Jan Høydahl created SOLR-12131:
----------------------------------
Summary: Authorization plugin support for getting user's roles
from the outside
Key: SOLR-12131
URL: https://issues.apache.org/jira/browse/SOLR-12131
Project: Solr
Issue Type: New Feature
Security Level: Public (Default Security Level. Issues are Public)
Components: security
Reporter: Jan Høydahl
Currently the {{RuleBasedAuthorizationPlugin}} relies on explicitly mapping
users to roles. However, when users are authenticated by an external identity
service (e.g. JWT as implemented in SOLR-12121), that external service keeps
track of the user's roles, and will pass them as a "claim" in the token (JWT).
In order for Solr to be able to authorize requests based on those roles, the
Authorization plugin should be able to accept (verified) roles from the request
instead of explicit mapping.
The suggested approach is to create a new interface {{VerifiedUserRoles}} and a
{{PrincipalWithUserRoles}} which implements the interface. The Authorization
plugin can then pull the roles from the request. By piggy-backing on the Principal,
we have a seamless way to transfer extra external information, and there is
also a natural relationship:
{code:java}
User Authentication -> Role validation -> Creating a Principal
{code}
I plan to add the interface, the custom Principal class and restructure
{{RuleBasedAuthorizationPlugin}} into an abstract base class and two
implementations: {{RuleBasedAuthorizationPlugin}} (as today) and a new
{{ExternalRoleRuleBasedAuthorizationPlugin}}.
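A sketch of the approach proposed in the issue above, added here as an illustration and not taken from the Solr code base or from any patch attached to the issue. Only the names VerifiedUserRoles and PrincipalWithUserRoles come from the issue text; getVerifiedRoles(), RuleBasedBase, ExternalRoles and the sample rule and users are assumptions, and the explicit-mapping implementation is left out.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class ExternalRolesSketch {
  // Roles the authentication plugin has already verified (method name is assumed).
  interface VerifiedUserRoles { Set<String> getVerifiedRoles(); }

  // Principal carrying the roles taken from a validated token.
  static final class PrincipalWithUserRoles implements Principal, VerifiedUserRoles {
    private final String name;
    private final Set<String> roles;
    PrincipalWithUserRoles(String name, Set<String> roles) {
      this.name = name;
      this.roles = Set.copyOf(roles); // immutable copy, cannot be widened later
    }
    @Override public String getName() { return name; }
    @Override public Set<String> getVerifiedRoles() { return roles; }
  }

  // Shared rule evaluation; subclasses only decide where a user's roles come from.
  abstract static class RuleBasedBase {
    final Map<String, Set<String>> permissionToRoles;
    RuleBasedBase(Map<String, Set<String>> rules) { this.permissionToRoles = rules; }
    abstract Set<String> rolesFor(Principal p);
    boolean isAllowed(Principal p, String permission) {
      // This sketch fails closed: unknown permissions and anonymous requests are denied.
      Set<String> required = permissionToRoles.getOrDefault(permission, Set.of());
      Set<String> held = (p == null) ? Set.of() : rolesFor(p);
      return required.stream().anyMatch(held::contains);
    }
  }

  // Roles read from the request's principal; a principal without verified roles has none.
  static final class ExternalRoles extends RuleBasedBase {
    ExternalRoles(Map<String, Set<String>> rules) { super(rules); }
    @Override Set<String> rolesFor(Principal p) {
      return (p instanceof VerifiedUserRoles) ? ((VerifiedUserRoles) p).getVerifiedRoles() : Set.of();
    }
  }

  public static void main(String[] args) {
    // Constructed sample rule and principals.
    ExternalRoles authz = new ExternalRoles(Map.of("collection-admin-edit", Set.of("admin")));
    Principal verified = new PrincipalWithUserRoles("alice", Set.of("admin"));
    Principal unverified = () -> "alice"; // same name, no verified roles attached
    System.out.println(authz.isAllowed(verified, "collection-admin-edit"));
    System.out.println(authz.isAllowed(unverified, "collection-admin-edit"));
  }
}
```

The second principal has the same user name but does not implement the roles interface, so the role check gives it no roles; in this design, roles are trusted only when the authentication step attached them to the Principal after validating the token.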