Mike Drob created SOLR-14430:
--------------------------------

Summary: Authorization plugins should check roles from request
Key: SOLR-14430
URL: https://issues.apache.org/jira/browse/SOLR-14430
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Components: security
Reporter: Mike Drob

The AuthorizationContext exposes {{getUserPrincipal}} to the plugin, but it does not allow the plugin to interrogate the request for {{isUserInRole}}. If we trust the request enough to get a principal from it, then we should trust it enough to ask about roles, as those could have been defined and verified by an authentication plugin. This model would be an alternative to the current model where RuleBasedAuthorizationPlugin maintains its own user->role mapping.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
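
The two role sources contrasted in the description, as an added sketch that is not Solr code and not part of the original message. `RequestView` is a hypothetical stand-in for the request view an authorization plugin receives, and all users, roles and the local mapping are constructed sample data.

```java
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RoleSourceDemo {
    // Hypothetical stand-in for the request view handed to an authorization plugin.
    // getUserPrincipal mirrors the accessor named in the issue; isUserInRole is the proposed one.
    interface RequestView {
        Principal getUserPrincipal();
        boolean isUserInRole(String role);
    }

    // Current model: the authorization side keeps its own user->role mapping.
    static boolean allowedByLocalMapping(RequestView req, Map<String, Set<String>> userRoles, String requiredRole) {
        Principal p = req.getUserPrincipal();
        if (p == null) return false; // no authenticated principal: deny
        return userRoles.getOrDefault(p.getName(), Set.of()).contains(requiredRole);
    }

    // Proposed model: ask the request, whose roles were set by the authentication layer.
    static boolean allowedByRequestRoles(RequestView req, String requiredRole) {
        return req.getUserPrincipal() != null && req.isUserInRole(requiredRole);
    }

    // Constructed request: principal and roles as an authentication plugin might have verified them.
    static RequestView authenticated(String user, Set<String> verifiedRoles) {
        return new RequestView() {
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String role) { return verifiedRoles.contains(role); }
        };
    }

    public static void main(String[] args) {
        // Constructed sample data: the local mapping has no entry for "bob".
        Map<String, Set<String>> localMapping = Map.of("alice", Set.of("admin"));
        List<RequestView> requests = List.of(
            authenticated("alice", Set.of("admin")),
            authenticated("bob", Set.of("admin")),
            authenticated("carol", Set.of("reader")));
        for (RequestView r : requests) {
            System.out.printf("%s: localMapping=%b requestRoles=%b%n",
                r.getUserPrincipal().getName(),
                allowedByLocalMapping(r, localMapping, "admin"),
                allowedByRequestRoles(r, "admin"));
        }
    }
}
```

The two checks disagree only for "bob", whose role was verified at authentication time but is absent from the locally maintained mapping.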