[
https://issues.apache.org/jira/browse/SOLR-13619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16882548#comment-16882548
]
Ishan Chattopadhyaya edited comment on SOLR-13619 at 7/15/19 9:36 AM:
----------------------------------------------------------------------
Internode communication also happens using Kerberos. The fix for this requires
the original user principal to be sent along, so that authorization can be skipped
and done on the forwarded node using the original user principal (instead of
the Solr node's service principal).
-Added PR for this-
This should be applied after applying the SOLR-13472 fix. This is currently for the 8x
branch; I will update it for master at the time of committing.
[~noble.paul], can you please review?
was (Author: ichattopadhyaya):
Internode communication also happens using Kerberos. The fix for this requires
the original user principal to be sent along, so that authorization can be skipped
and done on the forwarded node using the original user principal (instead of
the Solr node's service principal).
Added PR for this, https://github.com/apache/lucene-solr/pull/773.
This should be applied after applying the SOLR-13472 fix. This is currently for the 8x
branch; I will update it for master at the time of committing.
[~noble.paul], can you please review?
> Kerberos: 403 when node doesn't host collection
> -----------------------------------------------
>
> Key: SOLR-13619
> URL: https://issues.apache.org/jira/browse/SOLR-13619
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Ishan Chattopadhyaya
> Assignee: Ishan Chattopadhyaya
> Priority: Major
>
> This is a spin-off from SOLR-13472, specifically to tackle the Kerberos case.
> Here's the security.json to reproduce the same problem as in SOLR-13472:
> {code}
> {
>   "authentication": {"class": "org.apache.solr.security.KerberosPlugin"},
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "permissions": [
>       {
>         "name": "read",
>         "role": "*"
>       },
>       {
>         "name": "update",
>         "role": [
>           "indexer",
>           "admin"
>         ]
>       },
>       {
>         "name": "all",
>         "role": "admin"
>       }
>     ],
>     "user-role": {
>       "HTTP/[email protected]": "admin",
>       "HTTP/[email protected]": "admin",
>       "[email protected]": "indexer"
>     }
>   }
> }
> {code}
> Here, [email protected] should be able to issue /update and /select requests
> to both solr1 and solr2, but it throws 403 for the node that doesn't host the
> collection.