseJ4 ###deleteCore
[junit4] 2> NOTE: test params are:
codec=FastCompressingStoredFields(storedFieldsFormat=CompressingStoredFieldsFormat(compressionMode=FAST,
chunkSize=5, maxDocsPerChunk=799, blockSize=4),
termVectorsFormat=CompressingTermVectorsFormat(compressionMode=FAST,
chunkSize=5, blockSize=4)), sim=ClassicSimilarity, locale=sr-Latn-BA,
timezone=America/Guayaquil
[junit4] 2> NOTE: Windows 10 10.0 x86/Oracle Corporation 1.8.0_102
(32-bit)/cpus=3,threads=1,free=134681328,total=359464960
[junit4] 2> NOTE: All tests run in this JVM: [AnalyticsQueryTest,
SortSpecParsingTest, TestReload, ChaosMonkeySafeLeaderTest, TestCoreDiscovery,
DebugComponentTest, TestSha256AuthenticationProvider, StatsComponentTest,
TestImplicitCoreProperties, BlockJoinFacetDistribTest,
DistributedFacetPivotSmallAdvancedTest, TestCSVResponseWriter,
TestReloadDeadlock, DirectUpdateHandlerOptimizeTest,
TestReversedWildcardFilterFactory, HdfsChaosMonkeySafeLeaderTest,
ShardSplitTest, ZkNodePropsTest, TestSSLRandomization, TestRandomFlRTGCloud,
TestBinaryField, TestUninvertingReader, TestZkChroot, TestQueryTypes,
TestBackupRepositoryFactory, HLLSerializationTest, SpellingQueryConverterTest,
TolerantUpdateProcessorTest, BasicFunctionalityTest,
ShowFileRequestHandlerTest, TestSolr4Spatial,
DistributedFacetPivotWhiteBoxTest, TestManagedResourceStorage,
SearchHandlerTest, TestSolrQueryParser, HdfsBasicDistributedZkTest,
TestSchemaSimilarityResource, TestQuerySenderListener, SynonymTokenizerTest,
MigrateRouteKeyTest, TestFieldCache, TestIndexSearcher,
SuggestComponentContextFilterQueryTest, TestBulkSchemaAPI,
TestSimpleTrackingShardHandler, ConjunctionSolrSpellCheckerTest,
ZkSolrClientTest, BasicZkTest, DocValuesMissingTest, TestBinaryResponseWriter,
TestCollectionAPI, TestConfigSetsAPIExclusivity,
TestSubQueryTransformerDistrib, DateFieldTest, TestScoreJoinQPNoScore,
DistributedQueryComponentOptimizationTest, TestWriterPerf, ZkStateWriterTest,
SuggesterTSTTest, TestExceedMaxTermLength, TestReRankQParserPlugin,
TlogReplayBufferedWhileIndexingTest, CdcrReplicationDistributedZkTest,
TestSerializedLuceneMatchVersion, TestSchemaManager,
TestSuggestSpellingConverter, DateMathParserTest, TestSimpleQParserPlugin,
TestPHPSerializedResponseWriter, BlobRepositoryCloudTest, TestQueryUtils,
TestSolrConfigHandlerCloud, JavabinLoaderTest, AutoCommitTest,
FacetPivotSmallTest, SolrInfoMBeanTest, TestValueSourceCache,
TestCloudManagedSchema, ConnectionReuseTest, CheckHdfsIndexTest,
TestMiniSolrCloudClusterSSL, TestCustomDocTransformer, TestRawTransformer,
BasicDistributedZk2Test, RequestLoggingTest, EchoParamsTest, DeleteShardTest,
OpenExchangeRatesOrgProviderTest, LoggingHandlerTest, TestDFISimilarityFactory,
TestNumericTerms32, TestFieldCollectionResource, HdfsSyncSliceTest,
TestPerFieldSimilarityWithDefaultOverride, DistributedFacetPivotLargeTest,
IgnoreCommitOptimizeUpdateProcessorFactoryTest,
DefaultValueUpdateProcessorTest, FileUtilsTest, SecurityConfHandlerTest,
CSVRequestHandlerTest, TestRealTimeGet, ConnectionManagerTest, TestRTimerTree,
TestSolrCloudWithKerberosAlt, LeaderInitiatedRecoveryOnCommitTest,
TestRecovery, DistributedMLTComponentTest, TestTolerantUpdateProcessorCloud,
TestExactSharedStatsCache, TermVectorComponentDistributedTest,
CoreAdminCreateDiscoverTest, PluginInfoTest, AtomicUpdatesTest,
TestSlowCompositeReaderWrapper, DistributedDebugComponentTest, BlockCacheTest,
CustomCollectionTest, CoreAdminHandlerTest, BlockJoinFacetSimpleTest,
TestFieldCacheSanityChecker, WordBreakSolrSpellCheckerTest,
OverseerTaskQueueTest, TestInitQParse
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15410761#comment-15410761 ] Gregory Chanan commented on SOLR-9324: -- I'm not going to have a chance to backport this to 6x in the short term...[~hgadre] do you want to take a look? > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15410465#comment-15410465 ] ASF subversion and git services commented on SOLR-9324: --- Commit 678d3f007a492e1bd82833ce35986dce1460c9a8 in lucene-solr's branch refs/heads/master from [~gchanan] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=678d3f0 ] SOLR-9324: Fix local host test assumptions > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324-tests.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324.patch, SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15410451#comment-15410451 ] Gregory Chanan commented on SOLR-9324: -- I believe these are related to the assumptions the test makes about the local box. In the case Varun points to, the assumption is that the user running the process belongs to at least one group. In the cases Steve points to, I believe I assumption is that the loopback device is 127.0.0.1. > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15410429#comment-15410429 ] Gregory Chanan commented on SOLR-9324: -- Interesting, I wasn't able to reproduce any of those failures on my Mac. > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324_branch_6x.patch, build-6025.log > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[
https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15409459#comment-15409459
]
Steve Rowe commented on SOLR-9324:
--
Another {{TestSolrCloudWithSecureImpersonation.testProxyValidateHost()}}
failure from Policeman Jenkins
[http://jenkins.thetaphi.de/job/Lucene-Solr-master-Linux/17468/]:
{noformat}
[junit4] 2> NOTE: reproduce with: ant test
-Dtestcase=TestSolrCloudWithSecureImpersonation
-Dtests.method=testProxyValidateHost -Dtests.seed=B596175E77DFB007
-Dtests.multiplier=3 -Dtests.slow=true -Dtests.locale=so-DJ
-Dtests.timezone=Europe/Guernsey -Dtests.asserts=true
-Dtests.file.encoding=US-ASCII
[junit4] ERROR 0.02s J2 |
TestSolrCloudWithSecureImpersonation.testProxyValidateHost <<<
[junit4]> Throwable #1:
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error
from server at https://127.0.0.1:37485/solr: Expected mime type
application/octet-stream but got application/json. {
[junit4]> "RemoteException" : {
[junit4]> "message" : "Unauthorized connection for super-user:
localHostAnyGroup from IP localhost.localdomain",
[junit4]> "exception" : "AuthorizationException",
[junit4]> "javaClassName" :
"org.apache.hadoop.security.authorize.AuthorizationException"
[junit4]> }
[junit4]> }
[junit4]>at
__randomizedtesting.SeedInfo.seed([B596175E77DFB007:5068D7AF7298E4B0]:0)
[junit4]>at
org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:576)
[junit4]>at
org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:261)
[junit4]>at
org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:250)
[junit4]>at
org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1219)
[junit4]>at
org.apache.solr.cloud.TestSolrCloudWithSecureImpersonation.testProxyValidateHost(TestSolrCloudWithSecureImpersonation.java:260)
[junit4]>at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(java.base@9-ea/Native
Method)
[junit4]>at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(java.base@9-ea/NativeMethodAccessorImpl.java:62)
[junit4]>at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(java.base@9-ea/DelegatingMethodAccessorImpl.java:43)
[junit4]>at java.lang.Thread.run(java.base@9-ea/Thread.java:843)
{noformat}
> Support Secure Impersonation / Proxy User for solr authentication
> -
>
> Key: SOLR-9324
> URL: https://issues.apache.org/jira/browse/SOLR-9324
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Attachments: SOLR-9324.patch, SOLR-9324.patch, SOLR-9324.patch,
> SOLR-9324_branch_6x.patch, build-6025.log
>
>
> Solr should support Proxy User / Secure Impersonation for authentication, as
> supported by hadoop
> (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html)
> and supported by the hadoop AuthenticationFilter (which we use for the
> KerberosPlugin).
> There are a number of use cases, but a common one is this:
> There is a front end for searches (say, Hue http://gethue.com/) that supports
> its own login mechanisms. If the cluster uses kerberos for authentication,
> hue must have kerberos credentials for each user, which is a pain to manage.
> Instead, hue can be allowed to impersonate known users from known machines so
> it only needs its own kerberos credentials.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[
https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15409444#comment-15409444
]
Steve Rowe commented on SOLR-9324:
--
I've seen the same error Varun reported above, and also this one, which
reproduces for me:
{noformat}
[junit4] 2> NOTE: reproduce with: ant test
-Dtestcase=TestSolrCloudWithSecureImpersonation
-Dtests.method=testProxyValidateHost -Dtests.seed=3258EAE5741811E7
-Dtests.multiplier=2 -Dtests.nightly=true -Dtests.slow=true
-Dtests.linedocsfile=/x1/jenkins/lucene-data/enwiki.random.lines.txt
-Dtests.locale=fr-CA -Dtests.timezone=Pacific/Chuuk -Dtests.asserts=true
-Dtests.file.encoding=ISO-8859-1
[junit4] ERROR 0.03s J2 |
TestSolrCloudWithSecureImpersonation.testProxyValidateHost <<<
[junit4]> Throwable #1:
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error
from server at https://127.0.0.1:39539/solr: Expected mime type
application/octet-stream but got application/json. {
[junit4]> "RemoteException" : {
[junit4]> "message" : "Unauthorized connection for super-user:
localHostAnyGroup from IP localhost",
[junit4]> "exception" : "AuthorizationException",
[junit4]> "javaClassName" :
"org.apache.hadoop.security.authorize.AuthorizationException"
[junit4]> }
[junit4]> }
[junit4]>at
__randomizedtesting.SeedInfo.seed([3258EAE5741811E7:D7A62A14715F4550]:0)
[junit4]>at
org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:576)
[junit4]>at
org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:261)
[junit4]>at
org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:250)
[junit4]>at
org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1219)
[junit4]>at
org.apache.solr.cloud.TestSolrCloudWithSecureImpersonation.testProxyValidateHost(TestSolrCloudWithSecureImpersonation.java:260)
[junit4]>at java.lang.Thread.run(Thread.java:745)
{noformat}
> Support Secure Impersonation / Proxy User for solr authentication
> -
>
> Key: SOLR-9324
> URL: https://issues.apache.org/jira/browse/SOLR-9324
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: SolrCloud
>Reporter: Gregory Chanan
>Assignee: Gregory Chanan
> Attachments: SOLR-9324.patch, SOLR-9324.patch, SOLR-9324.patch,
> SOLR-9324_branch_6x.patch, build-6025.log
>
>
> Solr should support Proxy User / Secure Impersonation for authentication, as
> supported by hadoop
> (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html)
> and supported by the hadoop AuthenticationFilter (which we use for the
> KerberosPlugin).
> There are a number of use cases, but a common one is this:
> There is a front end for searches (say, Hue http://gethue.com/) that supports
> its own login mechanisms. If the cluster uses kerberos for authentication,
> hue must have kerberos credentials for each user, which is a pain to manage.
> Instead, hue can be allowed to impersonate known users from known machines so
> it only needs its own kerberos credentials.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405040#comment-15405040 ] ASF subversion and git services commented on SOLR-9324: --- Commit a07425a4e1856aa301e7125863a9ad7a606eeb02 in lucene-solr's branch refs/heads/master from [~gchanan] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=a07425a ] SOLR-9324: Fix jira number in CHANGES.txt > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324_branch_6x.patch > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9324) Support Secure Impersonation / Proxy User for solr authentication
[ https://issues.apache.org/jira/browse/SOLR-9324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405032#comment-15405032 ] ASF subversion and git services commented on SOLR-9324: --- Commit e50858c314a138e2c2ced50bee9a5c2754929f8b in lucene-solr's branch refs/heads/master from [~gchanan] [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=e50858c ] SOLR-9324: Support Secure Impersonation / Proxy User for solr authentication > Support Secure Impersonation / Proxy User for solr authentication > - > > Key: SOLR-9324 > URL: https://issues.apache.org/jira/browse/SOLR-9324 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Components: SolrCloud >Reporter: Gregory Chanan >Assignee: Gregory Chanan > Attachments: SOLR-9324.patch, SOLR-9324.patch, SOLR-9324.patch, > SOLR-9324_branch_6x.patch > > > Solr should support Proxy User / Secure Impersonation for authentication, as > supported by hadoop > (http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html) > and supported by the hadoop AuthenticationFilter (which we use for the > KerberosPlugin). > There are a number of use cases, but a common one is this: > There is a front end for searches (say, Hue http://gethue.com/) that supports > its own login mechanisms. If the cluster uses kerberos for authentication, > hue must have kerberos credentials for each user, which is a pain to manage. > Instead, hue can be allowed to impersonate known users from known machines so > it only needs its own kerberos credentials. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org
