[ https://issues.apache.org/jira/browse/SOLR-15738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17551206#comment-17551206 ]
Jason Gerlowski commented on SOLR-15738: ---------------------------------------- I started on this in earnest this morning and wanted to jot down a few notes on how SecurityConfHandler makes use of the various security apispec files: * SecurityConfHandler is unique in how it registers its v2 APIs. It uses different {{Api}} implementation and {{Spec}}s based on the plugins that are (or aren't) loaded. ** This allows Solr to offer plugin-specific request-body validation. (e.g. BasicAuthPlugin might support different 'commands' than JWTAuthPlugin) * Generally speaking, the api/spec registration logic looks like this: ** {{cluster.security.authentication}} and {{cluster.security.authorization}} are always loaded to serve {{GET /cluster/security/authentication}} and {{GET /cluster/security/authorization}}. ** if an authc plugin has been configured, and that plugin is a {{SpecProvider}}, Solr registers a {{ReqHandlerToApi}} wrapper based on the spec that the plugin provides. (Ditto for authz plugins) *** Most Authc/Authz plugins built into Solr _are_ SpecProviders, and have a corresponding apispec file (e.g. cluster.security.JwtAuth.Commands) ** if an authc plugin has NOT been configured, then register {{cluster.security.authentication.Commands}} as a fallback to serve the {{POST /cluster/security/authentication}} endpoint. (Ditto for authz plugins, but with {{cluster.security.authentication.Commands}} and {{POST /cluster/security/authorization}}.) Some of these apispecs make for straightforward conversions: I already have a draft-PR [here|https://github.com/apache/solr/pull/897] that converts {{cluster.security.authentication}} and {{cluster.security.authorization}}. But a few raise interesting questions that I'd love feedback/answers to. 1. I suspect that {{cluster.security.authentication.Commands}} and {{cluster.security.authorization.Commands}} (the ones loaded for POST when no plugins are configured) _are_ in fact needed. Without them, there wouldn't be any v2 API registered to configure authc/z once Solr was started up without it. Does that theory make sense to you [~noble.paul]? I asked you about this [a while back|https://lists.apache.org/thread/sg8j7f8sls7oycfnzbz1gqwqymcrl3sg] and you suspected that they might not do anything. Figured I'd get your thoughts. 2. JWTAuthPlugin, RuleBasedAuthorizationPlugin and others popular plugins in core implement {{SpecProvider}} today. This won't make nearly as much sense if we convert from the plugin-specific apispec files over to annotations, but are we under any back-compat obligation to keep the {{implements SpecProvider}} around? Or would the 'experimental' designation of v2 cover this change, since SpecProvider is specific to the v2 framework? > Rewrite security APIs using annotation framework > ------------------------------------------------ > > Key: SOLR-15738 > URL: https://issues.apache.org/jira/browse/SOLR-15738 > Project: Solr > Issue Type: Sub-task > Components: v2 API > Reporter: Jason Gerlowski > Assignee: Jason Gerlowski > Priority: Major > Labels: V2 > Time Spent: 10m > Remaining Estimate: 0h > > Solr's v2 APIs can be implemented in 1 of 2 possible ways: an apispec (i.e. > JSON file) based approach that was originally conceived when the v2 APIs were > created, and an approach that relies on annotated POJO objects which has come > into favor more recently as it results in less duplication and inches our > APIs ones step towards a more strongly-typed future. > The consensus has emerged across several JIRAs that the annotated-POJO > approach is the one that should be used going forward, and that existing v2 > APIs should be cut over as convenient. > It's worth noting that this will cause the introspection output to lose the > "description" text for these APIs and their parameters, as there's no support > for this yet for annotation-based v2 APIs. See SOLR-15117 for more details. > This ticket aims to tackle this conversion for the Solr's various > security-related APIs. -- This message was sent by Atlassian Jira (v8.20.7#820007) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org