[
https://issues.apache.org/jira/browse/SOLR-7755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14615176#comment-14615176
]
Noble Paul commented on SOLR-7755:
----------------------------------
bq. Can't all this be a wrapper around the /security.json in ZK and made
available as a command line tool similar to zkcli?

I don't think exposing ZK to users is a good/safe practice.

bq. admin might want to plan and setup security parameters in a cluster even
before starting Solr

That is pretty simple. You start with a standard no-edit permission
{{security.json}}. It will be a part of this ticket. Which gives the admin
user the privilege to edit the security parameters.

bq. Also, authc/authz plugins in an already started up Solr cluster can add
watches to the /security.json in ZK to monitor changes made through such a
command line tool

NO. We want the authc/authz plugins to just deal with security instead of
screwing up/editing ZK nodes.

bq. that way, this API or "framework" wouldn't need to know what all to expect
(i.e. "create-permission" or "add-user" or anything plugin specific).

The framework has no idea of what {{create-permission}} is; it is the plugin's
responsibility to interpret this stuff. Wait for the first patch to see how it
is done.

bq. Another challenge, that comes to mind, with having an endpoint like this:
how would we secure this endpoint itself?

Isn't it the same way it is done in all data stores? They give admin privileges
to the admin and he can do further edits.

> An API to edit the security params
> ----------------------------------
>
> Key: SOLR-7755
> URL: https://issues.apache.org/jira/browse/SOLR-7755
> Project: Solr
> Issue Type: Sub-task
> Components: security
> Reporter: Noble Paul
> Assignee: Noble Paul
>
> example
> {code}
> curl http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
> "add-user" : {"name" : "tom",
> "role": ["admin","dev"]
> },
> "create-permission" :{"name":"mycoll-update",
> "before" :"some-other-permission",
> "path":"/update/*",
> "role":["dev","admin"]
> }
> }'
> {code}
> Please note that the set of parameters required for a basic ZK based impl
> will be completely different from that of a Kerberos implementation. However
> the framework would remain the same. The end point will remain the same,
> though
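
The division of labour argued for in the comment above, modelled as an added sketch (this is not Solr code and not the patch for this ticket): the framework authorizes the caller and persists the result, while only the plugin interprets `add-user` and `create-permission`. The class names, the `security-edit` permission name, the `solr-admin` user and the dict layout are assumptions; an in-memory dict stands in for `/security.json` in ZK.

```python
import copy

# Constructed bootstrap document: only the "admin" role may edit security
# params. "security-edit" and this layout are assumptions for the sketch.
BOOTSTRAP = {
    "user-role": {"solr-admin": ["admin"]},
    "permissions": [{"name": "security-edit", "role": ["admin"]}],
}

class RuleBasedPlugin:
    """Hypothetical plugin: it alone knows what each command means."""
    def edit(self, conf, commands):
        conf = copy.deepcopy(conf)  # work on a copy, never the stored document
        for op, args in commands.items():
            if op == "add-user":
                conf["user-role"][args["name"]] = list(args["role"])
            elif op == "create-permission":
                perm = {k: v for k, v in args.items() if k != "before"}
                names = [p["name"] for p in conf["permissions"]]
                if perm["name"] in names:
                    raise ValueError("permission exists: " + perm["name"])
                before = args.get("before")
                if before is not None and before not in names:
                    raise ValueError("unknown permission: " + before)
                idx = names.index(before) if before else len(names)
                conf["permissions"].insert(idx, perm)  # order decides precedence
            else:
                raise ValueError("unknown command: " + op)
        return conf

class SecurityEndpoint:
    """Framework side: authorizes the caller, delegates, then persists."""
    def __init__(self, plugin, conf):
        self.plugin, self.conf = plugin, conf

    def handle(self, user, commands):
        roles = set(self.conf["user-role"].get(user, []))
        allowed = {r for p in self.conf["permissions"]
                   if p["name"] == "security-edit" for r in p["role"]}
        if not roles & allowed:
            return 403  # the edit endpoint is itself a protected resource
        try:
            new_conf = self.plugin.edit(self.conf, commands)
        except (ValueError, KeyError):
            return 400  # nothing is written when any command is rejected
        self.conf = new_conf  # stands in for the single write to ZK
        return 200
```

Because the plugin edits a copy and the framework swaps it in only on success, a payload whose second command fails leaves the stored document exactly as it was.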