Posted to dev@lucene.apache.org by "Mike Drob (JIRA)" <ji...@apache.org> on 2015/07/02 19:25:04 UTC
[jira] [Commented] (SOLR-7692) Implement BasicAuth based impl for
the new Authentication/Authorization APIs
[ https://issues.apache.org/jira/browse/SOLR-7692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14612251#comment-14612251 ]
Mike Drob commented on SOLR-7692:
---------------------------------
{code}
+ public static AuthorizationResponse OK = new AuthorizationResponse(200);
+ public static AuthorizationResponse FORBIDDEN = new AuthorizationResponse(403);
+ public static AuthorizationResponse PROMPT = new AuthorizationResponse(401);
{code}
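Review bot: The `OK`, `FORBIDDEN` and `PROMPT` fields are `public static` but not `final`, so any code in the JVM can reassign them (for instance, leaving `FORBIDDEN` pointing at the 200 instance), and every later decision that returns the constant changes with it. Declare all three `public static final`, and if `AuthorizationResponse` holds any state beyond the status code, make the instances immutable too.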
Please make these final.
{code}
+ private static Set<String> EMPTY_NULL_SET;
{code}
Also final.
{code}
+ @Override
+ public void init(Map<String, Object> initInfo) {
+ mapping.put(null, new WildCardSupportMap());
+ Map map = (Map) initInfo.get("roles");
+ for (Object o : map.entrySet()) {
+ Map.Entry e = (Map.Entry) o;
+ String roleName = (String) e.getKey();
+ usersVsRoles.put(roleName, readSet(map, roleName));
+ }
+ map = (Map) initInfo.get("permissions");
+ for (Object o : map.entrySet()) {
+ Map.Entry e = (Map.Entry) o;
+ Permission p = new Permission((String) e.getKey(), (Map) e.getValue());
+ permissions.add(p);
+ add2Mapping(p);
+ }
+ }
{code}
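Review bot: In `init`, the results of `initInfo.get("roles")` and `initInfo.get("permissions")` are passed straight to `map.entrySet()` with no null or type check, so a security config that omits either section fails with a NullPointerException rather than a clear configuration error. Check both lookups before iterating and either reject the configuration with a message naming the missing section or treat the section as empty; for an authorization plugin, rejecting is the safer choice.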
Is it possible to use generic types instead of doing a bunch of casts? There's a bunch of other places with raw {{Map}} as well.
{code}
+ //check permissions for a collection
+ //return true = allowed, false=not allowed, null= resource requires a principal but none available
+ private MatchStatus checkCollPerm(Map<String, List<Permission>> pathVsPerms,
+ AuthorizationContext context) {
{code}
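Review bot: The comment above `checkCollPerm` documents a `true`/`false`/`null` return, but the signature returns `MatchStatus`. Rewrite it to say which `MatchStatus` value stands for allowed, for not allowed, and for "resource requires a principal but none available", so the three outcomes stay distinguishable to whoever reads the method.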
This comment is misleading - probably left over from an earlier iteration.
Please add a test case that uses the salt when authenticating.
Do you think it would be reasonable to split out the dependency between BasicAuthPlugin and ZkAuthentication? I could imagine somebody wanting to do BasicAuth backed by a different store, were it available.
Will continue to dive deeper in a bit.
> Implement BasicAuth based impl for the new Authentication/Authorization APIs
> ----------------------------------------------------------------------------
>
> Key: SOLR-7692
> URL: https://issues.apache.org/jira/browse/SOLR-7692
> Project: Solr
> Issue Type: New Feature
> Reporter: Noble Paul
> Assignee: Noble Paul
> Attachments: SOLR-7692.patch
>
>
> This involves various components
> h2. Authentication
> A basic auth based authentication filter. This should retrieve the user credentials from ZK. The user name and sha1 hash of password should be stored in ZK
> sample authentication json
> {code:javascript}
> {
>   "authentication": {
>     "class": "solr.BasicAuth",
>     "users": {
>       "john": "09fljnklnoiuy98 buygujkjnlk",
>       "david": "f678njfgfjnklno iuy9865ty",
>       "pete": "87ykjnklndfhjh8 98uyiy98"
>     }
>   }
> }
> {code}
> h2. authorization plugin
> This would store the roles of various users and their privileges in ZK
> sample authorization.json
> {code:javascript}
> {
>   "authorization": {
>     "class": "solr.ZKAuthorization",
>     "roles": {
>       "admin": ["john"],
>       "guest": ["john", "david", "pete"]
>     },
>     "permissions": {
>       "collectionadmin": {
>         "roles": ["admin"]
>       },
>       "coreadmin": {
>         "roles": ["admin"]
>       },
>       "config-api": {
>         //all collections
>         "roles": ["admin"]
>       },
>       "schema-api": {
>         "roles": ["admin"]
>       },
>       "update": {
>         //all collections
>         "roles": null
>       },
>       "query": {
>         "roles": null
>       },
>       "mycoll_update": {
>         "collection": "mycoll",
>         "path": ["/update/*"],
>         "roles": ["somebody"] //create a dir called /keys/somebody and put in usr.pwd files
>       }
>     }
>   }
> }
> {code}
> We will also need to provide APIs to create users and assign them roles
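The role check that the quoted sample authorization.json implies, mapped onto the 200/403/401 responses from the reviewed hunk, as an added example that is not part of the original message or of SOLR-7692.patch. The names `RoleCheckSketch` and `check` are hypothetical. The sketch assumes that `"roles": null` means no role is needed and that unknown permission names are denied, and it leaves out the `collection` and `path` matching.

```java
import java.util.*;

// Added sketch; RoleCheckSketch and check() are hypothetical names, not from the patch.
public class RoleCheckSketch {
  static final int OK = 200, FORBIDDEN = 403, PROMPT = 401; // codes from the reviewed hunk

  private final Map<String, Set<String>> roleToUsers;   // "roles": role name -> users
  private final Map<String, List<String>> permToRoles;  // "permissions": name -> "roles"

  RoleCheckSketch(Map<String, Set<String>> roleToUsers, Map<String, List<String>> permToRoles) {
    // Reject a config with a missing section at load time instead of failing per request.
    this.roleToUsers = Objects.requireNonNull(roleToUsers, "roles section missing");
    this.permToRoles = Objects.requireNonNull(permToRoles, "permissions section missing");
  }

  /** @param user authenticated user name, or null when the request carried no credentials */
  int check(String permission, String user) {
    if (!permToRoles.containsKey(permission)) return FORBIDDEN; // assumption: unknown => deny
    List<String> required = permToRoles.get(permission);
    if (required == null) return OK;     // assumption: "roles": null means no role is needed
    if (user == null) return PROMPT;     // a role is needed but there is no principal
    for (String role : required) {
      Set<String> members = roleToUsers.get(role);
      if (members != null && members.contains(user)) return OK;
    }
    return FORBIDDEN;                    // authenticated, but in none of the required roles
  }

  public static void main(String[] args) {
    // Constructed input mirroring part of the sample authorization.json.
    Map<String, Set<String>> roles = new HashMap<>();
    roles.put("admin", new HashSet<>(Arrays.asList("john")));
    roles.put("guest", new HashSet<>(Arrays.asList("john", "david", "pete")));
    Map<String, List<String>> perms = new HashMap<>();
    perms.put("collectionadmin", Arrays.asList("admin"));
    perms.put("update", null);
    perms.put("mycoll_update", Arrays.asList("somebody"));
    RoleCheckSketch rc = new RoleCheckSketch(roles, perms);
    System.out.println(rc.check("collectionadmin", "john"));
    System.out.println(rc.check("collectionadmin", "david"));
    System.out.println(rc.check("collectionadmin", null));
    System.out.println(rc.check("update", null));
    System.out.println(rc.check("mycoll_update", "john"));
  }
}
```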