[ https://issues.apache.org/jira/browse/SOLR-14430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17090943#comment-17090943 ]
Jan Høydahl commented on SOLR-14430:
------------------------------------

The JWTAuth plugin wraps the user principal in the class {{JWTPrincipalWithUserRoles}} which implements {{org.apache.solr.security.VerifiedUserRoles}}

{code:java}
Set<String> getVerifiedRoles();
{code}

Currently that class is not used other than in tests, but my next idea was to implement SOLR-12131 which adds a new class [ExternalRoleRuleBasedAuthorizationPlugin|https://github.com/apache/lucene-solr/pull/341/files#diff-1605e924a4ccb6bddd1f776e54b8f2cd] which reads the roles from the request (VerifiedUserRoles) instead of from a user->role mapping. Hope you can review my PR and tell what you think about that approach.

> Authorization plugins should check roles from request
> -----------------------------------------------------
>
>                 Key: SOLR-14430
>                 URL: https://issues.apache.org/jira/browse/SOLR-14430
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: security
>            Reporter: Mike Drob
>            Priority: Major
>
> The AuthorizationContext exposes {{getUserPrincipal}} to the plugin, but it
> does not allow the plugin to interrogate the request for {{isUserInRole}}. If
> we trust the request enough to get a principal from it, then we should trust
> it enough to ask about roles, as those could have been defined and verified
> by an authentication plugin.
> This model would be an alternative to the current model where
> RuleBasedAuthorizationPlugin maintains its own user->role mapping.
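The pattern discussed in the comment and in the issue description, as an added stand-alone example that is not Solr's code and not the linked PR: an authorizer that takes the roles from the request's principal when the authentication plugin has already verified them (a principal implementing {{VerifiedUserRoles}}, as quoted above), and otherwise falls back to the plugin's own static user->role mapping. The {{VerifiedUserRoles}} interface is the one shown in the comment; {{TokenPrincipal}}, {{NamePrincipal}}, {{RoleAuthorizer}} and the sample users and roles are assumed names constructed for this example, not Solr classes.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Interface as quoted in the comment: a principal that carries roles an
// authentication plugin has already verified (for example from a signed JWT).
interface VerifiedUserRoles {
    Set<String> getVerifiedRoles();
}

// Hypothetical stand-in for JWTPrincipalWithUserRoles: name and roles were
// taken from a token whose signature the auth plugin checked before this
// object was ever created, so the authorization layer may trust them.
final class TokenPrincipal implements Principal, VerifiedUserRoles {
    private final String name;
    private final Set<String> roles;

    TokenPrincipal(String name, Set<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
    }

    @Override public String getName() { return name; }
    @Override public Set<String> getVerifiedRoles() { return roles; }
}

// Hypothetical plain principal with no role information, as produced by an
// auth mechanism that only establishes identity (for example Basic auth).
final class NamePrincipal implements Principal {
    private final String name;
    NamePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

// Hypothetical authorizer: roles asserted by the request's principal win when
// the principal is of the verified kind; otherwise the static mapping is used.
final class RoleAuthorizer {
    private final Map<String, Set<String>> staticUserRoles;

    RoleAuthorizer(Map<String, Set<String>> staticUserRoles) {
        this.staticUserRoles = new HashMap<>(staticUserRoles);
    }

    // Roles are read from the request only through the VerifiedUserRoles
    // contract; an arbitrary Principal subclass cannot inject roles by name.
    Set<String> rolesFor(Principal p) {
        if (p == null) {
            return Collections.emptySet();
        }
        if (p instanceof VerifiedUserRoles) {
            return ((VerifiedUserRoles) p).getVerifiedRoles();
        }
        return staticUserRoles.getOrDefault(p.getName(), Collections.emptySet());
    }

    boolean isUserInRole(Principal p, String role) {
        return rolesFor(p).contains(role);
    }

    // Allowed when the user holds at least one of the required roles; a rule
    // with no role requirement is open. Unknown users get no roles, so deny.
    boolean isAllowed(Principal p, Set<String> requiredRoles) {
        if (requiredRoles.isEmpty()) {
            return true;
        }
        for (String role : requiredRoles) {
            if (isUserInRole(p, role)) {
                return true;
            }
        }
        return false;
    }
}

public class RequestRolesDemo {
    public static void main(String[] args) {
        // Constructed sample data: one user in the static mapping only.
        Map<String, Set<String>> mapping = new HashMap<>();
        mapping.put("alice", Collections.singleton("admin"));
        RoleAuthorizer authz = new RoleAuthorizer(mapping);

        Principal jwtUser = new TokenPrincipal("bob", Collections.singleton("reader"));
        Principal basicUser = new NamePrincipal("alice");
        Principal unknown = new NamePrincipal("mallory");

        Set<String> needsAdmin = Collections.singleton("admin");
        Set<String> needsReader = Collections.singleton("reader");
        System.out.println("bob (roles from token), reader:   " + authz.isAllowed(jwtUser, needsReader));
        System.out.println("bob (roles from token), admin:    " + authz.isAllowed(jwtUser, needsAdmin));
        System.out.println("alice (static mapping), admin:    " + authz.isAllowed(basicUser, needsAdmin));
        System.out.println("mallory (no roles anywhere), reader: " + authz.isAllowed(unknown, needsReader));
    }
}
```

The trust boundary is the interface, not the principal's name: the authorizer only consults request-carried roles when the principal is one an authentication plugin built after verifying the credential, which is the precondition the issue description states for trusting {{isUserInRole}} as much as {{getUserPrincipal}}.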