[
https://issues.apache.org/jira/browse/SOLR-12131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16439330#comment-16439330
]
Noble Paul commented on SOLR-12131:
-----------------------------------
OK got it. In that case I would recommend you change the testcase with an
AuthenticationPlugin that returns a {{PrincipalWithUserRoles}}.
and change the following documentation as well
{code:java}
ExternalRoleRuleBasedAuthorizationPlugin: The role-to-user mappings are managed
externally. This plugin expects the user’s roles to be present on the Principal
object which is part of the request.
{code}
to
{code:java}
ExternalRoleRuleBasedAuthorizationPlugin: The role-to-user mappings are managed
externally. This plugin expects the AuthenticationPlugin to provide a Principal
that has the roles information as well
{code}
I can't figure out why the {{PrincipalWithUserRoles}} implements {{Serializable}}.
Rest all looks fine.
+1 from my side
> Authorization plugin support for getting user's roles from the outside
> ----------------------------------------------------------------------
>
> Key: SOLR-12131
> URL: https://issues.apache.org/jira/browse/SOLR-12131
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Fix For: 7.4, master (8.0)
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently the {{RuleBasedAuthorizationPlugin}} relies on explicitly mapping
> users to roles. However, when users are authenticated by an external Identity
> service (e.g. JWT as implemented in SOLR-12121), that external service keeps
> track of the user's roles, and will pass that as a "claim" in the token (JWT).
> In order for Solr to be able to Authorise requests based on those roles, the
> Authorization plugin should be able to accept (verified) roles from the
> request instead of explicit mapping.
> Suggested approach is to create a new interface {{VerifiedUserRoles}} and a
> {{PrincipalWithUserRoles}} which implements the interface. The Authorization
> plugin can then pull the roles from request. By piggy-backing on the
> Principal, we have a seamless way to transfer extra external information, and
> there is also a natural relationship:
> {code:java}
> User Authentication -> Role validation -> Creating a Principal
> {code}
> I plan to add the interface, the custom Principal class and restructure
> {{RuleBasedAuthorizationPlugin}} in an abstract base class and two
> implementations: {{RuleBasedAuthorizationPlugin}} (as today) and a new
> {{ExternalRoleRuleBasedAuthorizationPlugin}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
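The design sketched in the issue description above (a {{VerifiedUserRoles}} interface, a {{PrincipalWithUserRoles}} that carries the roles, and a rule-based authorization base class with one implementation reading an explicit user-to-role map and one pulling roles off the Principal), as an added standalone illustration. This is not Solr's own code: the request context, the {{Permission}} rule shape, the method names and the sample users/roles are assumptions made for the example, and the JWT "roles" claim is simulated by constructing the Principal directly. Save as {{ExternalRolesDemo.java}}, compile with {{javac}} and run with {{java ExternalRolesDemo}}.

```java
import java.security.Principal;
import java.util.*;

// Added illustration of the SOLR-12131 design, not Solr's code. All class,
// field and method names below are assumptions for this example.

/** Roles the authentication step has already verified (e.g. a signed JWT claim). */
interface VerifiedUserRoles {
    Set<String> getVerifiedRoles();
}

/** A Principal that carries the user's verified roles together with the user name. */
final class PrincipalWithUserRoles implements Principal, VerifiedUserRoles {
    private final String name;
    private final Set<String> roles;

    PrincipalWithUserRoles(String name, Set<String> roles) {
        this.name = Objects.requireNonNull(name);
        this.roles = Collections.unmodifiableSet(new HashSet<>(roles)); // defensive copy
    }
    @Override public String getName() { return name; }
    @Override public Set<String> getVerifiedRoles() { return roles; }
}

/** Stand-in for the request: the path and the Principal the AuthenticationPlugin attached (null if none). */
final class RequestContext {
    final String path; final Principal principal;
    RequestContext(String path, Principal principal) { this.path = path; this.principal = principal; }
}

/** A permission rule: path prefix plus required role (null = any authenticated user). */
final class Permission {
    final String pathPrefix; final String role;
    Permission(String pathPrefix, String role) { this.pathPrefix = pathPrefix; this.role = role; }
}

/** Shared rule evaluation; subclasses differ only in where a user's roles come from. */
abstract class RuleBasedAuthorizationPluginBase {
    private final List<Permission> permissions;
    RuleBasedAuthorizationPluginBase(List<Permission> permissions) { this.permissions = permissions; }

    /** The single point the two implementations disagree on. */
    protected abstract Set<String> getUserRoles(Principal principal);

    boolean authorize(RequestContext ctx) {
        for (Permission p : permissions) {
            if (!ctx.path.startsWith(p.pathPrefix)) continue;
            if (ctx.principal == null) return false;            // unauthenticated request: deny
            if (p.role == null) return true;                     // any authenticated user is enough
            return getUserRoles(ctx.principal).contains(p.role); // first matching rule decides
        }
        return true; // no rule covers this path: not restricted
    }
}

/** As today: roles come from an explicit user-to-role map in the plugin configuration. */
final class RuleBasedAuthorizationPlugin extends RuleBasedAuthorizationPluginBase {
    private final Map<String, Set<String>> userRoles;
    RuleBasedAuthorizationPlugin(List<Permission> permissions, Map<String, Set<String>> userRoles) {
        super(permissions);
        this.userRoles = userRoles;
    }
    @Override protected Set<String> getUserRoles(Principal principal) {
        return userRoles.getOrDefault(principal.getName(), Collections.emptySet());
    }
}

/** New: roles are whatever the AuthenticationPlugin put on the Principal; no local mapping at all. */
final class ExternalRoleRuleBasedAuthorizationPlugin extends RuleBasedAuthorizationPluginBase {
    ExternalRoleRuleBasedAuthorizationPlugin(List<Permission> permissions) { super(permissions); }
    @Override protected Set<String> getUserRoles(Principal principal) {
        if (principal instanceof VerifiedUserRoles) {
            return ((VerifiedUserRoles) principal).getVerifiedRoles();
        }
        return Collections.emptySet(); // a plain Principal carries no roles: fail closed
    }
}

public class ExternalRolesDemo {
    public static void main(String[] args) {
        List<Permission> perms = Arrays.asList(
            new Permission("/admin/", "admin"),   // only admins may touch the admin handlers
            new Permission("/select", null));     // any authenticated user may query

        // Simulated authentication step: the verified "roles" claim of a JWT becomes the Principal's roles.
        Principal jwtUser = new PrincipalWithUserRoles("alice", new HashSet<>(Arrays.asList("reader")));
        // A Principal from an AuthenticationPlugin that knows nothing about roles.
        Principal plainUser = new Principal() { @Override public String getName() { return "bob"; } };

        RuleBasedAuthorizationPluginBase external = new ExternalRoleRuleBasedAuthorizationPlugin(perms);
        System.out.println("alice /select        -> " + external.authorize(new RequestContext("/select", jwtUser)));
        System.out.println("alice /admin/cores   -> " + external.authorize(new RequestContext("/admin/cores", jwtUser)));
        System.out.println("bob   /admin/cores   -> " + external.authorize(new RequestContext("/admin/cores", plainUser)));
        System.out.println("anon  /admin/cores   -> " + external.authorize(new RequestContext("/admin/cores", null)));

        RuleBasedAuthorizationPluginBase local = new RuleBasedAuthorizationPlugin(perms,
            Collections.singletonMap("bob", new HashSet<>(Arrays.asList("admin"))));
        System.out.println("bob   /admin/cores (explicit map) -> " + external.getClass().getSimpleName()
            + " vs " + local.authorize(new RequestContext("/admin/cores", plainUser)));
    }
}
```

Two points of the design are visible in the run: the external plugin grants alice (a reader by JWT claim) the query path but not the admin path, and it denies bob entirely because his Principal does not implement {{VerifiedUserRoles}}, while the classic plugin grants bob the admin path from its explicit map. The {{instanceof}} fallback to an empty role set is the fail-closed choice the comment's suggested documentation implies: if the AuthenticationPlugin does not supply a role-carrying Principal, the external plugin has no roles to authorise against.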