Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/03/26 16:59:00 UTC

[jira] [Commented] (SOLR-15296) Provide allowlisting mechanism in the JWT auth plugin to ignore paths like login

    [ https://issues.apache.org/jira/browse/SOLR-15296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309557#comment-17309557 ] 

Jan Høydahl commented on SOLR-15296:
------------------------------------

You are right that we have disabled auth on the backend explicitly for /solr/ since the backend knows that it serves the Admin UI which is always just static files.

If you are serving YASA from /v2/plugin/yasa/whatever then there should be some generic way for a plugin to tell Solr that one or more of its paths should not need authentication. This is independent from what auth plugin is active.

I guess it is somewhat related to SOLR-14216 in which we add a configurable list of allow-paths. But that is still manual (solr.in.sh). What we need here is for a plugin to tell Solr that it should add more paths to that list... I wonder whether the PermissionNameProvider interface can be put on the handler and set some special permission? But not sure if we can use that to completely bypass auth since I believe these permissions are part of RBAC.  [~noble.paul]?  [~dep4b]

> Provide allowlisting mechanism in the JWT auth plugin to ignore paths like login
> --------------------------------------------------------------------------------
>
>                 Key: SOLR-15296
>                 URL: https://issues.apache.org/jira/browse/SOLR-15296
>             Project: Solr
>          Issue Type: Wish
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authorization, Plugin system
>            Reporter: Zhenxu Ke
>            Priority: Major
>
> I'm recently working (with [~epugh] ) on YASA to make it work under the auth plugins.
>  
> I saw in the code that the authenticator allowlists the Admin login path `/solr/` explicitly, while for YASA, its path must start with `/v2`, not matching the whitelisted paths, and will be intercepted; hence the login page won't be reached and redirected. I also didn't find an allowlisting mechanism in the JWT auth plugin, and [RBAP|https://nightlies.apache.org/Solr/Solr-reference-guide-main/rule-based-authorization-plugin.html] doesn't seem to fit this case either. So I'm wondering if it's possible to provide an allowlisting mechanism in the JWT auth plugin, so that users can configure the login paths for plugins like YASA to work?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
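The thread above is about a list of request paths that skip authentication (the static `/solr/` exemption, the configurable allow-paths mentioned for SOLR-14216, and a plugin adding its own login path such as `/v2/plugin/yasa/...`). Any such list is an authentication bypass surface, so the check a practitioner wants is that matching is done on a canonicalised path and on whole path segments, not with a raw string prefix. The following is an added, stand-alone illustration written for this page; it is not Solr code and does not use any Solr API. The class `AuthAllowlist`, its `add()` method (standing in for whatever hook a plugin would use to register paths), `naive_is_exempt()` and the sample paths are all hypothetical.

```python
"""Stand-alone illustration of an auth-exemption path allowlist (not Solr code).

Shows why a naive startswith() prefix match is unsafe for an allowlist that
bypasses authentication, and how canonical, segment-wise matching avoids the
classic traversal and sibling-name pitfalls.
"""
from posixpath import normpath
from urllib.parse import unquote


def naive_is_exempt(prefixes, request_path):
    """The tempting but unsafe version: raw string prefix on the request path."""
    return any(request_path.startswith(p) for p in prefixes)


class AuthAllowlist:
    """Paths that may be served without authentication.

    Entries are stored canonicalised; a request is exempt only if its
    canonical path equals an entry or lies below it on a segment boundary.
    """

    def __init__(self, configured):
        # `configured` plays the role of a statically configured list
        # (cf. the solr.in.sh allow-paths discussed in the thread).
        self._entries = set()
        for path in configured:
            self.add(path)

    def add(self, path):
        """Hypothetical hook a plugin would call to register its own paths."""
        self._entries.add(self._canonical(path))

    @staticmethod
    def _canonical(path):
        # 1. Drop the query string on the raw '?' before decoding, as a server would.
        path = path.split("?", 1)[0]
        # 2. Percent-decode once so "%2e%2e" becomes ".." and is then collapsed.
        path = unquote(path)
        # 3. Collapse "//", "." and ".." so "/solr/../v2/x" becomes "/v2/x".
        #    lstrip avoids posixpath's special treatment of a "//" prefix.
        return normpath("/" + path.lstrip("/"))

    @staticmethod
    def _segments(path):
        return [s for s in path.split("/") if s]

    def is_exempt(self, request_path):
        """True if the request may bypass authentication."""
        req = self._segments(self._canonical(request_path))
        for entry in self._entries:
            ent = self._segments(entry)
            # Segment-wise prefix: "/v2/plugin/yasa" covers "/v2/plugin/yasa/login"
            # but not "/v2/plugin/yasa-evil/login".
            if req[: len(ent)] == ent:
                return True
        return False


def demo():
    """Constructed sample requests comparing the two strategies."""
    prefixes = ["/solr/", "/v2/plugin/yasa"]
    allow = AuthAllowlist(prefixes)
    samples = [
        "/solr/index.html",                 # static admin UI, should be exempt
        "/v2/plugin/yasa/login?next=/",     # plugin login page, should be exempt
        "/solr/../v2/collections",          # traversal: naive match says exempt
        "/solr/%2e%2e/v2/collections",      # encoded traversal, same idea
        "/v2/plugin/yasa-evil/login",       # sibling name sharing the prefix
        "/v2/collections",                  # plain API path, never exempt
    ]
    return {p: (naive_is_exempt(prefixes, p), allow.is_exempt(p)) for p in samples}


if __name__ == "__main__":
    for path, (naive, safe) in demo().items():
        print(f"{path:35} naive={naive!s:5} canonical={safe}")
```

The interesting rows in `demo()` are the traversal and sibling-name cases: the naive check exempts `/solr/../v2/collections` and `/v2/plugin/yasa-evil/login` from authentication, while the canonical, segment-wise check does not, and both still exempt the two legitimate paths. Whatever mechanism lets a plugin append paths to the list, the matcher behind it should be of the second kind.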
