Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2015/07/06 17:22:04 UTC

[jira] [Commented] (SOLR-7755) An API to edit the security params

    [ https://issues.apache.org/jira/browse/SOLR-7755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14615159#comment-14615159 ] 

Ishan Chattopadhyaya commented on SOLR-7755:
--------------------------------------------

Why does this need to be an endpoint in Solr? Can't all this be a wrapper around the /security.json in ZK and made available as a command line tool similar to zkcli?
The reason I think this shouldn't be an endpoint in Solr is that an admin might want to plan and set up security parameters in a cluster even before starting Solr. Also, authc/authz plugins in an already started up Solr cluster can add watches to the /security.json in ZK to monitor changes made through such a command line tool. That way, this API or "framework" wouldn't need to know what all to expect (i.e. "create-permission" or "add-user" or anything plugin specific).

Another challenge that comes to mind with having an endpoint like this: how would we secure this endpoint itself?

Thoughts, [~anshumg]?

> An API to edit the security params
> ----------------------------------
>
>                 Key: SOLR-7755
>                 URL: https://issues.apache.org/jira/browse/SOLR-7755
>             Project: Solr
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>
> example
> {code}
> curl http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
> "add-user" : {"name" : "tom", 
>              "role": ["admin","dev"]
>              },
> "create-permission" :{"name":"mycoll-update",
>                       "before" :"some-other-permission",
>                       "path":"/update/*",
>                       "role":["dev","admin"]
>                       }
> }'
> {code}
> Please note that the set of parameters required for a basic ZK-based impl will be completely different from that of a Kerberos implementation. However the framework would remain the same. The end point will remain the same, though.
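
An added example, not code from Solr or from anyone in this thread: it applies the edit commands from the issue description to a local copy of the security document, which is the offline step a zkcli-style tool would run before uploading /security.json to ZK. The document layout (`user-role`, `permissions`), the handling of `before`, the `/select` path and every function name are assumptions.

```python
import copy

# Assumed layout: {"user-role": {user: [roles]}, "permissions": [ordered rules]}
class EditError(ValueError):
    """A command could not be applied; the input document is left unchanged."""

def add_user(doc, args):
    name, roles = args["name"], args["role"]
    if not name or not isinstance(roles, list) or not roles:
        raise EditError("add-user needs a name and a non-empty role list")
    doc.setdefault("user-role", {})[name] = sorted(set(roles))

def create_permission(doc, args):
    perms = doc.setdefault("permissions", [])
    names = [p["name"] for p in perms]
    if args["name"] in names:
        raise EditError("permission already exists: " + args["name"])
    entry = {k: args[k] for k in ("name", "path", "role")}
    before = args.get("before")
    if before is None:
        perms.append(entry)
    elif before in names:
        perms.insert(names.index(before), entry)
    else:
        # Fail closed: never guess where an access rule belongs in the order.
        raise EditError("unknown 'before' permission: " + before)

HANDLERS = {"add-user": add_user, "create-permission": create_permission}

def apply_commands(doc, commands):
    """Return an edited copy of doc; either every command applies or none do."""
    new_doc = copy.deepcopy(doc)
    for op, args in commands.items():
        if op not in HANDLERS:
            raise EditError("unsupported command: " + op)
        try:
            HANDLERS[op](new_doc, args)
        except KeyError as missing:
            raise EditError(f"{op} is missing key {missing}") from None
    return new_doc

# Constructed sample input, modelled on the payload in the issue description.
CURRENT = {"user-role": {}, "permissions": [
    {"name": "some-other-permission", "path": "/select", "role": ["dev"]}]}
PAYLOAD = {
    "add-user": {"name": "tom", "role": ["admin", "dev"]},
    "create-permission": {"name": "mycoll-update", "before": "some-other-permission",
                          "path": "/update/*", "role": ["dev", "admin"]}}

if __name__ == "__main__":
    print(apply_commands(CURRENT, PAYLOAD))
```

Because the edit works on a deep copy and raises on the first invalid command, a rejected batch never produces a half-edited document to upload.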


