
SOLR-17789: Fix Internode Authorization not working for external roles #3397


Open: wants to merge 4 commits into base branch_9x

Conversation

bct-timo-crabbe

https://issues.apache.org/jira/browse/SOLR-17789

Description

Solr nodes do not pass full authorization details to other nodes.
Steps to reproduce:

  1. Deploy a cluster with more than one node.
  2. Use an authentication plugin where roles are supplied externally (like JWTAuth).
  3. Add a private collection with a lower number of replicas than the number of nodes in the cluster.
  4. Send a request to a node that does not hold a replica of the collection to force forwarding.

This results in a 403 return code.

Solution

Add the current user's Security Principal on the HttpClientContext in the sendRemoteQuery method (solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java), like the executeMethod method on the HttpSolrClient (solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java).

Tests

testInternodeAuthorization on the jwt-auth plugin (solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginIntegrationTest.java).

This test will set up a test cluster with three nodes, create a private collection with only two replicas, and query every node for the documents in the collection.

Checklist

Please review the following and check all that apply:

  • I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • I have created a Jira issue and added the issue ID to my pull request title.
  • I have given Solr maintainers access to contribute to my PR branch. (optional but recommended, not available for branches on forks living under an organisation)
  • I have developed this patch against the main branch.
  • I have developed this patch against the branch_9x branch.
  • I have run ./gradlew check.
  • Failed on benchmarking tests
  • I have added tests for my changes.
  • I have added documentation for the Reference Guide
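As an added illustration, not code from this PR or from Solr itself, the following self-contained Java 17 program models the failure described above: three nodes, a collection with restricted access whose replicas live on two of them, and a request to the third node that has to be forwarded. The node, user and collection names, the role `reader` and the `propagatePrincipal` switch are all constructed for the example; the forwarding hop plays the part of `sendRemoteQuery`, and the switch stands in for setting (or not setting) the caller's principal on the outgoing request context.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Constructed stand-in for a principal whose roles are supplied externally (as a JWT plugin would).
record ExternalPrincipal(String name, Set<String> roles) implements Principal {
    @Override
    public String getName() {
        return name;
    }
}

// A toy node: knows which collections it holds locally, which roles each restricted
// collection allows, and which peers it can forward to when it has no local replica.
final class Node {
    private final String id;
    private final Set<String> localCollections;
    private final Map<String, Set<String>> allowedRoles;
    private final List<Node> peers = new ArrayList<>();
    private final boolean propagatePrincipal; // false models the bug, true the fix

    Node(String id, Set<String> localCollections, Map<String, Set<String>> allowedRoles,
         boolean propagatePrincipal) {
        this.id = id;
        this.localCollections = localCollections;
        this.allowedRoles = allowedRoles;
        this.propagatePrincipal = propagatePrincipal;
    }

    void addPeer(Node peer) {
        peers.add(peer);
    }

    String id() {
        return id;
    }

    // Authorization sees only the principal that arrived with the request; a restricted
    // collection queried without a principal (or without a matching role) yields 403.
    private int authorize(String collection, Principal p) {
        Set<String> allowed = allowedRoles.getOrDefault(collection, Set.of());
        if (allowed.isEmpty()) {
            return 200; // unrestricted collection
        }
        if (p instanceof ExternalPrincipal ep && ep.roles().stream().anyMatch(allowed::contains)) {
            return 200;
        }
        return 403;
    }

    int handle(String collection, Principal p) {
        int status = authorize(collection, p);
        if (status != 200 || localCollections.contains(collection)) {
            return status;
        }
        // No local replica: forward to a peer that has one. The forwarding hop must carry
        // the caller's principal, otherwise the peer authorizes an anonymous request.
        for (Node peer : peers) {
            if (peer.localCollections.contains(collection)) {
                return peer.handle(collection, propagatePrincipal ? p : null);
            }
        }
        return 404;
    }
}

public class InternodeAuthDemo {
    // Three nodes, a restricted collection with replicas on two of them; query every node
    // as a user who holds the required role. Returns the status code per node.
    static int[] queryEveryNode(boolean propagatePrincipal) {
        Map<String, Set<String>> rules = Map.of("restricted", Set.of("reader"));
        Node n1 = new Node("n1", Set.of("restricted"), rules, propagatePrincipal);
        Node n2 = new Node("n2", Set.of("restricted"), rules, propagatePrincipal);
        Node n3 = new Node("n3", Set.of(), rules, propagatePrincipal); // holds no replica
        n3.addPeer(n1);
        n3.addPeer(n2);
        Principal user = new ExternalPrincipal("alice", Set.of("reader"));
        return new int[] {
            n1.handle("restricted", user),
            n2.handle("restricted", user),
            n3.handle("restricted", user) // this request is forwarded to n1
        };
    }

    public static void main(String[] args) {
        System.out.println("principal dropped on forward: " + Arrays.toString(queryEveryNode(false)));
        System.out.println("principal propagated:         " + Arrays.toString(queryEveryNode(true)));
    }
}
```

With `propagatePrincipal` false the third node authorizes the caller locally, forwards without the principal, and the replica-holding node answers 403 (statuses 200, 200, 403), which is the behaviour the reproduction steps describe; with it true every node answers 200. The point for a reviewer is that the first hop's own authorization check is not enough: each node re-authorizes what it receives, so the identity has to travel with the forwarded request.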

@bct-timo-crabbe bct-timo-crabbe changed the base branch from main to branch_9x June 20, 2025 08:57
@bct-timo-crabbe bct-timo-crabbe changed the title from "Jira/solr 17789" to "SOLR-17789: Fix Internode Authorization not working for external roles" Jun 20, 2025
Contributor

@dsmiley dsmiley left a comment


Great work!
I love the test, especially. It will help me replace the remote query implementation while ensuring that the security characteristics are working. Passing principal / auth stuff is very subtle.

@@ -290,6 +291,53 @@ public void testMetrics() throws Exception {
HttpClientUtil.close(cl);
}

/**
* Test if JWTPrincipal is passed correctly on internode communication. Setup a cluster with more
* nodes using jwtAuth for both authentication and authorization.Add a private collection with
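Review bot: the Javadoc's second line runs two sentences together ("authorization.Add"); insert the space. The comment also stops at the setup; it should state what the test asserts, namely that a request sent to a node without a replica of the restricted collection is forwarded and still returns the documents instead of the 403 described in the PR, so that a future change to the remote query path is checked against that expectation.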
Contributor


Suggested change
* nodes using jwtAuth for both authentication and authorization.Add a private collection with
* nodes using jwtAuth for both authentication and authorization. Add a private collection with

What is a "private" collection?

Author


A private collection is a collection that is not publicly available i.e., a collection where access has been restricted to certain user role(s). See the authorization section in the security.json the new test is using: solr/modules/jwt-auth/src/test-files/solr/security/jwt_plugin_jwk_security_with_authorization.json

Contributor


Maybe a restricted collection would make more sense?

Contributor


"A collection with restricted access" is much clearer. "private collection" sounds like some documented/defined concept.

@bct-timo-crabbe
Author

Can we still merge this in the upcoming 9.9 release?

Contributor

@dsmiley dsmiley left a comment


Maybe too late; it's up to @HoustonPutman
I'm good with merging this and am happy to do it if Houston asks.

Obviously needs a CHANGES.txt but can be added last second by a committer. How about this wording?:

When Solr forwards/proxies requests to another node that can service the request, it needs to pass authorization headers.
