[ https://issues.apache.org/jira/browse/SOLR-17309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated SOLR-17309:
----------------------------------
    Labels: pull-request-available  (was: )

> Enhance Cert Authentication plugin with flexible cert principal resolution
> --------------------------------------------------------------------------
>
>                 Key: SOLR-17309
>                 URL: https://issues.apache.org/jira/browse/SOLR-17309
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Lamine
>            Priority: Minor
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> TL;DR
> This is the first part of a broader contribution to enhance CertAuthPlugin to
> support _Principal_ resolution, identity resolution and validation.
> This part deals with _Principal_ resolution.
> —
> Solr supports certificate-based authentication (mTLS) via the CertAuthPlugin.
> However, the feature offers limited flexibility. In fact, the class contains
> minimal code, primarily deferring certificate validation to Jetty and
> extracting the _Principal_ from the subject's Distinguished Name (DN). The
> Authorization plugin then maps the extracted _Principal_ to a role.
> I've identified a couple of issues with this approach, as well as potential
> areas for enhancement:
>
> *1- Issues with Using DN*
> - *Length and precision*: The DN is lengthy and requires an exact match
>   for role mapping. Even a minor discrepancy, like an extra space or the order
>   of attributes (RDNs), can break the mapping.
> - *One DN per certificate*: If different certificates are used for
>   different hosts in a cluster, each DN has to be mapped separately to a
>   particular role, complicating role mapping and increasing the risk of errors.
> - *Not customizable*: The current implementation doesn't allow operators
>   to adapt the Principal extraction to their specific needs.
> - *Bad user experience*: When logged into the Solr Admin UI using
>   CertAuthPlugin, the whole DN is displayed in the left menu as the 'username'.
>
> _*Proposed Solution for DN Issues:*_
> - Extraction flexibility: Grant operators the ability to specify the data
>   they wish to extract for the _Principal_, based on a defined path (for
>   example: _SUBJECT.DN_ (default), _SAN.URI_, _SAN.email_, etc.).
> - Use of delimiters: Introduce optional delimiters (start and end) or
>   prefix/suffix to extract only the necessary data from a field, for example a
>   group ID.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
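The path-plus-delimiter resolution the ticket proposes, worked through as an added example. This is not Solr's CertAuthPlugin code nor the code in the linked pull request: it assumes the TLS layer (Jetty, in Solr's case) has already validated the client certificate and that its fields are handed over as plain data, the subject as an ordered list of (attribute, value) RDN pairs and the Subject Alternative Names as (type, value) pairs. The path names (SUBJECT.DN, SUBJECT.CN, SAN.URI, SAN.email) follow the ticket; the exact option names (start, end, prefix, suffix) and their semantics, the order-insensitive DN comparison, and the sample certificate are assumptions of this example.

```python
"""Principal resolution from a parsed client certificate (illustrative, not Solr code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: what a certificate parser would hand over for one node cert.
# The stray spaces in "OU" stand in for the kind of DN discrepancy that breaks
# exact-match role mapping.
SAMPLE_CERT = {
    "subject": [("CN", "solr-node-1"), ("OU", " search "), ("O", "Example Corp"), ("C", "US")],
    "san": [
        ("email", "solr-node-1@example.com"),
        ("URI", "spiffe://example.com/ns/prod/sa/solr-node"),
        ("DNS", "solr-node-1.example.com"),
    ],
}


@dataclass(frozen=True)
class PrincipalSpec:
    """Operator-supplied extraction rule (option names are an assumption)."""
    path: str = "SUBJECT.DN"      # SUBJECT.DN | SUBJECT.<attr> | SAN.<type>
    start: Optional[str] = None   # keep only text after the first occurrence of this delimiter
    end: Optional[str] = None     # then keep only text before the first occurrence of this one
    prefix: Optional[str] = None  # required literal prefix, stripped from the result
    suffix: Optional[str] = None  # required literal suffix, stripped from the result


def canonical_dn(rdns: List[Tuple[str, str]]) -> str:
    """Render the DN with upper-cased attribute names and trimmed values, in cert order."""
    return ",".join(f"{attr.upper()}={value.strip()}" for attr, value in rdns)


def dn_equivalent(a: List[Tuple[str, str]], b: List[Tuple[str, str]]) -> bool:
    """Compare two DNs ignoring RDN order, attribute case and surrounding whitespace."""
    norm = lambda rdns: sorted((k.upper(), v.strip()) for k, v in rdns)
    return norm(a) == norm(b)


def resolve_field(cert: dict, path: str) -> Optional[str]:
    """Pick the raw certificate field named by a SOURCE.NAME path, or None if absent."""
    if "." not in path:
        raise ValueError(f"principal path must look like SOURCE.NAME, got {path!r}")
    source, name = (part.upper() for part in path.split(".", 1))
    if source == "SUBJECT":
        if name == "DN":
            return canonical_dn(cert["subject"])
        for attr, value in cert["subject"]:
            if attr.upper() == name:
                return value.strip()
        return None
    if source == "SAN":
        for san_type, value in cert["san"]:
            if san_type.upper() == name:
                return value
        return None
    raise ValueError(f"unknown principal source {source!r}")


def narrow(value: str, spec: PrincipalSpec) -> Optional[str]:
    """Apply start/end delimiters, then prefix/suffix; None when a required piece is missing."""
    if spec.start is not None:
        idx = value.find(spec.start)
        if idx < 0:
            return None
        value = value[idx + len(spec.start):]
    if spec.end is not None:
        idx = value.find(spec.end)
        if idx < 0:
            return None
        value = value[:idx]
    if spec.prefix is not None:
        if not value.startswith(spec.prefix):
            return None
        value = value[len(spec.prefix):]
    if spec.suffix is not None:
        if not value.endswith(spec.suffix):
            return None
        value = value[:len(value) - len(spec.suffix)]
    return value or None  # an empty principal is treated as "no principal"


def resolve_principal(cert: dict, spec: PrincipalSpec = PrincipalSpec()) -> Optional[str]:
    """Full resolution: select the field, then narrow it. None means authentication should fail."""
    raw = resolve_field(cert, spec.path)
    return None if raw is None else narrow(raw, spec)


if __name__ == "__main__":
    for spec in (
        PrincipalSpec(),                                   # today's behaviour: the whole DN
        PrincipalSpec(path="SAN.email", end="@"),          # local part of the e-mail SAN
        PrincipalSpec(path="SAN.URI", start="/sa/"),       # workload identity shared by all nodes
        PrincipalSpec(path="SUBJECT.CN", prefix="admin-"), # no match -> None
    ):
        print(spec.path, "->", resolve_principal(SAMPLE_CERT, spec))
```

With `SAN.URI` plus `start="/sa/"`, every node certificate carrying the same workload URI resolves to the single principal `solr-node`, so one role mapping covers the cluster instead of one per DN. The resolver returns `None` rather than an empty or partial string when a delimiter or prefix is absent, so a mis-issued certificate fails closed instead of mapping to an unintended role.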