Hi,

I am testing the JWT Authentication Plugin with a Keycloak IdP.


The Rule-Based Authorization Plugin denies access to some Solr endpoints.
According to the logs, I don't understand why.

For example, in this log line we see that
the requested roles are "solr", "solr:admin" or "consoleread", and
the user's roles are [profile, solr, admin, email].

The determineIfPermissionPermitsPrincipal method in
RuleBasedAuthorizationPluginBase.java should allow access.

    Set<String> userRoles = getUserRoles(principal);
    for (String role : governingPermission.role) {
      if (userRoles != null && userRoles.contains(role)) {
        log.debug("Governing permission [{}] allows access to role [{}]; permitting access",
            governingPermission, role);
        return MatchStatus.PERMITTED;
      }
    }
    log.info("This resource is configured to have a permission {}, The principal {} does not have the right role ",
        governingPermission, principal);
    return MatchStatus.FORBIDDEN;

governingPermission.role = "solr", "solr:admin", "consoleread"
userRoles = profile, solr, admin, email

The "solr" role should match!?


2022-04-02 12:33:12.693 INFO  (qtp1406253491-27) [   ] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "collection":null,
  "path":[
    "/admin/info",
    "/admin/info/threads",
    "/admin/info/system",
    "/admin/info/properties"],
  "role":[
    "solr",
    "solr:admin",
    "consoleread"],
  "index":7}, The principal JWTPrincipalWithUserRoles{username='89c48f69-eead-44ee-bf37-741e2d661b77', token='*****', claims={exp=1648903285, iat=1648902385, auth_time=1648902256, jti=1838b4df-801a-410e-903a-f4b9ced085fc, iss=https://localhost:8443/auth/realms/solr, sub=89c48f69-eead-44ee-bf37-741e2d661b77, typ=Bearer, azp=solr-app, nonce=25kzdeinhb9dqflogqy4id8a8zmiyvpkg, session_state=34ed4051-8cc1-45da-a25e-67054087af34, acr=0, realm_access={roles=[solr:admin]}, resource_access={solr-app={roles=[solr:admin]}}, scope=openid profile solr admin email, sid=34ed4051-8cc1-45da-a25e-67054087af34, email_verified=true, preferred_username=solradmin, given_name=, family_name=}, roles=[profile, solr, admin, email]} does not have the right role

Any suggestions?

Regards

Dominique

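Editor's added example (not code from the post above and not Solr's own source): a Python model of the role-matching loop quoted in the message, run with the permission and principal values copied from the log. The one thing the quoted loop does not show is where `getUserRoles(principal)` gets its set from, and that is abstract in RuleBasedAuthorizationPluginBase: the plain `RuleBasedAuthorizationPlugin` resolves roles from the static `user-role` mapping in security.json, keyed by the principal's name, while `ExternalRoleRuleBasedAuthorizationPlugin` takes the roles the authentication plugin attached to the principal (the `roles=[...]` the JWT plugin logs). The model below runs the same loop under both resolvers; the `user-role` mapping it uses is constructed and hypothetical, keyed by `preferred_username` as an administrator might naturally write it, whereas the logged principal name is the `sub` UUID.

```python
"""Model of Solr's RuleBasedAuthorizationPluginBase.determineIfPermissionPermitsPrincipal()
with the two ways the shipped rule-based plugins implement getUserRoles().
Editor's illustration; the Permission/JwtPrincipal values are copied from the log in the
post, the user-role mapping is constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

PERMITTED = "PERMITTED"
FORBIDDEN = "FORBIDDEN"


@dataclass(frozen=True)
class Permission:
    """A governing permission as printed in the log: request paths plus the roles allowed to use them."""
    path: List[str]
    role: List[str]


@dataclass(frozen=True)
class JwtPrincipal:
    """What the log shows for JWTPrincipalWithUserRoles: the principal name (the 'sub' claim)
    and the role set the JWT authentication plugin attached to the principal."""
    name: str
    roles: Set[str]


RoleResolver = Callable[[JwtPrincipal], Optional[Set[str]]]


def external_roles(principal: JwtPrincipal) -> Optional[Set[str]]:
    """ExternalRoleRuleBasedAuthorizationPlugin style: trust the roles carried by the principal."""
    return principal.roles


def static_mapping_resolver(user_role: Dict[str, List[str]]) -> RoleResolver:
    """RuleBasedAuthorizationPlugin style: look the principal *name* up in the user-role mapping.
    A name that is absent from the mapping yields None, like a missed Map lookup in the Java code."""
    def resolve(principal: JwtPrincipal) -> Optional[Set[str]]:
        roles = user_role.get(principal.name)
        return set(roles) if roles is not None else None
    return resolve


def determine_if_permission_permits_principal(permission: Permission,
                                              principal: JwtPrincipal,
                                              resolve: RoleResolver) -> str:
    """Same control flow as the quoted Java loop: first permission role found in the
    resolved user roles permits; otherwise FORBIDDEN (also when no roles resolve at all)."""
    user_roles = resolve(principal)
    for role in permission.role:
        if user_roles is not None and role in user_roles:
            return PERMITTED
    return FORBIDDEN


# Values taken from the log line in the post.
LOGGED_PERMISSION = Permission(
    path=["/admin/info", "/admin/info/threads", "/admin/info/system", "/admin/info/properties"],
    role=["solr", "solr:admin", "consoleread"],
)
LOGGED_PRINCIPAL = JwtPrincipal(
    name="89c48f69-eead-44ee-bf37-741e2d661b77",          # username= in the log, i.e. the 'sub' claim
    roles={"profile", "solr", "admin", "email"},          # roles= in the log
)

# Constructed, hypothetical user-role mapping keyed by preferred_username rather than by sub.
HYPOTHETICAL_USER_ROLE: Dict[str, List[str]] = {"solradmin": ["solr:admin"]}


def check_with_external_roles() -> str:
    """Roles read from the principal: 'solr' is in both sets, so the loop permits."""
    return determine_if_permission_permits_principal(LOGGED_PERMISSION, LOGGED_PRINCIPAL, external_roles)


def check_with_static_mapping(user_role: Dict[str, List[str]] = HYPOTHETICAL_USER_ROLE) -> str:
    """Roles read from a name-keyed mapping: the UUID principal name has no entry, so the loop forbids
    even though the token's roles would have matched."""
    return determine_if_permission_permits_principal(
        LOGGED_PERMISSION, LOGGED_PRINCIPAL, static_mapping_resolver(user_role))


if __name__ == "__main__":
    print("external roles   :", check_with_external_roles())
    print("user-role mapping:", check_with_static_mapping())
    # Keying the mapping by the logged principal name instead makes the static variant permit too.
    print("mapping keyed by sub:", check_with_static_mapping({LOGGED_PRINCIPAL.name: ["solr"]}))
```

The diagnostic this suggests is to compare the `class` of the authorization plugin in security.json against where the roles are expected to come from, and, if the static mapping is in use, to key it by the exact string Solr logs as `username=` for the JWT principal.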