Posted to commits@lucene.apache.org by is...@apache.org on 2019/03/19 11:32:01 UTC
[lucene-solr] branch branch_6_6 updated: SOLR-12514: Rule-base
Authorization plugin skips authorization if querying node does not have
collection replica
This is an automated email from the ASF dual-hosted git repository.
ishan pushed a commit to branch branch_6_6
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_6_6 by this push:
new add003f SOLR-12514: Rule-base Authorization plugin skips authorization if querying node does not have collection replica
add003f is described below
commit add003f217806afb4e1604f697cdb0a5a7115895
Author: Ishan Chattopadhyaya <is...@apache.org>
AuthorDate: Tue Mar 19 17:01:41 2019 +0530
SOLR-12514: Rule-base Authorization plugin skips authorization if querying node does not have collection replica
---
solr/CHANGES.txt | 5 +++++
.../org/apache/solr/request/SolrRequestInfo.java | 14 ++++++++++++++
.../solr/security/PKIAuthenticationPlugin.java | 2 +-
.../java/org/apache/solr/servlet/HttpSolrCall.java | 1 +
.../solr/security/BasicAuthIntegrationTest.java | 20 ++++++++++++++++++++
.../security/HttpParamDelegationTokenPlugin.java | 2 +-
6 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index f4574fa..5ab688c 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -29,10 +29,15 @@ Apache UIMA 2.3.1
Apache ZooKeeper 3.4.10
Jetty 9.3.14.v20161028
+Bug Fixes
+----------------------
* SOLR-10506: Fix memory leak (upon collection reload or ZooKeeper session expiry) in ZkIndexSchemaReader.
(Torsten Bøgh Köster, Christine Poerschke, Jörg Rathlev, Mike Drob)
+* SOLR-12514: Rule-base Authorization plugin skips authorization if querying node does not have collection
+ replica (noble)
+
================== 6.6.5 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/core/src/java/org/apache/solr/request/SolrRequestInfo.java b/solr/core/src/java/org/apache/solr/request/SolrRequestInfo.java
index f759c91..25d6d78 100644
--- a/solr/core/src/java/org/apache/solr/request/SolrRequestInfo.java
+++ b/solr/core/src/java/org/apache/solr/request/SolrRequestInfo.java
@@ -16,8 +16,10 @@
*/
package org.apache.solr.request;
+import javax.servlet.http.HttpServletRequest;
import java.io.Closeable;
import java.lang.invoke.MethodHandles;
+import java.security.Principal;
import java.util.Date;
import java.util.LinkedList;
import java.util.List;
@@ -40,6 +42,7 @@ public class SolrRequestInfo {
protected SolrQueryRequest req;
protected SolrQueryResponse rsp;
protected Date now;
+ protected HttpServletRequest httpRequest;
protected TimeZone tz;
protected ResponseBuilder rb;
protected List<Closeable> closeHooks;
@@ -83,6 +86,17 @@ public class SolrRequestInfo {
this.req = req;
this.rsp = rsp;
}
+ public SolrRequestInfo(HttpServletRequest httpReq, SolrQueryResponse rsp) {
+ this.httpRequest = httpReq;
+ this.rsp = rsp;
+ }
+
+ public Principal getUserPrincipal() {
+ if (req != null) return req.getUserPrincipal();
+ if (httpRequest != null) return httpRequest.getUserPrincipal();
+ return null;
+ }
+
public Date getNOW() {
if (now != null) return now;
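Review bot: The new constructor at L66 leaves `req` null, so any caller that guards only on `reqInfo != null` and then dereferences `getReq()` will now NPE when the REMOTEQUERY path installs such an instance; the two call sites switched to `getUserPrincipal()` in this commit are covered, but I cannot see whether other `getReq()` users exist, so that is worth a grep. Both additions also lack Javadoc; I would add on the constructor `/** Request info for a call that is proxied to another node (REMOTEQUERY): no SolrQueryRequest exists yet, only the raw servlet request, so {@link #getReq()} returns null on such instances. */` and on the getter `/** Principal of the in-flight request, taken from the SolrQueryRequest when set, else from the raw HttpServletRequest; null when neither carries an authenticated user. */`. The enclosing class continues outside the hunk.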
diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
index 845bf93..956297f 100644
--- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
@@ -272,7 +272,7 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin implements Htt
SolrRequestInfo reqInfo = getRequestInfo();
String usr;
if (reqInfo != null) {
- Principal principal = reqInfo.getReq().getUserPrincipal();
+ Principal principal = reqInfo.getUserPrincipal();
if (principal == null) {
//this had a request but not authenticated
//so we don't not need to set a principal
diff --git a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
index c539fe4..03e18f5 100644
--- a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
+++ b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
@@ -510,6 +510,7 @@ public class HttpSolrCall {
handleAdminRequest();
return RETURN;
case REMOTEQUERY:
+ SolrRequestInfo.setRequestInfo(new SolrRequestInfo(req, new SolrQueryResponse()));
remoteQuery(coreUrl + path, resp);
return RETURN;
case PROCESS:
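Review bot: The thread-local set at L100 has no matching clear visible in this hunk; if `HttpSolrCall.destroy()` or an enclosing finally does not already call `SolrRequestInfo.clearRequestInfo()` on the REMOTEQUERY path, the principal stays attached to the pooled Jetty thread and could be picked up by the PKI plugin on a later, unrelated request. A short comment stating where it is cleared would make that contract explicit, e.g. `// thread-local is cleared in destroy(); needed so PKIAuthenticationPlugin forwards the caller's principal`. The `SolrQueryResponse` created here is presumably never read by `remoteQuery`, which is fine but worth a word in the same comment. The enclosing `call()` method starts and ends outside the hunk.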
diff --git a/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java b/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
index 87bb4f5..c27790d 100644
--- a/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
+++ b/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
@@ -38,6 +38,7 @@ import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.message.AbstractHttpMessage;
import org.apache.http.message.BasicHeader;
import org.apache.http.util.EntityUtils;
+import org.apache.solr.client.solrj.SolrClient;
import org.apache.solr.client.solrj.SolrRequest;
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
@@ -204,6 +205,25 @@ public class BasicAuthIntegrationTest extends SolrCloudTestCase {
update.setCommitWithin(100);
cluster.getSolrClient().request(update, COLLECTION);
+ //Test for SOLR-12514. Create a new jetty . This jetty does not have the collection.
+ //Make a request to that jetty and it should fail
+ JettySolrRunner aNewJetty = cluster.startJettySolrRunner();
+ SolrClient aNewClient = aNewJetty.newClient();
+ UpdateRequest delQuery = null;
+ delQuery = new UpdateRequest().deleteByQuery("*:*");
+ delQuery.setBasicAuthCredentials("harry","HarryIsUberCool");
+ delQuery.process(aNewClient, COLLECTION);//this should succeed
+ try {
+ delQuery = new UpdateRequest().deleteByQuery("*:*");
+ delQuery.process(aNewClient, COLLECTION);
+ fail("This should not have succeeded without credentials");
+ } catch (HttpSolrClient.RemoteSolrException e) {
+ assertTrue(e.getMessage().contains("Unauthorized request"));
+ } finally {
+ aNewClient.close();
+ aNewJetty.stop();
+ }
+
executeCommand(baseUrl + authcPrefix, cl, "{set-property : { blockUnknown: true}}", "harry", "HarryIsUberCool");
verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/blockUnknown", "true", 20, "harry", "HarryIsUberCool");
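Review bot: The try block at L127 starts after the first `delQuery.process(aNewClient, COLLECTION)` at L126, so if that credentialed request fails the `finally` never runs and both `aNewClient` and `aNewJetty` leak for the rest of the test class; moving `try {` up to just before L124 (and dropping the one at L127) puts every use of the two resources under the finally. The `UpdateRequest delQuery = null;` at L123 followed by an immediate assignment at L124 can be collapsed into `UpdateRequest delQuery = new UpdateRequest().deleteByQuery("*:*");`. The assertion on `e.getMessage().contains("Unauthorized request")` ties the test to message text; asserting on the HTTP status (`e.code()`) as well would make the intent (401/403 rather than some other failure) clearer. The enclosing test method starts and ends outside the hunk.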
diff --git a/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenPlugin.java b/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenPlugin.java
index 42d99a2..1f160a2 100644
--- a/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenPlugin.java
@@ -77,7 +77,7 @@ public class HttpParamDelegationTokenPlugin extends KerberosPlugin {
SolrRequestInfo reqInfo = SolrRequestInfo.getRequestInfo();
String usr;
if (reqInfo != null) {
- Principal principal = reqInfo.getReq().getUserPrincipal();
+ Principal principal = reqInfo.getUserPrincipal();
if (principal == null) {
//this had a request but not authenticated
//so we don't not need to set a principal