[
https://issues.apache.org/jira/browse/SOLR-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16101408#comment-16101408
]
Don Bosco Durai commented on SOLR-10814:
----------------------------------------
After going again through the discussion, I personally feel option A is a good
option.
> option (a) Expose both short user-name and principal
It should be the authentication plugin's responsibility to set/derive the short
name, but also expose the security Principal, so that the authorization module
(or others), if it wants to, can process the Principals as it wishes.
So in the future, if we start supporting certificate based two way SSL
authentication, then the SSLAuthPlugin will be responsible for getting the CN
from the certificate and derive the shortUserName from it, but also make the
entire DN available in the getPrincipal() API.
In most cases, all the code should use getShortName(), which should be a
user-friendly and printable string, so that we can use it in logs and other
places.
This approach will provide both backward compatibility and also we don't have
to do any property hacks, and make it future proof for any new authentication
plugins.
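A sketch of the contract option (a) describes, added here as an illustration and not code from Solr or from the commenter: a Kerberos user and a certificate user each derive a short name for the role mapping and logs while the full Principal (realm-qualified name or entire DN) stays reachable through getPrincipal(). The interface and class names are hypothetical, the sample principals are constructed, and the realm/host stripping is a simplified derivation, not Solr's actual mapping rules.

```java
import java.security.Principal;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Hypothetical contract: printable short name plus the full security Principal. */
interface AuthenticatedUser {
    String getShortName();     // user-friendly; what role mappings and logs should key on
    Principal getPrincipal();  // full principal for plugins that want to inspect it
}

/** Kerberos: short name is the primary component, realm and host part stripped. */
final class KerberosUser implements AuthenticatedUser {
    private final Principal principal;
    KerberosUser(String fullName) { this.principal = () -> fullName; }
    public Principal getPrincipal() { return principal; }
    public String getShortName() {
        String name = principal.getName();
        int at = name.indexOf('@');
        if (at >= 0) name = name.substring(0, at);          // drop @REALM
        int slash = name.indexOf('/');                      // service/host form
        return slash >= 0 ? name.substring(0, slash) : name;
    }
}

/** Certificate auth: short name is the CN; the entire DN remains in getPrincipal(). */
final class CertUser implements AuthenticatedUser {
    private final X500Principal principal;
    CertUser(String dn) { this.principal = new X500Principal(dn); }
    public Principal getPrincipal() { return principal; }
    public String getShortName() {
        try {
            for (Rdn rdn : new LdapName(principal.getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) { /* unparseable DN: fall through */ }
        return principal.getName();  // no CN: return the full DN rather than an empty name
    }
}

public class ShortNameDemo {
    public static void main(String[] args) {
        AuthenticatedUser k = new KerberosUser("foo@EXAMPLE.COM");          // constructed
        AuthenticatedUser c = new CertUser("CN=foo,OU=Search,O=Example");   // constructed
        // A role mapping keyed on "foo" matches both; the full principal is still available.
        System.out.println(k.getShortName() + " <- " + k.getPrincipal().getName());
        System.out.println(c.getShortName() + " <- " + c.getPrincipal().getName());
    }
}
```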
> Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos
> authentication
> ---------------------------------------------------------------------------------------
>
> Key: SOLR-10814
> URL: https://issues.apache.org/jira/browse/SOLR-10814
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 6.2
> Reporter: Hrishikesh Gadre
>
> Solr allows configuring roles to control user access to the system. This is
> accomplished through rule-based permission definitions which are assigned to
> users.
> The authorization framework in Solr passes the information about the request
> (to be authorized) using an instance of AuthorizationContext class. Currently
> the only way to extract authenticated user is via getUserPrincipal() method
> which returns an instance of java.security.Principal class. The
> RuleBasedAuthorizationPlugin implementation invokes getName() method on the
> Principal instance to fetch the list of associated roles.
> https://github.com/apache/lucene-solr/blob/2271e73e763b17f971731f6f69d6ffe46c40b944/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L156
> In case of the basic authentication mechanism, the principal is the userName.
> Hence it works fine. But in case of kerberos authentication, the user
> principal also contains the REALM information, e.g. instead of foo, it would
> return [email protected]. This means if the user changes the authentication
> mechanism, he would also need to change the user-role mapping in the
> authorization section to use [email protected] instead of foo. This is not
> good from a usability perspective.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)