[ https://issues.apache.org/jira/browse/SOLR-11781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16402083#comment-16402083 ]

Hrishikesh Gadre edited comment on SOLR-11781 at 3/16/18 4:04 PM:
------------------------------------------------------------------

[~janhoy] Typically audit logging is closely related to authorization as we 
want to identify which "authenticated" user tried to perform an operation that 
was not authorized. I enhanced AuthorizationContext to explicitly pass the 
impersonator username (please find attached patch) and implemented audit 
logging inside the authorization plugin.
{quote}Is there any method to pass information (except for the user principal) 
from Authentication to authorization? Can Auth plugin fill information in 
AuthorizationContext?
{quote}
While the authentication plugin can pass any arbitrary information via the 
HttpServletRequest object (e.g. using custom attributes), the authorization 
context does not provide access to the raw HttpServletRequest object. In my 
case, KerberosPlugin is already passing the impersonator user name. I just had 
to add another method in AuthorizationContext to forward this info to the 
authorization plugin. I wonder if it would make more sense to expose the 
HttpServletRequest object directly to the authorization plugin? This way 
authentication and authorization plugins can pass any information via the 
HttpServletRequest object. I am not sure if the original design did not support 
it intentionally. What do you think?


> Pass impersonator info to the authorization plugin
> --------------------------------------------------
>
>                 Key: SOLR-11781
>                 URL: https://issues.apache.org/jira/browse/SOLR-11781
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.0
>            Reporter: Hrishikesh Gadre
>            Priority: Minor
>         Attachments: SOLR-11781-00.patch
>
>
> SENTRY-1475 implemented Solr authorization plugin based on Sentry. This also 
> includes the audit log functionality in Sentry. Currently authorization 
> context is not providing the impersonator information which is required for 
> the audit logs. We should improve Solr authorization framework to pass this 
> extra information.
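
An added sketch, not code from the attached patch or from Solr, of the narrower option discussed in the comment above: the authorization side receives a dedicated impersonator accessor instead of the raw request and writes both identities to the audit record. The attribute key, the `AuthzContext` interface and its `getImpersonator()` method are hypothetical stand-ins, and the sketch assumes the principal is the user being acted for.

```java
import java.security.Principal;
import java.util.*;
public class ImpersonatorAuditExample {
    // Hypothetical attribute name, not the key KerberosPlugin actually uses.
    static final String IMPERSONATOR_ATTR = "example.impersonator";
    /** Narrow view given to the authorization plugin: no raw request access. */
    interface AuthzContext {
        Principal getUserPrincipal();
        String getImpersonator(); // hypothetical accessor; null when nobody is impersonating
        String getResource();
    }

    /** Copies the values out of the request once, so the audit record cannot change later. */
    static AuthzContext contextFor(Principal user, Map<String, Object> requestAttrs, String resource) {
        Object raw = requestAttrs.get(IMPERSONATOR_ATTR);
        final String impersonator = (raw instanceof String && !((String) raw).isEmpty()) ? (String) raw : null;
        return new AuthzContext() {
            public Principal getUserPrincipal() { return user; }
            public String getImpersonator() { return impersonator; }
            public String getResource() { return resource; }
        };
    }

    /** Neutralise CR/LF/tab so a crafted name cannot forge extra audit lines. */
    static String clean(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n\\t]", "_");
    }

    /** Decides on the acted-for user, but records the impersonator alongside it. */
    static boolean authorize(AuthzContext ctx, Map<String, Set<String>> grants, List<String> auditLog) {
        String user = ctx.getUserPrincipal() == null ? null : ctx.getUserPrincipal().getName();
        boolean allowed = user != null && grants.getOrDefault(user, Collections.emptySet()).contains(ctx.getResource());
        auditLog.add(String.format("result=%s user=%s impersonator=%s resource=%s",
                allowed ? "ALLOW" : "DENY", clean(user), clean(ctx.getImpersonator()), clean(ctx.getResource())));
        return allowed;
    }

    public static void main(String[] args) { // all values below are constructed sample data
        Map<String, Set<String>> grants = new HashMap<>();
        grants.put("alice", Collections.singleton("/collection1/select"));
        Map<String, Object> attrs = new HashMap<>();
        attrs.put(IMPERSONATOR_ATTR, "hue"); // set by the authentication side
        List<String> audit = new ArrayList<>();
        Principal alice = () -> "alice";
        authorize(contextFor(alice, attrs, "/collection1/update"), grants, audit);         // denied, impersonated
        authorize(contextFor(alice, new HashMap<>(), "/collection1/select"), grants, audit); // allowed, direct
        audit.forEach(System.out::println);
    }
}
```

A dedicated accessor keeps the authorization plugin's view of the request small and fixed at construction time; exposing the whole request would let any plugin read or depend on attributes other plugins set.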


