SOLR-17540: Remove Hadoop Auth Module

[epugh]

https://issues.apache.org/jira/browse/SOLR-17540

Description

Remove Hadoop Auth

Solution

no more Hadoop Auth

Tests

Just removing things

Tasks

• Look at solr-tests.policy
• Do we still need useShortName feature, maybe only supported by hadoop-auth?
• remove licenses
• update versions.lock
• Look at javax.security.auth.kerberos in package-list file in docs render dir
• Is Kerb stuff in Solr clients part of hadoop-auth, or to work with other setups?

[epugh]

Kerb stuff appears to still work! All tests ran.

[janhoy]

Fantastic to see all those files go, and all those external deps removed! Just a few comments..

[risdenk]

There are some more hadoop auth cleanup in the security.policy

• https://github.com/apache/solr/blob/main/solr/server/etc/security.policy#L134
• https://github.com/apache/solr/blob/main/gradle/testing/randomization/policies/solr-tests.policy#L103

[epugh]

There are some more hadoop auth cleanup in the security.policy

* https://github.com/apache/solr/blob/main/solr/server/etc/security.policy#L134

* https://github.com/apache/solr/blob/main/gradle/testing/randomization/policies/solr-tests.policy#L103

Thanks for that! I hope I got them all out...

[epugh]

@janhoy I tried running that script, but couldn't quite grok it. COuld you give an example of what that scripts should be? And let's add an example to the readme or the to script itself!

[janhoy]

@janhoy I tried running that script, but couldn't quite grok it. COuld you give an example of what that scripts should be? And let's add an example to the readme or the to script itself!

It's some time ago, and the script was made to make sure we had redirects for the old regfuide structure, and we also added in page removals. The gist is to mainain the csv file with metadata of all changes, and edit the py script to output the correct htacces.

We likely need to make another CSV section for pages removed in 10.0 guide, and then generate the correct redeirects..

I don't remember where / how the generated htaccess file is checked in though. And I know Antora has some built-in support for generating htaccess as well, should look into it..

To be pragmatic and unblock this, I'd make a Blocker JIRA for 10.0 and maintain a list of the removed pages there, so someone can update htaccess in proper way in due time.

[epugh]

I ran find . -not -path '*/\.*' -type f -exec grep -l -i "kerberos" {} + and wow... There are a LOT more files...

I think what I am hearing is that just removing the module and the light changes to the webapp isn't enough. There are a whole bunch of OTHER places that rely in one way or another on hadoop-auth? I had some thoughts of moving it to the sandbox, but if it's this ingrained in various locations in Solr, then that really doesn't make sense.

Does this align with other folks expectations that removing Hadoop Auth would touch all these files?

./solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java
./solr/core/src/java/org/apache/solr/core/CoreContainer.java
./solr/core/src/java/org/apache/solr/security/AuthorizationContext.java
./solr/core/src/java/org/apache/solr/cli/AuthTool.java
./solr/core/src/java/org/apache/solr/request/json/RequestUtil.java
./solr/bin/solr
./solr/bin/solr.cmd
./solr/bin/solr.in.sh
./solr/solrj/src/test/org/apache/solr/client/solrj/impl/BasicHttpSolrClientTest.java
./solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientBuilder.java
./solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
./solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-8.adoc
./solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
./solr/solr-ref-guide/modules/deployment-guide/pages/authentication-and-authorization-plugins.adoc
./solr/solr-ref-guide/modules/deployment-guide/pages/zookeeper-access-control.adoc
./solr/solr-ref-guide/modules/deployment-guide/pages/solr-on-hdfs.adoc
./solr/solr-ref-guide/modules/deployment-guide/pages/solr-control-script-reference.adoc
./solr/solr-ref-guide/modules/deployment-guide/pages/rule-based-authorization-plugin.adoc
./solr/solr-ref-guide/modules/getting-started/pages/solr-admin-ui.adoc
./solr/webapp/web/js/angular/controllers/index.js
./solr/server/etc/security.policy
./solr/CHANGES.txt
./solr/modules/hdfs/src/java/org/apache/solr/hdfs/HdfsDirectoryFactory.java
./gradle/documentation/render-javadoc/java11/package-list
./gradle/testing/randomization/policies/solr-tests.policy
./dev-tools/scripts/refguide/new-guide.txt
./dev-tools/scripts/refguide/old-guide.txt
./dev-tools/scripts/refguide/htaccess.txt

[dsmiley]

I'm not surprised there's a blast radius that exceeds the module itself. For everything outside the module, we'll need to review/edit with some care and it'll be on a case-by-case basis.

For example HttpSolrClient was a surprising reference you made. I see one method withKerberosDelegationToken but it's only called by certain tests. Surprising to me; should have been documented as such and maybe not public. Furthermore the functionality itself doesn't really reference Kerberos; it references an abstract "delegation token" concept that perhaps might be meaningful outside Kerberos -- I really don't know about that.

[dsmiley]

To answer some of these questions, it's helpful to do git-blame (I use my IDE actually) sometimes with history for the selected code to find the people/issues and then follow up with anyone.

[epugh]

Would someone be willing to look at what is going on in SolrDispatchFilter? Around

solr/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java

Line 336 in 620175a

requestContinues =

it appears that MAYBE there is an opportunity for some refactoring to simplify the flow... Especially since we specifically mention the Hadoop Auth as the reason for the extra complexity.. I do not understand this bit and would love another set of eyes.... I could also see a path to updating the very lengthy comments to say "This has complexity due to hadoop auth partially, and now that it is gone there may be an opportunity for improvement"...

[gus-asf]

Would someone be willing to look at what is going on in SolrDispatchFilter? Around

solr/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java

Line 336 in 620175a

requestContinues =

it appears that MAYBE there is an opportunity for some refactoring to simplify the flow... Especially since we specifically mention the Hadoop Auth as the reason for the extra complexity.. I do not understand this bit and would love another set of eyes.... I could also see a path to updating the very lengthy comments to say "This has complexity due to hadoop auth partially, and now that it is gone there may be an opportunity for improvement"...

I wrote that comment to memorialize several hours of digging I did back when I moved startup to a context listener. One of the things I found perplexing about SolrDispatchFilter when I first tried to understand it for that task was the lack of a call to doFilter(req,resp,filterchain) ... note that our custom version with the boolean retry doesn't count, because it doesn't make the normal call to the method specified by javax.servlet.Filter. Normally filter implementations look like:

  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {

      // Do stuff, that seems important here

      if (importantStuffSeemsHappy) {
        chain.doFilter(request, response, chain);
      } else {
        // do unhappy error type stuff. (maybe/maybe not doFilter anyway)
      }
     // add try/finally if there is mandatory cleanup.
    }
  }

So it was very weird not to find a call to doFilter in the doFilter method, nor in our custom version of it. EVENTUALLY I figured out that that call is made either in the dispatch method, OR in our auth filter (I haven't tried to prove it can't get called twice, but with just SolrDispatchFilter in play that is not currently going to cause a problem since chain.doFilter is a no-op for the final filter). One of the long term goals I have is to start pulling stuff that we are doing in this monster filter out int a series of filters, which will make the individual missions easier to understand and put the cleanup code near the instantiation code where, again it would be much easier to understand (and nesting can be easily seen to be correct).

My impulse (not yet informed by actual attempts) is to rework our auth plugin to be auth filters. The other thing I'm pointing out in that comment is that the HadoopAuthFilter is what seems to stand in the way of writing an if block such as:

      if (authPlugin.authenticate(req, resp)) {            // <<< note the lack of filterchain arg

        // do searchy stuff here

        chain.doFilter(request, response, chain);
      } else {
        // do unhappy 401 error type stuff.
      }
     // add try/finally for mandatory cleanups.
    }

That is of course the first step to breaking auth out to it's own filter where it becomes

  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
        if (authPlugin.authenticate(req, resp)) {            
          chain.doFilter(request, response, chain);   // <<< dispatch filter is later in the chain.
        } else {
          // do unhappy 401 error type stuff.
        }
       // add try/finally for mandatory cleanups.
    }

The particular issue with the hadoop auth plugin that complicates the transition is that chain.doFilter() comes before a switch statement and other code...

solr/solr/modules/hadoop-auth/src/java/org/apache/solr/security/hadoop/HadoopAuthPlugin.java

Line 247 in 6f94c50

authFilter.doFilter(request, response, filterChain);

At least at the time of that comment it seemed that all the other plugins called chain.doFilter() at the end (or possibly in a shortcut followed by an immediate return statement). Only Hadoop auth seemed to have mandatory actions AFTER doFilter(). If it disappears, we can possibly remove the filterchain argument and make a simpler use of the return value from authenticate().

[epugh]

I am going to not touch SolrDispatchFilter as I don't have a good game plan to move forward with it! Everything else is green.

For CHANGES.txt "Remove Kerberos authentication support from Solr. This in turn removes the Hadoop Auth module". <-- @dsmiley ???

[dsmiley]

Cause and effect is inverted. I suggest:

Removed the Hadoop Auth module, and thus Kerberos authentication and other exotic options.

[dsmiley]

what's this about?

[epugh]

we have this "useShortName" feature, but it turns out it's ONLY ever supported by Kerberos. So it is dead code/unused feature with that...

[dsmiley]

It's not clear that you actually needed to touch this at all. I think the the Hadoop Auth module and HDFS's Kerberos support are completely decoupled. WDYT @risdenk

[dsmiley]

solr-tests.policy and security.policy need to be kept in sync, mostly. It's annoying. So I see you touched one in one way and the other in another way.

[dsmiley]

can these be removed too?
(note: to test, edit solr-tests.policy, not this policy (which is production), and run tests)

[epugh]

okay, aligning the two files, and running tests..

[epugh]

okay, removing things broke things...