Posted to commits@sentry.apache.org by gc...@apache.org on 2014/05/24 01:11:23 UTC

git commit: SENTRY-230: e2e test for doc level security to cover failure scenarios around Index level auth (Vamsee Yarlagadda via Gregory Chanan)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 3ea19d86d -> c6f50f122


SENTRY-230: e2e test for doc level security to cover failure scenarios around Index level auth (Vamsee Yarlagadda via Gregory Chanan)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c6f50f12
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c6f50f12
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c6f50f12

Branch: refs/heads/master
Commit: c6f50f122d63b44dfae29cbed470bbf5b41f83f2
Parents: 3ea19d8
Author: Gregory Chanan <gr...@gmail.com>
Authored: Fri May 23 16:07:15 2014 -0700
Committer: Gregory Chanan <gr...@gmail.com>
Committed: Fri May 23 16:07:15 2014 -0700

----------------------------------------------------------------------
 .../tests/e2e/solr/TestDocLevelOperations.java  | 70 +++++++++++++-------
 .../solr/sentry/test-authz-provider.ini         |  2 +-
 2 files changed, 48 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c6f50f12/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
index 31ecd5b..ff508e1 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
@@ -26,7 +26,6 @@ import static org.junit.Assert.assertTrue;
 import org.apache.solr.client.solrj.SolrQuery;
 import org.apache.solr.client.solrj.impl.CloudSolrServer;
 import org.apache.solr.client.solrj.response.QueryResponse;
-import org.apache.solr.client.solrj.response.UpdateResponse;
 
 import org.apache.solr.common.SolrDocument;
 import org.apache.solr.common.SolrDocumentList;
@@ -80,7 +79,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
    * - all documents get some bogus auth tokens
    * - all documents get a docLevel_role auth token
    */
-  private void createDocsAndQuerySimple(String collectionName) throws Exception {
+  private void createDocsAndQuerySimple(String collectionName, boolean checkNonAdminUsers) throws Exception {
 
     // ensure no current documents
     verifyDeletedocsPass(ADMIN_USER, collectionName, true);
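Review bot: The Javadoc above `createDocsAndQuerySimple` is not updated for the new `checkNonAdminUsers` parameter, so a reader cannot tell from the signature what `false` skips. I would add `@param checkNonAdminUsers if true, also query as junit and docLevel and assert their visible document counts; pass false when those users have no collection-level access` to the existing comment block. The Javadoc starts above this hunk and the method body continues below it.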
@@ -118,30 +117,32 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
       SolrQuery query = new SolrQuery();
       query.setQuery("*:*");
 
-      // as junit -- should get half the documents
-      setAuthenticationUser("junit");
-      QueryResponse rsp = server.query(query);
-      SolrDocumentList docList = rsp.getResults();
-      assertEquals(NUM_DOCS / 2, docList.getNumFound());
-      for (SolrDocument doc : docList) {
-        String id = doc.getFieldValue("id").toString();
-        assertEquals(0, Long.valueOf(id) % 2);
-      }
-
       // as admin  -- should get the other half
       setAuthenticationUser("admin");
-      rsp = server.query(query);
-      docList = rsp.getResults();
+      QueryResponse  rsp = server.query(query);
+      SolrDocumentList docList = rsp.getResults();
       assertEquals(NUM_DOCS / 2, docList.getNumFound());
       for (SolrDocument doc : docList) {
         String id = doc.getFieldValue("id").toString();
         assertEquals(1, Long.valueOf(id) % 2);
       }
 
-      // as docLevel -- should get all
-      setAuthenticationUser("docLevel");
-      rsp = server.query(query);
-      assertEquals(NUM_DOCS, rsp.getResults().getNumFound());
+      if (checkNonAdminUsers) {
+        // as junit -- should get half the documents
+        setAuthenticationUser("junit");
+        rsp = server.query(query);
+        docList = rsp.getResults();
+        assertEquals(NUM_DOCS / 2, docList.getNumFound());
+        for (SolrDocument doc : docList) {
+          String id = doc.getFieldValue("id").toString();
+          assertEquals(0, Long.valueOf(id) % 2);
+        }
+
+        // as docLevel -- should get all
+        setAuthenticationUser("docLevel");
+        rsp = server.query(query);
+        assertEquals(NUM_DOCS, rsp.getResults().getNumFound());
+      }
     } finally {
       server.shutdown();
     }
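Review bot: The comment `// as admin  -- should get the other half` no longer has a "first half" to refer to, because the junit block now runs after it and only when `checkNonAdminUsers` is true. Since the loop asserts `Long.valueOf(id) % 2 == 1`, something like `// as admin -- should get the odd-id half of the documents` reads correctly on its own. The new declaration `QueryResponse  rsp` also carries a double space. The literal `"admin"` could use the `ADMIN_USER` constant already passed to `verifyDeletedocsPass`, provided it names the same user. The method starts above this hunk.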
@@ -156,7 +157,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
     setupCollectionWithDocSecurity(collectionName);
 
     try {
-      createDocsAndQuerySimple(collectionName);
+      createDocsAndQuerySimple(collectionName, true);
       CloudSolrServer server = getCloudSolrServer(collectionName);
       try {
         // test filter queries work as AND -- i.e. user can't avoid doc-level
@@ -276,7 +277,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
    */
   private void deleteByQueryTest(String collectionName, String deleteUser,
       String deleteByQueryStr, String queryUser, int expectedQueryDocs) throws Exception {
-    createDocsAndQuerySimple(collectionName);
+    createDocsAndQuerySimple(collectionName, true);
     CloudSolrServer server = getCloudSolrServer(collectionName);
     try {
       SolrQuery query = new SolrQuery();
@@ -299,7 +300,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
   }
 
   private void deleteByIdTest(String collectionName) throws Exception {
-    createDocsAndQuerySimple(collectionName);
+    createDocsAndQuerySimple(collectionName, true);
     CloudSolrServer server = getCloudSolrServer(collectionName);
     try {
       SolrQuery query = new SolrQuery();
@@ -327,7 +328,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
   }
 
   private void updateDocsTest(String collectionName) throws Exception {
-    createDocsAndQuerySimple(collectionName);
+    createDocsAndQuerySimple(collectionName, true);
     CloudSolrServer server = getCloudSolrServer(collectionName);
     try {
       setAuthenticationUser("junit");
@@ -363,7 +364,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
 
     setupCollectionWithDocSecurity(collectionName);
     try {
-      createDocsAndQuerySimple(collectionName);
+      createDocsAndQuerySimple(collectionName, true);
 
       // test deleteByQuery "*:*"
       deleteByQueryTest(collectionName, "junit", "*:*", "docLevel", 0);
@@ -379,4 +380,27 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
       deleteCollection(collectionName);
     }
   }
+
+  /**
+   * Test to validate doc level security on collections without perm for Index level auth.
+   * @throws Exception
+   */
+  @Test
+  public void indexDocAuthTests() throws Exception {
+    String collectionName = "testIndexlevelDoclevelOperations";
+
+    setupCollectionWithDocSecurity(collectionName);
+    try {
+      createDocsAndQuerySimple(collectionName, false);
+
+      // test query for "*:*" fails as junit user (junit user doesn't have index level permissions but has doc level permissions set)
+      verifyQueryFail("junit", collectionName, ALL_DOCS);
+
+      // test query for "*:*" fails as docLevel user (docLevel user has neither index level permissions nor doc level permissions set)
+      verifyQueryFail("docLevel", collectionName, ALL_DOCS);
+
+    } finally {
+      deleteCollection(collectionName);
+    }
+  }
 }
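Review bot: The comment before `verifyQueryFail("docLevel", ...)` says the docLevel user has no doc level permissions, but the Javadoc of `createDocsAndQuerySimple` states that all documents get a `docLevel_role` token. If the docLevel user maps to that role, the case being tested is "doc-level token on every document, no index-level grant", which is the stronger property. I would reword it to `// query for "*:*" fails as docLevel user (docLevel_role is on every document, but the role has no index level permission on this collection)`. `verifyQueryFail` is not visible here, so confirm that it asserts an authorization rejection and not just any query error; otherwise a misconfigured collection would also make this test pass. The Javadoc's bare `@throws Exception` can be dropped or given a description.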

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c6f50f12/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
index 96ab0d4..702cd5a 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
@@ -31,7 +31,7 @@ admin_all_group = admin_all_role
 [roles]
 junit_role = collection=admin, collection=collection1, collection=docLevelCollection, collection=allRolesCollection, collection=testUpdateDeleteOperations
 docLevel_role = collection=docLevelCollection, collection=testUpdateDeleteOperations
-admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allRolesCollection, collection=testInvariantCollection, collection=testUpdateDeleteOperations
+admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allRolesCollection, collection=testInvariantCollection, collection=testUpdateDeleteOperations, collection=testIndexlevelDoclevelOperations
 sentryCollection_query_role = collection=sentryCollection->action=query
 sentryCollection_update_role = collection=sentryCollection->action=update
 sentryCollection_query_update_role = collection=sentryCollection->action=query, collection=sentryCollection->action=update
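Review bot: `indexDocAuthTests` passes only while `junit_role` and `docLevel_role` do not list `collection=testIndexlevelDoclevelOperations`, and nothing in this policy file records that the omission is deliberate. A later edit that grants the collection to either role, as was done for `testUpdateDeleteOperations`, would silently turn the negative test into a different scenario. I would add a comment above `admin_role`, for example `# testIndexlevelDoclevelOperations is granted to admin_role only; indexDocAuthTests relies on junit_role and docLevel_role not having it`.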