[ https://issues.apache.org/jira/browse/SOLR-17309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lamine updated SOLR-17309:
--------------------------
    Description: 
TL;DR

This is the first part of a broader contribution to enhance CertAuthPlugin to 
support _Principal_ resolution, identity resolution and validation.
This part deals with _Principal_ resolution.

 —

Solr supports certificate-based authentication (mTLS) via the CertAuthPlugin. 
However, the feature offers limited flexibility. In fact, the class contains 
minimal code, primarily deferring certificate validation to Jetty and 
extracting the _Principal_ from the subject's Distinguished Name (DN). The 
Authorization plugin then maps the extracted _Principal_ to a role.

I've identified a couple of issues with this approach, as well as potential 
areas for enhancement:

*1- Issues with Using DN*
 - {*}Length and precision{*}: The DN is lengthy and requires an exact match 
for roles mapping. Even a minor discrepancy, like an extra space, or order of 
attributes (RDN), can break the mapping.

 - {*}One DN per certificate{*}: If different certificates are used for 
different hosts in a cluster, each DN has to be mapped separately to a 
particular role, complicating role mapping and increasing risks of errors.

 - {*}Not customizable{*}: The current implementation doesn't allow operators 
to adapt Principal extraction to their specific needs.

 - {*}Bad user experience{*}: When logged into the Solr Admin UI using 
CertAuthPlugin, the whole DN is displayed on the left menu as the 'username'.

_*Proposed Solution for DN Issues:*_
 - Extraction flexibility: Grant operators the ability to specify the data they 
wish to extract for the {_}Principal{_}, based on a defined path (for example: 
_SUBJECT.DN_ (default), {_}SAN.URI{_}, {_}SAN.email{_}, etc.).

 - Use of delimiters: Introduce optional delimiters (start and end) or 
prefix/suffix to extract only the necessary data from a field, for example a 
group ID.


  was:
TL;DR

This is the first part of a broader contribution to enhance CertAuthPlugin to 
support _Principal_ resolution, identity resolution and validation.
This part deals with _Principal_ resolution.

 —

Solr supports certificate-based authentication (mTLS) via the CertAuthPlugin. 
However, the feature offers limited flexibility and probably poses potential 
security vulnerabilities. In fact, the class contains minimal code, primarily 
deferring certificate validation to Jetty and extracting the _Principal_ from 
the subject's Distinguished Name (DN). The Authorization plugin then maps the 
extracted _Principal_ to a role.

I've identified a couple of issues with this approach, as well as potential 
areas for enhancement:

*1- Issues with Using DN*
 - {*}Length and precision{*}: The DN is lengthy and requires an exact match 
for roles mapping. Even a minor discrepancy, like an extra space, or order of 
attributes (RDN), can break the mapping.

 - {*}One DN per certificate{*}: If different certificates are used for 
different hosts in a cluster, each DN has to be mapped separately to a 
particular role, complicating role mapping and increasing risks of errors.

 - {*}Not customizable{*}: The current implementation doesn't allow operators 
to adapt Principal extraction to their specific needs.

 - {*}Bad user experience{*}: When logged into the Solr Admin UI using 
CertAuthPlugin, the whole DN is displayed on the left menu as the 'username'.

_*Proposed Solution for DN Issues:*_
 - Extraction flexibility: Grant operators the ability to specify the data they 
wish to extract for the {_}Principal{_}, based on a defined path (for example: 
_SUBJECT.DN_ (default), {_}SAN.URI{_}, {_}SAN.email{_}, etc.).

 - Use of delimiters: Introduce optional delimiters (start and end) or 
prefix/suffix to extract only the necessary data from a field, for example a 
group ID.



> Enhance Cert Authentication plugin with flexible cert principal resolution
> --------------------------------------------------------------------------
>
>                 Key: SOLR-17309
>                 URL: https://issues.apache.org/jira/browse/SOLR-17309
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Lamine
>            Priority: Minor
>
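As an added illustration (not code from Solr or from this ticket), a hypothetical Java resolver that implements the two proposals above: a path selecting the certificate field (SUBJECT.DN, SAN.URI or SAN.email) and an optional prefix/suffix pair that keeps only the delimited part of that field. The class name, constructor arguments and the command-line usage are assumptions; it reads a PEM or DER certificate from a file path and fails closed (returns null) when the chosen field or a delimiter is missing, so a misconfigured rule cannot silently fall back to the whole field.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

/** Hypothetical resolver: the principal is a delimited substring of one chosen certificate field. */
public final class CertPrincipalResolver {
    private final String path, prefix, suffix; // e.g. "SAN.URI", "spiffe://", "/" (empty = no delimiter)
    public CertPrincipalResolver(String path, String prefix, String suffix) {
        this.path = path; this.prefix = prefix; this.suffix = suffix;
    }

    /** Resolves the principal; returns null when the field is absent or a delimiter does not match. */
    public String resolve(X509Certificate cert) throws Exception {
        String field = fieldValue(cert);
        if (field == null) return null;
        int start = prefix.isEmpty() ? 0 : field.indexOf(prefix);
        if (start < 0) return null;        // prefix missing: fail closed rather than use the whole field
        start += prefix.length();
        int end = suffix.isEmpty() ? field.length() : field.indexOf(suffix, start);
        if (end < 0) return null;          // suffix missing: fail closed as well
        String principal = field.substring(start, end).trim();
        return principal.isEmpty() ? null : principal;
    }

    private String fieldValue(X509Certificate cert) throws Exception {
        switch (path) {
            case "SUBJECT.DN": return cert.getSubjectX500Principal().getName(); // RFC 2253 string form
            case "SAN.email":  return firstSan(cert, 1); // GeneralName tag 1 = rfc822Name
            case "SAN.URI":    return firstSan(cert, 6); // GeneralName tag 6 = uniformResourceIdentifier
            default: throw new IllegalArgumentException("unsupported principal path: " + path);
        }
    }

    /** First SAN entry carrying the given tag; the JDK returns each entry as [Integer tag, value]. */
    private static String firstSan(X509Certificate cert, int tag) throws Exception {
        var sans = cert.getSubjectAlternativeNames(); // null when the certificate has no SAN extension
        if (sans == null) return null;
        for (List<?> san : sans) if ((Integer) san.get(0) == tag) return (String) san.get(1);
        return null;
    }

    /** Usage: java CertPrincipalResolver.java <cert.pem> [SUBJECT.DN|SAN.URI|SAN.email] [prefix] [suffix] */
    public static void main(String[] args) throws Exception {
        try (FileInputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println(new CertPrincipalResolver(args.length > 1 ? args[1] : "SUBJECT.DN",
                    args.length > 2 ? args[2] : "", args.length > 3 ? args[3] : "").resolve(cert));
        }
    }
}
```

With a constructed SAN URI such as `spiffe://example.org/groups/solr-admins/node1`, running it with `SAN.URI spiffe://example.org/groups/ /` yields the group ID `solr-admins`, so one role mapping covers every node certificate issued under that group rather than one mapping per DN.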



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
