[jira] [Commented] (SOLR-10814) Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos authentication


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SOLR-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16124178#comment-16124178 ]

Hrishikesh Gadre commented on SOLR-10814:
-----------------------------------------

[~noble.paul] OK I filed SOLR-11230 for introducing the HTTP APIs for configuring global properties in security.json. If you get a chance, can you please review (and commit) the patch for this jira?

> Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos authentication
> ---------------------------------------------------------------------------------------
>
>                 Key: SOLR-10814
>                 URL: https://issues.apache.org/jira/browse/SOLR-10814
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>    Affects Versions: 6.2
>            Reporter: Hrishikesh Gadre
>
> Solr allows configuring roles to control user access to the system. This is accomplished through rule-based permission definitions which are assigned to users.
> The authorization framework in Solr passes the information about the request (to be authorized) using an instance of the AuthorizationContext class. Currently the only way to extract the authenticated user is via the getUserPrincipal() method, which returns an instance of the java.security.Principal class. The RuleBasedAuthorizationPlugin implementation invokes the getName() method on the Principal instance to fetch the list of associated roles.
> https://github.com/apache/lucene-solr/blob/2271e73e763b17f971731f6f69d6ffe46c40b944/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L156
> In case of the basic authentication mechanism, the principal is the userName. Hence it works fine. But in case of kerberos authentication, the user principal also contains the REALM information, e.g. instead of foo, it would return [hidden email]. This means if the user changes the authentication mechanism, he would also need to change the user-role mapping in the authorization section to use [hidden email] instead of foo. This is not good from a usability perspective.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
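The role-lookup step the issue describes, as an added illustration that is not Solr's own code: a constructed user-role mapping in the shape of the user-role section of security.json is keyed on Principal.getName(), a basic-auth principal ("foo") resolves to its roles, while a Kerberos principal carrying a realm ("foo@EXAMPLE.COM", a constructed realm) finds nothing and would be denied. The class and method names (PrincipalRoleLookup, rolesVerbatim, stripRealm, rolesNormalized) are hypothetical; only java.security.Principal is a real API.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration of the SOLR-10814 mismatch; not Solr code.
 * Models how a rule-based authorizer resolves roles from Principal.getName().
 */
public class PrincipalRoleLookup {

    /** Minimal Principal standing in for what an authentication plugin hands over. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Constructed user-role mapping, mirroring the "user-role" section of security.json. */
    static final Map<String, Set<String>> USER_ROLES = new HashMap<>();
    static {
        USER_ROLES.put("foo", Set.of("admin"));
        USER_ROLES.put("bar", Set.of("reader"));
    }

    /** Current behaviour: the mapping is keyed on the principal name exactly as returned. */
    static Set<String> rolesVerbatim(Principal p) {
        return USER_ROLES.getOrDefault(p.getName(), Collections.emptySet());
    }

    /** Drops a trailing Kerberos realm ("user@REALM" -> "user"); a plain name is returned unchanged. */
    static String stripRealm(String principalName) {
        int at = principalName.lastIndexOf('@');
        return at < 0 ? principalName : principalName.substring(0, at);
    }

    /** Normalised lookup: the same mapping serves basic auth and Kerberos. */
    static Set<String> rolesNormalized(Principal p) {
        return USER_ROLES.getOrDefault(stripRealm(p.getName()), Collections.emptySet());
    }

    public static void main(String[] args) {
        Principal basic = new NamedPrincipal("foo");                // basic authentication
        Principal kerberos = new NamedPrincipal("foo@EXAMPLE.COM"); // Kerberos; constructed realm

        System.out.println("basic, verbatim:      " + rolesVerbatim(basic));
        System.out.println("kerberos, verbatim:   " + rolesVerbatim(kerberos));   // empty: no role matches
        System.out.println("kerberos, normalized: " + rolesNormalized(kerberos));
    }
}
```

Stripping the realm before the lookup is the smallest change that lets one user-role mapping survive a switch of authentication mechanism, but it also merges "foo@REALM1" and "foo@REALM2" into a single user; a deployment that trusts more than one realm should keep the realm in the mapping key (or map realm-qualified names explicitly) rather than normalise it away.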
