[
https://issues.apache.org/jira/browse/SOLR-15738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17551206#comment-17551206
]
Jason Gerlowski commented on SOLR-15738:
----------------------------------------
I started on this in earnest this morning and wanted to jot down a few notes on
how SecurityConfHandler makes use of the various security apispec files:
* SecurityConfHandler is unique in how it registers its v2 APIs. It uses
different {{Api}} implementation and {{Spec}}s based on the plugins that are
(or aren't) loaded.
** This allows Solr to offer plugin-specific request-body validation. (e.g.
BasicAuthPlugin might support different 'commands' than JWTAuthPlugin)
* Generally speaking, the api/spec registration logic looks like this:
** {{cluster.security.authentication}} and {{cluster.security.authorization}}
are always loaded to serve {{GET /cluster/security/authentication}} and {{GET
/cluster/security/authorization}}.
** if an authc plugin has been configured, and that plugin is a
{{SpecProvider}}, Solr registers a {{ReqHandlerToApi}} wrapper based on the
spec that the plugin provides. (Ditto for authz plugins)
*** Most Authc/Authz plugins built into Solr _are_ SpecProviders, and have a
corresponding apispec file (e.g. cluster.security.JwtAuth.Commands)
** if an authc plugin has NOT been configured, then register
{{cluster.security.authentication.Commands}} as a fallback to serve the {{POST
/cluster/security/authentication}} endpoint. (Ditto for authz plugins, but with
{{cluster.security.authentication.Commands}} and {{POST
/cluster/security/authorization}}.)
Some of these apispecs make for straightforward conversions: I already have a
draft-PR [here|https://github.com/apache/solr/pull/897] that converts
{{cluster.security.authentication}} and {{cluster.security.authorization}}.
But a few raise interesting questions that I'd love feedback/answers to.
1. I suspect that {{cluster.security.authentication.Commands}} and
{{cluster.security.authorization.Commands}} (the ones loaded for POST when no
plugins are configured) _are_ in fact needed. Without them, there wouldn't be
any v2 API registered to configure authc/z once Solr was started up without it.
Does that theory make sense to you [~noble.paul]? I asked you about this [a
while back|https://lists.apache.org/thread/sg8j7f8sls7oycfnzbz1gqwqymcrl3sg]
and you suspected that they might not do anything. Figured I'd get your
thoughts.
2. JWTAuthPlugin, RuleBasedAuthorizationPlugin and others popular plugins in
core implement {{SpecProvider}} today. This won't make nearly as much sense if
we convert from the plugin-specific apispec files over to annotations, but are
we under any back-compat obligation to keep the {{implements SpecProvider}}
around? Or would the 'experimental' designation of v2 cover this change, since
SpecProvider is specific to the v2 framework?
> Rewrite security APIs using annotation framework
> ------------------------------------------------
>
> Key: SOLR-15738
> URL: https://issues.apache.org/jira/browse/SOLR-15738
> Project: Solr
> Issue Type: Sub-task
> Components: v2 API
> Reporter: Jason Gerlowski
> Assignee: Jason Gerlowski
> Priority: Major
> Labels: V2
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Solr's v2 APIs can be implemented in 1 of 2 possible ways: an apispec (i.e.
> JSON file) based approach that was originally conceived when the v2 APIs were
> created, and an approach that relies on annotated POJO objects which has come
> into favor more recently as it results in less duplication and inches our
> APIs ones step towards a more strongly-typed future.
> The consensus has emerged across several JIRAs that the annotated-POJO
> approach is the one that should be used going forward, and that existing v2
> APIs should be cut over as convenient.
> It's worth noting that this will cause the introspection output to lose the
> "description" text for these APIs and their parameters, as there's no support
> for this yet for annotation-based v2 APIs. See SOLR-15117 for more details.
> This ticket aims to tackle this conversion for the Solr's various
> security-related APIs.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
