[jira] [Commented] (SOLR-9702) Authentication & Authorization based on Jetty security

2016-10-30 Thread Thomas Quinot (JIRA)

[ 
https://issues.apache.org/jira/browse/SOLR-9702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15620036#comment-15620036
 ] 

Thomas Quinot commented on SOLR-9702:
-

I see, thanks for the explanations! I guess this issue could be usefully 
reformulated into an actionable one by making it a suggestion for a Solr 
Auth/Authz plugin based on JAAS. We'd thus get a variety of backend options 
(including LDAP) for a single one-time development effort.

> Authentication & Authorization based on Jetty security
> --
>
> Key: SOLR-9702
> URL: https://issues.apache.org/jira/browse/SOLR-9702
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: security
>Affects Versions: 6.2.1
>Reporter: Thomas Quinot
>
> (following up on comments initially posted on SOLR-7275).
> Back in Solr 4 days, user authentication could be handled by Jetty, and some 
> level of authorization could be implemented using request regexp rules. This 
> was explicitly documented in the SolrSecurity page:
> http://wiki.apache.org/solr/SolrSecurity?action=recall=35#Jetty_realm_example
> In particular, authentication could thus be performed against a variety of 
> services implemented in Jetty, such as HashLoginService (mentioned explicitly 
> in the above documentation, tested in production, does work) or possibly 
> JAASLoginService, which in turn would open up the possibility to use a whole 
> range of auth services (in particular LDAP servers).
> I see that the usage of Jetty is now "an implementation detail". Does this 
> mean that the feature listed above is not supported anymore? (This is quite 
> unfortunate IMO, as even just the HashLoginService would be useful to 
> authenticate users against a database of UNIX crypt(3) passwords)
> The new login services that are apparently being reimplemented in Solr itself 
> seem to be much less flexible and limited.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Commented] (SOLR-9702) Authentication & Authorization based on Jetty security

2016-10-30 Thread Anshum Gupta (JIRA)

[ 
https://issues.apache.org/jira/browse/SOLR-9702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15619655#comment-15619655
 ] 

Anshum Gupta commented on SOLR-9702:


[~janhoy] I agree with you on that and think we should be able to close this 
out as Won't Fix. 

Jetty being an implementation detail basically translates to - we should be 
able to swap it out (when needed) without worrying about any back-compat w.r.t. 
users hacking or relying on it directly.

Also, any further discussions on 'how to do X' should be a part of the mailing 
list instead of a JIRA and we should create an issue for a concrete use case 
that needs to be handled by Solr.

> Authentication & Authorization based on Jetty security
> --
>
> Key: SOLR-9702
> URL: https://issues.apache.org/jira/browse/SOLR-9702
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: security
>Affects Versions: 6.2.1
>Reporter: Thomas Quinot
>
> (following up on comments initially posted on SOLR-7275).
> Back in Solr 4 days, user authentication could be handled by Jetty, and some 
> level of authorization could be implemented using request regexp rules. This 
> was explicitly documented in the SolrSecurity page:
> http://wiki.apache.org/solr/SolrSecurity?action=recall=35#Jetty_realm_example
> In particular, authentication could thus be performed against a variety of 
> services implemented in Jetty, such as HashLoginService (mentioned explicitly 
> in the above documentation, tested in production, does work) or possibly 
> JAASLoginService, which in turn would open up the possibility to use a whole 
> range of auth services (in particular LDAP servers).
> I see that the usage of Jetty is now "an implementation detail". Does this 
> mean that the feature listed above is not supported anymore? (This is quite 
> unfortunate IMO, as even just the HashLoginService would be useful to 
> authenticate users against a database of UNIX crypt(3) passwords)
> The new login services that are apparently being reimplemented in Solr itself 
> seem to be much less flexible and limited.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Commented] (SOLR-9702) Authentication & Authorization based on Jetty security

2016-10-29 Thread Hrishikesh Gadre (JIRA)

[ 
https://issues.apache.org/jira/browse/SOLR-9702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15618844#comment-15618844
 ] 

Hrishikesh Gadre commented on SOLR-9702:


bq. which in turn would open up the possibility to use a whole range of auth 
services (in particular LDAP servers).

I recently contributed LDAP authentication support in hadoop authentication 
framework (HADOOP-12082). SOLR-9513 is tracking the changes required to expose 
this functionality in Solr. May be you can use that ?

> Authentication & Authorization based on Jetty security
> --
>
> Key: SOLR-9702
> URL: https://issues.apache.org/jira/browse/SOLR-9702
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: security
>Affects Versions: 6.2.1
>Reporter: Thomas Quinot
>
> (following up on comments initially posted on SOLR-7275).
> Back in Solr 4 days, user authentication could be handled by Jetty, and some 
> level of authorization could be implemented using request regexp rules. This 
> was explicitly documented in the SolrSecurity page:
> http://wiki.apache.org/solr/SolrSecurity?action=recall=35#Jetty_realm_example
> In particular, authentication could thus be performed against a variety of 
> services implemented in Jetty, such as HashLoginService (mentioned explicitly 
> in the above documentation, tested in production, does work) or possibly 
> JAASLoginService, which in turn would open up the possibility to use a whole 
> range of auth services (in particular LDAP servers).
> I see that the usage of Jetty is now "an implementation detail". Does this 
> mean that the feature listed above is not supported anymore? (This is quite 
> unfortunate IMO, as even just the HashLoginService would be useful to 
> authenticate users against a database of UNIX crypt(3) passwords)
> The new login services that are apparently being reimplemented in Solr itself 
> seem to be much less flexible and limited.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Commented] (SOLR-9702) Authentication & Authorization based on Jetty security

2016-10-29 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SOLR-9702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15618754#comment-15618754
 ] 

Jan Høydahl commented on SOLR-9702:
---

The old wiki article you refer to was a user-contributed recipe and was never 
"supported" as such.
The Solr/Lucene project will not officially endorse hacking the internal Jetty 
settings for the reasons you mention yourself.
That does not mean that you cannot get it working in your own environment by 
adding the missing JARs and setting things up -- it is still Jetty. But you 
will be on your own for the next upgrade or if/when we stop using Jetty to 
power Solr.

Your best action forward would be to describe what you are not able to do with 
our current Auth/Authz plugins, and see if there is interest in adding what you 
need, e.g. HashLogin. It is actually not very difficult to write your own 
security custom plugin either, perhaps wrapping the functionality from an 
existing library.

This issue will probably be closed as Won't fix :(

> Authentication & Authorization based on Jetty security
> --
>
> Key: SOLR-9702
> URL: https://issues.apache.org/jira/browse/SOLR-9702
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: security
>Affects Versions: 6.2.1
>Reporter: Thomas Quinot
>
> (following up on comments initially posted on SOLR-7275).
> Back in Solr 4 days, user authentication could be handled by Jetty, and some 
> level of authorization could be implemented using request regexp rules. This 
> was explicitly documented in the SolrSecurity page:
> http://wiki.apache.org/solr/SolrSecurity?action=recall=35#Jetty_realm_example
> In particular, authentication could thus be performed against a variety of 
> services implemented in Jetty, such as HashLoginService (mentioned explicitly 
> in the above documentation, tested in production, does work) or possibly 
> JAASLoginService, which in turn would open up the possibility to use a whole 
> range of auth services (in particular LDAP servers).
> I see that the usage of Jetty is now "an implementation detail". Does this 
> mean that the feature listed above is not supported anymore? (This is quite 
> unfortunate IMO, as even just the HashLoginService would be useful to 
> authenticate users against a database of UNIX crypt(3) passwords)
> The new login services that are apparently being reimplemented in Solr itself 
> seem to be much less flexible and limited.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org