[ https://issues.apache.org/jira/browse/SOLR-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037673#comment-16037673 ]

ASF GitHub Bot commented on SOLR-10814:
---------------------------------------

GitHub user hgadre opened a pull request:

    https://github.com/apache/lucene-solr/pull/210

    [SOLR-10814] Solr RuleBasedAuthorizationPlugin works seamlessly with …

    …Kerberos authentication

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/hgadre/lucene-solr solr10814

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/lucene-solr/pull/210.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #210
    
----
commit c76333f221ab927904d3e4f07e06c83b56e8e007
Author: Hrishikesh Gadre <[email protected]>
Date:   2017-06-05T20:14:07Z

    [SOLR-10814] Solr RuleBasedAuthorizationPlugin works seamlessly with 
Kerberos authentication

----


> Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos 
> authentication
> ---------------------------------------------------------------------------------------
>
>                 Key: SOLR-10814
>                 URL: https://issues.apache.org/jira/browse/SOLR-10814
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 6.2
>            Reporter: Hrishikesh Gadre
>
> Solr allows configuring roles to control user access to the system. This is 
> accomplished through rule-based permission definitions which are assigned to 
> users.
> The authorization framework in Solr passes the information about the request 
> (to be authorized) using an instance of the AuthorizationContext class. Currently 
> the only way to extract the authenticated user is via the getUserPrincipal() method, 
> which returns an instance of the java.security.Principal class. The 
> RuleBasedAuthorizationPlugin implementation invokes the getName() method on the 
> Principal instance to fetch the list of associated roles.
> https://github.com/apache/lucene-solr/blob/2271e73e763b17f971731f6f69d6ffe46c40b944/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L156
> In case of the basic authentication mechanism, the principal is the userName. 
> Hence it works fine. But in case of Kerberos authentication, the user 
> principal also contains the REALM information, e.g. instead of foo, it would 
> return [email protected]. This means if the user changes the authentication 
> mechanism, he would also need to change the user-role mapping in the 
> authorization section to use [email protected] instead of foo. This is not 
> good from a usability perspective.
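As an added illustration (not code from the pull request or from Solr itself), the lookup the description refers to, reduced to a standalone Java class: the user-role table is keyed by the Basic-auth style short name, so a Kerberos principal name carrying its realm never matches. The shortName helper, the trusted-realm check and the service-principal handling are hypothetical and added here; they are not the fix the pull request implements.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

// Added example, not Solr code. Mirrors the lookup described in SOLR-10814:
// roles are resolved by Principal.getName(), so "foo@EXAMPLE.COM" (Kerberos)
// never matches a user-role mapping written for "foo" (Basic auth).
public class KerberosRoleLookup {

    // Constructed sample of a user-role mapping as it would be configured
    // for RuleBasedAuthorizationPlugin.
    static final Map<String, Set<String>> USER_ROLES = Map.of(
            "foo", Set.of("admin"),
            "bar", Set.of("read"));

    // Current behaviour: look roles up by the raw principal name.
    static Set<String> rolesByRawName(Principal p) {
        return USER_ROLES.getOrDefault(p.getName(), Set.of());
    }

    // Hypothetical normalisation: strip "@REALM" only when it is the single
    // realm this deployment trusts. A foreign realm is left intact so that
    // "foo@OTHER.ORG" is not silently granted the roles of the local "foo".
    // Service principals of the form "svc/host@REALM" reduce to "svc"
    // (an assumption about the desired mapping, not stated in the issue).
    static String shortName(String principal, String trustedRealm) {
        int at = principal.lastIndexOf('@');
        if (at < 0) return principal;                       // no realm, e.g. Basic auth
        String realm = principal.substring(at + 1);
        if (!realm.equals(trustedRealm)) return principal;  // foreign realm: no mapping
        String user = principal.substring(0, at);
        int slash = user.indexOf('/');
        return slash < 0 ? user : user.substring(0, slash);
    }

    static Set<String> rolesByShortName(Principal p, String trustedRealm) {
        return USER_ROLES.getOrDefault(shortName(p.getName(), trustedRealm), Set.of());
    }

    public static void main(String[] args) {
        // java.security.Principal has a single abstract method, so a lambda suffices.
        Principal basic = () -> "foo";                 // Basic auth principal
        Principal krb = () -> "foo@EXAMPLE.COM";       // Kerberos principal, trusted realm
        Principal other = () -> "foo@OTHER.ORG";       // Kerberos principal, foreign realm
        System.out.println("basic, raw lookup:       " + rolesByRawName(basic));
        System.out.println("kerberos, raw lookup:    " + rolesByRawName(krb));      // the reported mismatch
        System.out.println("kerberos, short-name:    " + rolesByShortName(krb, "EXAMPLE.COM"));
        System.out.println("foreign realm, short:    " + rolesByShortName(other, "EXAMPLE.COM"));
    }
}
```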



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
