lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Jelsma <markus.jel...@openindex.io>
Subject RE: Forwarding authentication credentials in internal node-to-node requests
Date Fri, 11 Jan 2013 16:38:22 GMT
Hmm, you need to set up the HttpClient in HttpShardHandlerFactory but you cannot access the
HttpServletRequest from there, it is only available in SolrDispatchFilter AFAIK. And then,
the HttpServletRequest can only return the remote user name, not the password he, she or it
provided. I don't know how to obtain the password.
 
-----Original message-----
> From:Per Steffensen <steff@designware.dk>
> Sent: Fri 11-Jan-2013 15:28
> To: solr-user@lucene.apache.org
> Subject: Re: Forwarding authentication credentials in internal node-to-node requests
> 
> Hmmm, it will not work for me. I want the "original" credential 
> forwarded in the sub-requests. The credentials are mapped to permissions 
> (authorization), and basically I dont want a user to be able have 
> something done in the (automatically performed by the contacted 
> solr-node) sub-requests that he is not authorized to do. Forward of 
> credentials is a must. So what you are saying is that I should expect to 
> have to do some modifications to Solr in order to achieve what I want?
> 
> Regards, Per Steffensen
> 
> On 1/11/13 2:11 PM, Markus Jelsma wrote:
> > Hi,
> >
> > If your credentials are fixed i would configure username:password in your request
handler's shardHandlerFactory configuration section and then modify HttpShardHandlerFactory.init()
to create a HttpClient with an AuthScope configured with those settings.
> >
> > I don't think you can obtain the original credentials very easy when inside HttpShardHandlerFactory.
> >
> > Cheers
> >   
> > -----Original message-----
> >> From:Per Steffensen <steff@designware.dk>
> >> Sent: Fri 11-Jan-2013 13:07
> >> To: solr-user@lucene.apache.org
> >> Subject: Forwarding authentication credentials in internal node-to-node requests
> >>
> >> Hi
> >>
> >> I read http://wiki.apache.org/solr/SolrSecurity and know a lot about
> >> webcontainer authentication and authorization. Im sure I will be able to
> >> set it up so that each solr-node is will require HTTP authentication for
> >> (selected) incoming requests.
> >>
> >> But solr-nodes also make requests among each other and Im in doubt if
> >> credentials are forwarded from the "original request" to the internal
> >> sub-requests?
> >> E.g. lets say that each solr-node is set up to require authentication
> >> for search request. An "outside" user makes a distributed request
> >> including correct username/password. Since it is a distributed search,
> >> the node which handles the original request from the user will have to
> >> make sub-requests to other solr-nodes but they also require correct
> >> credentials in order to accept this sub-request. Are the credentials
> >> from the original request duplicated to the sub-requests or what options
> >> do I have?
> >> Same thing goes for e.g. update requests if they are sent to a node
> >> which does not run (all) the replica of the shard in which the documents
> >> to be added/updated/deleted belong. The node needs to make sub-request
> >> to other nodes, and it will require forwarding the credentials.
> >>
> >> Does this just work out of the box, or ... ?
> >>
> >> Regards, Per Steffensen
> >>
> 
> 

Mime
View raw message