You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2018/03/22 21:01:00 UTC
[jira] [Updated] (SOLR-12120) New plugin type AuditLoggerPlugin
[ https://issues.apache.org/jira/browse/SOLR-12120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Høydahl updated SOLR-12120:
-------------------------------
Description:
Solr needs a well defined plugin point to implement audit logging functionality, which is independent from whatever {{AuthenticationPlugin}} or {{AuthorizationPlugin}} are in use at the time.
It seems reasonable to introduce a new plugin type {{AuditLoggerPlugin}}. It could be configured in solr.xml or it could be a third type of plugin defined in {{security.json}}, i.e.
{code}
{
"authentication" : { "class" : ... },
"authorization" : { "class" : ... },
"auditlogging" : { "class" : "x.y.MyAuditLogger", ... }
}
{code}
We could then instrument SolrDispatchFilter to the audit plugin with an AuditEvent at important points such as successful authentication:
{code:java}
auditLoggerPlugin.audit(new SolrAuditEvent(EventType.AUTHENTICATED, request));
{code}
We will mark the impl as {{@lucene.experimental}} in the first release to let it settle as people write their own plugin implementations.
was:
Solr needs a well defined plugin point to implement audit logging functionality, which is independent from whatever {{AuthenticationPlugin}} or {{AuthorizationPlugin}} are in use at the time.
It seems reasonable to introduce a new plugin type {{AuditLoggerPlugin}}. It could be configured in solr.xml or it could be a third type of plugin defined in {{security.json}}, i.e.
{code:java}
"authentication" : { "class" : ... }
"authorization" : { "class" : ... }
"auditlogging" : { "class" : "x.y.MyAuditLogger", ... }{code}
We could then instrument SolrDispatchFilter to call {{auditlogger.authenticationFailed(request, response, msg)}} if auth failed and the request is going to be aborted, and likewise HttpSolrCall could call relevant methods when a final autz decision is made, e.g. {{auditlogger.notAuthorized(authCtx, request, response)}}, and if all is OK, it could call {{auditlogger.ok()}} for success logging.
If no auditlogger is explicitly configured, we can fallback to a default {{SolrLogAuditLogger}} that logs to standard Solr log, or we could setup log4j to output a new {{logs/audit.log}} file.
> New plugin type AuditLoggerPlugin
> ---------------------------------
>
> Key: SOLR-12120
> URL: https://issues.apache.org/jira/browse/SOLR-12120
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
>
> Solr needs a well defined plugin point to implement audit logging functionality, which is independent from whatever {{AuthenticationPlugin}} or {{AuthorizationPlugin}} are in use at the time.
> It seems reasonable to introduce a new plugin type {{AuditLoggerPlugin}}. It could be configured in solr.xml or it could be a third type of plugin defined in {{security.json}}, i.e.
> {code}
> {
> "authentication" : { "class" : ... },
> "authorization" : { "class" : ... },
> "auditlogging" : { "class" : "x.y.MyAuditLogger", ... }
> }
> {code}
> We could then instrument SolrDispatchFilter to the audit plugin with an AuditEvent at important points such as successful authentication:
> {code:java}
> auditLoggerPlugin.audit(new SolrAuditEvent(EventType.AUTHENTICATED, request));
> {code}
>
> We will mark the impl as {{@lucene.experimental}} in the first release to let it settle as people write their own plugin implementations.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org