lucene-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gcha...@apache.org
Subject [1/2] lucene-solr:branch_6x: SOLR-9200: Add Delegation Token Support to Solr
Date Tue, 02 Aug 2016 16:53:12 GMT
Repository: lucene-solr
Updated Branches:
  refs/heads/branch_6x c17605b4a -> 6cfec0bd7


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithDelegationTokens.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithDelegationTokens.java b/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithDelegationTokens.java
new file mode 100644
index 0000000..c5a8f8c
--- /dev/null
+++ b/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithDelegationTokens.java
@@ -0,0 +1,406 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.cloud;
+
+import junit.framework.Assert;
+import org.apache.hadoop.util.Time;
+import org.apache.lucene.util.LuceneTestCase;
+import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.client.solrj.impl.HttpSolrClient;
+import org.apache.solr.client.solrj.SolrRequest;
+import org.apache.solr.client.solrj.embedded.JettySolrRunner;
+import org.apache.solr.client.solrj.request.CollectionAdminRequest;
+import org.apache.solr.client.solrj.request.DelegationTokenRequest;
+import org.apache.solr.client.solrj.response.DelegationTokenResponse;
+import org.apache.solr.common.SolrException.ErrorCode;
+import org.apache.solr.common.cloud.SolrZkClient;
+import org.apache.solr.common.params.SolrParams;
+import org.apache.solr.common.params.ModifiableSolrParams;
+import static org.apache.solr.security.HttpParamDelegationTokenAuthenticationHandler.USER_PARAM;
+
+import org.apache.http.HttpStatus;
+import org.apache.solr.security.HttpParamDelegationTokenAuthenticationHandler;
+import org.apache.solr.security.KerberosPlugin;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.lang.invoke.MethodHandles;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Test the delegation token support in the {@link org.apache.solr.security.KerberosPlugin}.
+ */
+@LuceneTestCase.Slow
+@SolrTestCaseJ4.SuppressSSL
+public class TestSolrCloudWithDelegationTokens extends SolrTestCaseJ4 {
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  private static final int NUM_SERVERS = 2;
+  private static MiniSolrCloudCluster miniCluster;
+  private static HttpSolrClient solrClientPrimary;
+  private static HttpSolrClient solrClientSecondary;
+
+  @BeforeClass
+  public static void startup() throws Exception {
+    System.setProperty("authenticationPlugin", KerberosPlugin.class.getName());
+    System.setProperty(KerberosPlugin.DELEGATION_TOKEN_ENABLED, "true");
+    System.setProperty(KerberosPlugin.AUTH_HANDLER_PARAM,
+        HttpParamDelegationTokenAuthenticationHandler.class.getName());
+    System.setProperty("solr.kerberos.cookie.domain", "127.0.0.1");
+
+    miniCluster = new MiniSolrCloudCluster(NUM_SERVERS, createTempDir(), buildJettyConfig("/solr"));
+    JettySolrRunner runnerPrimary = miniCluster.getJettySolrRunners().get(0);
+    solrClientPrimary =
+        new HttpSolrClient.Builder(runnerPrimary.getBaseUrl().toString())
+            .build();
+    JettySolrRunner runnerSecondary = miniCluster.getJettySolrRunners().get(1);
+    solrClientSecondary =
+        new HttpSolrClient.Builder(runnerSecondary.getBaseUrl().toString())
+            .build();
+  }
+
+  @AfterClass
+  public static void shutdown() throws Exception {
+    if (miniCluster != null) {
+      miniCluster.shutdown();
+    }
+    miniCluster = null;
+    solrClientPrimary.close();
+    solrClientPrimary = null;
+    solrClientSecondary.close();
+    solrClientSecondary = null;
+    System.clearProperty("authenticationPlugin");
+    System.clearProperty(KerberosPlugin.DELEGATION_TOKEN_ENABLED);
+    System.clearProperty(KerberosPlugin.AUTH_HANDLER_PARAM);
+    System.clearProperty("solr.kerberos.cookie.domain");
+  }
+
+  private String getDelegationToken(final String renewer, final String user, HttpSolrClient solrClient) throws Exception {
+    DelegationTokenRequest.Get get = new DelegationTokenRequest.Get(renewer) {
+      @Override
+      public SolrParams getParams() {
+        ModifiableSolrParams params = new ModifiableSolrParams(super.getParams());
+        params.set(USER_PARAM, user);
+        return params;
+      }
+    };
+    DelegationTokenResponse.Get getResponse = get.process(solrClient);
+    return getResponse.getDelegationToken();
+  }
+
+  private long renewDelegationToken(final String token, final int expectedStatusCode,
+      final String user, HttpSolrClient client) throws Exception {
+    DelegationTokenRequest.Renew renew = new DelegationTokenRequest.Renew(token) {
+      @Override
+      public SolrParams getParams() {
+        ModifiableSolrParams params = new ModifiableSolrParams(super.getParams());
+        params.set(USER_PARAM, user);
+        return params;
+      }
+
+      @Override
+      public Set<String> getQueryParams() {
+        Set<String> queryParams = super.getQueryParams();
+        queryParams.add(USER_PARAM);
+        return queryParams;
+      }
+    };
+    try {
+      DelegationTokenResponse.Renew renewResponse = renew.process(client);
+      assertEquals(HttpStatus.SC_OK, expectedStatusCode);
+      return renewResponse.getExpirationTime();
+    } catch (HttpSolrClient.RemoteSolrException ex) {
+      assertEquals(expectedStatusCode, ex.code());
+      return -1;
+    }
+  }
+
+  private void cancelDelegationToken(String token, int expectedStatusCode, HttpSolrClient client)
+  throws Exception {
+    DelegationTokenRequest.Cancel cancel = new DelegationTokenRequest.Cancel(token);
+    try {
+      cancel.process(client);
+      assertEquals(HttpStatus.SC_OK, expectedStatusCode);
+    } catch (HttpSolrClient.RemoteSolrException ex) {
+      assertEquals(expectedStatusCode, ex.code());
+    }
+  }
+
+  private void doSolrRequest(String token, int expectedStatusCode, HttpSolrClient client)
+  throws Exception {
+    doSolrRequest(token, expectedStatusCode, client, 1);
+  }
+
+  private void doSolrRequest(String token, int expectedStatusCode, HttpSolrClient client, int trials)
+  throws Exception {
+    int lastStatusCode = 0;
+    for (int i = 0; i < trials; ++i) {
+      lastStatusCode = getStatusCode(token, null, null, client);
+      if (lastStatusCode == expectedStatusCode) {
+        return;
+      }
+      Thread.sleep(1000);
+    }
+    assertEquals("Did not receieve excepted status code", expectedStatusCode, lastStatusCode);
+  }
+
+  private SolrRequest getAdminRequest(final SolrParams params) {
+    return new CollectionAdminRequest.List() {
+      @Override
+      public SolrParams getParams() {
+        ModifiableSolrParams p = new ModifiableSolrParams(super.getParams());
+        p.add(params);
+        return p;
+      }
+    };
+  }
+
+  private int getStatusCode(String token, final String user, final String op, HttpSolrClient client)
+  throws Exception {
+    HttpSolrClient delegationTokenServer =
+        new HttpSolrClient.Builder(client.getBaseURL().toString())
+            .withDelegationToken(token)
+            .withResponseParser(client.getParser())
+            .build();
+    try {
+      ModifiableSolrParams p = new ModifiableSolrParams();
+      if (user != null) p.set(USER_PARAM, user);
+      if (op != null) p.set("op", op);
+      SolrRequest req = getAdminRequest(p);
+      if (user != null || op != null) {
+        Set<String> queryParams = new HashSet<String>();
+        if (user != null) queryParams.add(USER_PARAM);
+        if (op != null) queryParams.add("op");
+        req.setQueryParams(queryParams);
+      }
+      try {
+        delegationTokenServer.request(req, null, null);
+        return HttpStatus.SC_OK;
+      } catch (HttpSolrClient.RemoteSolrException re) {
+        return re.code();
+      }
+    } finally {
+      delegationTokenServer.close();
+    }
+  }
+
+  private void doSolrRequest(HttpSolrClient client, SolrRequest request,
+      int expectedStatusCode) throws Exception {
+    try {
+      client.request(request);
+      assertEquals(HttpStatus.SC_OK, expectedStatusCode);
+    } catch (HttpSolrClient.RemoteSolrException ex) {
+      assertEquals(expectedStatusCode, ex.code());
+    }
+  }
+
+  private void verifyTokenValid(String token) throws Exception {
+     // pass with token
+    doSolrRequest(token, HttpStatus.SC_OK, solrClientPrimary);
+
+    // fail without token
+    doSolrRequest(null, ErrorCode.UNAUTHORIZED.code, solrClientPrimary);
+
+    // pass with token on other server
+    doSolrRequest(token, HttpStatus.SC_OK, solrClientSecondary);
+
+    // fail without token on other server
+    doSolrRequest(null, ErrorCode.UNAUTHORIZED.code, solrClientSecondary);
+  }
+
+  /**
+   * Test basic Delegation Token get/verify
+   */
+  @Test
+  public void testDelegationTokenVerify() throws Exception {
+    final String user = "bar";
+
+    // Get token
+    String token = getDelegationToken(null, user, solrClientPrimary);
+    assertNotNull(token);
+    verifyTokenValid(token);
+  }
+
+  private void verifyTokenCancelled(String token, HttpSolrClient client) throws Exception {
+    // fail with token on both servers.  If cancelToOtherURL is true,
+    // the request went to other url, so FORBIDDEN should be returned immediately.
+    // The cancelled token may take awhile to propogate to the standard url (via ZK).
+    // This is of course the opposite if cancelToOtherURL is false.
+    doSolrRequest(token, ErrorCode.FORBIDDEN.code, client, 10);
+
+    // fail without token on both servers
+    doSolrRequest(null, ErrorCode.UNAUTHORIZED.code, solrClientPrimary);
+    doSolrRequest(null, ErrorCode.UNAUTHORIZED.code, solrClientSecondary);
+  }
+
+  @Test
+  public void testDelegationTokenCancel() throws Exception {
+    {
+      // Get token
+      String token = getDelegationToken(null, "user", solrClientPrimary);
+      assertNotNull(token);
+
+      // cancel token, note don't need to be authenticated to cancel (no user specified)
+      cancelDelegationToken(token, HttpStatus.SC_OK, solrClientPrimary);
+      verifyTokenCancelled(token, solrClientPrimary);
+    }
+
+    {
+      // cancel token on different server from where we got it
+      String token = getDelegationToken(null, "user", solrClientPrimary);
+      assertNotNull(token);
+
+      cancelDelegationToken(token, HttpStatus.SC_OK, solrClientSecondary);
+      verifyTokenCancelled(token, solrClientSecondary);
+    }
+  }
+
+  @Test
+  public void testDelegationTokenCancelFail() throws Exception {
+    // cancel a bogus token
+    cancelDelegationToken("BOGUS", ErrorCode.NOT_FOUND.code, solrClientPrimary);
+
+    {
+      // cancel twice, first on same server
+      String token = getDelegationToken(null, "bar", solrClientPrimary);
+      assertNotNull(token);
+      cancelDelegationToken(token, HttpStatus.SC_OK, solrClientPrimary);
+      cancelDelegationToken(token, ErrorCode.NOT_FOUND.code, solrClientSecondary);
+      cancelDelegationToken(token, ErrorCode.NOT_FOUND.code, solrClientPrimary);
+    }
+
+    {
+      // cancel twice, first on other server
+      String token = getDelegationToken(null, "bar", solrClientPrimary);
+      assertNotNull(token);
+      cancelDelegationToken(token, HttpStatus.SC_OK, solrClientSecondary);
+      cancelDelegationToken(token, ErrorCode.NOT_FOUND.code, solrClientSecondary);
+      cancelDelegationToken(token, ErrorCode.NOT_FOUND.code, solrClientPrimary);
+    }
+  }
+
+  private void verifyDelegationTokenRenew(String renewer, String user)
+  throws Exception {
+    {
+      // renew on same server
+      String token = getDelegationToken(renewer, user, solrClientPrimary);
+      assertNotNull(token);
+      long now = Time.now();
+      assertTrue(renewDelegationToken(token, HttpStatus.SC_OK, user, solrClientPrimary) > now);
+      verifyTokenValid(token);
+    }
+
+    {
+      // renew on different server
+      String token = getDelegationToken(renewer, user, solrClientPrimary);
+      assertNotNull(token);
+      long now = Time.now();
+      assertTrue(renewDelegationToken(token, HttpStatus.SC_OK, user, solrClientSecondary) > now);
+      verifyTokenValid(token);
+    }
+  }
+
+  @Test
+  public void testDelegationTokenRenew() throws Exception {
+    // test with specifying renewer
+    verifyDelegationTokenRenew("bar", "bar");
+
+    // test without specifying renewer
+    verifyDelegationTokenRenew(null, "bar");
+  }
+
+  @Test
+  public void testDelegationTokenRenewFail() throws Exception {
+    // don't set renewer and try to renew as an a different user
+    String token = getDelegationToken(null, "bar", solrClientPrimary);
+    assertNotNull(token);
+    renewDelegationToken(token, ErrorCode.FORBIDDEN.code, "foo", solrClientPrimary);
+    renewDelegationToken(token, ErrorCode.FORBIDDEN.code, "foo", solrClientSecondary);
+
+    // set renewer and try to renew as different user
+    token = getDelegationToken("renewUser", "bar", solrClientPrimary);
+    assertNotNull(token);
+    renewDelegationToken(token, ErrorCode.FORBIDDEN.code, "notRenewUser", solrClientPrimary);
+    renewDelegationToken(token, ErrorCode.FORBIDDEN.code, "notRenewUser", solrClientSecondary);
+  }
+
+  /**
+   * Test that a non-delegation-token "op" http param is handled correctly
+   */
+  @Test
+  public void testDelegationOtherOp() throws Exception {
+    assertEquals(HttpStatus.SC_OK, getStatusCode(null, "bar", "someSolrOperation", solrClientPrimary));
+  }
+
+  @Test
+  public void testZNodePaths() throws Exception {
+    getDelegationToken(null, "bar", solrClientPrimary);
+    SolrZkClient zkClient = new SolrZkClient(miniCluster.getZkServer().getZkAddress(), 1000);
+    try {
+      assertTrue(zkClient.exists("/security/zkdtsm", true));
+      assertTrue(zkClient.exists("/security/token", true));
+    } finally {
+      zkClient.close();
+    }
+  }
+
+  /**
+   * Test HttpSolrServer's delegation token support
+   */
+  @Test
+  public void testDelegationTokenSolrClient() throws Exception {
+    // Get token
+    String token = getDelegationToken(null, "bar", solrClientPrimary);
+    assertNotNull(token);
+
+    SolrRequest request = getAdminRequest(new ModifiableSolrParams());
+
+    // test without token
+    HttpSolrClient ss =
+        new HttpSolrClient.Builder(solrClientPrimary.getBaseURL().toString())
+            .withResponseParser(solrClientPrimary.getParser())
+            .build();
+    try {
+      doSolrRequest(ss, request, ErrorCode.UNAUTHORIZED.code);
+    } finally {
+      ss.close();
+    }
+
+    ss = new HttpSolrClient.Builder(solrClientPrimary.getBaseURL().toString())
+        .withDelegationToken(token)
+        .withResponseParser(solrClientPrimary.getParser())
+        .build();
+    try {
+      // test with token via property
+      doSolrRequest(ss, request, HttpStatus.SC_OK);
+
+      // test with param -- should throw an exception
+      ModifiableSolrParams tokenParam = new ModifiableSolrParams();
+      tokenParam.set("delegation", "invalidToken");
+      try {
+        doSolrRequest(ss, getAdminRequest(tokenParam), ErrorCode.FORBIDDEN.code);
+        Assert.fail("Expected exception");
+      } catch (IllegalArgumentException ex) {}
+    } finally {
+      ss.close();
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java b/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java
index 7ee510e..4091d2d 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java
@@ -16,19 +16,16 @@
  */
 package org.apache.solr.cloud;
 
-import javax.security.auth.login.Configuration;
-
 import java.io.File;
+import java.lang.invoke.MethodHandles;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
-import java.util.Locale;
 import java.util.Properties;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
 import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
 
 import org.apache.commons.io.FileUtils;
-import org.apache.hadoop.minikdc.MiniKdc;
 import org.apache.lucene.index.TieredMergePolicy;
 import org.apache.lucene.util.Constants;
 import org.apache.lucene.util.LuceneTestCase;
@@ -54,6 +51,8 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.RuleChain;
 import org.junit.rules.TestRule;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Test 5 nodes Solr cluster with Kerberos plugin enabled.
@@ -69,7 +68,7 @@ import org.junit.rules.TestRule;
 @LuceneTestCase.SuppressSysoutChecks(bugUrl = "Solr logs to JUL")
 public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
 
-  private final Configuration originalConfig = Configuration.getConfiguration();
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   protected final int NUM_SERVERS;
   protected final int NUM_SHARDS;
   protected final int REPLICATION_FACTOR;
@@ -80,9 +79,8 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
     REPLICATION_FACTOR = 1;
   }
 
-  private MiniKdc kdc;
+  private KerberosTestServices kerberosTestServices;
 
-  private Locale savedLocale; // in case locale is broken and we need to fill in a working locale
   @Rule
   public TestRule solrTestRules = RuleChain
       .outerRule(new SystemPropertiesRestoreRule());
@@ -99,7 +97,6 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
 
   @Override
   public void setUp() throws Exception {
-    savedLocale = KerberosTestUtil.overrideLocaleIfNotSpportedByMiniKdc();
     super.setUp();
     setupMiniKdc();
     HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());
@@ -108,12 +105,15 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
   private void setupMiniKdc() throws Exception {
     System.setProperty("solr.jaas.debug", "true");
     String kdcDir = createTempDir()+File.separator+"minikdc";
-    kdc = KerberosTestUtil.getKdc(new File(kdcDir));
+    String solrClientPrincipal = "solr";
     File keytabFile = new File(kdcDir, "keytabs");
+    kerberosTestServices = KerberosTestServices.builder()
+        .withKdc(new File(kdcDir))
+        .withJaasConfiguration(solrClientPrincipal, keytabFile, "SolrClient")
+        .build();
     String solrServerPrincipal = "HTTP/127.0.0.1";
-    String solrClientPrincipal = "solr";
-    kdc.start();
-    kdc.createPrincipal(keytabFile, solrServerPrincipal, solrClientPrincipal);
+    kerberosTestServices.start();
+    kerberosTestServices.getKdc().createPrincipal(keytabFile, solrServerPrincipal, solrClientPrincipal);
 
     String jaas = "SolrClient {\n"
         + " com.sun.security.auth.module.Krb5LoginModule required\n"
@@ -126,9 +126,6 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
         + " principal=\"" + solrClientPrincipal + "\";\n"
         + "};";
 
-    Configuration conf = new KerberosTestUtil.JaasConfiguration(solrClientPrincipal, keytabFile, "SolrClient");
-    Configuration.setConfiguration(conf);
-
     String jaasFilePath = kdcDir+File.separator+"jaas-client.conf";
     FileUtils.write(new File(jaasFilePath), jaas, StandardCharsets.UTF_8);
     System.setProperty("java.security.auth.login.config", jaasFilePath);
@@ -137,6 +134,9 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
     System.setProperty("solr.kerberos.principal", solrServerPrincipal);
     System.setProperty("solr.kerberos.keytab", keytabFile.getAbsolutePath());
     System.setProperty("authenticationPlugin", "org.apache.solr.security.KerberosPlugin");
+    boolean enableDt = random().nextBoolean();
+    log.info("Enable delegation token: " + enableDt);
+    System.setProperty("solr.kerberos.delegation.token.enabled", new Boolean(enableDt).toString());
     // Extracts 127.0.0.1 from HTTP/127.0.0.1@EXAMPLE.COM
     System.setProperty("solr.kerberos.name.rules", "RULE:[1:$1@$0](.*EXAMPLE.COM)s/@.*//"
         + "\nRULE:[2:$2@$0](.*EXAMPLE.COM)s/@.*//"
@@ -243,11 +243,7 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
     System.clearProperty("authenticationPlugin");
     System.clearProperty("solr.kerberos.name.rules");
     System.clearProperty("solr.jaas.debug");
-    Configuration.setConfiguration(this.originalConfig);
-    if (kdc != null) {
-      kdc.stop();
-    }
-    Locale.setDefault(savedLocale);
+    kerberosTestServices.stop();
     super.tearDown();
   }
 }

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java b/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java
index 31919a8..95422fa 100644
--- a/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java
+++ b/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java
@@ -21,6 +21,7 @@ import java.lang.invoke.MethodHandles;
 import java.nio.charset.Charset;
 
 import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
 import org.apache.solr.common.cloud.SolrZkClient;
 import org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider;
 import org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider;
@@ -76,6 +77,8 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
     zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
     zkClient.create("/protectedCreateNode", "content".getBytes(DATA_ENCODING), CreateMode.PERSISTENT, false);
     zkClient.makePath("/protectedMakePathNode", "content".getBytes(DATA_ENCODING), CreateMode.PERSISTENT, false);
+
+    zkClient.create(SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH, "content".getBytes(DATA_ENCODING), CreateMode.PERSISTENT, false);
     zkClient.close();
     
     clearSecuritySystemProperties();
@@ -106,7 +109,9 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
     
     SolrZkClient zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
     try {
-      doTest(zkClient, false, false, false, false, false);
+      doTest(zkClient,
+          false, false, false, false, false,
+          false, false, false, false, false);
     } finally {
       zkClient.close();
     }
@@ -118,7 +123,9 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
     
     SolrZkClient zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
     try {
-      doTest(zkClient, false, false, false, false, false);
+      doTest(zkClient,
+          false, false, false, false, false,
+          false, false, false, false, false);
     } finally {
       zkClient.close();
     }
@@ -130,7 +137,9 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
 
     SolrZkClient zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
     try {
-      doTest(zkClient, true, true, true, true, true);
+      doTest(zkClient,
+          true, true, true, true, true,
+          true, true, true, true, true);
     } finally {
       zkClient.close();
     }
@@ -142,17 +151,23 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
 
     SolrZkClient zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
     try {
-      doTest(zkClient, true, true, false, false, false);
+      doTest(zkClient,
+          true, true, false, false, false,
+          false, false, false, false, false);
     } finally {
       zkClient.close();
     }
   }
     
-  protected static void doTest(SolrZkClient zkClient, boolean getData, boolean list, boolean create, boolean setData, boolean delete) throws Exception {
+  protected static void doTest(
+      SolrZkClient zkClient,
+      boolean getData, boolean list, boolean create, boolean setData, boolean delete,
+      boolean secureGet, boolean secureList, boolean secureCreate, boolean secureSet, boolean secureDelete) throws Exception {
     doTest(zkClient, "/protectedCreateNode", getData, list, create, setData, delete);
     doTest(zkClient, "/protectedMakePathNode", getData, list, create, setData, delete);
     doTest(zkClient, "/unprotectedCreateNode", true, true, true, true, delete);
     doTest(zkClient, "/unprotectedMakePathNode", true, true, true, true, delete);
+    doTest(zkClient, SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH, secureGet, secureList, secureCreate, secureSet, secureDelete);
   }
   
   protected static void doTest(SolrZkClient zkClient, String path, boolean getData, boolean list, boolean create, boolean setData, boolean delete) throws Exception {

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenAuthenticationHandler.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenAuthenticationHandler.java b/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenAuthenticationHandler.java
new file mode 100644
index 0000000..7c5c94a
--- /dev/null
+++ b/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenAuthenticationHandler.java
@@ -0,0 +1,109 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.security;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
+
+import org.apache.http.NameValuePair;
+import org.apache.http.client.utils.URLEncodedUtils;
+
+/**
+ * AuthenticationHandler that supports delegation tokens and simple
+ * authentication via the "user" http parameter
+ */
+public class HttpParamDelegationTokenAuthenticationHandler extends
+    DelegationTokenAuthenticationHandler {
+
+  public static final String USER_PARAM = "user";
+
+  public HttpParamDelegationTokenAuthenticationHandler() {
+    super(new HttpParamAuthenticationHandler());
+  }
+
+  @Override
+  public void init(Properties config) throws ServletException {
+    Properties conf = new Properties();
+    for (Map.Entry entry : config.entrySet()) {
+      conf.setProperty((String) entry.getKey(), (String) entry.getValue());
+    }
+    conf.setProperty(TOKEN_KIND, KerberosPlugin.DELEGATION_TOKEN_TYPE_DEFAULT);
+    super.init(conf);
+  }
+ 
+  private static String getHttpParam(HttpServletRequest request, String param) {
+    List<NameValuePair> pairs =
+      URLEncodedUtils.parse(request.getQueryString(), Charset.forName("UTF-8"));
+    for (NameValuePair nvp : pairs) {
+      if(param.equals(nvp.getName())) {
+        return nvp.getValue();
+      }
+    }
+    return null;
+  }
+
+  private static class HttpParamAuthenticationHandler
+      implements AuthenticationHandler {
+
+    @Override
+    public String getType() {
+      return "dummy";
+    }
+
+    @Override
+    public void init(Properties config) throws ServletException {
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    @Override
+    public boolean managementOperation(AuthenticationToken token,
+        HttpServletRequest request, HttpServletResponse response)
+        throws IOException, AuthenticationException {
+      return false;
+    }
+
+    @Override
+    public AuthenticationToken authenticate(HttpServletRequest request,
+        HttpServletResponse response)
+        throws IOException, AuthenticationException {
+      AuthenticationToken token = null;
+      String userName = getHttpParam(request, USER_PARAM);
+      if (userName != null) {
+        return new AuthenticationToken(userName, userName, "test");
+      } else {
+        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        response.setHeader("WWW-Authenticate", "dummy");
+      }
+      return token;
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java
index e3cf7bd..3013086 100644
--- a/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java
@@ -20,11 +20,16 @@ import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
 import java.io.IOException;
 import java.security.Principal;
 import java.util.Map;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Predicate;
 
+import org.apache.http.auth.BasicUserPrincipal;
+
 public class MockAuthenticationPlugin extends AuthenticationPlugin {
   static Predicate<ServletRequest> predicate;
 
@@ -33,7 +38,7 @@ public class MockAuthenticationPlugin extends AuthenticationPlugin {
   }
 
   @Override
-  public void doAuthenticate(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+  public boolean doAuthenticate(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
     String user = null;
     if (predicate != null) {
       if (predicate.test(request)) {
@@ -41,9 +46,32 @@ public class MockAuthenticationPlugin extends AuthenticationPlugin {
         request.removeAttribute(Principal.class.getName());
       }
     }
-    forward(user, request, response, filterChain);
+
+    final FilterChain ffc = filterChain;
+    final AtomicBoolean requestContinues = new AtomicBoolean(false);
+    forward(user, request, response, new FilterChain() {
+      @Override
+      public void doFilter(ServletRequest req, ServletResponse res) throws IOException, ServletException {
+        ffc.doFilter(req, res);
+        requestContinues.set(true);
+      }
+    });
+    return requestContinues.get();
   }
 
+  protected void forward(String user, ServletRequest  req, ServletResponse rsp,
+                                    FilterChain chain) throws IOException, ServletException {
+    if(user != null) {
+      final Principal p = new BasicUserPrincipal(user);
+      req = new HttpServletRequestWrapper((HttpServletRequest) req) {
+        @Override
+        public Principal getUserPrincipal() {
+          return p;
+        }
+      };
+    }
+    chain.doFilter(req,rsp);
+  }
 
   @Override
   public void close() throws IOException {

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/licenses/curator-recipes-2.8.0.jar.sha1
----------------------------------------------------------------------
diff --git a/solr/licenses/curator-recipes-2.8.0.jar.sha1 b/solr/licenses/curator-recipes-2.8.0.jar.sha1
new file mode 100644
index 0000000..82d8946
--- /dev/null
+++ b/solr/licenses/curator-recipes-2.8.0.jar.sha1
@@ -0,0 +1 @@
+c563e25fb37f85a6b029bc9746e75573640474fb

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/licenses/curator-recipes-LICENSE-ASL.txt
----------------------------------------------------------------------
diff --git a/solr/licenses/curator-recipes-LICENSE-ASL.txt b/solr/licenses/curator-recipes-LICENSE-ASL.txt
new file mode 100644
index 0000000..7a4a3ea
--- /dev/null
+++ b/solr/licenses/curator-recipes-LICENSE-ASL.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/licenses/curator-recipes-NOTICE.txt
----------------------------------------------------------------------
diff --git a/solr/licenses/curator-recipes-NOTICE.txt b/solr/licenses/curator-recipes-NOTICE.txt
new file mode 100644
index 0000000..f568d0f
--- /dev/null
+++ b/solr/licenses/curator-recipes-NOTICE.txt
@@ -0,0 +1,5 @@
+Apache Curator
+Copyright 2013-2014 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/ivy.xml
----------------------------------------------------------------------
diff --git a/solr/solrj/ivy.xml b/solr/solrj/ivy.xml
index ceefcc3..f2296c5 100644
--- a/solr/solrj/ivy.xml
+++ b/solr/solrj/ivy.xml
@@ -1,3 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
 <!--
    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
@@ -40,6 +41,10 @@
 
     <dependency org="org.slf4j" name="slf4j-log4j12" rev="${/org.slf4j/slf4j-log4j12}" conf="test"/>
 
+    <dependency org="com.fasterxml.jackson.core" name="jackson-annotations"  rev="${/com.fasterxml.jackson.core/jackson-annotations}"   conf="compile"/>
+    <dependency org="com.fasterxml.jackson.core" name="jackson-core" rev="${/com.fasterxml.jackson.core/jackson-core}" conf="compile"/>
+    <dependency org="com.fasterxml.jackson.core" name="jackson-databind" rev="${/com.fasterxml.jackson.core/jackson-databind}" conf="compile"/>
+    <dependency org="com.google.guava" name="guava" rev="${/com.google.guava/guava}" conf="compile"/>
     <exclude org="*" ext="*" matcher="regexp" type="${ivy.exclude.types}"/>
   </dependencies>
 </ivy-module>

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
index 538a2b7..b6fd836 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
@@ -23,6 +23,7 @@ import java.lang.invoke.MethodHandles;
 import java.net.ConnectException;
 import java.net.SocketTimeoutException;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Iterator;
@@ -30,6 +31,7 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 
@@ -770,7 +772,44 @@ public class HttpSolrClient extends SolrClient {
       super(code, "Error from server at " + remoteHost + ": " + msg, th);
     }
   }
-  
+
+  private static class DelegationTokenHttpSolrClient extends HttpSolrClient {
+    private final String DELEGATION_TOKEN_PARAM = "delegation";
+    private final String delegationToken;
+
+    public DelegationTokenHttpSolrClient(String baseURL,
+                                         HttpClient client,
+                                         ResponseParser parser,
+                                         boolean allowCompression,
+                                         String delegationToken) {
+      super(baseURL, client, parser, allowCompression);
+      if (delegationToken == null) {
+        throw new IllegalArgumentException("Delegation token cannot be null");
+      }
+      this.delegationToken = delegationToken;
+      setQueryParams(new TreeSet<String>(Arrays.asList(DELEGATION_TOKEN_PARAM)));
+      invariantParams = new ModifiableSolrParams();
+      invariantParams.set(DELEGATION_TOKEN_PARAM, delegationToken);
+    }
+
+    @Override
+    protected HttpRequestBase createMethod(final SolrRequest request, String collection) throws IOException, SolrServerException {
+      SolrParams params = request.getParams();
+      if (params.getParams(DELEGATION_TOKEN_PARAM) != null) {
+        throw new IllegalArgumentException(DELEGATION_TOKEN_PARAM + " parameter not supported");
+      }
+      return super.createMethod(request, collection);
+    }
+
+    @Override
+    public void setQueryParams(Set<String> queryParams) {
+      if (queryParams == null || !queryParams.contains(DELEGATION_TOKEN_PARAM)) {
+        throw new IllegalArgumentException("Query params must contain " + DELEGATION_TOKEN_PARAM);
+      }
+      super.setQueryParams(queryParams);
+    }
+  }
+
   /**
    * Constructs {@link HttpSolrClient} instances from provided configuration.
    */
@@ -779,6 +818,7 @@ public class HttpSolrClient extends SolrClient {
     private HttpClient httpClient;
     private ResponseParser responseParser;
     private boolean compression;
+    private String delegationToken;
     
     /**
      * Create a Builder object, based on the provided Solr URL.
@@ -815,7 +855,14 @@ public class HttpSolrClient extends SolrClient {
       this.compression = compression;
       return this;
     }
-    
+
+    /**
+     * Use a delegation token for authenticating via the KerberosPlugin
+     */
+    public Builder withDelegationToken(String delegationToken) {
+      this.delegationToken = delegationToken;
+      return this;
+    }
     /**
      * Create a {@link HttpSolrClient} based on provided configuration.
      */
@@ -823,7 +870,11 @@ public class HttpSolrClient extends SolrClient {
       if (baseSolrUrl == null) {
         throw new IllegalArgumentException("Cannot create HttpSolrClient without a valid baseSolrUrl!");
       }
-      return new HttpSolrClient(baseSolrUrl, httpClient, responseParser, compression);
+      if (delegationToken == null) {
+        return new HttpSolrClient(baseSolrUrl, httpClient, responseParser, compression);
+      } else {
+        return new DelegationTokenHttpSolrClient(baseSolrUrl, httpClient, responseParser, compression, delegationToken);
+      }
     }
   }
 }

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java
index 8b2705b..f2a7adb 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java
@@ -27,6 +27,7 @@ import java.util.Set;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpEntityEnclosingRequest;
 import org.apache.http.HttpException;
@@ -53,7 +54,16 @@ public class Krb5HttpClientConfigurer extends HttpClientConfigurer {
   public static final String LOGIN_CONFIG_PROP = "java.security.auth.login.config";
   private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   
-  private static final Configuration jaasConfig = new SolrJaasConfiguration();
+  private static Configuration jaasConfig = new SolrJaasConfiguration();
+
+  /**
+   * The jaasConfig is static, which makes it problematic for testing in the same jvm.
+   * Call this function to regenerate the static config (this is not thread safe).
+   */
+  @VisibleForTesting
+  public static void regenerateJaasConfiguration() {
+    jaasConfig = new SolrJaasConfiguration();
+  }
 
   public void configure(DefaultHttpClient httpClient, SolrParams config) {
     super.configure(httpClient, config);

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/client/solrj/request/DelegationTokenRequest.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/request/DelegationTokenRequest.java b/solr/solrj/src/java/org/apache/solr/client/solrj/request/DelegationTokenRequest.java
new file mode 100644
index 0000000..6d2f0cb
--- /dev/null
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/request/DelegationTokenRequest.java
@@ -0,0 +1,152 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.client.solrj.request;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.apache.solr.client.solrj.SolrRequest;
+import org.apache.solr.client.solrj.SolrClient;
+import org.apache.solr.client.solrj.impl.NoOpResponseParser;
+import org.apache.solr.client.solrj.response.DelegationTokenResponse;
+
+import org.apache.solr.common.params.ModifiableSolrParams;
+import org.apache.solr.common.params.SolrParams;
+import org.apache.solr.common.util.ContentStream;
+
+/**
+ * Class for making Solr delegation token requests.
+ *
+ * @since Solr 6.2
+ */
+public abstract class DelegationTokenRequest
+    <Q extends DelegationTokenRequest<Q,R>, R extends DelegationTokenResponse>
+    extends SolrRequest<R> {
+
+  protected static final String OP_KEY = "op";
+  protected static final String TOKEN_KEY = "token";
+
+  public DelegationTokenRequest(METHOD m) {
+    // path doesn't really matter -- the filter will respond to any path.
+    // setting the path to admin/collections lets us pass through CloudSolrServer
+    // without having to specify a collection (that may not even exist yet).
+    super(m, "/admin/collections");
+  }
+
+  protected abstract Q getThis();
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public Collection<ContentStream> getContentStreams() throws IOException {
+    return null;
+  }
+
+  @Override
+  protected abstract R createResponse(SolrClient client);
+
+  public static class Get extends DelegationTokenRequest<Get, DelegationTokenResponse.Get> {
+    protected String renewer;
+
+    public Get() {
+      this(null);
+    }
+
+    public Get(String renewer) {
+      super(METHOD.GET);
+      this.renewer = renewer;
+      setResponseParser(new DelegationTokenResponse.JsonMapResponseParser());
+      setQueryParams(new TreeSet<String>(Arrays.asList(OP_KEY)));
+    }
+
+    @Override
+    protected Get getThis() {
+      return this;
+    }
+
+    @Override
+    public SolrParams getParams() {
+      ModifiableSolrParams params = new ModifiableSolrParams();
+      params.set(OP_KEY, "GETDELEGATIONTOKEN");
+      if (renewer != null) params.set("renewer", renewer);
+      return params;
+    }
+
+    @Override
+    public DelegationTokenResponse.Get createResponse(SolrClient client) { return new DelegationTokenResponse.Get(); }
+  }
+
+  public static class Renew extends DelegationTokenRequest<Renew, DelegationTokenResponse.Renew> {
+    protected String token;
+
+    @Override
+    protected Renew getThis() {
+      return this;
+    }
+
+    public Renew(String token) {
+      super(METHOD.PUT);
+      this.token = token;
+      setResponseParser(new DelegationTokenResponse.JsonMapResponseParser());
+      setQueryParams(new TreeSet<String>(Arrays.asList(OP_KEY, TOKEN_KEY)));
+    }
+
+    @Override
+    public SolrParams getParams() {
+      ModifiableSolrParams params = new ModifiableSolrParams();
+      params.set(OP_KEY, "RENEWDELEGATIONTOKEN");
+      params.set(TOKEN_KEY, token);
+      return params;
+    }
+
+    @Override
+    public DelegationTokenResponse.Renew createResponse(SolrClient client) { return new DelegationTokenResponse.Renew(); }
+  }
+
+  public static class Cancel extends DelegationTokenRequest<Cancel, DelegationTokenResponse.Cancel> {
+    protected String token;
+
+    public Cancel(String token) {
+      super(METHOD.PUT);
+      this.token = token;
+      setResponseParser(new NoOpResponseParser());
+      Set<String> queryParams = new TreeSet<String>();
+      setQueryParams(new TreeSet<String>(Arrays.asList(OP_KEY, TOKEN_KEY)));
+    }
+
+    @Override
+    protected Cancel getThis() {
+      return this;
+    }
+
+    @Override
+    public SolrParams getParams() {
+      ModifiableSolrParams params = new ModifiableSolrParams();
+      params.set(OP_KEY, "CANCELDELEGATIONTOKEN");
+      params.set(TOKEN_KEY, token);
+      return params;
+    }
+
+    @Override
+    public DelegationTokenResponse.Cancel createResponse(SolrClient client) { return new DelegationTokenResponse.Cancel(); }
+  }
+}

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/client/solrj/response/DelegationTokenResponse.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/response/DelegationTokenResponse.java b/solr/solrj/src/java/org/apache/solr/client/solrj/response/DelegationTokenResponse.java
new file mode 100644
index 0000000..c80e2eb
--- /dev/null
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/response/DelegationTokenResponse.java
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.client.solrj.response;
+
+import org.apache.solr.client.solrj.ResponseParser;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.NamedList;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.util.Map;
+
+/**
+ * Delegation Token responses
+ */
+public abstract class DelegationTokenResponse extends SolrResponseBase {
+
+  public static class Get extends DelegationTokenResponse {
+
+    /**
+     * Get the urlString to be used as the delegation token
+     */
+    public String getDelegationToken() {
+      try {
+        Map map = (Map)getResponse().get("Token");
+        if (map != null) {
+          return (String)map.get("urlString");
+        }
+      } catch (ClassCastException e) {
+        throw new SolrException (SolrException.ErrorCode.SERVER_ERROR,
+          "parsing error", e);
+      }
+      return null;
+    }
+  }
+
+  public static class Renew extends DelegationTokenResponse {
+    public Long getExpirationTime() {
+      try {
+        return (Long)getResponse().get("long");
+      } catch (ClassCastException e) {
+        throw new SolrException (SolrException.ErrorCode.SERVER_ERROR,
+          "parsing error", e);
+      }
+    }
+  }
+
+  public static class Cancel extends DelegationTokenResponse {
+  }
+
+  /**
+   * ResponseParser for JsonMaps.  Used for Get and Renew DelegationToken responses.
+   */
+  public static class JsonMapResponseParser extends ResponseParser {
+    @Override
+    public String getWriterType() {
+      return "json";
+    }
+
+    @Override
+    public NamedList<Object> processResponse(InputStream body, String encoding) {
+      ObjectMapper mapper = new ObjectMapper();
+      Map map = null;
+      try {
+        map = mapper.readValue(body, Map.class);
+      } catch (IOException e) {
+        throw new SolrException (SolrException.ErrorCode.SERVER_ERROR,
+          "parsing error", e);
+      }
+      NamedList<Object> list = new NamedList<Object>();
+      list.addAll(map);
+      return list;
+    }
+
+    @Override
+    public NamedList<Object> processResponse(Reader reader) {
+      throw new RuntimeException("Cannot handle character stream");
+    }
+
+    @Override
+    public String getContentType() {
+      return "application/json";
+    }
+
+    @Override
+    public String getVersion() {
+      return "1";
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java b/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java
index eaccb8c..c67ad12 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java
@@ -30,19 +30,22 @@ import org.apache.zookeeper.data.Id;
  * configurations have already been set up and will not be modified, or
  * where configuration changes are controlled via Solr APIs.
  */
-public class SaslZkACLProvider extends DefaultZkACLProvider {
+public class SaslZkACLProvider extends SecurityAwareZkACLProvider {
 
   private static String superUser = System.getProperty("solr.authorization.superuser", "solr");
 
   @Override
-  protected List<ACL> createGlobalACLsToAdd() {
-    List<ACL> result = new ArrayList<ACL>();
-    result.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", superUser)));
-    result.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
+  protected List<ACL> createNonSecurityACLsToAdd() {
+    List<ACL> ret = new ArrayList<ACL>();
+    ret.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", superUser)));
+    ret.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
+    return ret;
+  }
 
-    if (result.isEmpty()) {
-      result = super.createGlobalACLsToAdd();
-    }
-    return result;
+  @Override
+  protected List<ACL> createSecurityACLsToAdd() {
+    List<ACL> ret = new ArrayList<ACL>();
+    ret.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", superUser)));
+    return ret;
   }
 }

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/common/cloud/SecurityAwareZkACLProvider.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/SecurityAwareZkACLProvider.java b/solr/solrj/src/java/org/apache/solr/common/cloud/SecurityAwareZkACLProvider.java
new file mode 100644
index 0000000..1c74d94
--- /dev/null
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/SecurityAwareZkACLProvider.java
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.common.cloud;
+
+import java.util.List;
+
+import org.apache.zookeeper.data.ACL;
+
+/**
+ * {@link ZkACLProvider} capable of returning a different set of
+ * {@link ACL}s for security-related znodes (default: subtree under /security)
+ * vs non-security-related znodes.
+ */
+public abstract class SecurityAwareZkACLProvider implements ZkACLProvider {
+  public static final String SECURITY_ZNODE_PATH = "/security";
+
+  private List<ACL> nonSecurityACLsToAdd;
+  private List<ACL> securityACLsToAdd;
+
+
+  @Override
+  public List<ACL> getACLsToAdd(String zNodePath) {
+    if (isSecurityZNodePath(zNodePath)) {
+      return getSecurityACLsToAdd();
+    } else {
+      return getNonSecurityACLsToAdd();
+    }
+  }
+
+  protected boolean isSecurityZNodePath(String zNodePath) {
+    if (zNodePath != null
+        && (zNodePath.equals(SECURITY_ZNODE_PATH) || zNodePath.startsWith(SECURITY_ZNODE_PATH + "/"))) {
+      return true;
+    }
+    return false;
+  }
+
+  /**
+   * @return Set of ACLs to return for non-security related znodes
+   */
+  protected abstract List<ACL> createNonSecurityACLsToAdd();
+
+  /**
+   * @return Set of ACLs to return security-related znodes
+   */
+  protected abstract List<ACL> createSecurityACLsToAdd();
+
+  private List<ACL> getNonSecurityACLsToAdd() {
+    if (nonSecurityACLsToAdd == null) {
+      synchronized (this) {
+        if (nonSecurityACLsToAdd == null) nonSecurityACLsToAdd = createNonSecurityACLsToAdd();
+      }
+    }
+    return nonSecurityACLsToAdd;
+  }
+
+  private List<ACL> getSecurityACLsToAdd() {
+    if (securityACLsToAdd == null) {
+      synchronized (this) {
+        if (securityACLsToAdd == null) securityACLsToAdd = createSecurityACLsToAdd();
+      }
+    }
+    return securityACLsToAdd;
+  }
+}

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java b/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java
index af6f9be..516b7b9 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java
@@ -122,12 +122,12 @@ public class SolrZkClient implements Closeable {
 
   public SolrZkClient(String zkServerAddress, int zkClientTimeout, int clientConnectTimeout,
       ZkClientConnectionStrategy strat, final OnReconnect onReconnect, BeforeReconnect beforeReconnect, ZkACLProvider zkACLProvider) {
-    this.zkClientConnectionStrategy = strat;
     this.zkServerAddress = zkServerAddress;
     
     if (strat == null) {
       strat = new DefaultConnectionStrategy();
     }
+    this.zkClientConnectionStrategy = strat;
 
     if (!strat.hasZkCredentialsToAddAutomatically()) {
       ZkCredentialsProvider zkCredentialsToAddAutomatically = createZkCredentialsToAddAutomatically();

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java b/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java
index f6f491b..8866245 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java
@@ -20,13 +20,14 @@ import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
 
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.solr.common.StringUtils;
 import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
 
-public class VMParamsAllAndReadonlyDigestZkACLProvider extends DefaultZkACLProvider {
+public class VMParamsAllAndReadonlyDigestZkACLProvider extends SecurityAwareZkACLProvider {
 
   public static final String DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME = "zkDigestReadonlyUsername";
   public static final String DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME = "zkDigestReadonlyPassword";
@@ -53,29 +54,56 @@ public class VMParamsAllAndReadonlyDigestZkACLProvider extends DefaultZkACLProvi
     this.zkDigestReadonlyPasswordVMParamName = zkDigestReadonlyPasswordVMParamName;
   }
 
+  /**
+   * @return Set of ACLs to return for non-security related znodes
+   */
+  @Override
+  protected List<ACL> createNonSecurityACLsToAdd() {
+    return createACLsToAdd(true);
+  }
 
+  /**
+   * @return Set of ACLs to return security-related znodes
+   */
   @Override
-  protected List<ACL> createGlobalACLsToAdd() {
-    try {
+  protected List<ACL> createSecurityACLsToAdd() {
+    return createACLsToAdd(false);
+  }
+
+  protected List<ACL> createACLsToAdd(boolean includeReadOnly) {
+    String digestAllUsername = System.getProperty(zkDigestAllUsernameVMParamName);
+    String digestAllPassword = System.getProperty(zkDigestAllPasswordVMParamName);
+    String digestReadonlyUsername = System.getProperty(zkDigestReadonlyUsernameVMParamName);
+    String digestReadonlyPassword = System.getProperty(zkDigestReadonlyPasswordVMParamName);
+
+    return createACLsToAdd(includeReadOnly,
+        digestAllUsername, digestAllPassword,
+        digestReadonlyUsername, digestReadonlyPassword);
+  }
+
+  @VisibleForTesting
+  protected List<ACL> createACLsToAdd(boolean includeReadOnly,
+                                      String digestAllUsername, String digestAllPassword,
+                                      String digestReadonlyUsername, String digestReadonlyPassword) {
+
+      try {
       List<ACL> result = new ArrayList<ACL>();
   
       // Not to have to provide too much credentials and ACL information to the process it is assumed that you want "ALL"-acls
       // added to the user you are using to connect to ZK (if you are using VMParamsSingleSetCredentialsDigestZkCredentialsProvider)
-      String digestAllUsername = System.getProperty(zkDigestAllUsernameVMParamName);
-      String digestAllPassword = System.getProperty(zkDigestAllPasswordVMParamName);
       if (!StringUtils.isEmpty(digestAllUsername) && !StringUtils.isEmpty(digestAllPassword)) {
         result.add(new ACL(ZooDefs.Perms.ALL, new Id("digest", DigestAuthenticationProvider.generateDigest(digestAllUsername + ":" + digestAllPassword))));
       }
-  
-      // Besides that support for adding additional "READONLY"-acls for another user
-      String digestReadonlyUsername = System.getProperty(zkDigestReadonlyUsernameVMParamName);
-      String digestReadonlyPassword = System.getProperty(zkDigestReadonlyPasswordVMParamName);
-      if (!StringUtils.isEmpty(digestReadonlyUsername) && !StringUtils.isEmpty(digestReadonlyPassword)) {
-        result.add(new ACL(ZooDefs.Perms.READ, new Id("digest", DigestAuthenticationProvider.generateDigest(digestReadonlyUsername + ":" + digestReadonlyPassword))));
+
+      if (includeReadOnly) {
+        // Besides that support for adding additional "READONLY"-acls for another user
+        if (!StringUtils.isEmpty(digestReadonlyUsername) && !StringUtils.isEmpty(digestReadonlyPassword)) {
+          result.add(new ACL(ZooDefs.Perms.READ, new Id("digest", DigestAuthenticationProvider.generateDigest(digestReadonlyUsername + ":" + digestReadonlyPassword))));
+        }
       }
       
       if (result.isEmpty()) {
-        result = super.createGlobalACLsToAdd();
+        result = ZooDefs.Ids.OPEN_ACL_UNSAFE;
       }
       
       return result;

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java b/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java
index 43a2c52..acc5abf 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java
@@ -97,7 +97,9 @@ public abstract class ZkClientConnectionStrategy {
   public boolean hasZkCredentialsToAddAutomatically() {
     return zkCredentialsToAddAutomatically != null;
   }
-  
+
+  public ZkCredentialsProvider getZkCredentialsToAddAutomatically() { return zkCredentialsToAddAutomatically; }
+
   protected SolrZooKeeper createSolrZooKeeper(final String serverAddress, final int zkClientTimeout,
       final Watcher watcher) throws IOException {
     SolrZooKeeper result = new SolrZooKeeper(serverAddress, zkClientTimeout, watcher);

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/test/org/apache/solr/client/solrj/request/TestDelegationTokenRequest.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/request/TestDelegationTokenRequest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/request/TestDelegationTokenRequest.java
new file mode 100644
index 0000000..47b8385
--- /dev/null
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/request/TestDelegationTokenRequest.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.client.solrj.request;
+
+import org.apache.lucene.util.LuceneTestCase;
+
+import org.junit.Test;
+
+/**
+ * Test for DelegationTokenRequests
+ */
+public class TestDelegationTokenRequest extends LuceneTestCase {
+
+  @Test
+  public void testGetRequest() throws Exception {
+    // without renewer
+    DelegationTokenRequest.Get get = new DelegationTokenRequest.Get();
+    assertEquals("GETDELEGATIONTOKEN", get.getParams().get("op"));
+    assertNull(get.getParams().get("renewer"));
+
+
+    // with renewer
+    final String renewer = "test";
+    get = new DelegationTokenRequest.Get(renewer);
+    assertEquals("GETDELEGATIONTOKEN", get.getParams().get("op"));
+    assertEquals(renewer, get.getParams().get("renewer"));
+  }
+
+  @Test
+  public void testRenewRequest() throws Exception {
+    final String token = "testToken";
+    DelegationTokenRequest.Renew renew = new DelegationTokenRequest.Renew(token);
+    assertEquals("RENEWDELEGATIONTOKEN", renew.getParams().get("op"));
+    assertEquals(token, renew.getParams().get("token"));
+    assertTrue(renew.getQueryParams().contains("op"));
+    assertTrue(renew.getQueryParams().contains("token"));
+
+    // can handle null token
+    renew = new DelegationTokenRequest.Renew(null);
+    renew.getParams();
+  }
+
+  @Test
+  public void testCancelRequest() throws Exception {
+    final String token = "testToken";
+    DelegationTokenRequest.Cancel cancel = new DelegationTokenRequest.Cancel(token);
+    assertEquals("CANCELDELEGATIONTOKEN", cancel.getParams().get("op"));
+    assertEquals(token, cancel.getParams().get("token"));
+    assertTrue(cancel.getQueryParams().contains("op"));
+    assertTrue(cancel.getQueryParams().contains("token"));
+
+    // can handle null token
+    cancel = new DelegationTokenRequest.Cancel(null);
+    cancel.getParams();
+  }
+}

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6cfec0bd/solr/solrj/src/test/org/apache/solr/client/solrj/response/TestDelegationTokenResponse.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/response/TestDelegationTokenResponse.java b/solr/solrj/src/test/org/apache/solr/client/solrj/response/TestDelegationTokenResponse.java
new file mode 100644
index 0000000..c376223
--- /dev/null
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/response/TestDelegationTokenResponse.java
@@ -0,0 +1,138 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.client.solrj.response;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.io.IOUtils;
+
+import org.apache.lucene.util.LuceneTestCase;
+import org.apache.solr.client.solrj.ResponseParser;
+import org.apache.solr.client.solrj.request.DelegationTokenRequest;
+import org.apache.solr.common.SolrException;
+
+import org.junit.Test;
+
+import org.noggit.CharArr;
+import org.noggit.JSONWriter;
+
+public class TestDelegationTokenResponse extends LuceneTestCase {
+
+  private void delegationTokenResponse(DelegationTokenRequest request,
+      DelegationTokenResponse response, String responseBody) throws Exception {
+    ResponseParser parser = request.getResponseParser();
+    response.setResponse(parser.processResponse(
+      IOUtils.toInputStream(responseBody, "UTF-8"), "UTF-8"));
+  }
+
+  private String getNestedMapJson(String outerKey, String innerKey, Object innerValue) {
+    CharArr out = new CharArr();
+    JSONWriter w = new JSONWriter(out, 2);
+    Map<String, Object> innerMap = new HashMap<String, Object>();
+    innerMap.put(innerKey, innerValue);
+    Map<String, Map<String, Object>> outerMap = new HashMap<String, Map<String, Object>>();
+    outerMap.put(outerKey, innerMap);
+    w.write(outerMap);
+    return out.toString();
+  }
+
+  private String getMapJson(String key, Object value) {
+    CharArr out = new CharArr();
+    JSONWriter w = new JSONWriter(out, 2);
+    Map<String, Object> map = new HashMap<String, Object>();
+    map.put(key, value);
+    w.write(map);
+    return out.toString();
+  }
+
+  @Test
+  public void testGetResponse() throws Exception {
+    DelegationTokenRequest.Get getRequest = new DelegationTokenRequest.Get();
+    DelegationTokenResponse.Get getResponse = new DelegationTokenResponse.Get();
+
+    // not a map
+    try {
+      delegationTokenResponse(getRequest, getResponse, "");
+      getResponse.getDelegationToken();
+      fail("Expected SolrException");
+    } catch (SolrException se) {
+    }
+
+    // doesn't have Token outerMap
+    final String someToken = "someToken";
+    delegationTokenResponse(getRequest, getResponse, getNestedMapJson("NotToken", "urlString", someToken));
+    assertNull(getResponse.getDelegationToken());
+
+    // Token is not a map
+    try {
+      delegationTokenResponse(getRequest, getResponse, getMapJson("Token", someToken));
+      getResponse.getDelegationToken();
+      fail("Expected SolrException");
+    } catch (SolrException se) {
+    }
+
+    // doesn't have urlString
+    delegationTokenResponse(getRequest, getResponse, getNestedMapJson("Token", "notUrlString", someToken));
+    assertNull(getResponse.getDelegationToken());
+
+    // has Token + urlString
+    delegationTokenResponse(getRequest, getResponse, getNestedMapJson("Token", "urlString", someToken));
+    assertEquals(someToken, getResponse.getDelegationToken());
+  }
+
+  @Test
+  public void testRenewResponse() throws Exception {
+    DelegationTokenRequest.Renew renewRequest = new DelegationTokenRequest.Renew("token");
+    DelegationTokenResponse.Renew renewResponse = new DelegationTokenResponse.Renew();
+
+    // not a map
+    try {
+      delegationTokenResponse(renewRequest, renewResponse, "");
+      renewResponse.getExpirationTime();
+      fail("Expected SolrException");
+    } catch (SolrException se) {
+    }
+
+    // doesn't have long
+    delegationTokenResponse(renewRequest, renewResponse, getMapJson("notLong", "123"));
+    assertNull(renewResponse.getExpirationTime());
+
+    // long isn't valid
+    try {
+      delegationTokenResponse(renewRequest, renewResponse, getMapJson("long", "aaa"));
+      renewResponse.getExpirationTime();
+      fail("Expected SolrException");
+    } catch (SolrException se) {
+    }
+
+    // valid
+    Long expirationTime = new Long(Long.MAX_VALUE);
+    delegationTokenResponse(renewRequest, renewResponse,
+      getMapJson("long", expirationTime));
+    assertEquals(expirationTime, renewResponse.getExpirationTime());
+  }
+
+  @Test
+  public void testCancelResponse() throws Exception {
+    // expect empty response
+    DelegationTokenRequest.Cancel cancelRequest = new DelegationTokenRequest.Cancel("token");
+    DelegationTokenResponse.Cancel cancelResponse = new DelegationTokenResponse.Cancel();
+    delegationTokenResponse(cancelRequest, cancelResponse, "");
+  }
+}


Mime
View raw message