lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hrishikesh Gadre (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-10814) Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos authentication
Date Tue, 08 Aug 2017 20:21:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118958#comment-16118958
] 

Hrishikesh Gadre commented on SOLR-10814:
-----------------------------------------

Thanks [~noble.paul] and [~bosco] for your feedback!

I have updated the pull request based on our discussion: https://github.com/apache/lucene-solr/pull/210

BTW I found that SecurityConfHandler in Solr does not support configuring top-level elements
of the security.json file. Users are expected to upload the security.json file manually to
Zookeeper. Once this is done, the individual authentication/authorization plugins can edit
their own configuration via Solr HTTP APIs. Hence I think the ability to update this flag
(as well as initial configuration of plugins) via HTTP API should be handled as part of a
separate jira. Does that make sense?

[~noble.paul] [~anshumg] Please include this fix in the Solr 7.0 branch as it will simplify
the Solr/Sentry integration. 



> Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos authentication
> ---------------------------------------------------------------------------------------
>
>                 Key: SOLR-10814
>                 URL: https://issues.apache.org/jira/browse/SOLR-10814
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 6.2
>            Reporter: Hrishikesh Gadre
>
> Solr allows configuring roles to control user access to the system. This is accomplished
through rule-based permission definitions which are assigned to users.
> The authorization framework in Solr passes the information about the request (to be authorized)
using an instance of AuthorizationContext class. Currently the only way to extract authenticated
user is via getUserPrincipal() method which returns an instance of java.security.Principal
class. The RuleBasedAuthorizationPlugin implementation invokes getName() method on the Principal
instance to fetch the list of associated roles.
> https://github.com/apache/lucene-solr/blob/2271e73e763b17f971731f6f69d6ffe46c40b944/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L156
> In case of basic authentication mechanism, the principal is the userName. Hence it works
fine. But in case of kerberos authentication, the user principal also contains the RELM information
e.g. instead of foo, it would return foo@EXAMPLE.COM. This means if the user changes the authentication
mechanism, he would also need to change the user-role mapping in authorization section to
use foo@EXAMPLE.COM instead of foo. This is not good from usability perspective.   



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message