Posted to commits@sentry.apache.org by gc...@apache.org on 2014/05/24 01:11:23 UTC
git commit: SENTRY-230: e2e test for doc level security to cover
failure scenarios around Index level auth (Vamsee Yarlagadda via Gregory
Chanan)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 3ea19d86d -> c6f50f122
SENTRY-230: e2e test for doc level security to cover failure scenarios around Index level auth (Vamsee Yarlagadda via Gregory Chanan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c6f50f12
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c6f50f12
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c6f50f12
Branch: refs/heads/master
Commit: c6f50f122d63b44dfae29cbed470bbf5b41f83f2
Parents: 3ea19d8
Author: Gregory Chanan <gr...@gmail.com>
Authored: Fri May 23 16:07:15 2014 -0700
Committer: Gregory Chanan <gr...@gmail.com>
Committed: Fri May 23 16:07:15 2014 -0700
----------------------------------------------------------------------
.../tests/e2e/solr/TestDocLevelOperations.java | 70 +++++++++++++-------
.../solr/sentry/test-authz-provider.ini | 2 +-
2 files changed, 48 insertions(+), 24 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c6f50f12/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
index 31ecd5b..ff508e1 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
@@ -26,7 +26,6 @@ import static org.junit.Assert.assertTrue;
import org.apache.solr.client.solrj.SolrQuery;
import org.apache.solr.client.solrj.impl.CloudSolrServer;
import org.apache.solr.client.solrj.response.QueryResponse;
-import org.apache.solr.client.solrj.response.UpdateResponse;
import org.apache.solr.common.SolrDocument;
import org.apache.solr.common.SolrDocumentList;
@@ -80,7 +79,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
* - all documents get some bogus auth tokens
* - all documents get a docLevel_role auth token
*/
- private void createDocsAndQuerySimple(String collectionName) throws Exception {
+ private void createDocsAndQuerySimple(String collectionName, boolean checkNonAdminUsers) throws Exception {
// ensure no current documents
verifyDeletedocsPass(ADMIN_USER, collectionName, true);
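Review bot: The new `checkNonAdminUsers` parameter on `createDocsAndQuerySimple` is not described in the javadoc whose tail is visible just above the signature. Passing `false` skips the junit and docLevel assertions, so a reader of a call site cannot tell which identities were checked. I would add `@param checkNonAdminUsers if false, only the admin query is asserted; the junit and docLevel queries are skipped` to that javadoc. The javadoc starts before this hunk and the method body continues past it.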
@@ -118,30 +117,32 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
SolrQuery query = new SolrQuery();
query.setQuery("*:*");
- // as junit -- should get half the documents
- setAuthenticationUser("junit");
- QueryResponse rsp = server.query(query);
- SolrDocumentList docList = rsp.getResults();
- assertEquals(NUM_DOCS / 2, docList.getNumFound());
- for (SolrDocument doc : docList) {
- String id = doc.getFieldValue("id").toString();
- assertEquals(0, Long.valueOf(id) % 2);
- }
-
// as admin -- should get the other half
setAuthenticationUser("admin");
- rsp = server.query(query);
- docList = rsp.getResults();
+ QueryResponse rsp = server.query(query);
+ SolrDocumentList docList = rsp.getResults();
assertEquals(NUM_DOCS / 2, docList.getNumFound());
for (SolrDocument doc : docList) {
String id = doc.getFieldValue("id").toString();
assertEquals(1, Long.valueOf(id) % 2);
}
- // as docLevel -- should get all
- setAuthenticationUser("docLevel");
- rsp = server.query(query);
- assertEquals(NUM_DOCS, rsp.getResults().getNumFound());
+ if (checkNonAdminUsers) {
+ // as junit -- should get half the documents
+ setAuthenticationUser("junit");
+ rsp = server.query(query);
+ docList = rsp.getResults();
+ assertEquals(NUM_DOCS / 2, docList.getNumFound());
+ for (SolrDocument doc : docList) {
+ String id = doc.getFieldValue("id").toString();
+ assertEquals(0, Long.valueOf(id) % 2);
+ }
+
+ // as docLevel -- should get all
+ setAuthenticationUser("docLevel");
+ rsp = server.query(query);
+ assertEquals(NUM_DOCS, rsp.getResults().getNumFound());
+ }
} finally {
server.shutdown();
}
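Review bot: The comment `// as admin -- should get the other half` is stale now that the admin query runs first: no earlier half exists for it to refer to, and when `checkNonAdminUsers` is false no other half is queried at all. I would reword it to `// as admin -- should get the odd-id half` and the one inside the new `if` block to `// as junit -- should get the even-id half`, matching the `% 2` assertions. The enclosing method begins before this hunk.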
@@ -156,7 +157,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
setupCollectionWithDocSecurity(collectionName);
try {
- createDocsAndQuerySimple(collectionName);
+ createDocsAndQuerySimple(collectionName, true);
CloudSolrServer server = getCloudSolrServer(collectionName);
try {
// test filter queries work as AND -- i.e. user can't avoid doc-level
@@ -276,7 +277,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
*/
private void deleteByQueryTest(String collectionName, String deleteUser,
String deleteByQueryStr, String queryUser, int expectedQueryDocs) throws Exception {
- createDocsAndQuerySimple(collectionName);
+ createDocsAndQuerySimple(collectionName, true);
CloudSolrServer server = getCloudSolrServer(collectionName);
try {
SolrQuery query = new SolrQuery();
@@ -299,7 +300,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
}
private void deleteByIdTest(String collectionName) throws Exception {
- createDocsAndQuerySimple(collectionName);
+ createDocsAndQuerySimple(collectionName, true);
CloudSolrServer server = getCloudSolrServer(collectionName);
try {
SolrQuery query = new SolrQuery();
@@ -327,7 +328,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
}
private void updateDocsTest(String collectionName) throws Exception {
- createDocsAndQuerySimple(collectionName);
+ createDocsAndQuerySimple(collectionName, true);
CloudSolrServer server = getCloudSolrServer(collectionName);
try {
setAuthenticationUser("junit");
@@ -363,7 +364,7 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
setupCollectionWithDocSecurity(collectionName);
try {
- createDocsAndQuerySimple(collectionName);
+ createDocsAndQuerySimple(collectionName, true);
// test deleteByQuery "*:*"
deleteByQueryTest(collectionName, "junit", "*:*", "docLevel", 0);
@@ -379,4 +380,27 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
deleteCollection(collectionName);
}
}
+
+ /**
+ * Test to validate doc level security on collections without perm for Index level auth.
+ * @throws Exception
+ */
+ @Test
+ public void indexDocAuthTests() throws Exception {
+ String collectionName = "testIndexlevelDoclevelOperations";
+
+ setupCollectionWithDocSecurity(collectionName);
+ try {
+ createDocsAndQuerySimple(collectionName, false);
+
+ // test query for "*:*" fails as junit user (junit user doesn't have index level permissions but has doc level permissions set)
+ verifyQueryFail("junit", collectionName, ALL_DOCS);
+
+ // test query for "*:*" fails as docLevel user (docLevel user has neither index level permissions nor doc level permissions set)
+ verifyQueryFail("docLevel", collectionName, ALL_DOCS);
+
+ } finally {
+ deleteCollection(collectionName);
+ }
+ }
}
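Review bot: The comment on the second `verifyQueryFail` says docLevel has no doc level permissions set, but the javadoc of `createDocsAndQuerySimple` visible earlier in this diff says all documents get a docLevel_role auth token, so the two appear to disagree. If the intent is that a doc-level token must not grant access without an index-level grant on the collection, the comment should say so: `// every document carries docLevel's token, but docLevel_role has no index-level grant on this collection, so the query must still be denied`. The test asserts denial for queries only; update and delete by junit and docLevel on this collection are not covered here. `verifyQueryFail` is not visible in this diff, so it is worth confirming that it distinguishes an authorization failure from any other exception.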
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c6f50f12/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
index 96ab0d4..702cd5a 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
@@ -31,7 +31,7 @@ admin_all_group = admin_all_role
[roles]
junit_role = collection=admin, collection=collection1, collection=docLevelCollection, collection=allRolesCollection, collection=testUpdateDeleteOperations
docLevel_role = collection=docLevelCollection, collection=testUpdateDeleteOperations
-admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allRolesCollection, collection=testInvariantCollection, collection=testUpdateDeleteOperations
+admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allRolesCollection, collection=testInvariantCollection, collection=testUpdateDeleteOperations, collection=testIndexlevelDoclevelOperations
sentryCollection_query_role = collection=sentryCollection->action=query
sentryCollection_update_role = collection=sentryCollection->action=update
sentryCollection_query_update_role = collection=sentryCollection->action=query, collection=sentryCollection->action=update
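Review bot: `indexDocAuthTests` only passes while `junit_role` and `docLevel_role` above do not list `collection=testIndexlevelDoclevelOperations`, and nothing in this file records that the omission is deliberate. A later edit that adds the collection to either role would break the denial test with no hint why, or tempt someone to relax the test instead. A comment above `admin_role` (assuming the file uses `#` comments) would make the intent explicit: `# testIndexlevelDoclevelOperations is granted to admin_role only; junit_role and docLevel_role must not list it (see indexDocAuthTests)`.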