You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucene.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2019/10/08 10:39:00 UTC
[jira] [Commented] (SOLR-12666) Support multiple
AuthenticationPlugin's simultaneoulsy
[ https://issues.apache.org/jira/browse/SOLR-12666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16946697#comment-16946697 ]
Jan Høydahl commented on SOLR-12666:
------------------------------------
Or we could allow one plugin as today, and instantiate a chain with only one plugin. Or if we find "chain" as a json key then create the chain with all in the list. That is the easy part. The hard part is to redesign the AuthPlugin API along the lines I suggested above. Any thoghts on that? There are quite few external auth plugins so far, so breaking back-compat with how authenticate() works is not that big of an issue when introduced in a major version.
> Support multiple AuthenticationPlugin's simultaneoulsy
> ------------------------------------------------------
>
> Key: SOLR-12666
> URL: https://issues.apache.org/jira/browse/SOLR-12666
> Project: Solr
> Issue Type: New Feature
> Components: Authentication, security
> Reporter: Jan Høydahl
> Priority: Major
> Labels: authentication
>
> Solr is getting support for more authentication plugins year by year, and customers have developed their own in-house plugins as well.
> At the same time we see more and more JIRAs to add *BasicAuth* support for various clients and use cases, such as SOLR-12584 (Solr Exporter), SOLR-9779 (Streaming expressions), SOLR-11356 (ConcurrentUpdateSolrClient), SOLR-8213 (JDBC), SOLR-12583 (Subquery docTransformer) and SOLR-10322 (Streaming expression daemon), SOLR-12860 (metrics history), SOLR-11759 (DocExpirationUpdateProcessor), SOLR-11959 (CDCR), SOLR-12359 (LIR) and probably more. Some of these may be bugs that can be fixed with PKI though...
> Currently the framework supports *only one active Auth method* (except PKI which is special). Which means that if you use something else than BasicAuth, you're lucky if you get any of the above features to work with your cluster. -Even the AdminUI only supports BasicAuth (implicit via browser).- Admin UI has explicit support for a few plugins only.
> I think the solution is to allow more than one auth plugin to be active at the same time, allowing people to use their custom fancy auth which is tightly integrated with their environment, and at the same time activate e.g. BasicAuth or JWTAuth for use with other clients that do not support the primary auth method.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org