[ 
https://issues.apache.org/jira/browse/SOLR-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16070799#comment-16070799
 ] 

Hrishikesh Gadre commented on SOLR-10814:
-----------------------------------------

[~ichattopadhyaya] [~noble.paul] Thanks for your feedback. 

Note - I have not yet updated the patch as I wanted to ensure that we all 
agree on the approach. Here is the summary of my thinking so far:
* We need to be backwards compatible with respect to 
RuleBasedAuthorizationPlugin. Hence we should make the switch from principal 
name to user_name configurable.
* We should use the short user name instead of the principal, as most of the role-based 
authorization solutions are using short user names. Here we have two options:

*option (a)* Expose both short user-name and principal

Advantages
(a) No need to worry about backwards incompatibility

Disadvantages
(a) Confusing for the third party integrators (Since similar information is 
available from both these APIs, which one should be used?) Clearly using 
getPrincipal() will require updating authorization metadata every time 
authentication mechanism is changed from/to kerberos. Hence most likely 
everyone will end up using getUserName() and will leave getPrincipal() unused 
for most part.

*option (b)* Expose short user-name and deprecate getPrincipal() method

Advantages
(a) No confusion with respect to which APIs to use.
(b) The API result will be consistent across authentication mechanisms.

Disadvantages
(a) May have backwards incompatibility concerns further down the line (e.g. 
during Solr 8.0 release).

Let me know your thoughts and I will update the patch accordingly.

> Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos 
> authentication
> ---------------------------------------------------------------------------------------
>
>                 Key: SOLR-10814
>                 URL: https://issues.apache.org/jira/browse/SOLR-10814
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 6.2
>            Reporter: Hrishikesh Gadre
>
> Solr allows configuring roles to control user access to the system. This is 
> accomplished through rule-based permission definitions which are assigned to 
> users.
> The authorization framework in Solr passes the information about the request 
> (to be authorized) using an instance of AuthorizationContext class. Currently 
> the only way to extract authenticated user is via getUserPrincipal() method 
> which returns an instance of java.security.Principal class. The 
> RuleBasedAuthorizationPlugin implementation invokes getName() method on the 
> Principal instance to fetch the list of associated roles.
> https://github.com/apache/lucene-solr/blob/2271e73e763b17f971731f6f69d6ffe46c40b944/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L156
> In case of the basic authentication mechanism, the principal is the userName. 
> Hence it works fine. But in case of kerberos authentication, the user 
> principal also contains the REALM information, e.g. instead of foo, it would 
> return f...@example.com. This means if the user changes the authentication 
> mechanism, he would also need to change the user-role mapping in the 
> authorization section to use f...@example.com instead of foo. This is not 
> good from a usability perspective.
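As an added illustration (not Solr's code, and not part of the issue or the patch under discussion), the following stand-alone Java snippet reproduces the mismatch the issue describes and the configurable name normalization proposed in the comment: the same user-role mapping resolves roles for a Basic-auth principal but not for a Kerberos principal until the realm is stripped. The `useShortName` flag, the `shortUserName` helper, the `rolesFor` lookup and the sample mapping are assumptions made for this example, not Solr APIs.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class PrincipalRoleLookupDemo {

    /** Hypothetical switch standing in for the "configurable" behaviour proposed in the comment. */
    static boolean useShortName = false;

    /**
     * Strips the Kerberos realm (and any host/instance component) from a principal name:
     * "foo@EXAMPLE.COM" -> "foo", "solr/host.example.com@EXAMPLE.COM" -> "solr".
     * Basic-auth names that contain neither '@' nor '/' are returned unchanged.
     */
    static String shortUserName(String principalName) {
        if (principalName == null) {
            return null;
        }
        String name = principalName;
        int at = name.indexOf('@');
        if (at >= 0) {
            name = name.substring(0, at);
        }
        int slash = name.indexOf('/');
        if (slash >= 0) {
            name = name.substring(0, slash);
        }
        return name;
    }

    /**
     * Mirrors the plugin's principal.getName() lookup against the user-role mapping,
     * optionally normalizing the name first. Unknown or missing users get no roles.
     */
    static List<String> rolesFor(Principal principal, Map<String, List<String>> userRoles) {
        if (principal == null) {
            return Collections.emptyList();
        }
        String key = useShortName ? shortUserName(principal.getName()) : principal.getName();
        return userRoles.getOrDefault(key, Collections.emptyList());
    }

    public static void main(String[] args) {
        // Constructed user-role mapping, written the way an operator would for Basic auth.
        Map<String, List<String>> userRoles = Map.of("foo", List.of("admin"));

        Principal basic = () -> "foo";                // Basic auth: principal name == user name
        Principal kerberos = () -> "foo@EXAMPLE.COM";  // Kerberos: principal name carries the realm

        // Raw principal name: only the Basic-auth user matches the mapping.
        useShortName = false;
        System.out.println("basic                 -> " + rolesFor(basic, userRoles));
        System.out.println("kerberos              -> " + rolesFor(kerberos, userRoles));

        // Short user name: the same mapping now also matches the Kerberos user.
        useShortName = true;
        System.out.println("kerberos (short name) -> " + rolesFor(kerberos, userRoles));
    }
}
```

Stripping the realm is what makes one mapping work across both authentication mechanisms, but it also collapses principals from different realms (for example `foo@EXAMPLE.COM` and `foo@OTHER.COM`) onto the same short name, so the switch is only safe where a single trusted realm authenticates users; that is one reason to keep the behaviour configurable rather than unconditional.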



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
