Posted to commits@sentry.apache.org by va...@apache.org on 2014/05/06 21:41:40 UTC
git commit: SENTRY-192: Convert solr doc-level e2e test to be based
on roles rather than groups (Gregory Chanan via Vamsee Yarlagadda)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 071861d30 -> 8f1ef00be
SENTRY-192: Convert solr doc-level e2e test to be based on roles rather than groups (Gregory Chanan via Vamsee Yarlagadda)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/8f1ef00b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/8f1ef00b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/8f1ef00b
Branch: refs/heads/master
Commit: 8f1ef00bec397ecd83979e0fdbccc04a4829d3f1
Parents: 071861d
Author: Vamsee <va...@cloudera.com>
Authored: Tue May 6 12:40:59 2014 -0700
Committer: Vamsee <va...@cloudera.com>
Committed: Tue May 6 12:40:59 2014 -0700
----------------------------------------------------------------------
.../tests/e2e/solr/TestDocLevelOperations.java | 56 ++++++++++----------
.../collection1/conf/solrconfig-doclevel.xml | 12 ++---
.../solr/collection1/conf/solrconfig.xml | 21 +++++++-
.../solr/sentry/test-authz-provider.ini | 4 +-
4 files changed, 54 insertions(+), 39 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
index 2c0914e..d4307ec 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
@@ -91,13 +91,13 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
}
// 50% of docs get "junit", 50% get "admin" as token
if (i % 2 == 0) {
- doc.addField(AUTH_FIELD, "junit");
+ doc.addField(AUTH_FIELD, "junit_role");
} else {
- doc.addField(AUTH_FIELD, "admin");
+ doc.addField(AUTH_FIELD, "admin_role");
}
// add a token to all docs so we can check that we can get all
// documents returned
- doc.addField(AUTH_FIELD, "docLevel");
+ doc.addField(AUTH_FIELD, "docLevel_role");
docs.add(doc);
}
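Review bot: The context comment `// 50% of docs get "junit", 50% get "admin" as token` no longer matches the values written just below it, which are now `junit_role` and `admin_role`. These strings are what the doc-level filter compares against the caller's roles, so the comment should name them, e.g. `// 50% of docs get "junit_role", 50% get "admin_role" as token (role names, not user or group names)`. The enclosing loop and method start outside this hunk.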
@@ -138,20 +138,20 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
// test filter queries work as AND -- i.e. user can't avoid doc-level
// checks by prefixing their own filterQuery
setAuthenticationUser("junit");
- String fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel}");
+ String fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role}");
String path = "/" + collectionName + "/select?q=*:*&fq="+fq;
String retValue = makeHttpRequest(server, "GET", path, null, null);
assertTrue(retValue.contains("numFound=\"" + NUM_DOCS / 2 + "\" "));
// test that user can't inject an "OR" into the query
final String syntaxErrorMsg = "org.apache.solr.search.SyntaxError: Cannot parse";
- fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel} OR ");
+ fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role} OR ");
path = "/" + collectionName + "/select?q=*:*&fq="+fq;
retValue = makeHttpRequest(server, "GET", path, null, null);
assertTrue(retValue.contains(syntaxErrorMsg));
// same test, prefix OR this time
- fq = URLEncoder.encode(" OR {!raw f=" + AUTH_FIELD + " v=docLevel}");
+ fq = URLEncoder.encode(" OR {!raw f=" + AUTH_FIELD + " v=docLevel_role}");
path = "/" + collectionName + "/select?q=*:*&fq="+fq;
retValue = makeHttpRequest(server, "GET", path, null, null);
assertTrue(retValue.contains(syntaxErrorMsg));
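Review bot: The three rewritten `URLEncoder.encode(...)` calls use the deprecated one-argument overload, which encodes with the platform default charset, so the filter query sent to Solr can differ between build machines. Passing the charset explicitly, e.g. `URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role}", "UTF-8")`, keeps these filter-bypass checks deterministic. The two "OR" cases assert only on the `SyntaxError` text, so it may be worth also asserting that no result list comes back, which ties the test to the access-control outcome rather than to an error message. The method signature is outside this hunk, so I assume it already declares `throws Exception`.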
@@ -161,21 +161,21 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
}
/**
- * Test the allGroupsToken. Make it a keyword in the query language ("OR")
+ * Test the allRolesToken. Make it a keyword in the query language ("OR")
* to make sure it is treated literally rather than interpreted.
*/
@Test
- public void testAllGroupsToken() throws Exception {
- String allGroupsToken = "OR";
- String collectionName = "allGroupsCollection";
+ public void testAllRolesToken() throws Exception {
+ String allRolesToken = "OR";
+ String collectionName = "allRolesCollection";
setupCollectionWithDocSecurity(collectionName);
int junitFactor = 2;
- int allGroupsFactor = 5;
+ int allRolesFactor = 5;
int totalJunitAdded = 0; // total docs added with junit token
- int totalAllGroupsAdded = 0; // total number of docs with the allGroupsToken
- int totalOnlyAllGroupsAdded = 0; // total number of docs with _only_ the allGroupsToken
+ int totalAllRolesAdded = 0; // total number of docs with the allRolesToken
+ int totalOnlyAllRolesAdded = 0; // total number of docs with _only_ the allRolesToken
// create documents
ArrayList<SolrInputDocument> docs = new ArrayList<SolrInputDocument>();
@@ -187,20 +187,20 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
doc.addField("description", "description" + iStr);
if (i % junitFactor == 0) {
- doc.addField(AUTH_FIELD, "junit");
+ doc.addField(AUTH_FIELD, "junit_role");
addedViaJunit = true;
++totalJunitAdded;
- } if (i % allGroupsFactor == 0) {
- doc.addField(AUTH_FIELD, allGroupsToken);
- ++totalAllGroupsAdded;
- if (!addedViaJunit) ++totalOnlyAllGroupsAdded;
+ } if (i % allRolesFactor == 0) {
+ doc.addField(AUTH_FIELD, allRolesToken);
+ ++totalAllRolesAdded;
+ if (!addedViaJunit) ++totalOnlyAllRolesAdded;
}
docs.add(doc);
}
// make sure our factors give us interesting results --
- // that some docs only have all groups and some only have junit
- assert(totalOnlyAllGroupsAdded > 0);
- assert(totalJunitAdded > totalAllGroupsAdded);
+ // that some docs only have all roles and some only have junit
+ assert(totalOnlyAllRolesAdded > 0);
+ assert(totalJunitAdded > totalAllRolesAdded);
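Review bot: The two fixture sanity checks at the end of this hunk use the Java `assert` keyword, which does nothing when the JVM runs without `-ea`. In that case a bad choice of factors would leave the later role-visibility assertions passing on a data set that does not exercise the all-roles token. JUnit assertions always run: `assertTrue(totalOnlyAllRolesAdded > 0);` and `assertTrue(totalJunitAdded > totalAllRolesAdded);`. The line `} if (i % allRolesFactor == 0) {` would also read better with the second `if` on its own line, so it is not mistaken for an `else if`.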
CloudSolrServer server = getCloudSolrServer(collectionName);
try {
@@ -211,26 +211,26 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase {
SolrQuery query = new SolrQuery();
query.setQuery("*:*");
- // as admin -- should only get all groups token documents
+ // as admin -- should only get all roles token documents
setAuthenticationUser("admin");
QueryResponse rsp = server.query(query);
SolrDocumentList docList = rsp.getResults();
- assertEquals(totalAllGroupsAdded, docList.getNumFound());
+ assertEquals(totalAllRolesAdded, docList.getNumFound());
for (SolrDocument doc : docList) {
String id = doc.getFieldValue("id").toString();
- assertEquals(0, Long.valueOf(id) % allGroupsFactor);
+ assertEquals(0, Long.valueOf(id) % allRolesFactor);
}
- // as junit -- should get junit added + onlyAllGroupsAdded
+ // as junit -- should get junit added + onlyAllRolesAdded
setAuthenticationUser("junit");
rsp = server.query(query);
docList = rsp.getResults();
- assertEquals(totalJunitAdded + totalOnlyAllGroupsAdded, docList.getNumFound());
+ assertEquals(totalJunitAdded + totalOnlyAllRolesAdded, docList.getNumFound());
for (SolrDocument doc : docList) {
String id = doc.getFieldValue("id").toString();
boolean addedJunit = (Long.valueOf(id) % junitFactor) == 0;
- boolean onlyAllGroups = !addedJunit && (Long.valueOf(id) % allGroupsFactor) == 0;
- assertEquals(true, addedJunit || onlyAllGroups);
+ boolean onlyAllRoles = !addedJunit && (Long.valueOf(id) % allRolesFactor) == 0;
+ assertEquals(true, addedJunit || onlyAllRoles);
}
} finally {
server.shutdown();
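Review bot: The per-document loops inspect only the documents actually returned in `docList`, and no `setRows` call on `query` is visible in this hunk, so they likely cover just Solr's default first page while `getNumFound()` covers the whole result. A document visible to the wrong role beyond that page would be caught only if it also changed the count. Setting the page size before querying, e.g. `query.setRows(docs.size());`, would make the id checks cover every hit, assuming `docs` from the earlier hunk is still in scope here. `assertEquals(true, addedJunit || onlyAllRoles)` is also clearer as `assertTrue(addedJunit || onlyAllRoles)`. The enclosing try block opens in the previous hunk and the method ends outside this one.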
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
index 7c0d73f..af1184d 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
@@ -1343,24 +1343,20 @@
-->
</searchComponent>
- <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent" >
+ <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent" >
</searchComponent>
- <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" >
+ <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" >
<!-- Set to true to enabled document-level authorization -->
<bool name="enabled">true</bool>
<!-- Field where the auth tokens are stored in the document -->
<str name="sentryAuthField">sentry_auth</str>
- <!-- Auth token defined to allow any group to access the document.
+ <!-- Auth token defined to allow any role to access the document.
Uncomment to enable. -->
- <str name="allGroupsToken">OR</str>
+ <str name="allRolesToken">OR</str>
</searchComponent>
- <!--<searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" >
- <str name="sentryAuthField">sentry_auth</str>
- <str name="allGroupsToken">OR</str>
- </searchComponent>-->
<!-- A request handler for demonstrating the spellcheck component.
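Review bot: The comment above the new `allRolesToken` line still says "Uncomment to enable.", but the `<str name="allRolesToken">OR</str>` element is active. Going by the comment's own description of the token, any document carrying `OR` in `sentry_auth` is therefore readable by every role. A comment that matches the actual state keeps someone copying this block from believing the wildcard is off, e.g. `<!-- Auth token that grants every role access to a document. Active here; remove the element to disable. -->`. The same wording is added in the `solrconfig.xml` hunk at `@@ -1339,9 +1343,20 @@`, and "Set to true to enabled" should read "Set to true to enable" in both files.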
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
index 9e71f09..a8b63e6 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
@@ -876,6 +876,7 @@
-->
<arr name="first-components">
<str>queryIndexAuthorization</str>
+ <str>queryDocAuthorization</str>
</arr>
</requestHandler>
@@ -890,6 +891,7 @@
</lst>
<arr name="first-components">
<str>queryIndexAuthorization</str>
+ <str>queryDocAuthorization</str>
</arr>
</requestHandler>
@@ -905,6 +907,7 @@
</lst>
<arr name="first-components">
<str>queryIndexAuthorization</str>
+ <str>queryDocAuthorization</str>
</arr>
</requestHandler>
@@ -1002,6 +1005,7 @@
<arr name="first-components">
<str>queryIndexAuthorization</str>
+ <str>queryDocAuthorization</str>
</arr>
<!-- append spellchecking to our list of components -->
@@ -1339,9 +1343,20 @@
-->
</searchComponent>
- <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent" >
+ <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent" >
</searchComponent>
+ <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" >
+ <!-- Set to true to enabled document-level authorization -->
+ <bool name="enabled">false</bool>
+
+ <!-- Field where the auth tokens are stored in the document -->
+ <str name="sentryAuthField">sentry_auth</str>
+
+ <!-- Auth token defined to allow any role to access the document.
+ Uncomment to enable. -->
+ <str name="allRolesToken">OR</str>
+ </searchComponent>
<!-- A request handler for demonstrating the spellcheck component.
NOTE: This is purely as an example. The whole purpose of the
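Review bot: Nothing near the new `queryDocAuthorization` definition says that it has to be listed in a handler's `first-components`, yet this commit adds `<str>queryDocAuthorization</str>` to each handler separately. A handler added later without that entry would presumably answer queries without the doc-level filter once `enabled` is switched to true. I would add a comment above the component, e.g. `<!-- Must be listed in first-components of every request handler that serves queries, after queryIndexAuthorization -->`. Whether all existing handlers in this file are covered cannot be confirmed from the hunks shown.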
@@ -1399,6 +1414,7 @@
</lst>
<arr name="first-components">
<str>queryIndexAuthorization</str>
+ <str>queryDocAuthorization</str>
</arr>
<arr name="last-components">
<str>tvComponent</str>
@@ -1510,6 +1526,7 @@
</lst>
<arr name="first-components">
<str>queryIndexAuthorization</str>
+ <str>queryDocAuthorization</str>
</arr>
<arr name="last-components">
<str>clustering</str>
@@ -1533,6 +1550,7 @@
</lst>
<arr name="first-components">
<str>queryIndexAuthorization</str>
+ <str>queryDocAuthorization</str>
</arr>
<arr name="components">
<str>terms</str>
@@ -1562,6 +1580,7 @@
</lst>
<arr name="first-components">
<str>queryIndexAuthorization</str>
+ <str>queryDocAuthorization</str>
</arr>
<arr name="last-components">
<str>elevator</str>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
index a07fb2d..b7aa0c8 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
@@ -29,9 +29,9 @@ admin_query_update_group = admin_query_update_role
admin_all_group = admin_all_role
[roles]
-junit_role = collection=admin, collection=collection1, collection=docLevelCollection, collection=allGroupsCollection
+junit_role = collection=admin, collection=collection1, collection=docLevelCollection, collection=allRolesCollection
docLevel_role = collection=docLevelCollection
-admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allGroupsCollection, collection=testInvariantCollection
+admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allRolesCollection, collection=testInvariantCollection
sentryCollection_query_role = collection=sentryCollection->action=query
sentryCollection_update_role = collection=sentryCollection->action=update
sentryCollection_query_update_role = collection=sentryCollection->action=query, collection=sentryCollection->action=update