Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.2
    • Component/s: None
    • Labels:
      None

      Description

      Solr needs an interface that makes it easy for different authorization systems to be plugged into it. Here's what I plan on doing:

      Define an interface SolrAuthorizationPlugin with one single method isAuthorized. This would take in a SolrRequestContext object and return an SolrAuthorizationResponse object. The object as of now would only contain a single boolean value but in the future could contain more information e.g. ACL for document filtering etc.

      The reason why we need a context object is so that the plugin doesn't need to understand Solr's capabilities e.g. how to extract the name of the collection or other information from the incoming request as there are multiple ways to specify the target collection for a request. Similarly request type can be specified by qt or /handler_name.

      Flow:
      Request -> SolrDispatchFilter -> isAuthorized(context) -> Process/Return.

      public interface SolrAuthorizationPlugin {
        public SolrAuthorizationResponse isAuthorized(SolrRequestContext context);
      }
      
      public  class SolrRequestContext {
        UserInfo; // Will contain user context from the authentication layer.
        HTTPRequest request;
        Enum OperationType; // Correlated with user roles.
        String[] CollectionsAccessed;
        String[] FieldsAccessed;
        String Resource;
      }
      
      
      public class SolrAuthorizationResponse {
        boolean authorized;
      
        public boolean isAuthorized();
      }
      

      User Roles:

      • Admin
      • Collection Level:
      • Query
      • Update
      • Admin

      Using this framework, an implementation could be written for specific security systems e.g. Apache Ranger or Sentry. It would keep all the security system specific code out of Solr.

        Attachments

        1. SOLR-7275.patch
          32 kB
          Anshum Gupta
        2. SOLR-7275.patch
          35 kB
          Anshum Gupta
        3. SOLR-7275.patch
          27 kB
          Anshum Gupta
        4. SOLR-7275.patch
          27 kB
          Anshum Gupta
        5. SOLR-7275.patch
          26 kB
          Anshum Gupta
        6. SOLR-7275.patch
          26 kB
          Anshum Gupta
        7. SOLR-7275.patch
          25 kB
          Noble Paul
        8. SOLR-7275.patch
          25 kB
          Anshum Gupta
        9. SOLR-7275.patch
          24 kB
          Anshum Gupta
        10. SOLR-7275.patch
          24 kB
          Anshum Gupta
        11. SOLR-7275.patch
          22 kB
          Anshum Gupta
        12. SOLR-7275.patch
          21 kB
          Anshum Gupta
        13. SOLR-7275.patch
          18 kB
          Anshum Gupta
        14. SOLR-7275.patch
          19 kB
          Anshum Gupta
        15. SOLR-7275.patch
          18 kB
          Anshum Gupta
        16. SOLR-7275.patch
          16 kB
          Anshum Gupta
        17. SOLR-7275.patch
          20 kB
          Anshum Gupta

          Issue Links

            Activity

              People

              • Assignee:
                anshumg Anshum Gupta
                Reporter:
                anshumg Anshum Gupta
              • Votes:
                2 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: