You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geode.apache.org by "Diane Hardman (JIRA)" <ji...@apache.org> on 2017/03/07 23:40:37 UTC

[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege

    [ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900383#comment-15900383 ] 

Diane Hardman edited comment on GEODE-2605 at 3/7/17 11:40 PM:
---------------------------------------------------------------

Here are the gfsh commands to reproduce this behavior:
In first VM using gfsh, start up the cluster with 1 locator and 1 server configured with security as ‘super-user’ (all cluster and data privileges):
      start locator --name=loc2 --J=-Dgemfire.security-manager=org.apache.geode.examples.security.ExampleSecurityManager --classpath=.
      start server --name=serv2 --start-rest-api --http-service-port=8080 --http-service-bind-address=localhost --locators=localhost[10334] --classpath=. --user=super-user
      connect
      list members

In second VM using gfsh, connect to running cluster as ‘dataAdmin’ (all data privileges):
      connect
      create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD
      list lucene indexes --with-stats=true  **** NOTE: This will fail as it needs CLUSTER:READ privilege. I can however execute this command on the first VM ****
      create region --name=testRegion --type=PARTITION_PERSISTENT
      put --key=1 --value=value1 --region=testRegion
      put --key=2 --value=value2 --region=testRegion
      put --key=3 --value=value3 --region=testRegion
      search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD
     **** NOTE: This fails with message that I need CLUSTER:READ privilege ****

The Lucene query will execute a function so I assumed that I needed DATA:WRITE privilege and am surprised that I need CLUSTER:READ.
Here is a link to the Lucene Integration spec, illustrating the implementation: 
    https://cwiki.apache.org/confluence/display/GEODE/Text+Search+With+Lucene


was (Author: dhardman):
Here are the gfsh commands to reproduce this behavior:
In first VM using gfsh, start up the cluster with 1 locator and 1 server configured with security as ‘super-user’ (all cluster and data privileges):
  start locator --name=loc2 --J=-Dgemfire.security-manager=org.apache.geode.examples.security.ExampleSecurityManager --classpath=.
  start server --name=serv2 --start-rest-api --http-service-port=8080 --http-service-bind-address=localhost --locators=localhost[10334] --classpath=. --user=super-user
  connect
  list members

In second VM using gfsh, connect to running cluster as ‘dataAdmin’ (all data privileges):
  connect
  create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD
  list lucene indexes --with-stats=true  **** NOTE: This will fail as it needs CLUSTER:READ privilege. I can however execute this command on the first VM ****
  create region --name=testRegion --type=PARTITION_PERSISTENT
  put --key=1 --value=value1 --region=testRegion
  put --key=2 --value=value2 --region=testRegion
  put --key=3 --value=value3 --region=testRegion
  search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD
     **** NOTE: This fails with message that I need CLUSTER:READ privilege ****

The Lucene query will execute a function so I assumed that I needed DATA:WRITE privilege and am surprised that I need CLUSTER:READ.
Here is a link to the Lucene Integration spec, illustrating the implementation: 
https://cwiki.apache.org/confluence/display/GEODE/Text+Search+With+Lucene

> Unable to do a Lucene query without CLUSTER:READ privilege
> ----------------------------------------------------------
>
>                 Key: GEODE-2605
>                 URL: https://issues.apache.org/jira/browse/GEODE-2605
>             Project: Geode
>          Issue Type: Bug
>          Components: lucene, security
>            Reporter: Diane Hardman
>         Attachments: security.json
>
>
> I have configured a small cluster with security and am testing the privileges I need for creating a Lucene index and then executing a query/search using Lucene. 
> I have confirmed that DATA:MANAGE privilege allows me to create a lucene index (similar to creating OQL indexes).
> I assumed I needed DATA:WRITE privilege to execute 'search lucene' because the implementation uses a function. Instead, I am getting an error that I need CLUSTER:READ privilege. I don't know why.
> As an aside, we may want to document that all DATA privileges automatically include CLUSTER:READ as I found I could create indexes with DATA:WRITE, but could not list the indexes I created without CLUSTER:READ... go figure.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)