[jira] [Created] (SOLR-17309) Enhance Cert Authentication plugin with flexible cert principal resolution

Thu, 23 May 2024 07:50:30 -0700 

Lamine created SOLR-17309:
-----------------------------

             Summary: Enhance Cert Authentication plugin with flexible cert 
principal resolution
                 Key: SOLR-17309
                 URL: https://issues.apache.org/jira/browse/SOLR-17309
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Lamine


TL;DR

This the first part of a broader contribution to enhance CertAuthPlugin to 
support _Principal_ resolution, identity resolution and validation.
This part deals with _Principal_ resolution.

 —

Solr supports certificate-based authentication (mTLS) via the CertAuthPlugin. 
However, the feature offers limited flexibility and probably poses a potential 
security vulnerabilities. In fact, the class contains minimal code, primarily 
deferring certificate validation to Jetty and extracting the _Principal_ from 
the subject's Distinguish Name (DN). The Authorization plugin then maps the  
extracted _Principal_ to a role.

I've identified a couple of issues with this approach, as well as potential 
areas for enhancement:

*1- Issues with Using DN*
 - {*}Length and precision{*}: The DN is lengthy and requires an exact match 
for roles mapping. Even a minor discrepancy, like an extra space, or order of 
attributes (RDN), can break the mapping.

 - {*}One DN per certificate{*}: If different certificates are used for 
different hosts in a cluster, each DN has to be mapped separately to a 
particular role, complicating role mapping and increasing risks of errors.

 - {*}Not customizable{*}: The current implementation doesn't allow operators 
to adapt the Principal extracting to their specific needs.

 - {*}Bad user experience{*}: When logged into Solr Admin UI using 
CertAuthPlugin the whole DN is displayed on the left menu as the 'username'.

_*Proposed Solution for DN Issues:*_
 - Extraction flexibility: Grant operators the ability to specify the data they 
wish to extract for the {_}Principal{_}, based on a defined path (for example:  
_SUBJECT.DN_ (default), {_}SAN.URI{_}, {_}SAN.email{_}, etc.).

 - Use of delimiters: Introduce optional delimiters (start and end) or 
prefix/suffix to extract only the necessary data from a field, for example a 
group ID.

 ** 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Reply via email to