org.apache.solr.security

Class KerberosPlugin

java.lang.Object

org.apache.solr.security.AuthenticationPlugin

org.apache.solr.security.KerberosPlugin

All Implemented Interfaces:

AutoCloseable, SolrInfoBean, SolrMetricProducer, HttpClientBuilderPlugin

public class KerberosPlugin
extends AuthenticationPlugin
implements HttpClientBuilderPlugin

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.solr.core.SolrInfoBean

SolrInfoBean.Category, SolrInfoBean.Group

Field Summary

Fields

Modifier and Type	Field and Description
static String	COOKIE_DOMAIN_PARAM
static String	COOKIE_PATH_PARAM
static String	COOKIE_PORT_AWARE_PARAM
static String	DELEGATION_TOKEN_ENABLED
static String	DELEGATION_TOKEN_KIND
static String	DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH
static String	DELEGATION_TOKEN_SECRET_PROVIDER
static String	DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH
static String	DELEGATION_TOKEN_TYPE_DEFAULT
static String	DELEGATION_TOKEN_VALIDITY
static String	IMPERSONATOR_DO_AS_HTTP_PARAM
static String	IMPERSONATOR_PREFIX
static String	IMPERSONATOR_USER_NAME
static String	KEYTAB_PARAM
static String	NAME_RULES_PARAM
static String	ORIGINAL_USER_PRINCIPAL_HEADER
static String	PRINCIPAL_PARAM
static String	TOKEN_VALID_PARAM

Fields inherited from class org.apache.solr.security.AuthenticationPlugin

AUTHENTICATION_PLUGIN_PROP, HTTP_HEADER_X_SOLR_AUTHDATA, numAuthenticated, numErrors, numMissingCredentials, numPassThrough, numWrongCredentials, requests, requestTimes, solrMetricsContext, totalTime

Constructor Summary

Constructors

Constructor and Description
KerberosPlugin(CoreContainer coreContainer)

Method Summary

Modifier and Type	Method and Description
void	close() Implementations should always call SolrMetricProducer.super.close() to ensure that metrics with the same life-cycle as this component are properly unregistered.
boolean	doAuthenticate(javax.servlet.ServletRequest req, javax.servlet.ServletResponse rsp, javax.servlet.FilterChain chain) This method attempts to authenticate the request.
SolrHttpClientBuilder	getHttpClientBuilder(SolrHttpClientBuilder builder)
protected javax.servlet.FilterConfig	getInitFilterConfig(Map<String,Object> pluginConfig, boolean skipKerberosChecking)
protected javax.servlet.Filter	getKerberosFilter()
void	init(Map<String,Object> pluginConfig) This is called upon loading up of a plugin, used for setting it up.
protected boolean	interceptInternodeRequest(org.apache.http.HttpRequest httpRequest, org.apache.http.protocol.HttpContext httpContext) Override this method to intercept internode requests.
protected boolean	interceptInternodeRequest(org.eclipse.jetty.client.api.Request request) Override this method to intercept internode requests.
protected void	setKerberosFilter(javax.servlet.Filter kerberosFilter)
void	setup(Http2SolrClient client)

Methods inherited from class org.apache.solr.security.AuthenticationPlugin

authenticate, closeRequest, getCategory, getDescription, getMetricNames, getName, getSolrMetricsContext, initializeMetrics

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.solr.core.SolrInfoBean

getMetricRegistry, getMetricsSnapshot, registerMetricName

Methods inherited from interface org.apache.solr.metrics.SolrMetricProducer

getUniqueMetricTag, initializeMetrics

Field Detail

NAME_RULES_PARAM

public static final String NAME_RULES_PARAM

See Also:

Constant Field Values

COOKIE_DOMAIN_PARAM

public static final String COOKIE_DOMAIN_PARAM

See Also:

Constant Field Values

COOKIE_PATH_PARAM

public static final String COOKIE_PATH_PARAM

See Also:

Constant Field Values

PRINCIPAL_PARAM

public static final String PRINCIPAL_PARAM

See Also:

Constant Field Values

KEYTAB_PARAM

public static final String KEYTAB_PARAM

See Also:

Constant Field Values

TOKEN_VALID_PARAM

public static final String TOKEN_VALID_PARAM

See Also:

Constant Field Values

COOKIE_PORT_AWARE_PARAM

public static final String COOKIE_PORT_AWARE_PARAM

See Also:

Constant Field Values

IMPERSONATOR_PREFIX

public static final String IMPERSONATOR_PREFIX

See Also:

Constant Field Values

DELEGATION_TOKEN_ENABLED

public static final String DELEGATION_TOKEN_ENABLED

See Also:

Constant Field Values

DELEGATION_TOKEN_KIND

public static final String DELEGATION_TOKEN_KIND

See Also:

Constant Field Values

DELEGATION_TOKEN_VALIDITY

public static final String DELEGATION_TOKEN_VALIDITY

See Also:

Constant Field Values

DELEGATION_TOKEN_SECRET_PROVIDER

public static final String DELEGATION_TOKEN_SECRET_PROVIDER

See Also:

Constant Field Values

DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH

public static final String DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH

See Also:

Constant Field Values

DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH

public static final String DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH

See Also:

Constant Field Values

DELEGATION_TOKEN_TYPE_DEFAULT

public static final String DELEGATION_TOKEN_TYPE_DEFAULT

See Also:

Constant Field Values

IMPERSONATOR_DO_AS_HTTP_PARAM

public static final String IMPERSONATOR_DO_AS_HTTP_PARAM

See Also:

Constant Field Values

IMPERSONATOR_USER_NAME

public static final String IMPERSONATOR_USER_NAME

See Also:

Constant Field Values

ORIGINAL_USER_PRINCIPAL_HEADER

public static final String ORIGINAL_USER_PRINCIPAL_HEADER

See Also:

Constant Field Values

Constructor Detail

KerberosPlugin

public KerberosPlugin(CoreContainer coreContainer)

Method Detail

init

public void init(Map<String,Object> pluginConfig)

Description copied from class: AuthenticationPlugin

This is called upon loading up of a plugin, used for setting it up.

Specified by:

init in class AuthenticationPlugin

Parameters:

pluginConfig - Config parameters, possibly from a ZK source

getInitFilterConfig

protected javax.servlet.FilterConfig getInitFilterConfig(Map<String,Object> pluginConfig,
                                                         boolean skipKerberosChecking)

doAuthenticate

public boolean doAuthenticate(javax.servlet.ServletRequest req,
                              javax.servlet.ServletResponse rsp,
                              javax.servlet.FilterChain chain)
                       throws Exception

Description copied from class: AuthenticationPlugin

This method attempts to authenticate the request. Upon a successful authentication, this must call the next filter in the filter chain and set the user principal of the request, or else, upon an error or an authentication failure, throw an exception.

Specified by:

doAuthenticate in class AuthenticationPlugin

Parameters:

req - the http request

rsp - the http response

chain - the servlet filter chain

Returns:

false if the request not be processed by Solr (not continue), i.e. the response and status code have already been sent.

Throws:

Exception - any exception thrown during the authentication, e.g. PrivilegedActionException

interceptInternodeRequest

protected boolean interceptInternodeRequest(org.apache.http.HttpRequest httpRequest,
                                            org.apache.http.protocol.HttpContext httpContext)

Description copied from class: AuthenticationPlugin

Override this method to intercept internode requests. This allows your authentication plugin to decide on per-request basis whether it should handle inter-node requests or delegate to PKIAuthenticationPlugin. Return true to indicate that your plugin did handle the request, or false to signal that PKI plugin should handle it. This method will be called by PKIAuthenticationPlugin's interceptor.

If not overridden, this method will return true for plugins implementing HttpClientBuilderPlugin. This method can be overridden by subclasses e.g. to set HTTP headers, even if you don't use a clientBuilder.

Overrides:

interceptInternodeRequest in class AuthenticationPlugin

Parameters:

httpRequest - the httpRequest that is about to be sent to another internal Solr node

httpContext - the context of that request.

Returns:

true if this plugin handled authentication for the request, else false

interceptInternodeRequest

protected boolean interceptInternodeRequest(org.eclipse.jetty.client.api.Request request)

Description copied from class: AuthenticationPlugin

Override this method to intercept internode requests. This allows your authentication plugin to decide on per-request basis whether it should handle inter-node requests or delegate to PKIAuthenticationPlugin. Return true to indicate that your plugin did handle the request, or false to signal that PKI plugin should handle it. This method will be called by PKIAuthenticationPlugin's interceptor.

If not overridden, this method will return true for plugins implementing HttpClientBuilderPlugin. This method can be overridden by subclasses e.g. to set HTTP headers, even if you don't use a clientBuilder.

Overrides:

interceptInternodeRequest in class AuthenticationPlugin

Parameters:

request - the httpRequest that is about to be sent to another internal Solr node

Returns:

true if this plugin handled authentication for the request, else false

getHttpClientBuilder

public SolrHttpClientBuilder getHttpClientBuilder(SolrHttpClientBuilder builder)

Specified by:

getHttpClientBuilder in interface HttpClientBuilderPlugin

Returns:

Returns an instance of a SolrHttpClientBuilder to be used for configuring the HttpClients for use with SolrJ clients.

setup

public void setup(Http2SolrClient client)

Specified by:

setup in interface HttpClientBuilderPlugin

close

public void close()

Description copied from interface: SolrMetricProducer

Implementations should always call SolrMetricProducer.super.close() to ensure that metrics with the same life-cycle as this component are properly unregistered. This prevents obscure memory leaks. from: https://docs.oracle.com/javase/8/docs/api/java/lang/AutoCloseable.html While this interface method is declared to throw Exception, implementers are strongly encouraged to declare concrete implementations of the close method to throw more specific exceptions, or to throw no exception at all if the close operation cannot fail.

Specified by:

close in interface AutoCloseable

Specified by:

close in interface SolrMetricProducer

getKerberosFilter

protected javax.servlet.Filter getKerberosFilter()

setKerberosFilter

protected void setKerberosFilter(javax.servlet.Filter kerberosFilter)