Mike Drob created SOLR-14430:
--------------------------------

             Summary: Authorization plugins should check roles from request
                 Key: SOLR-14430
                 URL: https://issues.apache.org/jira/browse/SOLR-14430
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
          Components: security
            Reporter: Mike Drob


The AuthorizationContext exposes {{getUserPrincipal}} to the plugin, but it 
does not allow the plugin to interrogate the request for {{isUserInRole}}. If 
we trust the request enough to get a principal from it, then we should trust it 
enough to ask about roles, as those could have been defined and verified by an 
authentication plugin.

This model would be an alternative to the current model where 
RuleBasedAuthorizationPlugin maintains its own user->role mapping.



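The two models contrasted in the issue, as an added example that is not Solr code and not part of the original message. `Ctx` is a hypothetical, simplified stand-in for `AuthorizationContext`; `isUserInRole` on it is the method the issue proposes, and the user names and roles are constructed sample data.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class RoleSourceDemo {
    // Hypothetical stand-in for AuthorizationContext (assumption, not the Solr class).
    // getUserPrincipal() is named in the issue; isUserInRole() is what it asks for.
    interface Ctx {
        Principal getUserPrincipal();
        boolean isUserInRole(String role);
    }

    // Current model: the authorization plugin owns the user->role mapping
    // and only takes the principal's name from the request.
    static boolean allowedByPluginMapping(Ctx ctx, Map<String, Set<String>> userRoles, String required) {
        Principal p = ctx.getUserPrincipal();
        if (p == null) return false; // unauthenticated request: deny
        return userRoles.getOrDefault(p.getName(), Set.of()).contains(required);
    }

    // Proposed model: ask the request, whose roles were defined and verified
    // by the authentication plugin. Still deny when there is no principal.
    static boolean allowedByRequestRoles(Ctx ctx, String required) {
        return ctx.getUserPrincipal() != null && ctx.isUserInRole(required);
    }

    // Builds a constructed request context; rolesFromAuthn models the roles
    // the authentication layer attached to the request.
    static Ctx request(String user, Set<String> rolesFromAuthn) {
        return new Ctx() {
            public Principal getUserPrincipal() { return user == null ? null : () -> user; }
            public boolean isUserInRole(String role) { return rolesFromAuthn.contains(role); }
        };
    }

    public static void main(String[] args) {
        // Constructed sample data: the plugin's own mapping has no entry for "alice".
        Map<String, Set<String>> pluginMapping = Map.of("bob", Set.of("admin"));
        Ctx alice = request("alice", Set.of("admin"));
        Ctx anonymous = request(null, Set.of("admin"));

        System.out.println("plugin mapping, alice:   " + allowedByPluginMapping(alice, pluginMapping, "admin"));
        System.out.println("request roles, alice:    " + allowedByRequestRoles(alice, "admin"));
        System.out.println("request roles, no user:  " + allowedByRequestRoles(anonymous, "admin"));
    }
}
```

With the plugin-owned mapping, a user the authentication layer already vouches for is denied until the mapping is updated separately; with request-provided roles the two cannot drift apart, but the authorization decision is then only as trustworthy as the authentication plugin that set the roles.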