SOLR-18270 CertAuthPlugin : update the lookup attribute (without parametrization)#4474
SOLR-18270 CertAuthPlugin : update the lookup attribute (without parametrization)#4474heitzjm wants to merge 8 commits into
Conversation
|
I'd rather have jakarta as default and javax as fallback for code back-portability and compatibility. |
|
As asked, I've just updated this PR with the fallback. I ran the failed test again, and it was successful. |
| (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); | ||
| (X509Certificate[]) request.getAttribute(CURRENT_REQUEST_ATTRIBUTE_NAME); | ||
| if (certs == null || certs.length == 0) { | ||
| certs=(X509Certificate[]) request.getAttribute(OLD_REQUEST_ATTRIBUTE_NAME); |
There was a problem hiding this comment.
Do we still need to check the old name?
My understanding is this name changed with new Jetty. I don't think we will ever go back to the other name. We are good with checking only the new name in 10+.
There was a problem hiding this comment.
I think both should stay - in my understanding, SOLR, at its basis, is a web application that could run in other java web application servers than the Jetty provided in the Docker image - so I think it would be better to keep both names to ease integration. This way, this PR might even be merged to SOLR 9 as well.
There was a problem hiding this comment.
Makes sense. Lets keep it this way.
There was a problem hiding this comment.
You may want to rename the variables to something meaningful, how about:
JAVAX_REQUEST_ATTRIBUTE_NAME
JAKARTA_REQUEST_ATTRIBUTE_NAME ?
Also, you will need to run spotless check, you're missing some white spaces
There was a problem hiding this comment.
@heitzjm these days, Solr only runs in Jetty, and we've been getting more specific to just that. Notice we no longer produce a .war file. I think the only place where you might have solr run in another container is via the EmbeddedSolr approach.. Having said that, I don't think we have made a "This is how it is" explicit decision, and I'm fine with the backcompat for now.
There was a problem hiding this comment.
Maybe I'm wrong, but I don't know of anyone that's taking Solr and running it in a different app server or even a different Jetty version than what Solr ships with. Our code is really tightly coupled with Jetty to the point where I doubt that sort of thing is even possible.
Ultimately it's a minor concern that's not worth holding up the PR, but the odds are so small of someone doing this successfully that idk that the fallback logic is worth it 🤷
|
If nothing else comes to the PR, I'll merge it early next week. |
| (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); | ||
| (X509Certificate[]) request.getAttribute(CURRENT_REQUEST_ATTRIBUTE_NAME); | ||
| if (certs == null || certs.length == 0) { | ||
| certs=(X509Certificate[]) request.getAttribute(OLD_REQUEST_ATTRIBUTE_NAME); |
There was a problem hiding this comment.
You may want to rename the variables to something meaningful, how about:
JAVAX_REQUEST_ATTRIBUTE_NAME
JAKARTA_REQUEST_ATTRIBUTE_NAME ?
Also, you will need to run spotless check, you're missing some white spaces
…itespace formatting
|
Thanks @laminelam and @psalagnac . I have just updated the code. I hope it is fine now. |
|
@heitzjm Formatting is still broken. Please make sure to run |
|
Thanks @psalagnac for the gradlew commands, I have just run them. |
|
I just triggered the builds... |
gerlowskija
left a comment
There was a problem hiding this comment.
Left a few comments/questions inline, but this looks close enough that I hope we can merge it soon. I'll circle back next week for a re-review if I see replies here.
One more general comment:
I'm surprised that this PR can change the attribute-name used without needing any corresponding changes in CertAuthPluginTest. Should there be some changes there do you think?
| private static final String PARAM_PRINCIPAL_RESOLVER = "principalResolver"; | ||
| private static final String PARAM_CLASS = "class"; | ||
| private static final String PARAM_PARAMS = "params"; | ||
| private static final String JAVAX_REQUEST_ATTRIBUTE_NAME = |
There was a problem hiding this comment.
[0] We probably don't want to support reading both properties forever.
Could you put a TODO comment here nudging someone in the future to remove support for the 'javax' variant on/after Solr 11
There was a problem hiding this comment.
Sure, I do it. And this time, I am using gradlew with tidy and precommit !
| throws Exception { | ||
| X509Certificate[] certs = | ||
| (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); | ||
| (X509Certificate[]) request.getAttribute(JAKARTA_REQUEST_ATTRIBUTE_NAME); |
There was a problem hiding this comment.
I implemented the fallback logic because at the time of writing, I was still thinking of Solr as of a web application running in a web application server (that is, that could be distributed with a web application archive (war) file). However, @epugh #4474 (comment) made me notice Solr is no more distributed that way.
At least having the fallback could allow to merge the commit in both 9.x and 10.x.
There was a problem hiding this comment.
I had a chat with @dsmiley today, and he confirmed that Solr is NOT ever going to run in anything but Jetty, so we don't need to support that. Of course, that doesn't apply to the embedded mode ;-).
| @@ -0,0 +1,8 @@ | |||
| title: Update looked up attribute for SSL authentication | |||
There was a problem hiding this comment.
As I understand your JIRA description, CertAuthPlugin is broken entirely in Solr 10, since it's looking at the wrong attribute name?
If that's correct, then this is a pretty serious bug you're fixing here! We should tweak the wording to highlight it more strongly. Maybe something like:
| title: Update looked up attribute for SSL authentication | |
| title: CertAuthPlugin now uses correct Jetty attribute for certificate lookup |
There was a problem hiding this comment.
Yes, CertAuthPlugin is broken in Solr 10 because of the attribute name mismatch - and it was hard for me to find out why, while trying to migrate from Solr 9 to 10. However, I think the wording also depends on the target (9 and/or 10).
| throws Exception { | ||
| X509Certificate[] certs = | ||
| (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); | ||
| (X509Certificate[]) request.getAttribute(JAKARTA_REQUEST_ATTRIBUTE_NAME); |
There was a problem hiding this comment.
I implemented the fallback logic because at the time of writing, I was still thinking of Solr as of a web application running in a web application server (that is, that could be distributed with a web application archive (war) file). However, @epugh #4474 (comment) made me notice Solr is no more distributed that way.
At least having the fallback could allow to merge the commit in both 9.x and 10.x.
OK, I guess. Though CertAuthPlugin already works on 9.x, doesn't it. So I'm not sure why the PR would go back to that branch at all? But as I said above it's so minor a thing that it's not worth holding up the PR over 🤷 |
|
Btw - for some reason when I initially reviewed the PR GH didn't load any of the previous comment/review history. Only saw folks' prior comments on a reload. Sorry for the noise and repetition! |
No problem. I am grateful for the support everyone gives me on this PR ! |
CertAuthPluginTest.java uses a mock that does not take care of the looked up attribute, and provides unit tests. As the problem is an integration concern, I think it is fair that the unit tests did not detect the problem. However I am not convinced that writing an integration test would be worth the time... |
https://issues.apache.org/jira/browse/SOLR-18270
Description
This PR only update the request attribute used by CertAuthPlugin to match the one filled by Jetty 12 - for SOLR 10. SOLR 9 works fine in the Official Docker Image, as it uses a lower major Jetty version.
Solution
This PR only updates the request attribute used by CertAuthPlugin to match the one filled by Jetty 12 - for SOLR 10, and provides, after revision, as advised by @laminelam, a fallback on the old attribute.
Tests
I checked locally by compiling SOLR from source, as well as building Docker Image from source and tested it in a K8S environment.
Checklist
Please review the following and check all that apply:
mainbranch../gradlew check.5582 tests completed, 1 failed, 184 skipped
ERROR: The following test(s) have failed:
=> however, in my opinion, this test does not seem to be relevant for this PR
unreleased/SOLR-18270-easy-fix-without-parametrization.yml