Currently the RuleBasedAuthorizationPlugin relies on explicitly mapping users to roles. However, when users are authenticated by an external Identity service (e.g. JWT as implemented in
SOLR-12121), that external service keeps track of the user's roles, and will pass that as a "claim" in the token (JWT).
In order for Solr to be able to Authorise requests based on those roles, the Authorization plugin should be able to accept (verified) roles from the request instead of explicit mapping.
Suggested approach is to create a new interface VerifiedUserRoles and a PrincipalWithUserRoles which implements the interface. The Authorization plugin can then pull the roles from request. By piggy-backing on the Principal, we have a seamless way to transfer extra external information, and there is also a natural relationship:
I plan to add the interface, the custom Principal class and restructure RuleBasedAuthorizationPlugin in an abstract base class and two implementations: RuleBasedAuthorizationPlugin (as today) and a new ExternalRoleRuleBasedAuthorizationPlugin.