[jira] [Commented] (SOLR-15296) Provide allowlisting mechanism in the JWT auth plugin to ignore paths like login

[Jira]

    [ 
https://issues.apache.org/jira/browse/SOLR-15296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309557#comment-17309557
 ] 

Jan Høydahl commented on SOLR-15296:
------------------------------------

You are right that we have disabled auth on the backend explicitly for /solr/ 
since the backend knows that it serves the Admin UI which is always just static 
files.

If you are serving YASA from /v2/plugin/yasa/whatever then there should be some 
generic way for a plugin to tell Solr that one or more of its paths should not 
need authentication. This is independent from what auth plugin is active.

I guess it is somewhat related to SOLR-14216 in which we add a configurable 
list of allow-paths. But that is still manual (solr.in.sh). What we need here 
is for a plugin to tell Solr that it should add more paths to that list... I 
wonder whether the PermissionNameProvider interface can be put on the handler 
and set some special permission? But not sure if we can use that to completely 
bypass auth since I believe these permissions are part of RBAC.  [~noble.paul]? 
 [~dep4b]

> Provide allowlisting mechanism in the JWT auth plugin to ignore paths like 
> login
> --------------------------------------------------------------------------------
>
>                 Key: SOLR-15296
>                 URL: https://issues.apache.org/jira/browse/SOLR-15296
>             Project: Solr
>          Issue Type: Wish
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authorization, Plugin system
>            Reporter: Zhenxu Ke
>            Priority: Major
>
> I'm recently working (with [~epugh] ) on YASA to make it work under the auth 
> plugins.
>  
> I saw in the codes that the authenticator allowlists the Admin login path 
> `{{/solr/` explicitly}}, while for YASA, its path must start with `{{/v2`}} , 
> not matching the whitelisted paths and will be intercepted, hence the login 
> page won't be reached and redirected, I also didn't find a allowlisting 
> mechanism in the JWT auth plugin, and 
> [RBAP|https://nightlies.apache.org/Solr/Solr-reference-guide-main/rule-based-authorization-plugin.html]
>  doesn't seem to fit this case either. So I'm wondering if it's possible to 
> provide allowlisting mechanism in the JWT auth plugin, so that users can 
> configure the login paths for plugins like YASA to work?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org