Posted to dev@lucene.apache.org by "Hrishikesh Gadre (JIRA)" <ji...@apache.org> on 2018/03/16 16:05:00 UTC

[jira] [Comment Edited] (SOLR-11781) Pass impersonator info to the authorization plugin

    [ https://issues.apache.org/jira/browse/SOLR-11781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16402083#comment-16402083 ] 

Hrishikesh Gadre edited comment on SOLR-11781 at 3/16/18 4:04 PM:
------------------------------------------------------------------

[~janhoy] Typically audit logging is closely related to authorization as we want to identify which "authenticated" user tried to perform an operation that was not authorized. I enhanced AuthorizationContext to explicitly pass the impersonator username (please find attached patch) and implemented audit logging inside the authorization plugin.
{quote}Is there any method to pass information (except for the user principal) from Authentication to authorization? Can Auth plugin fill information in AuthorizationContext?
{quote}
While the authentication plugin can pass any arbitrary information via the HttpServletRequest object (e.g. using custom attributes), the authorization context does not provide access to the raw HttpServletRequest object. In my case, KerberosPlugin is already passing the impersonator user name. I just had to add another method in AuthorizationContext to forward this info to the authorization plugin. I wonder if it would make more sense to expose the HttpServletRequest object directly to the authorization plugin? This way authentication and authorization plugins can pass any information via the HttpServletRequest object. I am not sure if the original design did not support it intentionally. What do you think?



> Pass impersonator info to the authorization plugin
> --------------------------------------------------
>
>                 Key: SOLR-11781
>                 URL: https://issues.apache.org/jira/browse/SOLR-11781
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.0
>            Reporter: Hrishikesh Gadre
>            Priority: Minor
>         Attachments: SOLR-11781-00.patch
>
>
> SENTRY-1475 implemented Solr authorization plugin based on Sentry. This also includes the audit log functionality in Sentry. Currently authorization context is not providing the impersonator information which is required for the audit logs. We should improve Solr authorization framework to pass this extra information.
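
The pattern discussed in the comment above, as an added example that is not taken from SOLR-11781-00.patch or from Solr: the authentication layer records both identities as request attributes, and the authorization plugin receives only a narrow context exposing the impersonator for its audit record. All type, method and attribute names are hypothetical stand-ins, and the requests are constructed sample data.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added illustration; every type and method name here is hypothetical and
// only stands in for the Solr classes named in the comment.
public class ImpersonatorAuditExample {

    /** Narrow view handed to the authorization plugin (no raw request access). */
    interface AuthzContext {
        String userName();               // effective (possibly impersonated) user
        Optional<String> impersonator(); // authenticated caller when proxying
        String resource();
    }

    /** Stand-in for the authentication side: copy both identities out of request attributes. */
    static AuthzContext fromRequestAttributes(Map<String, String> attrs, String resource) {
        final String user = attrs.get("effective.user");     // constructed attribute names
        final String proxy = attrs.get("impersonator.user");
        return new AuthzContext() {
            public String userName() { return user; }
            public Optional<String> impersonator() { return Optional.ofNullable(proxy); }
            public String resource() { return resource; }
        };
    }

    /** Authorization decision together with the audit record for it. */
    static String authorize(AuthzContext ctx, Map<String, Set<String>> acl) {
        boolean allowed = acl.getOrDefault(ctx.resource(), Set.of()).contains(ctx.userName());
        // Record both identities so the action is attributable to the real caller;
        // "-" marks a request made without impersonation.
        return String.format("decision=%s user=%s impersonator=%s resource=%s",
                allowed ? "ALLOW" : "DENY", ctx.userName(),
                ctx.impersonator().orElse("-"), ctx.resource());
    }

    public static void main(String[] args) {
        Map<String, Set<String>> acl = Map.of("/admin/collections", Set.of("alice"));
        // Constructed requests: service "hue" acting as bob, then alice directly.
        System.out.println(authorize(fromRequestAttributes(
                Map.of("effective.user", "bob", "impersonator.user", "hue"),
                "/admin/collections"), acl));
        System.out.println(authorize(fromRequestAttributes(
                Map.of("effective.user", "alice"), "/admin/collections"), acl));
    }
}
```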


