  1. Solr
  2. SOLR-15233

ConfigurableInternodeAuthHadoopPlugin with authorization is broken


Details

    Description

      Set up a cluster with multiple Solr nodes with Kerberos, using it for internode communication as well (attached security.json), and added Ranger as the authorization plugin.

      When sending requests, the authentication happens against the end user but the authorization is for the solr service user.

      Tested two cases (3 nodes, with a collection that has 2 replicas on 2 of those nodes):
      1. Send a query to a node where the collection has a replica. Authorization is wrong on every node.

      2. Send a query to a node which doesn't contain a replica. In the first place authorization is fine, but when the query is distributed it goes as if issued by the solr service user.

      Attachments

        1. 0001-SOLR-15233-Add-negative-test-case-for-KRB-Authz.patch
          6 kB
          Mike Drob
        2. admin-ui-doAs.png
          20 kB
          Geza Nagy
        3. Screenshot 2021-03-09 at 18.15.31.png
          335 kB
          Geza Nagy
        4. security.json
          2 kB
          Geza Nagy
        5. solr-15233_Adding_doAs_to_requests_in_CIAHP.patch
          4 kB
          Geza Nagy
        6. SOLR-15233_Enable_delegation_tokens.patch
          0.9 kB
          Geza Nagy
        7. SOLR-15233.2.patch
          15 kB
          Mike Drob
        8. SOLR-15233.3.patch
          21 kB
          Mike Drob
        9. SOLR-15233.4.patch
          23 kB
          Mike Drob
        10. SOLR-15233.5.patch
          33 kB
          Mike Drob
        11. SOLR-15233-reproducing-unit-test.patch
          12 kB
          Jason Gerlowski


          People

            mdrob Mike Drob
            gezan Geza Nagy
            Votes: 0
            Watchers: 7
