Package org.apache.solr.security
Class KerberosPlugin
- java.lang.Object
-
- org.apache.solr.security.AuthenticationPlugin
-
- org.apache.solr.security.KerberosPlugin
-
- All Implemented Interfaces:
AutoCloseable
,SolrInfoBean
,SolrMetricProducer
,HttpClientBuilderPlugin
public class KerberosPlugin extends AuthenticationPlugin implements HttpClientBuilderPlugin
-
-
Nested Class Summary
-
Nested classes/interfaces inherited from interface org.apache.solr.core.SolrInfoBean
SolrInfoBean.Category, SolrInfoBean.Group
-
-
Field Summary
Fields Modifier and Type Field Description static String
COOKIE_DOMAIN_PARAM
static String
COOKIE_PATH_PARAM
static String
COOKIE_PORT_AWARE_PARAM
static String
DELEGATION_TOKEN_ENABLED
static String
DELEGATION_TOKEN_KIND
static String
DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH
static String
DELEGATION_TOKEN_SECRET_PROVIDER
static String
DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH
static String
DELEGATION_TOKEN_TYPE_DEFAULT
static String
DELEGATION_TOKEN_VALIDITY
static String
IMPERSONATOR_DO_AS_HTTP_PARAM
static String
IMPERSONATOR_PREFIX
static String
IMPERSONATOR_USER_NAME
static String
KEYTAB_PARAM
static String
NAME_RULES_PARAM
static String
ORIGINAL_USER_PRINCIPAL_HEADER
static String
PRINCIPAL_PARAM
static String
TOKEN_VALID_PARAM
-
Fields inherited from class org.apache.solr.security.AuthenticationPlugin
AUTHENTICATION_PLUGIN_PROP, HTTP_HEADER_X_SOLR_AUTHDATA, numAuthenticated, numErrors, numMissingCredentials, numPassThrough, numWrongCredentials, requests, requestTimes, solrMetricsContext, totalTime
-
-
Constructor Summary
Constructors Constructor Description KerberosPlugin(CoreContainer coreContainer)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description void
close()
Implementations should always callSolrMetricProducer.super.close()
to ensure that metrics with the same life-cycle as this component are properly unregistered.boolean
doAuthenticate(javax.servlet.ServletRequest req, javax.servlet.ServletResponse rsp, javax.servlet.FilterChain chain)
This method attempts to authenticate the request.SolrHttpClientBuilder
getHttpClientBuilder(SolrHttpClientBuilder builder)
protected javax.servlet.FilterConfig
getInitFilterConfig(Map<String,Object> pluginConfig, boolean skipKerberosChecking)
protected javax.servlet.Filter
getKerberosFilter()
void
init(Map<String,Object> pluginConfig)
This is called upon loading up of a plugin, used for setting it up.protected boolean
interceptInternodeRequest(org.apache.http.HttpRequest httpRequest, org.apache.http.protocol.HttpContext httpContext)
Override this method to intercept internode requests.protected boolean
interceptInternodeRequest(org.eclipse.jetty.client.api.Request request)
Override this method to intercept internode requests.protected void
setKerberosFilter(javax.servlet.Filter kerberosFilter)
void
setup(Http2SolrClient client)
-
Methods inherited from class org.apache.solr.security.AuthenticationPlugin
authenticate, closeRequest, getCategory, getDescription, getMetricNames, getName, getSolrMetricsContext, initializeMetrics
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.apache.solr.core.SolrInfoBean
getMetricRegistry, getMetricsSnapshot, registerMetricName
-
Methods inherited from interface org.apache.solr.metrics.SolrMetricProducer
initializeMetrics
-
-
-
-
Field Detail
-
NAME_RULES_PARAM
public static final String NAME_RULES_PARAM
- See Also:
- Constant Field Values
-
COOKIE_DOMAIN_PARAM
public static final String COOKIE_DOMAIN_PARAM
- See Also:
- Constant Field Values
-
COOKIE_PATH_PARAM
public static final String COOKIE_PATH_PARAM
- See Also:
- Constant Field Values
-
PRINCIPAL_PARAM
public static final String PRINCIPAL_PARAM
- See Also:
- Constant Field Values
-
KEYTAB_PARAM
public static final String KEYTAB_PARAM
- See Also:
- Constant Field Values
-
TOKEN_VALID_PARAM
public static final String TOKEN_VALID_PARAM
- See Also:
- Constant Field Values
-
COOKIE_PORT_AWARE_PARAM
public static final String COOKIE_PORT_AWARE_PARAM
- See Also:
- Constant Field Values
-
IMPERSONATOR_PREFIX
public static final String IMPERSONATOR_PREFIX
- See Also:
- Constant Field Values
-
DELEGATION_TOKEN_ENABLED
public static final String DELEGATION_TOKEN_ENABLED
- See Also:
- Constant Field Values
-
DELEGATION_TOKEN_KIND
public static final String DELEGATION_TOKEN_KIND
- See Also:
- Constant Field Values
-
DELEGATION_TOKEN_VALIDITY
public static final String DELEGATION_TOKEN_VALIDITY
- See Also:
- Constant Field Values
-
DELEGATION_TOKEN_SECRET_PROVIDER
public static final String DELEGATION_TOKEN_SECRET_PROVIDER
- See Also:
- Constant Field Values
-
DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH
public static final String DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH
- See Also:
- Constant Field Values
-
DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH
public static final String DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH
- See Also:
- Constant Field Values
-
DELEGATION_TOKEN_TYPE_DEFAULT
public static final String DELEGATION_TOKEN_TYPE_DEFAULT
- See Also:
- Constant Field Values
-
IMPERSONATOR_DO_AS_HTTP_PARAM
public static final String IMPERSONATOR_DO_AS_HTTP_PARAM
- See Also:
- Constant Field Values
-
IMPERSONATOR_USER_NAME
public static final String IMPERSONATOR_USER_NAME
- See Also:
- Constant Field Values
-
ORIGINAL_USER_PRINCIPAL_HEADER
public static final String ORIGINAL_USER_PRINCIPAL_HEADER
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
KerberosPlugin
public KerberosPlugin(CoreContainer coreContainer)
-
-
Method Detail
-
init
public void init(Map<String,Object> pluginConfig)
Description copied from class:AuthenticationPlugin
This is called upon loading up of a plugin, used for setting it up.- Specified by:
init
in classAuthenticationPlugin
- Parameters:
pluginConfig
- Config parameters, possibly from a ZK source
-
getInitFilterConfig
protected javax.servlet.FilterConfig getInitFilterConfig(Map<String,Object> pluginConfig, boolean skipKerberosChecking)
-
doAuthenticate
public boolean doAuthenticate(javax.servlet.ServletRequest req, javax.servlet.ServletResponse rsp, javax.servlet.FilterChain chain) throws Exception
Description copied from class:AuthenticationPlugin
This method attempts to authenticate the request. Upon a successful authentication, this must call the next filter in the filter chain and set the user principal of the request, or else, upon an error or an authentication failure, throw an exception.- Specified by:
doAuthenticate
in classAuthenticationPlugin
- Parameters:
req
- the http requestrsp
- the http responsechain
- the servlet filter chain- Returns:
- false if the request not be processed by Solr (not continue), i.e. the response and status code have already been sent.
- Throws:
Exception
- any exception thrown during the authentication, e.g. PrivilegedActionException
-
interceptInternodeRequest
protected boolean interceptInternodeRequest(org.apache.http.HttpRequest httpRequest, org.apache.http.protocol.HttpContext httpContext)
Description copied from class:AuthenticationPlugin
Override this method to intercept internode requests. This allows your authentication plugin to decide on per-request basis whether it should handle inter-node requests or delegate toPKIAuthenticationPlugin
. Return true to indicate that your plugin did handle the request, or false to signal that PKI plugin should handle it. This method will be called byPKIAuthenticationPlugin
's interceptor.If not overridden, this method will return true for plugins implementing
HttpClientBuilderPlugin
. This method can be overridden by subclasses e.g. to set HTTP headers, even if you don't use a clientBuilder.- Overrides:
interceptInternodeRequest
in classAuthenticationPlugin
- Parameters:
httpRequest
- the httpRequest that is about to be sent to another internal Solr nodehttpContext
- the context of that request.- Returns:
- true if this plugin handled authentication for the request, else false
-
interceptInternodeRequest
protected boolean interceptInternodeRequest(org.eclipse.jetty.client.api.Request request)
Description copied from class:AuthenticationPlugin
Override this method to intercept internode requests. This allows your authentication plugin to decide on per-request basis whether it should handle inter-node requests or delegate toPKIAuthenticationPlugin
. Return true to indicate that your plugin did handle the request, or false to signal that PKI plugin should handle it. This method will be called byPKIAuthenticationPlugin
's interceptor.If not overridden, this method will return true for plugins implementing
HttpClientBuilderPlugin
. This method can be overridden by subclasses e.g. to set HTTP headers, even if you don't use a clientBuilder.- Overrides:
interceptInternodeRequest
in classAuthenticationPlugin
- Parameters:
request
- the httpRequest that is about to be sent to another internal Solr node- Returns:
- true if this plugin handled authentication for the request, else false
-
getHttpClientBuilder
public SolrHttpClientBuilder getHttpClientBuilder(SolrHttpClientBuilder builder)
- Specified by:
getHttpClientBuilder
in interfaceHttpClientBuilderPlugin
- Returns:
- Returns an instance of a SolrHttpClientBuilder to be used for configuring the HttpClients for use with SolrJ clients.
-
setup
public void setup(Http2SolrClient client)
- Specified by:
setup
in interfaceHttpClientBuilderPlugin
-
close
public void close()
Description copied from interface:SolrMetricProducer
Implementations should always callSolrMetricProducer.super.close()
to ensure that metrics with the same life-cycle as this component are properly unregistered. This prevents obscure memory leaks. from: https://docs.oracle.com/javase/8/docs/api/java/lang/AutoCloseable.html While this interface method is declared to throw Exception, implementers are strongly encouraged to declare concrete implementations of the close method to throw more specific exceptions, or to throw no exception at all if the close operation cannot fail.- Specified by:
close
in interfaceAutoCloseable
- Specified by:
close
in interfaceSolrMetricProducer
-
getKerberosFilter
protected javax.servlet.Filter getKerberosFilter()
-
setKerberosFilter
protected void setKerberosFilter(javax.servlet.Filter kerberosFilter)
-
-