[
https://issues.apache.org/jira/browse/SOLR-14430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17097593#comment-17097593
]
Jan Høydahl commented on SOLR-14430:
------------------------------------
I’m not currently working on this feature, so feel free to build on and
improve/simplify my ideas.
> Authorization plugins should check roles from request
> -----------------------------------------------------
>
> Key: SOLR-14430
> URL: https://issues.apache.org/jira/browse/SOLR-14430
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Reporter: Mike Drob
> Priority: Major
>
> The AuthorizationContext exposes {{getUserPrincipal}} to the plugin, but it
> does not allow the plugin to interrogate the request for {{isUserInRole}}. If
> we trust the request enough to get a principal from it, then we should trust
> it enough to ask about roles, as those could have been defined and verified
> by an authentication plugin.
> This model would be an alternative to the current model where
> RuleBasedAuthorizationPlugin maintains its own user->role mapping.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
