lucene-dev mailing list archives

From Jan Høydahl (JIRA) <>
Subject [jira] [Commented] (SOLR-12131) Authorization plugin support for getting user's roles from the outside
Date Tue, 16 Apr 2019 13:35:00 GMT


Jan Høydahl commented on SOLR-12131:

The {{ExternalRoleRuleBasedAuthorizationPlugin}} class was not committed with SOLR-12121.
I pushed a new update to the PR, merging in the recent fixes in the authz code.

> Authorization plugin support for getting user's roles from the outside
> ----------------------------------------------------------------------
>                 Key: SOLR-12131
>                 URL:
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
> Currently the {{RuleBasedAuthorizationPlugin}} relies on explicitly mapping users to roles. However, when users are authenticated by an external Identity service (e.g. JWT as implemented in SOLR-12121), that external service keeps track of the user's roles, and will pass that as a "claim" in the token (JWT).
> In order for Solr to be able to Authorise requests based on those roles, the Authorization plugin should be able to accept (verified) roles from the request instead of explicit mapping.
> Suggested approach is to create a new interface {{VerifiedUserRoles}} and a {{PrincipalWithUserRoles}} which implements the interface. The Authorization plugin can then pull the roles from the request. By piggy-backing on the Principal, we have a seamless way to transfer extra external information, and there is also a natural relationship:
> {code:java}
> User Authentication -> Role validation -> Creating a Principal{code}
> I plan to add the interface, the custom Principal class and restructure {{RuleBasedAuthorizationPlugin}} in an abstract base class and two implementations: {{RuleBasedAuthorizationPlugin}} (as today) and a new {{ExternalRoleRuleBasedAuthorizationPlugin}}.
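
The following is an added sketch of the design the ticket describes (a roles-carrying Principal behind a {{VerifiedUserRoles}} interface, an abstract rule-based base class, and two implementations that differ only in where roles come from). It is illustration written for this archive page, not Solr's own code; the method names `getVerifiedRoles`, `rolesFor` and `isAllowed` and the fail-closed handling of unknown permissions are assumptions of the example.

```java
import java.security.Principal;
import java.util.*;
// Added sketch of the design described in the ticket; not Solr's code.
// Method names (getVerifiedRoles, rolesFor, isAllowed) are assumptions.
interface VerifiedUserRoles {
    Set<String> getVerifiedRoles();
}
// Principal carrying roles the authentication plugin has already verified
// (for instance a roles claim taken from a signature-checked JWT).
final class PrincipalWithUserRoles implements Principal, VerifiedUserRoles {
    private final String name;
    private final Set<String> roles;
    PrincipalWithUserRoles(String name, Set<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
    }
    @Override public String getName() { return name; }
    @Override public Set<String> getVerifiedRoles() { return roles; }
}
// Abstract base: the permission -> required-roles rules are shared; only the
// source of the user's roles differs between the two implementations.
abstract class RuleBasedAuthzBase {
    private final Map<String, Set<String>> permissionRoles;
    RuleBasedAuthzBase(Map<String, Set<String>> permissionRoles) { this.permissionRoles = permissionRoles; }
    protected abstract Set<String> rolesFor(Principal p);
    boolean isAllowed(Principal p, String permission) {
        Set<String> required = permissionRoles.get(permission);
        if (required == null) return false; // example choice: unknown permission is denied
        return p != null && !Collections.disjoint(required, rolesFor(p));
    }
}
// As today: roles come from an explicit user -> roles map in the config.
final class RuleBasedAuthz extends RuleBasedAuthzBase {
    private final Map<String, Set<String>> userRoles;
    RuleBasedAuthz(Map<String, Set<String>> permissionRoles, Map<String, Set<String>> userRoles) {
        super(permissionRoles); this.userRoles = userRoles;
    }
    @Override protected Set<String> rolesFor(Principal p) {
        return userRoles.getOrDefault(p.getName(), Collections.emptySet());
    }
}
// New: roles are read from the Principal itself. A Principal without verified
// roles has none, so a token lacking a roles claim cannot pass a role-gated rule.
final class ExternalRoleRuleBasedAuthz extends RuleBasedAuthzBase {
    ExternalRoleRuleBasedAuthz(Map<String, Set<String>> permissionRoles) { super(permissionRoles); }
    @Override protected Set<String> rolesFor(Principal p) {
        return p instanceof VerifiedUserRoles ? ((VerifiedUserRoles) p).getVerifiedRoles() : Collections.emptySet();
    }
}
```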

This message was sent by Atlassian JIRA
