[
https://issues.apache.org/jira/browse/SOLR-11781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16402083#comment-16402083
]
Hrishikesh Gadre edited comment on SOLR-11781 at 3/16/18 4:04 PM:
------------------------------------------------------------------
[~janhoy] Typically audit logging is closely related to authorization, as we
want to identify which "authenticated" user tried to perform an operation that
was not authorized. I enhanced AuthorizationContext to explicitly pass the
impersonator username (please find attached patch) and implemented audit
logging inside the authorization plugin.
{quote}Is there any method to pass information (except for the user principal)
from Authentication to authorization? Can Auth plugin fill information in
AuthorizationContext?
{quote}
While the authentication plugin can pass any arbitrary information via the
HttpServletRequest object (e.g. using custom attributes), the authorization
context does not provide access to the raw HttpServletRequest object. In my
case, KerberosPlugin is already passing the impersonator user name. I just had
to add another method in AuthorizationContext to forward this info to the
authorization plugin. I wonder if it would make more sense to expose the
HttpServletRequest object directly to the authorization plugin? This way
authentication and authorization plugins can pass any information via the
HttpServletRequest object. I am not sure if the original design did not support
it intentionally. What do you think?
> Pass impersonator info to the authorization plugin
> --------------------------------------------------
>
> Key: SOLR-11781
> URL: https://issues.apache.org/jira/browse/SOLR-11781
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 7.0
> Reporter: Hrishikesh Gadre
> Priority: Minor
> Attachments: SOLR-11781-00.patch
>
>
> SENTRY-1475 implemented Solr authorization plugin based on Sentry. This also
> includes the audit log functionality in Sentry. Currently authorization
> context is not providing the impersonator information which is required for
> the audit logs. We should improve Solr authorization framework to pass this
> extra information.