[
https://issues.apache.org/jira/browse/SOLR-7692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14628347#comment-14628347
]
Noble Paul commented on SOLR-7692:
----------------------------------
bq.Would it make sense to split out the authc/authz framework changes and the
plugins themselves into two separate issues?
I'm thinking of doing that..
bq.Can we rename TestZkAuthentication to something more appropriate?
sure
bq. make ZK as one of many possible (and configurable) sources for credential
stores for these plugins based on basicauth?
The most common use case would be to use basic auth plugin and store the
credentials elsewhere. The code is organized so that the credentials check is
done in a separate class.
{{ZkBasedAuthorizationPlugin}} cannot have another option . You can either use
that or use something else altogether . Say, {{RangerAuthorizationPlugin}} ?
> Implement BasicAuth based impl for the new Authentication/Authorization APIs
> ----------------------------------------------------------------------------
>
> Key: SOLR-7692
> URL: https://issues.apache.org/jira/browse/SOLR-7692
> Project: Solr
> Issue Type: New Feature
> Reporter: Noble Paul
> Assignee: Noble Paul
> Attachments: SOLR-7692.patch, SOLR-7692.patch, SOLR-7692.patch,
> SOLR-7692.patch
>
>
> This involves various components
> h2. Authentication
> A basic auth based authentication filter. This should retrieve the user
> credentials from ZK. The user name and sha1 hash of password should be
> stored in ZK
> sample authentication json
> {code:javascript}
> {
> "authentication":{
> "class": "solr.BasicAuthPlugin",
> "users" :{
> "john" :"09fljnklnoiuy98 buygujkjnlk",
> "david":"f678njfgfjnklno iuy9865ty",
> "pete": "87ykjnklndfhjh8 98uyiy98",
> }
> }
> }
> {code}
> h2. authorization plugin
> This would store the roles of various users and their privileges in ZK
> sample authorization.json
> {code:javascript}
> {
> "authorization": {
> "class": "solr.ZKAuthorization",
> "roles" :{
> "admin" : ["john"]
> "guest" : ["john", "david","pete"]
> }
> "permissions": {
> "collection-edit": {
> "role": "admin"
> },
> "coreadmin":{
> "role":"admin"
> },
> "config-edit": {
> //all collections
> "role": "admin",
> "method":"POST"
> },
> "schema-edit": {
> "roles": "admin",
> "method":"POST"
> },
> "update": {
> //all collections
> "role": "dev"
> },
> "mycoll_update": {
> "collection": "mycoll",
> "path":["/update/*"],
> "role": ["somebody"]
> }
> }
> }
> }
> {code}
> We will also need to provide APIs to create users and assign them roles
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
