Hi. I have started work with some new contributions to the security framework, and hope you will have a look and comment on them :)

The first is introduction of a brand new plugin type, AuditLoggerPlugin: https://issues.apache.org/jira/plugins/servlet/mobile#issue/SOLR-12120 along with one implementation logging to solr.log.

Then there is a new JWT Authentication plugin: https://issues.apache.org/jira/plugins/servlet/mobile#issue/SOLR-12121 It allows for validating tokens issued and signed by a 3rd party, and also validating claims present in the token. This plugin can also pass a “roles” claim on to the new authorization plugin described next.

The third contrib is an Authorization plugin with support for getting user's roles from the request: https://issues.apache.org/jira/plugins/servlet/mobile#issue/SOLR-12131 This is a subclass of rule based authz and shares all features, except you will not provide a user-role map in config; instead you trust a list of roles passed from the JWT plugin (or any other Auth plugin).

The final part of the puzzle is adding login support to Admin UI: https://issues.apache.org/jira/plugins/servlet/mobile#issue/SOLR-7896 I don’t have any path for this but discussion about how to best solve it is highly welcome at this stage!

Jan Høydahl