[jira] [Created] (SOLR-7275) Pluggable authorization module in Solr

Thu, 19 Mar 2015 17:15:52 -0700 

Anshum Gupta created SOLR-7275:
----------------------------------

             Summary: Pluggable authorization module in Solr
                 Key: SOLR-7275
                 URL: https://issues.apache.org/jira/browse/SOLR-7275
             Project: Solr
          Issue Type: Sub-task
            Reporter: Anshum Gupta
            Assignee: Anshum Gupta


Solr needs an interface that makes it easy for different authorization systems 
to be plugged into it. Here's what I plan on doing:

Define an interface {{SolrAuthorizationPlugin}} with one single method 
{{isAuthorized}}. This would take in a {{SolrRequestContext}} object and return 
an {{SolrAuthorizationResponse}} object. The object as of now would only 
contain a single boolean value but in the future could contain more information 
e.g. ACL for document filtering etc.

The reason why we need a context object is so that the plugin doesn't need to 
understand Solr's capabilities e.g. how to extract the name of the collection 
or other information from the incoming request as there are multiple ways to 
specify the target collection for a request. Similarly request type can be 
specified by {{qt}} or {{/handler_name}}.

Flow:
Request -> SolrDispatchFilter -> isAuthorized(context) -> Process/Return.

{code}
public interface SolrAuthorizationPlugin {
  public AuthResponse isAuthorized();
}
{code}

{code}
public  class SolrRequestContext {
  UserInfo; // Will contain user context from the authentication layer.
  HTTPRequest request;
  Enum OperationType; // Correlated with user roles.
  String[] CollectionsAccessed;
  String[] FieldsAccessed;
  String Resource;
}

{code}

{code}
public class SolrAuthorizationResponse {
  boolean authorized;

  public boolean isAuthorized();
}
{code}

User Roles: 
* Admin
* Collection Level:
  * Query
  * Update
  * Admin

Using this framework, an implementation could be written for specific security 
systems e.g. Apache Ranger or Sentry. It would keep all the security system 
specific code out of Solr.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to