[jira] [Commented] (SOLR-12666) Support multiple AuthenticationPlugin's simultaneoulsy

Tue, 23 Mar 2021 09:29:05 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-12666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17307207#comment-17307207
 ] 

Jan Høydahl commented on SOLR-12666:
------------------------------------

If we have a "chain" of auth plugins and a framework that will attempt each in 
turn before returning 401, then you could add BasicAuth or some simple 
IP-address-whitelist-Auth and ALL places that currently supports that scheme 
(like Prometheus Exporter, bin/solr, CDCR, whatever) would be happy. I think 
that is an easier goal to achieve than rewrite all of those to support *every* 
possible auth scheme that solr has or may have in the future.

> Support multiple AuthenticationPlugin's simultaneoulsy
> ------------------------------------------------------
>
>                 Key: SOLR-12666
>                 URL: https://issues.apache.org/jira/browse/SOLR-12666
>             Project: Solr
>          Issue Type: New Feature
>          Components: Authentication, security
>            Reporter: Jan Høydahl
>            Priority: Major
>              Labels: authentication
>
> Solr is getting support for more authentication plugins year by year, and 
> customers have developed their own in-house plugins as well.
> At the same time we see more and more JIRAs to add *BasicAuth* support for 
> various clients and use cases, such as SOLR-12584 (Solr Exporter), SOLR-9779 
> (Streaming expressions), SOLR-11356 (ConcurrentUpdateSolrClient), SOLR-8213 
> (JDBC), SOLR-12583 (Subquery docTransformer) and SOLR-10322 (Streaming 
> expression daemon), SOLR-12860 (metrics history), SOLR-11759 
> (DocExpirationUpdateProcessor), SOLR-11959 (CDCR), SOLR-12359 (LIR) and 
> probably more. Some of these may be bugs that can be fixed with PKI though...
> Currently the framework supports *only one active Auth method* (except PKI 
> which is special). Which means that if you use something else than BasicAuth, 
> you're lucky if you get any of the above features to work with your cluster. 
> -Even the AdminUI only supports BasicAuth (implicit via browser).- Admin UI 
> has explicit support for a few plugins only.
> I think the solution is to allow more than one auth plugin to be active at 
> the same time, allowing people to use their custom fancy auth which is 
> tightly integrated with their environment, and at the same time activate e.g. 
> BasicAuth or JWTAuth for use with other clients that do not support the 
> primary auth method.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to