janhoy opened a new issue #331: URL: https://github.com/apache/solr-operator/issues/331
The Operator already has support for configuring Solr with BasicAuth, and the Operator is given BasicAuth credentials to be able to access `/solr/admin/info/system`, `/solr/admin/collections` and `/solr/admin/{backup,restore}`. The operator should also work when [JWTAuthPlugin](https://solr.apache.org/guide/8_10/jwt-authentication-plugin.html) is used for the cluster. The Operator will then need to obtain and use a JWT token as an `Authorization: Bearer xxxx` header for all requests to Solr endpoints, analogous to how it uses `Authorization: Basic xxxx` today.

What I propose is:

* Operator can be configured to set up `security.json` for JWT
* Operator can be configured to obtain a JWT token from an OIDC server to talk to Solr

The security.json is not that different from the BasicAuth one, something like:

```json
{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.JWTAuthPlugin",
    "redirectUris": "https://my.solr.server:8983/solr/,https://my.other.solr.server:8983/solr/",
    "rolesClaim": "roles",
    "issuers": [
      {
        "wellKnownUrl": "https://idp.example.com/.well-known/openid-configuration",
        "clientId": "<MY_CLIENT_ID>"
      }
    ]
  },
  "authorization": {
    "class": "solr.ExternalRoleRuleBasedAuthorizationPlugin",
    "permissions": [ ... ]
  }
}
```

The permissions will mostly be the same, and the mapping from users to their roles will happen in the OIDC server, so we'll not care about usernames in security.json, just roles. To generate this, we need some more config values in the operator spec:

```yaml
spec:
  ...
  solrSecurity:
    authenticationType: JWT
    jwt:
      wellKnownUrl: <url>
      solrClientId: <solr client-id as registered with OIDC>
      rolesClaim: <jwt claim key where role name is stored>
      oper-role: k8s
      admin-role: admin
      operClientId: <operator client-id as registered with OIDC>
      operClientSecretName: <name of k8s secret where operator's client secret for OIDC is stored>
```

The user will register Solr and the SolrOperator with the OIDC server ahead of time to obtain a client-ID and secret.
The Operator will generate and provision `security.json` and connect to OIDC's token endpoint to obtain a JWT token for Solr. The user should probably also be able to provision `security.json` manually, and in that case, only `wellKnownUrl`, `operClientId` and `operClientSecretName` would need to be configured.
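As an added example (not code from the solr-operator project or the issue author), this is the token exchange the second proposal implies: resolve the token endpoint from `wellKnownUrl`, authenticate as the operator's registered OIDC client with its id and secret, and receive the access token that replaces `Authorization: Basic` with `Authorization: Bearer` on requests to Solr. `fetchBearerToken`, `fakeIdP`, the client id `solr-operator` and the secret are hypothetical names, and the IdP is a constructed stand-in so the code runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// fetchBearerToken resolves token_endpoint from the issuer's well-known document, then performs an
// OAuth2 client_credentials grant as the operator's registered client (client_secret_basic).
func fetchBearerToken(c *http.Client, wellKnownURL, clientID, clientSecret string) (string, error) {
	resp, err := c.Get(wellKnownURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var disc struct{ TokenEndpoint string `json:"token_endpoint"` }
	if err := json.NewDecoder(resp.Body).Decode(&disc); err != nil || disc.TokenEndpoint == "" {
		return "", fmt.Errorf("invalid discovery document: %v", err)
	}
	req, _ := http.NewRequest(http.MethodPost, disc.TokenEndpoint, strings.NewReader("grant_type=client_credentials"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // the client secret travels in the header, never in a URL
	tr, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer tr.Body.Close()
	var tok struct{ AccessToken string `json:"access_token"`; TokenType string `json:"token_type"` }
	if tr.StatusCode != http.StatusOK || json.NewDecoder(tr.Body).Decode(&tok) != nil || !strings.EqualFold(tok.TokenType, "Bearer") || tok.AccessToken == "" {
		return "", fmt.Errorf("token request rejected (HTTP %d)", tr.StatusCode)
	}
	return tok.AccessToken, nil // what the operator sends Solr as "Authorization: Bearer <token>" instead of "Basic"
}

// fakeIdP is a constructed stand-in for the OIDC server so the example runs offline; its token
// endpoint honours only the registered operator client and only the client_credentials grant.
func fakeIdP(clientID, clientSecret string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, sec, ok := r.BasicAuth()
		if r.URL.Path == "/.well-known/openid-configuration" {
			fmt.Fprintf(w, `{"token_endpoint":"http://%s/token"}`, r.Host)
		} else if r.URL.Path == "/token" && ok && id == clientID && sec == clientSecret && r.FormValue("grant_type") == "client_credentials" {
			fmt.Fprint(w, `{"access_token":"constructed.jwt.value","token_type":"Bearer","expires_in":300}`)
		} else {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		}
	})
}
```

Wire the two together with `httptest.NewServer(fakeIdP("solr-operator", "example-secret"))`, passing `idp.Client()` and `idp.URL + "/.well-known/openid-configuration"` to `fetchBearerToken`. A wrong client secret or a discovery document without `token_endpoint` surfaces as an error before any request reaches Solr.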