Posted to issues@lucene.apache.org by "Mike Drob (Jira)" <ji...@apache.org> on 2020/05/01 17:18:00 UTC

[jira] [Commented] (SOLR-14430) Authorization plugins should check roles from request

    [ https://issues.apache.org/jira/browse/SOLR-14430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17097524#comment-17097524 ] 

Mike Drob commented on SOLR-14430:
----------------------------------

I think that's definitely movement in the right direction. I'd like to reuse as much of the servlet spec as we can without creating our own way of handling it since I believe it will be less surprising for the next dev to come along, and might make it easier for them to integrate with frameworks that are relatively standards conforming. After your changes, it seems like {{isUserInRole}} would be easy to implement by delegating to {{getVerifiedRoles().contains(getUserPrincipal().getName())}}. Happy to see that as part of the other patch, or we can address it here as follow on, no real preference.

> Authorization plugins should check roles from request
> -----------------------------------------------------
>
>                 Key: SOLR-14430
>                 URL: https://issues.apache.org/jira/browse/SOLR-14430
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Mike Drob
>            Priority: Major
>
> The AuthorizationContext exposes {{getUserPrincipal}} to the plugin, but it does not allow the plugin to interrogate the request for {{isUserInRole}}. If we trust the request enough to get a principal from it, then we should trust it enough to ask about roles, as those could have been defined and verified by an authentication plugin.
> This model would be an alternative to the current model where RuleBasedAuthorizationPlugin maintains its own user->role mapping.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
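The design under discussion, sketched as an added example that is not Solr's code or the patch in question: an authentication step verifies the caller's roles and attaches them to the request, and the authorization check answers a servlet-style `isUserInRole` from those verified roles instead of from a user-to-role map the authorization plugin keeps itself. The class and method names (`AuthenticatedRequest`, `getVerifiedRoles`, `authorize`) are assumptions for illustration.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

public class VerifiedRolesExample {

    // Hypothetical stand-in for a request an authentication plugin has already
    // processed: it carries the principal and the roles that plugin verified.
    static final class AuthenticatedRequest {
        private final Principal principal;
        private final Set<String> verifiedRoles;

        AuthenticatedRequest(Principal principal, Set<String> verifiedRoles) {
            this.principal = principal;
            this.verifiedRoles = Collections.unmodifiableSet(verifiedRoles);
        }

        Principal getUserPrincipal() { return principal; }

        Set<String> getVerifiedRoles() { return verifiedRoles; }

        // Servlet-style role check answered from the roles the authenticator
        // verified, so the authorization layer never needs its own user->role map.
        boolean isUserInRole(String role) {
            return principal != null && verifiedRoles.contains(role);
        }
    }

    // Authorization decision that trusts the request for roles exactly as far
    // as it already trusts it for the principal: no principal means deny.
    static boolean authorize(AuthenticatedRequest req, String requiredRole) {
        if (req.getUserPrincipal() == null) {
            return false;
        }
        return req.isUserInRole(requiredRole);
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice";
        // Constructed sample: the authentication plugin verified only "reader".
        AuthenticatedRequest req = new AuthenticatedRequest(alice, Set.of("reader"));
        System.out.println("reader allowed: " + authorize(req, "reader"));
        System.out.println("admin allowed:  " + authorize(req, "admin"));
        AuthenticatedRequest anon = new AuthenticatedRequest(null, Set.of());
        System.out.println("anonymous allowed: " + authorize(anon, "reader"));
    }
}
```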
