Firstly, I would like to check if my understanding is correct on how this should be implemented.
After reading the Solr 6.6.0 Kerberos Documentation (I've included some code snippets below) I believe I would need to create an initial CloudSolrClient to retrieve the token from Solr, by passing the cloudSolrClient to the getDelegationToken(...) method.

    private String getDelegationToken(final String renewer, final String user, HttpSolrClient solrClient) throws Exception {
        DelegationTokenRequest.Get get = new DelegationTokenRequest.Get(renewer) {
            @Override
            public SolrParams getParams() {
                ModifiableSolrParams params = new ModifiableSolrParams(super.getParams());
                params.set("user", user);
                return params;
            }
        };
        DelegationTokenResponse.Get getResponse = get.process(solrClient);
        return getResponse.getDelegationToken();
    }

It then looks like I need to create another CloudSolrClient object that takes an HttpSolrClient with the token retrieved above:

    CloudSolrClient client = new CloudSolrClient.Builder()
        .withZkHost("http://localhost:2181")
        .withLBHttpSolrClientBuilder(new LBHttpSolrClient.Builder()
            .withResponseParser(client.getParser())
            .withHttpSolrClientBuilder(
                new HttpSolrClient.Builder()
                    .withKerberosDelegationToken(token)
            ))
        .build();

My first question with the code above is the client.getParser() - client hasn't been initialized, how is it possible to use it here?
Also where I have multiple users, according to the above code, I would have to create two CloudSolrClient objects for each user? The first to retrieve the token (getDelegationToken) and the second object to query Solr with the token provided (new CloudSolrClient.Builder() .... .withKerberosDelegationToken(token)).

Update: I may be able to reuse the SolrClient used to retrieve tokens.
Finally, I don't understand how the renewer works - I understand a token can expire and has to be renewed, but how does passing a String as a renewer help renew tokens, and what should this string be? I'd be grateful if someone can point me towards some useful documentation or provide a clear explanation of how this works.

Update: I may be wrong, but for the renewer should the value be "zookeeper"? I found out from documentation here that zookeeper is used to store and manage the token information.
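
The two-step flow described in the question, as an added example that is not part of the original post or of Solr's own code: one Kerberos-authenticated client issues and renews tokens, and each user gets a separate client that carries only that user's token. The class name `PerUserSolrClients`, the ZooKeeper address format and the meaning given to `renewer` are assumptions; the `withResponseParser` call is left out on the assumption that the builder's default parser is acceptable, and `DelegationTokenRequest.Renew` is used as it exists in SolrJ alongside `Get`.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.solr.client.solrj.impl.CloudSolrClient;
import org.apache.solr.client.solrj.impl.HttpSolrClient;
import org.apache.solr.client.solrj.impl.LBHttpSolrClient;
import org.apache.solr.client.solrj.request.DelegationTokenRequest;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.apache.solr.common.params.SolrParams;

// Hypothetical helper (not SolrJ API): one Kerberos client issues tokens, each user gets a token-only client.
public class PerUserSolrClients {
    private final HttpSolrClient kerberosClient; // assumed already configured for Kerberos (SPNEGO)
    private final String zkHost;                 // e.g. "localhost:2181" (constructed value)
    private final String renewer;                // assumed: identity allowed to renew the tokens
    private final Map<String, String> tokens = new HashMap<>(); // bearer credentials: never log these

    public PerUserSolrClients(HttpSolrClient kerberosClient, String zkHost, String renewer) {
        this.kerberosClient = kerberosClient;
        this.zkHost = zkHost;
        this.renewer = renewer;
    }

    // Requests a delegation token for the user and returns a client that authenticates with it.
    // The caller owns the returned client and must close it.
    public synchronized CloudSolrClient newClientFor(final String user) throws Exception {
        DelegationTokenRequest.Get get = new DelegationTokenRequest.Get(renewer) {
            @Override public SolrParams getParams() {
                ModifiableSolrParams params = new ModifiableSolrParams(super.getParams());
                params.set("user", user); // same "user" parameter as the snippet in the post
                return params;
            }
        };
        String token = get.process(kerberosClient).getDelegationToken();
        tokens.put(user, token);
        return new CloudSolrClient.Builder()
            .withZkHost(zkHost)
            .withLBHttpSolrClientBuilder(new LBHttpSolrClient.Builder()
                .withHttpSolrClientBuilder(new HttpSolrClient.Builder().withKerberosDelegationToken(token)))
            .build();
    }

    // Extends the lifetime of the user's token; returns the new expiration time reported by Solr.
    public synchronized long renew(String user) throws Exception {
        String token = tokens.get(user);
        if (token == null) throw new IllegalStateException("no token issued for " + user);
        return new DelegationTokenRequest.Renew(token).process(kerberosClient).getExpirationTime();
    }
}
```

Because a delegation token is a bearer credential for the user it was issued to, the map holding the tokens deserves the same protection as a password store.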