Posted to issues@lucene.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2020/05/03 21:29:00 UTC
[jira] [Commented] (SOLR-12131) Authorization plugin support for getting user's roles from the outside
[ https://issues.apache.org/jira/browse/SOLR-12131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17098574#comment-17098574 ]
Jan Høydahl commented on SOLR-12131:
------------------------------------
See updated PR
* Brought up to date with master branch
* RefGuide text revised, also addressing [~noble.paul]'s feedback
* New param 'rolesClaim' in JWTAuthPlugin which can pull user roles from any JWT claim
Please review, targeting 8.6 for this
> Authorization plugin support for getting user's roles from the outside
> ----------------------------------------------------------------------
>
> Key: SOLR-12131
> URL: https://issues.apache.org/jira/browse/SOLR-12131
> Project: Solr
> Issue Type: New Feature
> Components: security
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> Currently the {{RuleBasedAuthorizationPlugin}} relies on explicitly mapping users to roles. However, when users are authenticated by an external Identity service (e.g. JWT as implemented in SOLR-12121), that external service keeps track of the user's roles, and will pass that as a "claim" in the token (JWT).
> In order for Solr to be able to Authorise requests based on those roles, the Authorization plugin should be able to accept (verified) roles from the request instead of explicit mapping.
> Suggested approach is to create a new interface {{VerifiedUserRoles}} and a {{PrincipalWithUserRoles}} which implements the interface. The Authorization plugin can then pull the roles from request. By piggy-backing on the Principal, we have a seamless way to transfer extra external information, and there is also a natural relationship:
> {code:java}
> User Authentication -> Role validation -> Creating a Principal{code}
> I plan to add the interface, the custom Principal class and restructure {{RuleBasedAuthorizationPlugin}} in an abstract base class and two implementations: {{RuleBasedAuthorizationPlugin}} (as today) and a new {{ExternalRoleRuleBasedAuthorizationPlugin}}.
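The pattern described in the issue (roles taken from a configurable JWT claim, carried on the Principal, and read back by the authorization step) can be sketched as follows. This is an added example, not code from the Solr PR: only the names `VerifiedUserRoles`, `PrincipalWithUserRoles` and `rolesClaim` come from the message; `getVerifiedRoles`, `rolesFromClaim`, `isAuthorized` and the accepted claim shapes are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.*;

public class ExternalRolesExample {
  // Interface named in the issue; the method name is an assumption of this example.
  interface VerifiedUserRoles { Set<String> getVerifiedRoles(); }

  // Principal that carries roles already verified by the authentication step.
  static final class PrincipalWithUserRoles implements Principal, VerifiedUserRoles {
    private final String name;
    private final Set<String> roles;
    PrincipalWithUserRoles(String name, Collection<String> roles) {
      this.name = Objects.requireNonNull(name);
      this.roles = Collections.unmodifiableSet(new LinkedHashSet<>(roles));
    }
    @Override public String getName() { return name; }
    @Override public Set<String> getVerifiedRoles() { return roles; }
  }

  // Reads roles from the configured claim of a claims map whose token signature
  // has already been verified. Assumed shapes: a list of strings or a
  // whitespace-separated string; any other type yields no roles.
  static Set<String> rolesFromClaim(Map<String, Object> verifiedClaims, String rolesClaim) {
    Object v = verifiedClaims.get(rolesClaim);
    Set<String> out = new LinkedHashSet<>();
    if (v instanceof Collection) {
      for (Object o : (Collection<?>) v) if (o instanceof String) out.add((String) o);
    } else if (v instanceof String) {
      for (String s : ((String) v).trim().split("\\s+")) if (!s.isEmpty()) out.add(s);
    }
    return out;
  }

  // Authorization side: roles come from the principal only. A principal that
  // does not carry verified roles is denied (fail closed), never mapped by name.
  static boolean isAuthorized(Principal p, Set<String> rolesAllowedByRule) {
    if (!(p instanceof VerifiedUserRoles)) return false;
    return !Collections.disjoint(((VerifiedUserRoles) p).getVerifiedRoles(), rolesAllowedByRule);
  }

  public static void main(String[] args) {
    // Constructed sample claims standing in for an already verified token.
    Map<String, Object> claims = new HashMap<>();
    claims.put("sub", "alice");
    claims.put("roles", Arrays.asList("search", "admin"));
    Principal alice = new PrincipalWithUserRoles("alice", rolesFromClaim(claims, "roles"));
    Principal plain = () -> "bob"; // authenticated, but carries no verified roles
    Set<String> rule = Collections.singleton("admin");
    System.out.println("alice allowed: " + isAuthorized(alice, rule));
    System.out.println("bob allowed: " + isAuthorized(plain, rule));
  }
}
```

The point to check in any real implementation is the same as in the sketch: roles must only ever be populated from a token that passed signature and issuer validation, and a missing or malformed claim must result in no roles rather than a fallback to a default role.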