  1. Solr
  2. SOLR-12799

Allow Authentication Plugins to easily intercept internode requests


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8.0
    • Component/s: Authentication
    • Labels:
      None

      Description

      The Solr security framework currently allows a plugin to declare statically, by implementing the HttpClientBuilderPlugin interface, whether it will handle internode requests. If it implements the interface, the plugin MUST handle ALL internode requests, even requests originating from Solr itself. Likewise, if a plugin does not implement the interface, ALL requests will be authenticated by the built-in PKIAuthenticationPlugin.

      In some cases (such as SOLR-12121) there is a need to forward end-user credentials on internode requests, but let PKI handle it for Solr-originated requests. This is currently not possible without a dirty hack where each plugin duplicates some PKI logic and calls the PKI plugin from its own interceptor even if it is disabled.

      This Jira makes this use case officially supported by the framework by:

      • Letting PKIAuthenticationPlugin always be enabled. In its interceptor, PKI will now, on a per-request basis, first give the authc plugin a chance to handle the request.
      • Adding a protected method to the abstract class AuthenticationPlugin,

        protected boolean interceptInternodeRequest(HttpRequest httpRequest, HttpContext httpContext)

        that can be overridden by plugins in order to easily intercept requests without registering their own interceptor. Returning 'false' delegates to PKI.

      Existing Authc plugins do not need to change as a result of this, and they will work exactly as before, i.e. either handle ALL or NONE internode auth.

      New plugins choosing to override the new interceptInternodeRequest method will obtain per-request control over who will secure each request. The first user of this feature will be JWT token based auth in SOLR-12121.
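
      The per-request dispatch described above, as an added example that is not Solr's or this issue's own code: a JDK-only model in which OutgoingRequest, AuthPlugin, TokenForwardingPlugin and PkiInterceptor are hypothetical stand-ins for the real classes, and the PKI header name and token value are constructed placeholders.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

public class InternodeDispatchDemo {

  /** Stand-in for an outgoing internode request (assumption): its headers plus
   *  the end-user token of the request being served, when there is one. */
  static final class OutgoingRequest {
    final Map<String, String> headers = new LinkedHashMap<>();
    final Optional<String> endUserToken;
    OutgoingRequest(String token) { this.endUserToken = Optional.ofNullable(token); }
  }

  /** Mirrors the hook's contract: true = handled here, false = delegate to PKI. */
  abstract static class AuthPlugin {
    protected boolean interceptInternodeRequest(OutgoingRequest req) { return false; }
  }

  /** Forwards end-user credentials when present, otherwise declines. */
  static final class TokenForwardingPlugin extends AuthPlugin {
    @Override protected boolean interceptInternodeRequest(OutgoingRequest req) {
      if (!req.endUserToken.isPresent()) return false; // Solr-originated: leave it to PKI
      req.headers.put("Authorization", "Bearer " + req.endUserToken.get());
      return true; // claim the request only after credentials were attached
    }
  }

  /** Always-enabled PKI interceptor: asks the plugin first, falls back to PKI. */
  static final class PkiInterceptor {
    private final AuthPlugin plugin; // null when no authc plugin is configured
    PkiInterceptor(AuthPlugin plugin) { this.plugin = plugin; }
    void process(OutgoingRequest req) {
      if (plugin != null && plugin.interceptInternodeRequest(req)) return;
      req.headers.put("PKI-Header-Placeholder", "<signed by this node>");
    }
  }

  public static void main(String[] args) {
    PkiInterceptor pki = new PkiInterceptor(new TokenForwardingPlugin());
    OutgoingRequest userQuery = new OutgoingRequest("constructed.jwt.value");
    OutgoingRequest nodeInternal = new OutgoingRequest(null);
    pki.process(userQuery);
    pki.process(nodeInternal);
    // Each request ends up with exactly one kind of credential.
    System.out.println("user-driven:     " + userQuery.headers.keySet());
    System.out.println("Solr-originated: " + nodeInternal.headers.keySet());
  }
}
```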

              People

              • Assignee:
                janhoy Jan Høydahl
                Reporter:
                janhoy Jan Høydahl
              • Votes:
                0
                Watchers:
                4

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  Logged:
                  Time Spent - 1.5h