[ https://issues.apache.org/jira/browse/SOLR-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16100222#comment-16100222 ]

Hrishikesh Gadre commented on SOLR-10814:
-----------------------------------------

[~noble.paul]

bq. can you tell us which is the latest pull request

I have only one pull request. (Updated the same with the review feedback). 
https://github.com/apache/lucene-solr/pull/210

bq. KerberosPlugin will emit a KerberosPrincipal which has 2 extra methods 
getRealm() and getFullName().

BTW KerberosPlugin is not the only option for using Kerberos with Solr. We have 
recently added HadoopAuthPlugin, which allows configuring any authentication 
mechanism provided by the underlying Hadoop framework (e.g. LDAP, OAuth etc.). Your 
suggestion will not work in that case (without adding hacks to identify the 
Kerberos auth type).

What are your thoughts on adding a getUserName() method to AuthorizationContext? 
Since we are keeping the getPrincipal() method as well, the latest patch is 
perfectly backwards compatible. Please review the pull request and let me know 
what you think.


> Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos 
> authentication
> ---------------------------------------------------------------------------------------
>
>                 Key: SOLR-10814
>                 URL: https://issues.apache.org/jira/browse/SOLR-10814
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 6.2
>            Reporter: Hrishikesh Gadre
>
> Solr allows configuring roles to control user access to the system. This is 
> accomplished through rule-based permission definitions which are assigned to 
> users.
> The authorization framework in Solr passes the information about the request 
> (to be authorized) using an instance of AuthorizationContext class. Currently 
> the only way to extract authenticated user is via getUserPrincipal() method 
> which returns an instance of java.security.Principal class. The 
> RuleBasedAuthorizationPlugin implementation invokes getName() method on the 
> Principal instance to fetch the list of associated roles.
> https://github.com/apache/lucene-solr/blob/2271e73e763b17f971731f6f69d6ffe46c40b944/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L156
> In the case of the basic authentication mechanism, the principal is the userName. 
> Hence it works fine. But in the case of Kerberos authentication, the user 
> principal also contains the realm information, e.g. instead of foo, it would 
> return f...@example.com. This means that if the user changes the authentication 
> mechanism, he would also need to change the user-role mapping in the 
> authorization section to use f...@example.com instead of foo. This is not 
> good from a usability perspective.
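The following is an added, standalone illustration of the mismatch the issue describes; it is not Solr's own code and does not use Solr's AuthorizationContext or RuleBasedAuthorizationPlugin. It assumes a tiny NamedPrincipal class standing in for whatever Principal an authentication plugin supplies, a constructed user-role map written for basic auth, and a local shortUserName() helper that strips the realm. The naive lookup keyed on Principal.getName() finds roles for "foo" but none for "foo@EXAMPLE.COM"; the lookup keyed on the short user name matches both.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Illustration of the SOLR-10814 role-lookup problem (not Solr code).
 * A user-role mapping keyed on the short user name "foo" does not match a
 * Kerberos principal whose getName() returns "foo@EXAMPLE.COM".
 */
public class PrincipalRoleLookup {

    /** Hypothetical Principal implementation standing in for an auth plugin's principal. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Constructed sample user-role mapping, as written for basic authentication. */
    static final Map<String, Set<String>> USER_ROLES = new HashMap<>();
    static {
        USER_ROLES.put("foo", new HashSet<>(Arrays.asList("admin", "read")));
        USER_ROLES.put("bar", Collections.singleton("read"));
    }

    /** Naive lookup: the literal Principal.getName() value is the map key. */
    static Set<String> rolesByPrincipalName(Principal p) {
        return USER_ROLES.getOrDefault(p.getName(), Collections.emptySet());
    }

    /**
     * Local, illustrative normalisation (an assumption, not Solr's getUserName()):
     * drop everything from the first '@', so "foo@EXAMPLE.COM" becomes "foo".
     */
    static String shortUserName(String principalName) {
        int at = principalName.indexOf('@');
        return at < 0 ? principalName : principalName.substring(0, at);
    }

    /** Lookup keyed on the short user name, so basic and Kerberos principals share one mapping. */
    static Set<String> rolesByShortName(Principal p) {
        return USER_ROLES.getOrDefault(shortUserName(p.getName()), Collections.emptySet());
    }

    public static void main(String[] args) {
        Principal basic = new NamedPrincipal("foo");              // basic auth
        Principal kerberos = new NamedPrincipal("foo@EXAMPLE.COM"); // Kerberos, realm included

        // Naive lookup: basic auth works, Kerberos silently yields no roles.
        System.out.println("naive/basic    -> " + rolesByPrincipalName(basic));    // [admin, read]
        System.out.println("naive/kerberos -> " + rolesByPrincipalName(kerberos)); // []

        // Short-name lookup: both principals resolve to the same roles.
        System.out.println("short/basic    -> " + rolesByShortName(basic));        // [admin, read]
        System.out.println("short/kerberos -> " + rolesByShortName(kerberos));     // [admin, read]
    }
}
```

Two caveats for anyone relying on a normalisation like shortUserName(): it makes "foo@EXAMPLE.COM" and "foo@OTHER.COM" indistinguishable to the authorization rules, so it is only safe where every accepted realm is equally trusted, and it ignores Kerberos instance components ("foo/host@REALM"), which a real mapping (for example Hadoop's auth_to_local rules, which HadoopAuthPlugin deployments already use) handles explicitly.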



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
