From: "Karl Wright (JIRA)"
To: dev@manifoldcf.apache.org
Date: Mon, 29 Jun 2015 14:39:04 +0000 (UTC)
Subject: [jira] [Comment Edited] (CONNECTORS-642) Need an ElasticSearch plugin for enforcing ManifoldCF security

    [ https://issues.apache.org/jira/browse/CONNECTORS-642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14605583#comment-14605583 ]

Karl Wright edited comment on CONNECTORS-642 at 6/29/15 2:38 PM (Author: supersyn):
-----------------------------------------------------------------

ElasticSearch-Plugin-MCF v3.0 works properly with ElasticSearch v1.5.2 (not tested with older versions, tested with v1.6 - not working - will be fixed in v3.1).

To provide security filtering of the query results, only the "u" HTTP GET query parameter should be passed, with the username as its value, to obtain filtered results (without the "u" parameter ElasticSearch works as normal). E.g. with 'http://elasticsearchHostAndPort/_all/_search?u=ben' results are filtered using tokens obtained from the provided ManifoldCF Authority Connector (default: http://localhost:8345/mcf-authority-service/UserACLs?username=ben) for user 'ben'.

To work with APIs, an additional point should be prepared that forwards the request to the proper ElasticSearch instance and in the meantime adds the "u" parameter (obtained e.g. from Spring Security). E.g. with Spring Framework, prepare a Controller like this:

{code}
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/search")
public class SearchController {

    private final SearchService searchService;

    @Autowired
    public SearchController(SearchService searchService) {
        this.searchService = searchService;
    }

    // Forward every POST below /search to ElasticSearch via SearchService.
    @RequestMapping(value = "**", method = RequestMethod.POST)
    public ResponseEntity<String> forwardQuery(HttpServletRequest request) throws ServletException, IOException {
        try {
            return new ResponseEntity<>(searchService.search(request), new HttpHeaders(), HttpStatus.OK);
        } catch (IOException e) {
            return new ResponseEntity<>("IO Problem: " + e.getMessage(), new HttpHeaders(), HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
}
{code}

and a service like this:

{code}
import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.io.IOUtils;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
public class SearchService {

    private final CloseableHttpClient httpClient = HttpClients.createDefault();

    public String search(HttpServletRequest request) throws IOException {
        String jsonBody = IOUtils.toString(request.getInputStream(), "UTF-8");
        // The username comes from the authenticated session, never from the client request.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String username = auth.getName();
        // Strip only the leading "/search" mapping and URL-encode the username.
        String path = request.getServletPath().replaceFirst("^/search", "");
        String forwardTo = "http://elasticsearchHostAndPort" + path + "?u=" + URLEncoder.encode(username, "UTF-8");
        HttpPost post = new HttpPost(forwardTo);
        post.setEntity(new StringEntity(jsonBody, ContentType.APPLICATION_JSON));
        // try-with-resources releases the connection on every path.
        try (CloseableHttpResponse httpResponse = httpClient.execute(post)) {
            int rval = httpResponse.getStatusLine().getStatusCode();
            String response = EntityUtils.toString(httpResponse.getEntity(), "utf-8");
            if (rval != 200) {
                throw new IOException(" Connection problem: " + rval + "; " + response);
            }
            return response;
        }
    }
}
{code}

and use "yourSiteHostAndPort/search" in the host field of the ElasticSearch client.

> Need an ElasticSearch plugin for enforcing ManifoldCF security
> --------------------------------------------------------------
>
>                 Key: CONNECTORS-642
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-642
>             Project: ManifoldCF
>          Issue Type: New Feature
>          Components: Elastic Search connector
>    Affects Versions: ManifoldCF 1.1
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.2
>
>
> ElasticSearch is becoming popular and we need to support it fully. In order for that to happen, we really need an ElasticSearch ManifoldCF plugin.
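
Added example, not part of the JIRA comment or of the plugin: how the forwarded URL behaves when the username is concatenated raw versus URL-encoded, and when the "/search" mapping is removed with replace() versus stripped as a prefix. The class and method names are hypothetical, the usernames are constructed, the query decoder is a generic form-style decoder (an assumption about the receiving side), and Java 10+ is assumed.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class ForwardUrlDemo {
    static final String ES_BASE = "http://elasticsearchHostAndPort"; // placeholder host from the comment
    static final String PREFIX = "/search";                          // controller mapping from the comment

    /** Builds the forwarded URL: strip only the leading prefix, encode the username. */
    static String forwardUrl(String servletPath, String username) {
        if (!servletPath.startsWith(PREFIX + "/")) {
            throw new IllegalArgumentException("unexpected path: " + servletPath);
        }
        String esPath = servletPath.substring(PREFIX.length());
        return ES_BASE + esPath + "?u=" + URLEncoder.encode(username, StandardCharsets.UTF_8);
    }

    /** Decodes a query string the way a form-style receiver would, keeping every key it sees. */
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        String query = url.substring(url.indexOf('?') + 1);
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            params.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                       kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample usernames, not taken from the page.
        String[] users = { "ben", "ben+ops@example.com", "r&d team" };
        String path = "/search/_all/_search";
        for (String user : users) {
            String naive = ES_BASE + path.replace(PREFIX, "") + "?u=" + user; // raw concatenation
            String safe = forwardUrl(path, user);
            System.out.println("user    : " + user);
            System.out.println("  naive : " + parseQuery(naive));
            System.out.println("  safe  : " + parseQuery(safe));
        }
        // An index named "search": replace() removes both segments, prefix stripping keeps one.
        System.out.println("/search/search/_search".replace(PREFIX, ""));
        System.out.println(forwardUrl("/search/search/_search", "ben"));
    }
}
```

With raw concatenation the receiver sees a `u` value that differs from the authenticated name for the second and third users, so the ACL lookup would run for the wrong identity; with encoding the value round-trips unchanged.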