SOLR-9520

Kerberos delegation support with CloudSolrClient

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.3, 7.0
    • Component/s: None
    • Security Level: Public (Default Security Level. Issues are Public)
    • Labels:
      None

      Description

      HSC support is available, but we need to add support to CSC.

      1. SOLR-9520.patch
        21 kB
        Ishan Chattopadhyaya
      2. SOLR-9520.patch
        19 kB
        Noble Paul
      3. SOLR-9520.patch
        20 kB
        Ishan Chattopadhyaya
      4. SOLR-9520.patch
        17 kB
        Noble Paul
      5. SOLR-9520.patch
        13 kB
        Ishan Chattopadhyaya
      6. SOLR-9520.patch
        12 kB
        Ishan Chattopadhyaya
      7. SOLR-9520-6x.patch
        8 kB
        Ishan Chattopadhyaya
      8. SOLR-9520-6x.patch
        17 kB
        Ishan Chattopadhyaya
      9. SOLR-9520-6x.patch
        17 kB
        Ishan Chattopadhyaya
      10. SOLR-9520-6x.patch
        13 kB
        Ishan Chattopadhyaya

        Issue Links

          Activity

          ichattopadhyaya Ishan Chattopadhyaya added a comment -

          Attached a patch that adds support for delegation tokens for CSC. As of this patch, if a delegation token has changed, a new CSC instance must be created. Gregory Chanan, can you please review?

          ichattopadhyaya Ishan Chattopadhyaya added a comment -

          Had an offline discussion with Noble, and he just pointed out to me that the CSC should take in an LBHSC builder, and the LBHSC should take in the HSC builder. This will ensure that the CSC and LBHSC can remain oblivious of the delegation token, only the builders will have that information. I'm working on that change.

          ichattopadhyaya Ishan Chattopadhyaya added a comment - - edited

          Updated patch that adds the capability to pass in a HSC builder during the construction of an LBHSC. This will enable the users to pass on an HSC builder with delegation tokens to create an LBHSC, which can be used within a CSC. This is also more generic than my previous patch, since any future additions to HSC builder can easily be used by CSC users, without any modification to CSC or LBHSC code.
          Also, separated out the DelegationTokensHttpSolrClient inner class from HttpSolrClient.
          Noble Paul, Gregory Chanan, please review.
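
The builder chain described in the comment above, as an added example that is not part of the original thread or the attached patches: the token is set once on the HSC builder and handed down through the LBHSC builder to the CSC. Apart from withKerberosDelegationToken, which is named later in this issue, the builder methods are assumed from SolrJ's public builder API as of 6.3; the environment variable names and the collection name are placeholders.

```java
import org.apache.solr.client.solrj.SolrQuery;
import org.apache.solr.client.solrj.impl.CloudSolrClient;
import org.apache.solr.client.solrj.impl.HttpSolrClient;
import org.apache.solr.client.solrj.impl.LBHttpSolrClient;

public class DelegationTokenCloudClient {

  /** Builds a CSC whose underlying HSC instances carry the delegation token. */
  static CloudSolrClient build(String zkHost, String delegationToken) {
    if (zkHost == null || zkHost.isEmpty()) {
      throw new IllegalArgumentException("ZooKeeper host string is required");
    }
    if (delegationToken == null || delegationToken.isEmpty()) {
      // Fail closed instead of silently building an unauthenticated client.
      throw new IllegalArgumentException("delegation token is required");
    }
    // Only the innermost builder ever sees the token; the LBHSC and CSC
    // just pass the builder along and stay oblivious of it.
    HttpSolrClient.Builder hscBuilder = new HttpSolrClient.Builder()
        .withKerberosDelegationToken(delegationToken);
    LBHttpSolrClient.Builder lbBuilder = new LBHttpSolrClient.Builder()
        .withHttpSolrClientBuilder(hscBuilder);
    return new CloudSolrClient.Builder()
        .withZkHost(zkHost)
        .withLBHttpSolrClientBuilder(lbBuilder)
        .build();
  }

  public static void main(String[] args) throws Exception {
    // Placeholder variable names: read the token from the environment so it
    // is not hardcoded in source or passed on the command line.
    String zkHost = System.getenv("SOLR_ZK_HOST");
    String token = System.getenv("SOLR_DELEGATION_TOKEN");

    // The token is fixed at build time. Per the first comment in this
    // thread, a changed token means building a new CSC instance.
    try (CloudSolrClient client = build(zkHost, token)) {
      client.setDefaultCollection("collection1"); // placeholder collection
      long found = client.query(new SolrQuery("*:*")).getResults().getNumFound();
      System.out.println("numFound=" + found);
    }
  }
}
```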

          jira-bot ASF subversion and git services added a comment -

          Commit 8e31e501384c47b88072590257d1a0345da94fa4 in lucene-solr's branch refs/heads/branch_6x from Noble Paul
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=8e31e50 ]

          SOLR-9520: Kerberos delegation support in SolrJ

          ichattopadhyaya Ishan Chattopadhyaya added a comment -

          Here's a patch for master.

          ichattopadhyaya Ishan Chattopadhyaya added a comment -

          And the corresponding patch for 6x (to be applied on top of the previous one for 6x / current branch_6x's HEAD).

          jira-bot ASF subversion and git services added a comment -

          Commit 50abf9571c2d641f2216a5f9a00662b1474edea3 in lucene-solr's branch refs/heads/branch_6x from Noble Paul
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=50abf95 ]

          SOLR-9520: Kerberos delegation support in SolrJ

          romseygeek Alan Woodward added a comment -

          I think this may be causing test failures on master? E.g. https://jenkins.thetaphi.de/job/Lucene-Solr-master-Windows/6156/

          mkhludnev Mikhail Khludnev added a comment -

          Can it be to CloudSolrClientBuilderTest failures "Connection evictor" leakage failures, since https://jenkins.thetaphi.de/job/Lucene-Solr-master-Linux/17963/ ?
          Here's a side note: SolrTestCaseJ4.teardownTestCases(SolrTestCaseJ4.java:261) awaits for 30 sec, but HttpClientBuilder waits for 50 sec, although waiting might be pointless.

          jira-bot ASF subversion and git services added a comment -

          Commit fb33980f24078f64cb68d9489cdd89203c432bdb in lucene-solr's branch refs/heads/master from Noble Paul
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=fb33980 ]

          SOLR-9520: Kerberos delegation support in SolrJ

          shalinmangar Shalin Shekhar Mangar added a comment -

          Closing after 6.3.0 release.

          hgadre Hrishikesh Gadre added a comment -

          Ishan Chattopadhyaya, while working on SOLR-9513, I found that we have deprecated the following method in HttpSolrClient:

          public Builder withDelegationToken(String delegationToken)

          The suggestion seems to be to use the following method instead:

          public Builder withKerberosDelegationToken(String delegationToken) {

          This is unfortunate since the delegation token mechanism is not really tied to Kerberos as such, although the primary motivation is to overcome the scalability limit of KDC. Is there any chance to "un-deprecate" the original method?

          ichattopadhyaya Ishan Chattopadhyaya added a comment -

          Noble suggested that we rename it to include "Kerberos" in the method name in order to avoid confusion. Since the delegation tokens are used together with Kerberos (i.e. DelegationTokenKerberosFilter), it made sense to me at the time.
          However, I just reviewed the delegation token functionality and realized that it is possible to use it even without Kerberos as a standalone authentication mechanism. In that light, I agree that the method be called "withDelegationToken". Hrishikesh, can you please open another issue for this, for undeprecating withDelegationToken and deprecating withKerberosDelegationToken? We can take the discussion, if any is required, to that issue. Also, apologies that I didn't mark this deprecation anywhere in the description/comments for this issue. Thanks for the catch.


            People

            • Assignee:
              noble.paul Noble Paul
              Reporter:
              ichattopadhyaya Ishan Chattopadhyaya