mirror of https://github.com/apache/lucene.git
SOLR-9518: Kerberos Delegation Tokens don't work without a chrooted ZK
parent
265d425b00
commit
a973ca1752
|
@ -164,6 +164,8 @@ Bug Fixes
|
|||
|
||||
* SOLR-9325: solr.log is now written to $SOLR_LOGS_DIR without changing log4j.properties (janhoy)
|
||||
|
||||
* SOLR-9518: Kerberos Delegation Tokens don't work without a chrooted ZK (Ishan Chattopadhyaya,via noble)
|
||||
|
||||
Optimizations
|
||||
----------------------
|
||||
|
||||
|
|
|
@ -46,6 +46,11 @@ import org.apache.zookeeper.data.ACL;
|
|||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
/**
|
||||
* This is an authentication filter based on Hadoop's {@link DelegationTokenAuthenticationFilter}.
|
||||
* The Kerberos plugin can be configured to use delegation tokens, which allow an
|
||||
* application to reuse the authentication of an end-user or another application.
|
||||
*/
|
||||
public class DelegationTokenKerberosFilter extends DelegationTokenAuthenticationFilter {
|
||||
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
|
||||
|
||||
|
@ -105,10 +110,10 @@ public class DelegationTokenKerberosFilter extends DelegationTokenAuthentication
|
|||
throw new IllegalArgumentException("zkClient required");
|
||||
}
|
||||
String zkHost = zkClient.getZkServerAddress();
|
||||
String zkChroot = zkHost.substring(zkHost.indexOf("/"));
|
||||
zkChroot = zkChroot.startsWith("/") ? zkChroot.substring(1) : zkChroot;
|
||||
String zkChroot = zkHost.contains("/")? zkHost.substring(zkHost.indexOf("/")): "";
|
||||
String zkNamespace = zkChroot + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH;
|
||||
String zkConnectionString = zkHost.substring(0, zkHost.indexOf("/"));
|
||||
zkNamespace = zkNamespace.startsWith("/") ? zkNamespace.substring(1) : zkNamespace;
|
||||
String zkConnectionString = zkHost.contains("/")? zkHost.substring(0, zkHost.indexOf("/")): zkHost;
|
||||
SolrZkToCuratorCredentialsACLs curatorToSolrZk = new SolrZkToCuratorCredentialsACLs(zkClient);
|
||||
final int connectionTimeoutMs = 30000; // this value is currently hard coded, see SOLR-7561.
|
||||
|
||||
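Review bot: A connect string ending in a bare slash (`host:2181/`), which ZooKeeper's own connect-string parsing treats as "no chroot", still produces a namespace with a leading slash in the new `zkChroot`/`zkNamespace` lines. `zkChroot` becomes `"/"`, and if `SECURITY_ZNODE_PATH` itself begins with `/` (its value is not visible here), the single `substring(1)` leaves a path that still starts with `/`, which Curator rejects according to the comment in KerberosPlugin. The same parsing is repeated in KerberosPlugin's `chrootPath`/`znodeWorkingPath` lines, so the case applies there as well. Treating a one-character chroot as empty would cover it: `int slash = zkHost.indexOf('/');` then `String zkChroot = (slash < 0 || slash == zkHost.length() - 1) ? "" : zkHost.substring(slash);`. The enclosing method starts and ends outside the hunk.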
|
|
|
@ -134,12 +134,13 @@ public class KerberosPlugin extends AuthenticationPlugin implements HttpClientIn
|
|||
String zkHost = controller.getZkServerAddress();
|
||||
putParam(params, "token.validity", DELEGATION_TOKEN_VALIDITY, "36000");
|
||||
params.put("zk-dt-secret-manager.enable", "true");
|
||||
|
||||
String chrootPath = zkHost.contains("/")? zkHost.substring(zkHost.indexOf("/")): "";
|
||||
String znodeWorkingPath = chrootPath + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH + "/zkdtsm";
|
||||
// Note - Curator complains if the znodeWorkingPath starts with /
|
||||
String chrootPath = zkHost.substring(zkHost.indexOf("/"));
|
||||
String relativePath = chrootPath.startsWith("/") ? chrootPath.substring(1) : chrootPath;
|
||||
znodeWorkingPath = znodeWorkingPath.startsWith("/")? znodeWorkingPath.substring(1): znodeWorkingPath;
|
||||
putParam(params, "zk-dt-secret-manager.znodeWorkingPath",
|
||||
DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH,
|
||||
relativePath + SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH + "/zkdtsm");
|
||||
DELEGATION_TOKEN_SECRET_MANAGER_ZNODE_WORKING_PATH, znodeWorkingPath);
|
||||
putParam(params, "signer.secret.provider.zookeeper.path",
|
||||
DELEGATION_TOKEN_SECRET_PROVIDER_ZK_PATH, "/token");
|
||||
// need to ensure krb5 is setup properly before running curator;
|
||||
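Review bot: The chroot derivation added at `chrootPath`/`znodeWorkingPath` is a second hand-written copy of the parsing in DelegationTokenKerberosFilter. The two results presumably have to agree for the delegation-token secret manager to find its znodes under the filter's Curator namespace, though that wiring is outside this hunk. A small shared helper such as `static String zkChroot(String zkHost)`, returning the chroot or `""` and called from both places, would keep the token storage path from drifting when one copy is edited later. No test for a non-chrooted `zkHost` is visible in this commit. One that checks the resulting `zk-dt-secret-manager.znodeWorkingPath` for both `host:2181` and `host:2181/solr` would pin the fix. The enclosing method starts and ends outside the hunk.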
|
|