[SOLR-15233] ConfigurableInternodeAuthHadoopPlugin with authorization is broken - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 8.4.1
Fix Version/s: 9.0, 8.8.2, 8.9
Component/s: Authentication, Authorization
Labels:
- authentication
- authorization

Description

Setting up a cluster with multiple solr nodes with Kerberos using it for internode communication as well (attached security.json) and added Ranger as authorization plugin.

When sending requests the authentication happens against the end user but the authorization is for solr service user.

Tested two cases (3 nodes, have a collection with 2 replicas on 2 nodes of it):
1. send a query to a node where the collection has replica. Authorization is wrong every nodes

2. send a query to a node which doesn't contain a replica. The first place authorization is fine but when the query distributed it goes as solr service user issued.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

security.json
09/Mar/21 17:20
2 kB
Geza Nagy
Screenshot 2021-03-09 at 18.15.31.png
09/Mar/21 17:20
335 kB
Geza Nagy
solr-15233_Adding_doAs_to_requests_in_CIAHP.patch
31/Mar/21 07:00
4 kB
Geza Nagy
0001-SOLR-15233-Add-negative-test-case-for-KRB-Authz.patch
31/Mar/21 16:43
6 kB
Mike Drob
SOLR-15233-reproducing-unit-test.patch
31/Mar/21 18:42
12 kB
Jason Gerlowski
admin-ui-doAs.png
01/Apr/21 12:01
20 kB
Geza Nagy
SOLR-15233_Enable_delegation_tokens.patch
01/Apr/21 16:15
0.9 kB
Geza Nagy
SOLR-15233.2.patch
01/Apr/21 20:16
15 kB
Mike Drob
SOLR-15233.3.patch
01/Apr/21 22:40
21 kB
Mike Drob
SOLR-15233.4.patch
02/Apr/21 16:29
23 kB
Mike Drob
SOLR-15233.5.patch
02/Apr/21 23:30
33 kB
Mike Drob

Activity

People

Assignee:: Mike Drob

Reporter:: Geza Nagy

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 09/Mar/21 17:20

Updated:: 13/Apr/21 20:10

Resolved:: 05/Apr/21 18:15