Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-14430

Authorization plugins should check roles from request

Attach filesAttach ScreenshotAdd voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • security
    • None

    Description

      The AuthorizationContext exposes getUserPrincipal to the plugin, but it does not allow the plugin to interrogate the request for isUserInRole. If we trust the request enough to get a principal from it, then we should trust it enough to ask about roles, as those could have been defined and verified by an authentication plugin.

      This model would be an alternative to the current model where RuleBasedAuthorizationPlugin maintains its own user->role mapping.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            mdrob Mike Drob

            Dates

              Created:
              Updated:

              Slack

                Issue deployment