Posted to dev@geode.apache.org by "Diane Hardman (JIRA)" <ji...@apache.org> on 2017/03/07 23:40:37 UTC
[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege
[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900383#comment-15900383 ]
Diane Hardman edited comment on GEODE-2605 at 3/7/17 11:40 PM:
---------------------------------------------------------------
Here are the gfsh commands to reproduce this behavior:

In first VM using gfsh, start up the cluster with 1 locator and 1 server configured with security as ‘super-user’ (all cluster and data privileges):

    start locator --name=loc2 --J=-Dgemfire.security-manager=org.apache.geode.examples.security.ExampleSecurityManager --classpath=.
    start server --name=serv2 --start-rest-api --http-service-port=8080 --http-service-bind-address=localhost --locators=localhost[10334] --classpath=. --user=super-user
    connect
    list members

In second VM using gfsh, connect to running cluster as ‘dataAdmin’ (all data privileges):

    connect
    create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD
    list lucene indexes --with-stats=true

**** NOTE: This will fail as it needs CLUSTER:READ privilege. I can however execute this command on the first VM ****

    create region --name=testRegion --type=PARTITION_PERSISTENT
    put --key=1 --value=value1 --region=testRegion
    put --key=2 --value=value2 --region=testRegion
    put --key=3 --value=value3 --region=testRegion
    search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD

**** NOTE: This fails with message that I need CLUSTER:READ privilege ****

The Lucene query will execute a function so I assumed that I needed DATA:WRITE privilege and am surprised that I need CLUSTER:READ.

Here is a link to the Lucene Integration spec, illustrating the implementation:
https://cwiki.apache.org/confluence/display/GEODE/Text+Search+With+Lucene

> Unable to do a Lucene query without CLUSTER:READ privilege
> ----------------------------------------------------------
>
> Key: GEODE-2605
> URL: https://issues.apache.org/jira/browse/GEODE-2605
> Project: Geode
> Issue Type: Bug
> Components: lucene, security
> Reporter: Diane Hardman
> Attachments: security.json
>
>
> I have configured a small cluster with security and am testing the privileges I need for creating a Lucene index and then executing a query/search using Lucene.
> I have confirmed that DATA:MANAGE privilege allows me to create a lucene index (similar to creating OQL indexes).
> I assumed I needed DATA:WRITE privilege to execute 'search lucene' because the implementation uses a function. Instead, I am getting an error that I need CLUSTER:READ privilege. I don't know why.
> As an aside, we may want to document that all DATA privileges automatically include CLUSTER:READ as I found I could create indexes with DATA:WRITE, but could not list the indexes I created without CLUSTER:READ... go figure.
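
One way to see which permission each gfsh command in the reproduction actually requests is to run the cluster with a security manager that logs every authorization decision. The class below is an added example, not code from this report or from the Geode project: the class name LoggingSecurityManager, the hard-coded grants for 'super-user' and 'dataAdmin', and the demo password rule are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;

// Hypothetical class, not part of Geode: grants by RESOURCE:OPERATION and logs each decision.
public class LoggingSecurityManager implements SecurityManager {
  // Constructed users mirroring the two accounts named in the report.
  private static final Map<String, Set<String>> GRANTS = new HashMap<>();
  static {
    GRANTS.put("super-user", new HashSet<>(Arrays.asList(
        "CLUSTER:READ", "CLUSTER:WRITE", "CLUSTER:MANAGE",
        "DATA:READ", "DATA:WRITE", "DATA:MANAGE")));
    GRANTS.put("dataAdmin", new HashSet<>(Arrays.asList(
        "DATA:READ", "DATA:WRITE", "DATA:MANAGE")));
  }

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty("security-username");
    String password = credentials.getProperty("security-password");
    // Demo-only rule (assumption): the password must equal the user name.
    if (user == null || !GRANTS.containsKey(user) || !user.equals(password)) {
      throw new AuthenticationFailedException("Unknown user or bad password");
    }
    return user;
  }

  @Override
  public boolean authorize(Object principal, ResourcePermission permission) {
    // Compare only RESOURCE:OPERATION; region and key scoping is ignored in this sketch.
    String needed = permission.getResource() + ":" + permission.getOperation();
    Set<String> held = principal == null ? null : GRANTS.get(principal.toString());
    boolean allowed = held != null && held.contains(needed);
    // permission.toString() also carries the region and key when the caller supplied them.
    System.err.printf("authorize principal=%s requested=%s held=%s -> %s%n",
        principal, permission, held, allowed ? "ALLOW" : "DENY");
    return allowed;
  }
}
```

With the compiled class on the classpath and its name substituted in the `--J=-Dgemfire.security-manager=` option shown above, each command run as 'dataAdmin' produces a log line naming the exact permission it was checked against.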