[
https://issues.apache.org/jira/browse/SOLR-14430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17348200#comment-17348200
]
Jan Høydahl commented on SOLR-14430:
------------------------------------
[~mdrob] can this be closed, now that SOLR-12131 implements
ExternalRoleRuleBasedAuthorizationPlugin? See
https://solr.apache.org/guide/8_8/rule-based-authorization-plugin.html#example-for-external-role-rulebasedauthorizationplugin-with-jwt-auth
> Authorization plugins should check roles from request
> -----------------------------------------------------
>
> Key: SOLR-14430
> URL: https://issues.apache.org/jira/browse/SOLR-14430
> Project: Solr
> Issue Type: Improvement
> Components: security
> Reporter: Mike Drob
> Priority: Major
>
> The AuthorizationContext exposes {{getUserPrincipal}} to the plugin, but it
> does not allow the plugin to interrogate the request for {{isUserInRole}}. If
> we trust the request enough to get a principal from it, then we should trust
> it enough to ask about roles, as those could have been defined and verified
> by an authentication plugin.
> This model would be an alternative to the current model where
> RuleBasedAuthorizationPlugin maintains its own user->role mapping.
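An added illustration of the model discussed in this thread (not part of the original messages, and not taken from the Solr project's own files): a `security.json` in which `JWTAuthPlugin` reads roles from a token claim and `ExternalRoleRuleBasedAuthorizationPlugin` authorizes against those request-supplied roles, so there is no `user-role` map of the kind `RuleBasedAuthorizationPlugin` maintains. The `jwksUrl` value, the claim name `roles`, and the role names `admin`, `indexer` and `reader` are constructed placeholders.

```json
{
  "authentication": {
    "class": "solr.JWTAuthPlugin",
    "blockUnknown": true,
    "jwksUrl": "https://idp.example.com/.well-known/jwks.json",
    "rolesClaim": "roles"
  },
  "authorization": {
    "class": "solr.ExternalRoleRuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "security-edit", "role": "admin" },
      { "name": "update", "role": ["indexer", "admin"] },
      { "name": "read", "role": ["reader", "indexer", "admin"] },
      { "name": "all", "role": "admin" }
    ]
  }
}
```

With this layout the identity provider that signs the token is the only place roles are assigned, so the trust decision rests on JWT signature validation and on which claim is read as roles.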