Hrishikesh Gadre created SOLR-10814:
---------------------------------------
Summary: Solr RuleBasedAuthorization config doesn't work
seamlessly with kerberos authentication
Key: SOLR-10814
URL: https://issues.apache.org/jira/browse/SOLR-10814
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Affects Versions: 6.2
Reporter: Hrishikesh Gadre
Solr allows configuring roles to control user access to the system. This is
accomplished through rule-based permission definitions which are assigned to
users.
The authorization framework in Solr passes the information about the request
(to be authorized) using an instance of AuthorizationContext class. Currently
the only way to extract authenticated user is via getUserPrincipal() method
which returns an instance of java.security.Principal class. The
RuleBasedAuthorizationPlugin implementation invokes getName() method on the
Principal instance to fetch the list of associated roles.
https://github.com/apache/lucene-solr/blob/2271e73e763b17f971731f6f69d6ffe46c40b944/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L156
In case of basic authentication mechanism, the principal is the userName. Hence
it works fine. But in case of kerberos authentication, the user principal also
contains the RELM information e.g. instead of foo, it would return
f...@example.com. This means if the user changes the authentication mechanism,
he would also need to changed the user-role mapping in authorization section to
use f...@example.com instead of foo. This is not good from usability
perspective.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
