Solr
  1. Solr
  2. SOLR-4470

Support for basic http auth in internal solr requests

    Details

      Description

      We want to protect any HTTP-resource (url). We want to require credentials no matter what kind of HTTP-request you make to a Solr-node.

      It can faily easy be acheived as described on http://wiki.apache.org/solr/SolrSecurity. This problem is that Solr-nodes also make "internal" request to other Solr-nodes, and for it to work credentials need to be provided here also.

      Ideally we would like to "forward" credentials from a particular request to all the "internal" sub-requests it triggers. E.g. for search and update request.

      But there are also "internal" requests

      • that only indirectly/asynchronously triggered from "outside" requests (e.g. shard creation/deletion/etc based on calls to the "Collection API")
      • that do not in any way have relation to an "outside" "super"-request (e.g. replica synching stuff)

      We would like to aim at a solution where "original" credentials are "forwarded" when a request directly/synchronously trigger a subrequest, and fallback to a configured "internal credentials" for the asynchronous/non-rooted requests.

      In our solution we would aim at only supporting basic http auth, but we would like to make a "framework" around it, so that not to much refactoring is needed if you later want to make support for other kinds of auth (e.g. digest)

      We will work at a solution but create this JIRA issue early in order to get input/comments from the community as early as possible.

      1. SOLR-4470.patch
        276 kB
        Jan Høydahl
      2. SOLR-4470.patch
        356 kB
        Jan Høydahl
      3. SOLR-4470.patch
        333 kB
        Jan Høydahl
      4. SOLR-4470.patch
        333 kB
        Jan Høydahl
      5. SOLR-4470.patch
        276 kB
        Jan Høydahl
      6. SOLR-4470.patch
        276 kB
        Jan Høydahl
      7. SOLR-4470.patch
        276 kB
        Jan Høydahl
      8. SOLR-4470.patch
        276 kB
        Jan Høydahl
      9. SOLR-4470.patch
        277 kB
        Jan Høydahl
      10. SOLR-4470.patch
        277 kB
        Jan Høydahl
      11. SOLR-4470.patch
        277 kB
        Jan Høydahl
      12. SOLR-4470.patch
        278 kB
        Jan Høydahl
      13. SOLR-4470_trunk_r1568857.patch
        271 kB
        Per Steffensen
      14. SOLR-4470_branch_4x_r1454444.patch
        307 kB
        Per Steffensen
      15. SOLR-4470_branch_4x_r1452629.patch
        273 kB
        Per Steffensen
      16. SOLR-4470_branch_4x_r1452629.patch
        274 kB
        Per Steffensen

        Issue Links

          Activity

          Per Steffensen created issue -
          Jan Høydahl made changes -
          Field Original Value New Value
          Link This issue duplicates SOLR-4407 [ SOLR-4407 ]
          Jan Høydahl made changes -
          Link This issue relates SOLR-608 [ SOLR-608 ]
          Per Steffensen made changes -
          Attachment SOLR-4470_branch_4x_r1452629.patch [ 12572153 ]
          Per Steffensen made changes -
          Attachment SOLR-4470_branch_4x_r1452629.patch [ 12572309 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12572444 ]
          Jan Høydahl made changes -
          Issue Type Bug [ 1 ] New Feature [ 2 ]
          Jan Høydahl made changes -
          Fix Version/s 5.0 [ 12321664 ]
          Jan Høydahl made changes -
          Labels authentication solrclient solrcloud authentication https solrclient solrcloud ssl
          Per Steffensen made changes -
          Attachment SOLR-4470_branch_4x_r1454444.patch [ 12572819 ]
          Robert Muir made changes -
          Fix Version/s 4.3 [ 12324128 ]
          Fix Version/s 5.0 [ 12321664 ]
          Fix Version/s 4.2 [ 12323893 ]
          Jan Høydahl made changes -
          Fix Version/s 4.4 [ 12324324 ]
          Fix Version/s 4.3 [ 12324128 ]
          Gavin made changes -
          Link This issue relates to SOLR-608 [ SOLR-608 ]
          Gavin made changes -
          Link This issue relates to SOLR-608 [ SOLR-608 ]
          Jan Høydahl made changes -
          Assignee Jan Høydahl [ janhoy ]
          Jan Høydahl made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12590758 ]
          Steve Rowe made changes -
          Fix Version/s 5.0 [ 12321664 ]
          Fix Version/s 4.5 [ 12324743 ]
          Fix Version/s 4.4 [ 12324324 ]
          Sea Marie made changes -
          Comment [ Hi,

          I am running a simple two-node SolrCloud cluster with this patch (pulled from Jan's GitHub and built from there) using the built-in ZooKeeper and Jetty.

          I made a few small changes to the Jetty configs to restrict access via basic auth on all SOLR resources. After rebooting with these changes, the SolrCore on my second node is not coming up - it seems like the credentials are not being used in the core recovery code, or not being passed to ZooKeeper, or something. Have I missed some configuration step? Or am I confused and this scenario is not supported by this patch?

          h5. Changes I made in Jetty to enable basic auth:

          h6. etc/webdefault.xml (perhaps protecting everything is overly general?):
          {noformat}
            <security-constraint>
              <web-resource-collection>
                <web-resource-name>Solr authenticated application</web-resource-name>
                <url-pattern>/</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                <role-name>access-role</role-name>
              </auth-constraint>
            </security-constraint>

            <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>Access Realm</realm-name>
            </login-config>
          {noformat}

          h6. etc/jetty.xml:
          {noformat}
              <Call name="addBean">
                <Arg>
          <New class="org.eclipse.jetty.security.HashLoginService">
          <Set name="name">Access Realm</Set>
          <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
          <Set name="refreshInterval">0</Set>
          </New>
                </Arg>
              </Call>
          {noformat}
          h6. etc/realm.properties (redacted for obvious reasons :))
          {noformat}
            user: password, access-role
          {noformat}

          h5. Changes to SOLR-related things:
          scripts/ctl.sh (on host2):
          {noformat}
          SOLR="$JAVABIN -Dbootstrap_confdir=$SOLR_HOME/collection1/conf -Dcollection.configName=myconf -DzkRun -DzkHost=host1:9983 -Dsolr.solr.home=$SOLR_HOME -Djetty.logs=$INSTALL_PATH/logs/ -Djetty.home=$INSTALL_PATH/ -jar -DinternalAuthCredentialsBasicAuthUsername=user -DinternalAuthCredentialsBasicAuthPassword=password $INSTALL_PATH/start.jar $INSTALL_PATH/etc/jetty.xml"
          {noformat}
          (on host1, same as above w/o the -DzkHost param)

          h5. The error I'm seeing (on "host2", the second node, only. "host1", the leader is fine):
          {noformat}
          INFO - 2013-09-16 23:36:58.409; org.apache.solr.client.solrj.impl.HttpClientUtil; Creating new http client, config:maxConnections=128&maxConnectionsPerHost=32&followRedirects=false
          ERROR - 2013-09-16 23:36:58.433; org.apache.solr.common.SolrException; Error while trying to recover. core=collection1:org.apache.solr.client.solrj.impl.HttpSolrServer$RemoteSolrException: Server at http://host1:8983/solr returned non ok status:401, message:Unauthorized
                  at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:385)
                  at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:180)
                  at org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:198)
                  at org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:342)
                  at org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:219)
          {noformat}

          ]
          Adrien Grand made changes -
          Fix Version/s 4.6 [ 12325000 ]
          Fix Version/s 5.0 [ 12321664 ]
          Fix Version/s 4.5 [ 12324743 ]
          Uwe Schindler made changes -
          Fix Version/s 4.7 [ 12325573 ]
          Fix Version/s 4.6 [ 12325000 ]
          Per Steffensen made changes -
          Attachment SOLR-4470_trunk_r1568857.patch [ 12629424 ]
          Jan Høydahl made changes -
          Fix Version/s 5.0 [ 12321664 ]
          Fix Version/s 4.7 [ 12325573 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12630273 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.diff [ 12630274 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.diff [ 12630274 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12630517 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12630664 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12630687 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12630698 ]
          Jan Høydahl made changes -
          Link This issue relates to SOLR-4407 [ SOLR-4407 ]
          Jan Høydahl made changes -
          Link This issue duplicates SOLR-4407 [ SOLR-4407 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12634111 ]
          Jan Høydahl made changes -
          Link This issue requires SOLR-5853 [ SOLR-5853 ]
          Jan Høydahl made changes -
          Link This issue requires SOLR-5220 [ SOLR-5220 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12634695 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12634697 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12634703 ]
          Jan Høydahl made changes -
          Attachment SOLR-4470.patch [ 12634740 ]
          David Webster made changes -
          Comment [ We took advantage of the fact that SOLR is deployed to Tomcat. Tomcat, being the reference implementation of the servlet standard means you can use JAAS LoginModules, which essentially intercept the request stream before it even gets to the application layer, and exercise authtentication and provide authorization tokens for use in th ]
          Jan Høydahl made changes -
          Status In Progress [ 3 ] Open [ 1 ]

            People

            • Assignee:
              Jan Høydahl
              Reporter:
              Per Steffensen
            • Votes:
              17 Vote for this issue
              Watchers:
              26 Start watching this issue

              Dates

              • Created:
                Updated:

                Development