lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Per Steffensen <>
Subject Re: Forwarding authentication credentials in internal node-to-node requests
Date Fri, 11 Jan 2013 14:21:08 GMT
Hmmm, it will not work for me. I want the "original" credential 
forwarded in the sub-requests. The credentials are mapped to permissions 
(authorization), and basically I dont want a user to be able have 
something done in the (automatically performed by the contacted 
solr-node) sub-requests that he is not authorized to do. Forward of 
credentials is a must. So what you are saying is that I should expect to 
have to do some modifications to Solr in order to achieve what I want?

Regards, Per Steffensen

On 1/11/13 2:11 PM, Markus Jelsma wrote:
> Hi,
> If your credentials are fixed i would configure username:password in your request handler's
shardHandlerFactory configuration section and then modify HttpShardHandlerFactory.init() to
create a HttpClient with an AuthScope configured with those settings.
> I don't think you can obtain the original credentials very easy when inside HttpShardHandlerFactory.
> Cheers
> -----Original message-----
>> From:Per Steffensen <>
>> Sent: Fri 11-Jan-2013 13:07
>> To:
>> Subject: Forwarding authentication credentials in internal node-to-node requests
>> Hi
>> I read and know a lot about
>> webcontainer authentication and authorization. Im sure I will be able to
>> set it up so that each solr-node is will require HTTP authentication for
>> (selected) incoming requests.
>> But solr-nodes also make requests among each other and Im in doubt if
>> credentials are forwarded from the "original request" to the internal
>> sub-requests?
>> E.g. lets say that each solr-node is set up to require authentication
>> for search request. An "outside" user makes a distributed request
>> including correct username/password. Since it is a distributed search,
>> the node which handles the original request from the user will have to
>> make sub-requests to other solr-nodes but they also require correct
>> credentials in order to accept this sub-request. Are the credentials
>> from the original request duplicated to the sub-requests or what options
>> do I have?
>> Same thing goes for e.g. update requests if they are sent to a node
>> which does not run (all) the replica of the shard in which the documents
>> to be added/updated/deleted belong. The node needs to make sub-request
>> to other nodes, and it will require forwarding the credentials.
>> Does this just work out of the box, or ... ?
>> Regards, Per Steffensen

View raw message