[ 
https://issues.apache.org/jira/browse/SOLR-12666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17427021#comment-17427021
 ] 

Jan Høydahl commented on SOLR-12666:
------------------------------------

I'm not entirely happy with the design choice of building Solr's security from 
scratch. It means we get nothing "for free".

I wonder if we should re-consider integration of Apache Shiro, which has 
built-in realms support, and a SecurityManager with pluggable 
AuthenticationStrategy to decide how to consolidate responses from each realm 
(i.e. is it enough that one realm says the user is authenticated, or do we 
require e.g. BasicAuth + IP realms to match). See 
[http://shiro.apache.org/authentication.html#Authentication-sequence] for 
details.

!ShiroAuthenticationSequence.png!

The re-write to multiple Realms (similar to Solr Auth Plugins) will be a big 
one, requiring all Auth plugins to be updated, so perhaps migrating to Shiro is 
not that much extra work. We'd get some realm implementations for free and 
hopefully can throw out lots of our custom RBAC logic and delegate to Shiro. We 
don't need to embrace the INI-style config of Shiro, I think we could keep and 
extend security.json. It obviously needs more study and a SIP.

> Support multiple AuthenticationPlugin's simultaneously
> ------------------------------------------------------
>
>                 Key: SOLR-12666
>                 URL: https://issues.apache.org/jira/browse/SOLR-12666
>             Project: Solr
>          Issue Type: New Feature
>          Components: Authentication, security
>            Reporter: Jan Høydahl
>            Priority: Major
>              Labels: authentication
>         Attachments: ShiroAuthenticationSequence.png
>
>
> Solr is getting support for more authentication plugins year by year, and 
> customers have developed their own in-house plugins as well.
> At the same time we see more and more JIRAs to add *BasicAuth* support for 
> various clients and use cases, such as SOLR-12584 (Solr Exporter), SOLR-9779 
> (Streaming expressions), SOLR-11356 (ConcurrentUpdateSolrClient), SOLR-8213 
> (JDBC), SOLR-12583 (Subquery docTransformer) and SOLR-10322 (Streaming 
> expression daemon), SOLR-12860 (metrics history), SOLR-11759 
> (DocExpirationUpdateProcessor), SOLR-11959 (CDCR), SOLR-12359 (LIR) and 
> probably more. Some of these may be bugs that can be fixed with PKI though...
> Currently the framework supports *only one active Auth method* (except PKI 
> which is special). Which means that if you use something other than BasicAuth, 
> you're lucky if you get any of the above features to work with your cluster. 
> -Even the AdminUI only supports BasicAuth (implicit via browser).- Admin UI 
> has explicit support for a few plugins only.
> I think the solution is to allow more than one auth plugin to be active at 
> the same time, allowing people to use their custom fancy auth which is 
> tightly integrated with their environment, and at the same time activate e.g. 
> BasicAuth or JWTAuth for use with other clients that do not support the 
> primary auth method.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
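As an added illustration of the realm-plus-strategy split the comment above discusses (example code written for this page, not Solr's or Shiro's own): two toy realms, a Basic realm and an IP-allowlist realm, and two consolidation strategies mirroring what Shiro's AtLeastOneSuccessfulStrategy and AllSuccessfulStrategy decide. The class name, the sample user table, the allowlisted address and the request shapes are all made up for the demo; it needs Java 17 and no dependencies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

/** Added demo, not Solr or Shiro code: two realms plus two ways of consolidating their answers. */
public class MultiRealmAuthDemo {

    /** Minimal stand-in for an incoming request: headers plus the peer address. */
    record Request(Map<String, String> headers, String remoteAddr) {}

    /** NOT_APPLICABLE = nothing this realm understands was presented; distinct from FAILURE = presented and rejected. */
    enum Outcome { SUCCESS, FAILURE, NOT_APPLICABLE }

    record Result(Outcome outcome, String principal) {
        static Result success(String principal) { return new Result(Outcome.SUCCESS, principal); }
        static final Result FAILURE = new Result(Outcome.FAILURE, null);
        static final Result NOT_APPLICABLE = new Result(Outcome.NOT_APPLICABLE, null);
    }

    interface Realm { Result authenticate(Request request); }

    /** Realm 1: HTTP Basic against an in-memory table (toy; a real store holds password hashes). */
    static final class BasicAuthRealm implements Realm {
        private final Map<String, String> users;
        BasicAuthRealm(Map<String, String> users) { this.users = users; }

        public Result authenticate(Request request) {
            String header = request.headers().get("Authorization");
            if (header == null || !header.startsWith("Basic ")) return Result.NOT_APPLICABLE;
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return Result.FAILURE;
            }
            int colon = decoded.indexOf(':');
            if (colon < 0) return Result.FAILURE;
            String user = decoded.substring(0, colon);
            byte[] presented = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
            String expected = users.get(user);
            // constant-time comparison: a wrong password does not leak how much of it matched
            if (expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented)) {
                return Result.success(user);
            }
            return Result.FAILURE;
        }
    }

    /** Realm 2: source-IP allowlist. No credential is presented, so it answers SUCCESS or FAILURE, never NOT_APPLICABLE. */
    static final class IpRealm implements Realm {
        private final Set<String> allowed;
        IpRealm(Set<String> allowed) { this.allowed = allowed; }

        public Result authenticate(Request request) {
            return allowed.contains(request.remoteAddr()) ? Result.success("ip:" + request.remoteAddr()) : Result.FAILURE;
        }
    }

    /** Plays the role of Shiro's AuthenticationStrategy: turns the per-realm results into one verdict. */
    interface Strategy { Optional<String> combine(List<Result> results); }

    /** Like Shiro's AtLeastOneSuccessfulStrategy: any single SUCCESS is enough. */
    static final Strategy AT_LEAST_ONE = results -> results.stream()
            .filter(r -> r.outcome() == Outcome.SUCCESS).map(Result::principal).findFirst();

    /** Like Shiro's AllSuccessfulStrategy: every realm must report SUCCESS. NOT_APPLICABLE deliberately
     *  counts as a failure; otherwise a client could satisfy the policy by omitting the stricter credential. */
    static final Strategy ALL_REQUIRED = results -> {
        boolean all = results.stream().allMatch(r -> r.outcome() == Outcome.SUCCESS);
        return all ? results.stream().map(Result::principal).findFirst() : Optional.<String>empty();
    };

    static Optional<String> authenticate(List<Realm> realms, Strategy strategy, Request request) {
        List<Result> results = new ArrayList<>();
        for (Realm realm : realms) results.add(realm.authenticate(request));
        return strategy.combine(results);
    }

    /** Builds a request carrying a Basic header for user:password from the given address. */
    static Request basic(String user, String password, String ip) {
        String token = Base64.getEncoder().encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
        return new Request(Map.of("Authorization", "Basic " + token), ip);
    }

    public static void main(String[] args) {
        // Constructed sample data: one user, one allowlisted address.
        List<Realm> realms = List.of(new BasicAuthRealm(Map.of("solr", "SolrRocks")), new IpRealm(Set.of("10.0.0.5")));
        Map<String, Request> requests = new LinkedHashMap<>();
        requests.put("good password, allowed IP", basic("solr", "SolrRocks", "10.0.0.5"));
        requests.put("good password, foreign IP", basic("solr", "SolrRocks", "198.51.100.7"));
        requests.put("no credential, allowed IP", new Request(Map.of(), "10.0.0.5"));
        requests.put("bad password, allowed IP", basic("solr", "wrong", "10.0.0.5"));
        for (Map.Entry<String, Request> e : requests.entrySet()) {
            System.out.printf("%-26s atLeastOne=%-12s allRequired=%s%n", e.getKey(),
                    authenticate(realms, AT_LEAST_ONE, e.getValue()).orElse("DENIED"),
                    authenticate(realms, ALL_REQUIRED, e.getValue()).orElse("DENIED"));
        }
    }
}
```

The last row is the one worth looking at: under the at-least-one strategy a wrong Basic password from an allowlisted address is still accepted, because the IP realm says yes, so the cluster is exactly as strong as its weakest realm. Whether that is acceptable is the policy decision the strategy has to make explicit, which is what the BasicAuth + IP example in the comment is about. The distinction between NOT_APPLICABLE and FAILURE matters for the all-required strategy: if a missing credential were treated as "not this realm's business", a client could route around the stricter realm simply by not presenting anything to it.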
