epugh commented on code in PR #1851:
URL: https://github.com/apache/solr/pull/1851#discussion_r1308500729


##########
solr/core/src/java/org/apache/solr/cli/AuthTool.java:
##########
@@ -347,37 +352,21 @@ private int handleBasicAuth(CommandLine cli) throws 
Exception {
 
         boolean blockUnknown = 
Boolean.parseBoolean(cli.getOptionValue("blockUnknown", "true"));
 
-        String securityJson =
-            "{"
-                + "\n  \"authentication\":{"
-                + "\n   \"blockUnknown\": "
-                + blockUnknown
-                + ","
-                + "\n   \"class\":\"solr.BasicAuthPlugin\","
-                + "\n   \"credentials\":{\""
-                + username
-                + "\":\""
-                + Sha256AuthenticationProvider.getSaltedHashedValue(password)
-                + "\"}"
-                + "\n  },"
-                + "\n  \"authorization\":{"
-                + "\n   \"class\":\"solr.RuleBasedAuthorizationPlugin\","
-                + "\n   \"permissions\":["
-                + "\n {\"name\":\"security-edit\", \"role\":\"admin\"},"
-                + "\n {\"name\":\"security-read\", \"role\":\"admin\"},"
-                + "\n {\"name\":\"config-edit\", \"role\":\"admin\"},"
-                + "\n {\"name\":\"config-read\", \"role\":\"admin\"},"
-                + "\n {\"name\":\"collection-admin-edit\", 
\"role\":\"admin\"},"
-                + "\n {\"name\":\"collection-admin-read\", 
\"role\":\"admin\"},"
-                + "\n {\"name\":\"core-admin-edit\", \"role\":\"admin\"},"
-                + "\n {\"name\":\"core-admin-read\", \"role\":\"admin\"},"
-                + "\n {\"name\":\"all\", \"role\":\"admin\"}"
-                + "\n   ],"
-                + "\n   \"user-role\":{\""
-                + username
-                + "\":\"admin\"}"
-                + "\n  }"
-                + "\n}";
+        String resourceName = "security.json";
+        final URL resource = 
SolrCore.class.getClassLoader().getResource(resourceName);
+        if (null == resource) {
+          throw new IllegalArgumentException("invalid resource name: " + 
resourceName);
+        }
+
+        ObjectMapper mapper = new ObjectMapper();
+        JsonNode securityJson1 = mapper.readTree(resource.openStream());
+        ((ObjectNode) securityJson1).put("blockUnknown", blockUnknown);
+        JsonNode credentialsNode = 
securityJson1.get("authentication").get("credentials");
+        ((ObjectNode) credentialsNode)
+            .put(username, 
Sha256AuthenticationProvider.getSaltedHashedValue(password));
+        JsonNode userRoleNode = 
securityJson1.get("authorization").get("user-role");
+        ((ObjectNode) userRoleNode).put(username, "admin");
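Review bot: `((ObjectNode) securityJson1).put("blockUnknown", blockUnknown);` sets the flag on the root object, while the removed string put `blockUnknown` inside `authentication`. As written, the value parsed from the CLI option no longer lands in the authentication block, so whatever `blockUnknown` the bundled `security.json` carries there (if any) is what takes effect. Suggest applying the put to the `authentication` node instead, e.g. `((ObjectNode) securityJson1.get("authentication")).put("blockUnknown", blockUnknown);`. Two smaller points in the same lines: the chained `get("authentication").get("credentials")` and `get("authorization").get("user-role")` calls will fail with a NullPointerException if the resource lacks either node, so an explicit check with a clear error message would help; and the stream from `resource.openStream()` is never closed, which try-with-resources would fix.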

Review Comment:
   I like this idea... So, at some point I am hoping that as the v2 APIs 
come online, we move the CLI to using them. And that at that point adding a 
command like "adduser" or "deleteuser" becomes super easy because we have nice 
clean SolrJ client objects (methods?) that map to the v2 APIs with all the 
docs, and that we don't add more custom logic on the auth tool...



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

