You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Vamsee Yarlagadda <va...@cloudera.com> on 2015/02/25 07:27:53 UTC
Re: Review Request 30017: SENTRY-588:The Solr schema protection with
Sentry
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/30017/#review73986
-----------------------------------------------------------
I couldn't remember why we didn't cover it in the first place? May be for the reason that all the configs are stored in ZK and we didn't have Sentry protecting zk access so the users could anyway get access to all the configs (schema and etc), even without talking with Solr schema API.
@Greg - Any thoughts?
- Vamsee Yarlagadda
On Jan. 19, 2015, 1:11 a.m., shen guoquan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/30017/
> -----------------------------------------------------------
>
> (Updated Jan. 19, 2015, 1:11 a.m.)
>
>
> Review request for sentry and Vamsee Yarlagadda.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> The Solr schema API allows using a REST API to get schema about the each collection, including defined field types, fields, dynamic fields, and copy field declarations. There exists a risk that user can get the collection schema they does not access to. For example, user1 has no query privilege on collection collection1, but currently the user1 can get the schema metadata about collection1 as running the command: curl http://localhost:8983/solr/collection1/schema It’s should deny the users get the schema information that they haven’t query privilege on.
>
>
> Diffs
> -----
>
> pom.xml 60a9f4a
> sentry-solr/solr-sentry-handlers/pom.xml 8ca1cb3
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/rest/SecureSolrSchemaRestApi.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/rest/SentryAuthorizerFilter.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/rest/SentryAuthorizerFilterException.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini 8f48a8c
> sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/rest/TestSentryAuthorizerFilter.java PRE-CREATION
> sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/rest/RestTestHarness.java PRE-CREATION
> sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/rest/SolrSentryRestTestBase.java PRE-CREATION
> sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/rest/TestSchemaProtection.java PRE-CREATION
>
> Diff: https://reviews.apache.org/r/30017/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> shen guoquan
>
>