Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
epugh merged PR #3029: URL: https://github.com/apache/solr/pull/3029 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
laminelam commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2707040472 > @laminelam updating from main fixed things. Can you confirm the `security.hadoop` change? So in main we no longer have Hadoop, so I don't think it's needed. Is it required for backporting to 9x to make this work? If we don't need it, it would simplify things to not have it! Yes we don't need it. Removed it. No errors in the pre-commit. Thanks for the merge. :) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
epugh commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2706364784 @laminelam updating from main fixed things. Can you confirm the `security.hadoop` change? So in main we no longer have Hadoop, so I don't think it's needed. Is it required for backporting to 9x to make this work? If we don't need it, it would simplify things to not have it! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
epugh commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2706209133 @laminelam thanks for the ping. I am going to take a look at the precommit error.. Can you check the tests as well? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
laminelam commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2704941460 Hi @epugh Could you merge this when you get a chance? I have another PR built on top of this one that I'd like to push upstream -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
epugh commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2672811726 I assigned this to myself to not forget. I will leave this open for another day or so and then merge it. I can take care of the CHANGES.txt as that always seems to have merge challenges! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
laminelam commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2672611692 Thank @epugh for your time on this. When you're ready to merge let me know will update the CHANGES file (or feel free to do it). I you think we could have another pair of eyes that would be great. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
laminelam commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2672567020 > thanks for the ref guide improvments! Attached is a PDF version for better review experience [CertificateAuthenticationPlugin _ RefGuide_PDF.pdf](https://github.com/user-attachments/files/18894177/CertificateAuthenticationPlugin._.RefGuide_PDF.pdf) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
epugh commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2672563684 thanks for the ref guide improvments! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
epugh commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2662631556 @laminelam if you do't mind updating this PR I'd love to get this in! I normally prefer the ref guide commit to go in along wiht the source code commit, so we don't forget to add it, but happy to skip that. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
laminelam commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2596843533 @epugh 1. Yes planning to add some new entries to the ref guide. 2. Yes you can use it to login to the Admin UI. This is already the case right now. The only thing this PR does is to make the _principal_ extraction more flexible. For ex instead of seeing "_CN=Solr User,OU=Engineering,O=Example Inc.,C=US_" on the left menu when you login to admin, you’d have an email or a username that you have extracted from the cert, which means a better user experience as well. BTW, you can also use this to authenticate from the CLI, or a terminal, etc. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
epugh commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2596190916 Thanks for supplying some context. I looked at the code, and it all made sense, though I confess to not being an expert in this area! 1) Do we need additional Ref Guide docs at this point for folks to take advantage of this capability? 2) Is there any impact on the Admin UI? Can you set up a client certifcate (I presume in your browser?) and use it to log into Solr? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
laminelam commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2593359376 @epugh Actually, this is not a new type of authentication. Solr already has a [Certificate Authentication Plugin](https://solr.apache.org/guide/solr/latest/deployment-guide/cert-authentication-plugin.html) but it offers a very basic support. In fact, the existing code is merely more than [one of line](https://github.com/apache/solr/blob/6d838cb3de9774e1a17208a78210f8968ce4e959/solr/core/src/java/org/apache/solr/security/CertAuthPlugin.java#L44) that extracts the whole subject DN (ex: "_CN=Solr User,OU=Engineering,O=Example Inc.,C=US_") from the cert and use it as the _principal_ (kind of username) of the received request This PR is an enhancement to the existing plugin. It is a part of a bigger contribution to support: - 1- Flexible Principal extraction - 2- Identity extraction - 3- Identity validation More details in these 2 JIRAs: [SOLR-17308](https://issues.apache.org/jira/browse/SOLR-17308) and [SOLR-17309](https://issues.apache.org/jira/browse/SOLR-17309) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] SOLR-17309: Enhance certificate based authentication plugin with flexible cert principal resolution [solr]
epugh commented on PR #3029: URL: https://github.com/apache/solr/pull/3029#issuecomment-2589605275 Could you explain a bit more what the general use case is? I read the code, and I see lots of complex words I don't understand ;-).Maybe the Ref Guide docs would make it all clear! I do like having Solr support more types of authentications! One concern is that is this a place we should leverage another project that would insulate us from the specifics of various auth tools? (maybe something for a larger discussion). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
