2.4.3 Release Notes

New features

Fusion 2.4.3 supports a new auth realm type called "SSO Trusted HTTP" (trusted-http in the REST API) that is useful in single sign-on (SSO) environments.

Use the Realms API to configure this realm type:

curl -u admin:password123 -H 'content-type:application/json' -X POST :3000/api/realm-configs -d @./realm-config.json

Below is a sample configuration:

{"id": "test-id",
 "enabled": true,
 "name": "sso-test",
 "realmType": "trusted-http",
 "config": {"identityKey": "REMOTE_USER",
            "groups": {"key": "GROUPS",
                       "delimiter": "|",
                       "roleMapping": [["a","admin"], ["b","foo"]]},
            "allowedIps": ["127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"]}}

identityKey

The name of an HTTP header. If this key is found in the headers map, its value is used as the identity of the client (username, for example).

The client IP is taken from the X-FORWARDED-FOR header first: the value is split on commas, and the first entry is used. This is normally the case when the client was forwarded to Fusion through one or more external proxy servers. If the X-FORWARDED-FOR header is not present in the request, the REMOTE-ADDR header value is used instead.

groups

Configuration keys for auth groups:

* key: The name of an HTTP header, used as the source of group names.

* delimiter: The character used to split the value (defaults to comma).

* roleMapping: A set of 2-tuples, used for mapping the external group values to Fusion Roles.

allowedIps

Allows access only from a set of known client IPs. When this property is defined and the client IP is not included in it, the realm logic returns a 401.
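The following Python sketch is an added example, not Fusion code: it models the decision the three keys above describe, so a realm config can be checked against sample headers before it is posted. The function names, the return shape, and the 401 on a missing identity header are assumptions; SAMPLE_CONFIG is the "config" object from the sample above.

```python
# Added illustration of the trusted-http realm logic described above.
# Not Fusion's implementation; names and return shape are hypothetical.

SAMPLE_CONFIG = {  # the "config" object from the sample realm configuration
    "identityKey": "REMOTE_USER",
    "groups": {"key": "GROUPS", "delimiter": "|",
               "roleMapping": [["a", "admin"], ["b", "foo"]]},
    "allowedIps": ["127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"],
}

def client_ip(headers):
    """First X-FORWARDED-FOR entry if the header is present, else REMOTE-ADDR."""
    xff = headers.get("X-FORWARDED-FOR")
    if xff:
        # Split on comma and take the first entry (whitespace trimming is an assumption).
        return xff.split(",")[0].strip()
    return headers.get("REMOTE-ADDR")

def evaluate(config, headers):
    """Return (status, identity, roles) for one request's header map."""
    headers = {k.upper(): v for k, v in headers.items()}  # header names are case-insensitive
    allowed = config.get("allowedIps")
    # allowedIps only applies when the property is defined.
    if allowed is not None and client_ip(headers) not in allowed:
        return 401, None, []
    identity = headers.get(config["identityKey"].upper())
    if not identity:
        return 401, None, []  # assumption: no identity header means unauthenticated
    groups_cfg = config.get("groups", {})
    raw = headers.get(groups_cfg.get("key", "").upper(), "")
    delimiter = groups_cfg.get("delimiter", ",")  # delimiter defaults to comma
    groups = [g.strip() for g in raw.split(delimiter) if g.strip()]
    # roleMapping is a list of [external group, Fusion role] pairs.
    roles = [role for group, role in groups_cfg.get("roleMapping", []) if group in groups]
    return 200, identity, roles

if __name__ == "__main__":
    # Constructed request headers, as a front-end proxy might forward them.
    forwarded = {"X-Forwarded-For": "127.0.0.1, 10.1.1.1",
                 "REMOTE_USER": "alice", "GROUPS": "a|c"}
    print(evaluate(SAMPLE_CONFIG, forwarded))   # allowed IP, group "a" maps to "admin"
    direct = {"REMOTE-ADDR": "10.9.8.7", "REMOTE_USER": "alice", "GROUPS": "a"}
    print(evaluate(SAMPLE_CONFIG, direct))      # client IP not in allowedIps
```

Because the realm reads the identity, group and client-IP values straight from request headers, the proxy in front of Fusion has to set those headers itself and discard any copies that arrive from the client.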

Improvements

  • A new REST API endpoint, spark/driver/status, reports the location of all the current Spark drivers:

    curl -X GET http://localhost:8765/api/v1/spark/driver/status
    
    {
      "/spark-drivers/1577a149c68Tec3eeaea" : {
        "id" : "1577a149c68Tec3eeaea",
        "hostname" : "10.0.0.42",
        "port" : 53410,
        "scripted" : false
      }
    }
  • Logging of complete document contents is now suppressed at the ERROR level when an exception occurs during pipeline processing. INFO-level logging must be enabled for com.lucidworks.apollo.pipeline.impl.DelegatingStageCallback in order to log the entire document. Setting this to WARN or ERROR prevents logging any pipeline documents.

  • A new Request delay (ms) configuration field for the Jive connector provides support for throttling.

Bug fixes

  • A bug was fixed which caused long delays in query responses.

  • Running jobs are now listed correctly in distributed Fusion environments.

  • Multivalued pipeline doc fields are now handled correctly in the Solr Partial Update index stage.

  • The Spark driver now fails gracefully when jar creation fails.

  • The LDAP config.bind.password field is now encrypted at the input point of the realm-configs endpoint, and decrypted at the point at which we call bind on the LDAP connection.

    Passwords are now replaced with __REDACTED__ when returned from the API. If the value __REDACTED__ is given to the update endpoint (PUT), the password will be ignored, and the existing value will be used instead.

  • Some performance bugs were fixed.

  • Some bugs were fixed for Jive, Sharepoint, and MongoDB datasources.