Affects Version/s: None
Fix Version/s: 5.2
Solr needs an interface that makes it easy for different authorization systems to be plugged into it. Here's what I plan on doing:
Define an interface SolrAuthorizationPlugin with one single method isAuthorized. This would take in a SolrRequestContext object and return an SolrAuthorizationResponse object. The object as of now would only contain a single boolean value but in the future could contain more information e.g. ACL for document filtering etc.
The reason why we need a context object is so that the plugin doesn't need to understand Solr's capabilities e.g. how to extract the name of the collection or other information from the incoming request as there are multiple ways to specify the target collection for a request. Similarly request type can be specified by qt or /handler_name.
Request -> SolrDispatchFilter -> isAuthorized(context) -> Process/Return.
- Collection Level:
Using this framework, an implementation could be written for specific security systems e.g. Apache Ranger or Sentry. It would keep all the security system specific code out of Solr.