You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by sa...@apache.org on 2016/08/02 01:07:48 UTC
[28/40] lucene-solr:apiv2: SOLR-9200: Add Delegation Token Support to
Solr
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithDelegationTokens.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithDelegationTokens.java b/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithDelegationTokens.java
new file mode 100644
index 0000000..ae1c439
--- /dev/null
+++ b/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithDelegationTokens.java
@@ -0,0 +1,405 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.cloud;
+
+import junit.framework.Assert;
+import org.apache.hadoop.util.Time;
+import org.apache.lucene.util.LuceneTestCase;
+import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.client.solrj.impl.HttpSolrClient;
+import org.apache.solr.client.solrj.SolrRequest;
+import org.apache.solr.client.solrj.embedded.JettySolrRunner;
+import org.apache.solr.client.solrj.request.CollectionAdminRequest;
+import org.apache.solr.client.solrj.request.DelegationTokenRequest;
+import org.apache.solr.client.solrj.response.DelegationTokenResponse;
+import org.apache.solr.common.SolrException.ErrorCode;
+import org.apache.solr.common.cloud.SolrZkClient;
+import org.apache.solr.common.params.SolrParams;
+import org.apache.solr.common.params.ModifiableSolrParams;
+import static org.apache.solr.security.HttpParamDelegationTokenAuthenticationHandler.USER_PARAM;
+
+import org.apache.http.HttpStatus;
+import org.apache.solr.security.HttpParamDelegationTokenAuthenticationHandler;
+import org.apache.solr.security.KerberosPlugin;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.lang.invoke.MethodHandles;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Test the delegation token support in the {@link org.apache.solr.security.KerberosPlugin}.
+ */
+@LuceneTestCase.Slow
+public class TestSolrCloudWithDelegationTokens extends SolrTestCaseJ4 {
+ private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+ private static final int NUM_SERVERS = 2;
+ private static MiniSolrCloudCluster miniCluster;
+ private static HttpSolrClient solrClientPrimary;
+ private static HttpSolrClient solrClientSecondary;
+
+ @BeforeClass
+ public static void startup() throws Exception {
+ System.setProperty("authenticationPlugin", KerberosPlugin.class.getName());
+ System.setProperty(KerberosPlugin.DELEGATION_TOKEN_ENABLED, "true");
+ System.setProperty(KerberosPlugin.AUTH_HANDLER_PARAM,
+ HttpParamDelegationTokenAuthenticationHandler.class.getName());
+ System.setProperty("solr.kerberos.cookie.domain", "127.0.0.1");
+
+ miniCluster = new MiniSolrCloudCluster(NUM_SERVERS, createTempDir(), buildJettyConfig("/solr"));
+ JettySolrRunner runnerPrimary = miniCluster.getJettySolrRunners().get(0);
+ solrClientPrimary =
+ new HttpSolrClient.Builder(runnerPrimary.getBaseUrl().toString())
+ .build();
+ JettySolrRunner runnerSecondary = miniCluster.getJettySolrRunners().get(1);
+ solrClientSecondary =
+ new HttpSolrClient.Builder(runnerSecondary.getBaseUrl().toString())
+ .build();
+ }
+
+ @AfterClass
+ public static void shutdown() throws Exception {
+ if (miniCluster != null) {
+ miniCluster.shutdown();
+ }
+ miniCluster = null;
+ solrClientPrimary.close();
+ solrClientPrimary = null;
+ solrClientSecondary.close();
+ solrClientSecondary = null;
+ System.clearProperty("authenticationPlugin");
+ System.clearProperty(KerberosPlugin.DELEGATION_TOKEN_ENABLED);
+ System.clearProperty(KerberosPlugin.AUTH_HANDLER_PARAM);
+ System.clearProperty("solr.kerberos.cookie.domain");
+ }
+
+ private String getDelegationToken(final String renewer, final String user, HttpSolrClient solrClient) throws Exception {
+ DelegationTokenRequest.Get get = new DelegationTokenRequest.Get(renewer) {
+ @Override
+ public SolrParams getParams() {
+ ModifiableSolrParams params = new ModifiableSolrParams(super.getParams());
+ params.set(USER_PARAM, user);
+ return params;
+ }
+ };
+ DelegationTokenResponse.Get getResponse = get.process(solrClient);
+ return getResponse.getDelegationToken();
+ }
+
+ private long renewDelegationToken(final String token, final int expectedStatusCode,
+ final String user, HttpSolrClient client) throws Exception {
+ DelegationTokenRequest.Renew renew = new DelegationTokenRequest.Renew(token) {
+ @Override
+ public SolrParams getParams() {
+ ModifiableSolrParams params = new ModifiableSolrParams(super.getParams());
+ params.set(USER_PARAM, user);
+ return params;
+ }
+
+ @Override
+ public Set<String> getQueryParams() {
+ Set<String> queryParams = super.getQueryParams();
+ queryParams.add(USER_PARAM);
+ return queryParams;
+ }
+ };
+ try {
+ DelegationTokenResponse.Renew renewResponse = renew.process(client);
+ assertEquals(HttpStatus.SC_OK, expectedStatusCode);
+ return renewResponse.getExpirationTime();
+ } catch (HttpSolrClient.RemoteSolrException ex) {
+ assertEquals(expectedStatusCode, ex.code());
+ return -1;
+ }
+ }
+
+ private void cancelDelegationToken(String token, int expectedStatusCode, HttpSolrClient client)
+ throws Exception {
+ DelegationTokenRequest.Cancel cancel = new DelegationTokenRequest.Cancel(token);
+ try {
+ cancel.process(client);
+ assertEquals(HttpStatus.SC_OK, expectedStatusCode);
+ } catch (HttpSolrClient.RemoteSolrException ex) {
+ assertEquals(expectedStatusCode, ex.code());
+ }
+ }
+
+ private void doSolrRequest(String token, int expectedStatusCode, HttpSolrClient client)
+ throws Exception {
+ doSolrRequest(token, expectedStatusCode, client, 1);
+ }
+
+ private void doSolrRequest(String token, int expectedStatusCode, HttpSolrClient client, int trials)
+ throws Exception {
+ int lastStatusCode = 0;
+ for (int i = 0; i < trials; ++i) {
+ lastStatusCode = getStatusCode(token, null, null, client);
+ if (lastStatusCode == expectedStatusCode) {
+ return;
+ }
+ Thread.sleep(1000);
+ }
+ assertEquals("Did not receieve excepted status code", expectedStatusCode, lastStatusCode);
+ }
+
+ private SolrRequest getAdminRequest(final SolrParams params) {
+ return new CollectionAdminRequest.List() {
+ @Override
+ public SolrParams getParams() {
+ ModifiableSolrParams p = new ModifiableSolrParams(super.getParams());
+ p.add(params);
+ return p;
+ }
+ };
+ }
+
+ private int getStatusCode(String token, final String user, final String op, HttpSolrClient client)
+ throws Exception {
+ HttpSolrClient delegationTokenServer =
+ new HttpSolrClient.Builder(client.getBaseURL().toString())
+ .withDelegationToken(token)
+ .withResponseParser(client.getParser())
+ .build();
+ try {
+ ModifiableSolrParams p = new ModifiableSolrParams();
+ if (user != null) p.set(USER_PARAM, user);
+ if (op != null) p.set("op", op);
+ SolrRequest req = getAdminRequest(p);
+ if (user != null || op != null) {
+ Set<String> queryParams = new HashSet<String>();
+ if (user != null) queryParams.add(USER_PARAM);
+ if (op != null) queryParams.add("op");
+ req.setQueryParams(queryParams);
+ }
+ try {
+ delegationTokenServer.request(req, null, null);
+ return HttpStatus.SC_OK;
+ } catch (HttpSolrClient.RemoteSolrException re) {
+ return re.code();
+ }
+ } finally {
+ delegationTokenServer.close();
+ }
+ }
+
+ private void doSolrRequest(HttpSolrClient client, SolrRequest request,
+ int expectedStatusCode) throws Exception {
+ try {
+ client.request(request);
+ assertEquals(HttpStatus.SC_OK, expectedStatusCode);
+ } catch (HttpSolrClient.RemoteSolrException ex) {
+ assertEquals(expectedStatusCode, ex.code());
+ }
+ }
+
+ private void verifyTokenValid(String token) throws Exception {
+ // pass with token
+ doSolrRequest(token, HttpStatus.SC_OK, solrClientPrimary);
+
+ // fail without token
+ doSolrRequest(null, ErrorCode.UNAUTHORIZED.code, solrClientPrimary);
+
+ // pass with token on other server
+ doSolrRequest(token, HttpStatus.SC_OK, solrClientSecondary);
+
+ // fail without token on other server
+ doSolrRequest(null, ErrorCode.UNAUTHORIZED.code, solrClientSecondary);
+ }
+
+ /**
+ * Test basic Delegation Token get/verify
+ */
+ @Test
+ public void testDelegationTokenVerify() throws Exception {
+ final String user = "bar";
+
+ // Get token
+ String token = getDelegationToken(null, user, solrClientPrimary);
+ assertNotNull(token);
+ verifyTokenValid(token);
+ }
+
+ private void verifyTokenCancelled(String token, HttpSolrClient client) throws Exception {
+ // fail with token on both servers. If cancelToOtherURL is true,
+ // the request went to other url, so FORBIDDEN should be returned immediately.
+ // The cancelled token may take awhile to propogate to the standard url (via ZK).
+ // This is of course the opposite if cancelToOtherURL is false.
+ doSolrRequest(token, ErrorCode.FORBIDDEN.code, client, 10);
+
+ // fail without token on both servers
+ doSolrRequest(null, ErrorCode.UNAUTHORIZED.code, solrClientPrimary);
+ doSolrRequest(null, ErrorCode.UNAUTHORIZED.code, solrClientSecondary);
+ }
+
+ @Test
+ public void testDelegationTokenCancel() throws Exception {
+ {
+ // Get token
+ String token = getDelegationToken(null, "user", solrClientPrimary);
+ assertNotNull(token);
+
+ // cancel token, note don't need to be authenticated to cancel (no user specified)
+ cancelDelegationToken(token, HttpStatus.SC_OK, solrClientPrimary);
+ verifyTokenCancelled(token, solrClientPrimary);
+ }
+
+ {
+ // cancel token on different server from where we got it
+ String token = getDelegationToken(null, "user", solrClientPrimary);
+ assertNotNull(token);
+
+ cancelDelegationToken(token, HttpStatus.SC_OK, solrClientSecondary);
+ verifyTokenCancelled(token, solrClientSecondary);
+ }
+ }
+
+ @Test
+ public void testDelegationTokenCancelFail() throws Exception {
+ // cancel a bogus token
+ cancelDelegationToken("BOGUS", ErrorCode.NOT_FOUND.code, solrClientPrimary);
+
+ {
+ // cancel twice, first on same server
+ String token = getDelegationToken(null, "bar", solrClientPrimary);
+ assertNotNull(token);
+ cancelDelegationToken(token, HttpStatus.SC_OK, solrClientPrimary);
+ cancelDelegationToken(token, ErrorCode.NOT_FOUND.code, solrClientSecondary);
+ cancelDelegationToken(token, ErrorCode.NOT_FOUND.code, solrClientPrimary);
+ }
+
+ {
+ // cancel twice, first on other server
+ String token = getDelegationToken(null, "bar", solrClientPrimary);
+ assertNotNull(token);
+ cancelDelegationToken(token, HttpStatus.SC_OK, solrClientSecondary);
+ cancelDelegationToken(token, ErrorCode.NOT_FOUND.code, solrClientSecondary);
+ cancelDelegationToken(token, ErrorCode.NOT_FOUND.code, solrClientPrimary);
+ }
+ }
+
+ private void verifyDelegationTokenRenew(String renewer, String user)
+ throws Exception {
+ {
+ // renew on same server
+ String token = getDelegationToken(renewer, user, solrClientPrimary);
+ assertNotNull(token);
+ long now = Time.now();
+ assertTrue(renewDelegationToken(token, HttpStatus.SC_OK, user, solrClientPrimary) > now);
+ verifyTokenValid(token);
+ }
+
+ {
+ // renew on different server
+ String token = getDelegationToken(renewer, user, solrClientPrimary);
+ assertNotNull(token);
+ long now = Time.now();
+ assertTrue(renewDelegationToken(token, HttpStatus.SC_OK, user, solrClientSecondary) > now);
+ verifyTokenValid(token);
+ }
+ }
+
+ @Test
+ public void testDelegationTokenRenew() throws Exception {
+ // test with specifying renewer
+ verifyDelegationTokenRenew("bar", "bar");
+
+ // test without specifying renewer
+ verifyDelegationTokenRenew(null, "bar");
+ }
+
+ @Test
+ public void testDelegationTokenRenewFail() throws Exception {
+ // don't set renewer and try to renew as an a different user
+ String token = getDelegationToken(null, "bar", solrClientPrimary);
+ assertNotNull(token);
+ renewDelegationToken(token, ErrorCode.FORBIDDEN.code, "foo", solrClientPrimary);
+ renewDelegationToken(token, ErrorCode.FORBIDDEN.code, "foo", solrClientSecondary);
+
+ // set renewer and try to renew as different user
+ token = getDelegationToken("renewUser", "bar", solrClientPrimary);
+ assertNotNull(token);
+ renewDelegationToken(token, ErrorCode.FORBIDDEN.code, "notRenewUser", solrClientPrimary);
+ renewDelegationToken(token, ErrorCode.FORBIDDEN.code, "notRenewUser", solrClientSecondary);
+ }
+
+ /**
+ * Test that a non-delegation-token "op" http param is handled correctly
+ */
+ @Test
+ public void testDelegationOtherOp() throws Exception {
+ assertEquals(HttpStatus.SC_OK, getStatusCode(null, "bar", "someSolrOperation", solrClientPrimary));
+ }
+
+ @Test
+ public void testZNodePaths() throws Exception {
+ getDelegationToken(null, "bar", solrClientPrimary);
+ SolrZkClient zkClient = new SolrZkClient(miniCluster.getZkServer().getZkAddress(), 1000);
+ try {
+ assertTrue(zkClient.exists("/security/zkdtsm", true));
+ assertTrue(zkClient.exists("/security/token", true));
+ } finally {
+ zkClient.close();
+ }
+ }
+
+ /**
+ * Test HttpSolrServer's delegation token support
+ */
+ @Test
+ public void testDelegationTokenSolrClient() throws Exception {
+ // Get token
+ String token = getDelegationToken(null, "bar", solrClientPrimary);
+ assertNotNull(token);
+
+ SolrRequest request = getAdminRequest(new ModifiableSolrParams());
+
+ // test without token
+ HttpSolrClient ss =
+ new HttpSolrClient.Builder(solrClientPrimary.getBaseURL().toString())
+ .withResponseParser(solrClientPrimary.getParser())
+ .build();
+ try {
+ doSolrRequest(ss, request, ErrorCode.UNAUTHORIZED.code);
+ } finally {
+ ss.close();
+ }
+
+ ss = new HttpSolrClient.Builder(solrClientPrimary.getBaseURL().toString())
+ .withDelegationToken(token)
+ .withResponseParser(solrClientPrimary.getParser())
+ .build();
+ try {
+ // test with token via property
+ doSolrRequest(ss, request, HttpStatus.SC_OK);
+
+ // test with param -- should throw an exception
+ ModifiableSolrParams tokenParam = new ModifiableSolrParams();
+ tokenParam.set("delegation", "invalidToken");
+ try {
+ doSolrRequest(ss, getAdminRequest(tokenParam), ErrorCode.FORBIDDEN.code);
+ Assert.fail("Expected exception");
+ } catch (IllegalArgumentException ex) {}
+ } finally {
+ ss.close();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java b/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java
index 6ac2254..c505b51 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestSolrCloudWithKerberosAlt.java
@@ -17,15 +17,12 @@
package org.apache.solr.cloud;
import java.io.File;
+import java.lang.invoke.MethodHandles;
import java.nio.charset.StandardCharsets;
import java.util.List;
-import java.util.Locale;
import java.util.Properties;
-import javax.security.auth.login.Configuration;
-
import org.apache.commons.io.FileUtils;
-import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.lucene.index.TieredMergePolicy;
import org.apache.lucene.util.Constants;
import org.apache.lucene.util.LuceneTestCase;
@@ -49,6 +46,8 @@ import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.RuleChain;
import org.junit.rules.TestRule;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
@@ -67,7 +66,7 @@ import com.carrotsearch.randomizedtesting.rules.SystemPropertiesRestoreRule;
@LuceneTestCase.SuppressSysoutChecks(bugUrl = "Solr logs to JUL")
public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
- private final Configuration originalConfig = Configuration.getConfiguration();
+ private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
protected final int NUM_SERVERS;
protected final int NUM_SHARDS;
protected final int REPLICATION_FACTOR;
@@ -78,10 +77,8 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
REPLICATION_FACTOR = 1;
}
- private MiniKdc kdc;
+ private KerberosTestServices kerberosTestServices;
- private Locale savedLocale; // in case locale is broken and we need to fill in a working locale
-
@Rule
public TestRule solrTestRules = RuleChain
.outerRule(new SystemPropertiesRestoreRule());
@@ -98,7 +95,6 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
@Override
public void setUp() throws Exception {
- savedLocale = KerberosTestUtil.overrideLocaleIfNotSpportedByMiniKdc();
super.setUp();
setupMiniKdc();
}
@@ -106,12 +102,15 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
private void setupMiniKdc() throws Exception {
System.setProperty("solr.jaas.debug", "true");
String kdcDir = createTempDir()+File.separator+"minikdc";
- kdc = KerberosTestUtil.getKdc(new File(kdcDir));
+ String solrClientPrincipal = "solr";
File keytabFile = new File(kdcDir, "keytabs");
+ kerberosTestServices = KerberosTestServices.builder()
+ .withKdc(new File(kdcDir))
+ .withJaasConfiguration(solrClientPrincipal, keytabFile, "SolrClient")
+ .build();
String solrServerPrincipal = "HTTP/127.0.0.1";
- String solrClientPrincipal = "solr";
- kdc.start();
- kdc.createPrincipal(keytabFile, solrServerPrincipal, solrClientPrincipal);
+ kerberosTestServices.start();
+ kerberosTestServices.getKdc().createPrincipal(keytabFile, solrServerPrincipal, solrClientPrincipal);
String jaas = "SolrClient {\n"
+ " com.sun.security.auth.module.Krb5LoginModule required\n"
@@ -124,9 +123,6 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
+ " principal=\"" + solrClientPrincipal + "\";\n"
+ "};";
- Configuration conf = new KerberosTestUtil.JaasConfiguration(solrClientPrincipal, keytabFile, "SolrClient");
- Configuration.setConfiguration(conf);
-
String jaasFilePath = kdcDir+File.separator+"jaas-client.conf";
FileUtils.write(new File(jaasFilePath), jaas, StandardCharsets.UTF_8);
System.setProperty("java.security.auth.login.config", jaasFilePath);
@@ -135,6 +131,9 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
System.setProperty("solr.kerberos.principal", solrServerPrincipal);
System.setProperty("solr.kerberos.keytab", keytabFile.getAbsolutePath());
System.setProperty("authenticationPlugin", "org.apache.solr.security.KerberosPlugin");
+ boolean enableDt = random().nextBoolean();
+ log.info("Enable delegation token: " + enableDt);
+ System.setProperty("solr.kerberos.delegation.token.enabled", new Boolean(enableDt).toString());
// Extracts 127.0.0.1 from HTTP/127.0.0.1@EXAMPLE.COM
System.setProperty("solr.kerberos.name.rules", "RULE:[1:$1@$0](.*EXAMPLE.COM)s/@.*//"
+ "\nRULE:[2:$2@$0](.*EXAMPLE.COM)s/@.*//"
@@ -240,11 +239,7 @@ public class TestSolrCloudWithKerberosAlt extends LuceneTestCase {
System.clearProperty("authenticationPlugin");
System.clearProperty("solr.kerberos.name.rules");
System.clearProperty("solr.jaas.debug");
- Configuration.setConfiguration(this.originalConfig);
- if (kdc != null) {
- kdc.stop();
- }
- Locale.setDefault(savedLocale);
+ kerberosTestServices.stop();
super.tearDown();
}
}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java b/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java
index 31919a8..95422fa 100644
--- a/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java
+++ b/solr/core/src/test/org/apache/solr/cloud/VMParamsZkACLAndCredentialsProvidersTest.java
@@ -21,6 +21,7 @@ import java.lang.invoke.MethodHandles;
import java.nio.charset.Charset;
import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.common.cloud.SecurityAwareZkACLProvider;
import org.apache.solr.common.cloud.SolrZkClient;
import org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider;
import org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider;
@@ -76,6 +77,8 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
zkClient.create("/protectedCreateNode", "content".getBytes(DATA_ENCODING), CreateMode.PERSISTENT, false);
zkClient.makePath("/protectedMakePathNode", "content".getBytes(DATA_ENCODING), CreateMode.PERSISTENT, false);
+
+ zkClient.create(SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH, "content".getBytes(DATA_ENCODING), CreateMode.PERSISTENT, false);
zkClient.close();
clearSecuritySystemProperties();
@@ -106,7 +109,9 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
SolrZkClient zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
try {
- doTest(zkClient, false, false, false, false, false);
+ doTest(zkClient,
+ false, false, false, false, false,
+ false, false, false, false, false);
} finally {
zkClient.close();
}
@@ -118,7 +123,9 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
SolrZkClient zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
try {
- doTest(zkClient, false, false, false, false, false);
+ doTest(zkClient,
+ false, false, false, false, false,
+ false, false, false, false, false);
} finally {
zkClient.close();
}
@@ -130,7 +137,9 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
SolrZkClient zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
try {
- doTest(zkClient, true, true, true, true, true);
+ doTest(zkClient,
+ true, true, true, true, true,
+ true, true, true, true, true);
} finally {
zkClient.close();
}
@@ -142,17 +151,23 @@ public class VMParamsZkACLAndCredentialsProvidersTest extends SolrTestCaseJ4 {
SolrZkClient zkClient = new SolrZkClient(zkServer.getZkAddress(), AbstractZkTestCase.TIMEOUT);
try {
- doTest(zkClient, true, true, false, false, false);
+ doTest(zkClient,
+ true, true, false, false, false,
+ false, false, false, false, false);
} finally {
zkClient.close();
}
}
- protected static void doTest(SolrZkClient zkClient, boolean getData, boolean list, boolean create, boolean setData, boolean delete) throws Exception {
+ protected static void doTest(
+ SolrZkClient zkClient,
+ boolean getData, boolean list, boolean create, boolean setData, boolean delete,
+ boolean secureGet, boolean secureList, boolean secureCreate, boolean secureSet, boolean secureDelete) throws Exception {
doTest(zkClient, "/protectedCreateNode", getData, list, create, setData, delete);
doTest(zkClient, "/protectedMakePathNode", getData, list, create, setData, delete);
doTest(zkClient, "/unprotectedCreateNode", true, true, true, true, delete);
doTest(zkClient, "/unprotectedMakePathNode", true, true, true, true, delete);
+ doTest(zkClient, SecurityAwareZkACLProvider.SECURITY_ZNODE_PATH, secureGet, secureList, secureCreate, secureSet, secureDelete);
}
protected static void doTest(SolrZkClient zkClient, String path, boolean getData, boolean list, boolean create, boolean setData, boolean delete) throws Exception {
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenAuthenticationHandler.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenAuthenticationHandler.java b/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenAuthenticationHandler.java
new file mode 100644
index 0000000..7c5c94a
--- /dev/null
+++ b/solr/core/src/test/org/apache/solr/security/HttpParamDelegationTokenAuthenticationHandler.java
@@ -0,0 +1,109 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.security;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
+import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler;
+
+import org.apache.http.NameValuePair;
+import org.apache.http.client.utils.URLEncodedUtils;
+
+/**
+ * AuthenticationHandler that supports delegation tokens and simple
+ * authentication via the "user" http parameter
+ */
+public class HttpParamDelegationTokenAuthenticationHandler extends
+ DelegationTokenAuthenticationHandler {
+
+ public static final String USER_PARAM = "user";
+
+ public HttpParamDelegationTokenAuthenticationHandler() {
+ super(new HttpParamAuthenticationHandler());
+ }
+
+ @Override
+ public void init(Properties config) throws ServletException {
+ Properties conf = new Properties();
+ for (Map.Entry entry : config.entrySet()) {
+ conf.setProperty((String) entry.getKey(), (String) entry.getValue());
+ }
+ conf.setProperty(TOKEN_KIND, KerberosPlugin.DELEGATION_TOKEN_TYPE_DEFAULT);
+ super.init(conf);
+ }
+
+ private static String getHttpParam(HttpServletRequest request, String param) {
+ List<NameValuePair> pairs =
+ URLEncodedUtils.parse(request.getQueryString(), Charset.forName("UTF-8"));
+ for (NameValuePair nvp : pairs) {
+ if(param.equals(nvp.getName())) {
+ return nvp.getValue();
+ }
+ }
+ return null;
+ }
+
+ private static class HttpParamAuthenticationHandler
+ implements AuthenticationHandler {
+
+ @Override
+ public String getType() {
+ return "dummy";
+ }
+
+ @Override
+ public void init(Properties config) throws ServletException {
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ @Override
+ public boolean managementOperation(AuthenticationToken token,
+ HttpServletRequest request, HttpServletResponse response)
+ throws IOException, AuthenticationException {
+ return false;
+ }
+
+ @Override
+ public AuthenticationToken authenticate(HttpServletRequest request,
+ HttpServletResponse response)
+ throws IOException, AuthenticationException {
+ AuthenticationToken token = null;
+ String userName = getHttpParam(request, USER_PARAM);
+ if (userName != null) {
+ return new AuthenticationToken(userName, userName, "test");
+ } else {
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setHeader("WWW-Authenticate", "dummy");
+ }
+ return token;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java
index e3cf7bd..3013086 100644
--- a/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/MockAuthenticationPlugin.java
@@ -20,11 +20,16 @@ import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
+import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Predicate;
+import org.apache.http.auth.BasicUserPrincipal;
+
public class MockAuthenticationPlugin extends AuthenticationPlugin {
static Predicate<ServletRequest> predicate;
@@ -33,7 +38,7 @@ public class MockAuthenticationPlugin extends AuthenticationPlugin {
}
@Override
- public void doAuthenticate(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+ public boolean doAuthenticate(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
String user = null;
if (predicate != null) {
if (predicate.test(request)) {
@@ -41,9 +46,32 @@ public class MockAuthenticationPlugin extends AuthenticationPlugin {
request.removeAttribute(Principal.class.getName());
}
}
- forward(user, request, response, filterChain);
+
+ final FilterChain ffc = filterChain;
+ final AtomicBoolean requestContinues = new AtomicBoolean(false);
+ forward(user, request, response, new FilterChain() {
+ @Override
+ public void doFilter(ServletRequest req, ServletResponse res) throws IOException, ServletException {
+ ffc.doFilter(req, res);
+ requestContinues.set(true);
+ }
+ });
+ return requestContinues.get();
}
+ protected void forward(String user, ServletRequest req, ServletResponse rsp,
+ FilterChain chain) throws IOException, ServletException {
+ if(user != null) {
+ final Principal p = new BasicUserPrincipal(user);
+ req = new HttpServletRequestWrapper((HttpServletRequest) req) {
+ @Override
+ public Principal getUserPrincipal() {
+ return p;
+ }
+ };
+ }
+ chain.doFilter(req,rsp);
+ }
@Override
public void close() throws IOException {
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/licenses/curator-recipes-2.8.0.jar.sha1
----------------------------------------------------------------------
diff --git a/solr/licenses/curator-recipes-2.8.0.jar.sha1 b/solr/licenses/curator-recipes-2.8.0.jar.sha1
new file mode 100644
index 0000000..82d8946
--- /dev/null
+++ b/solr/licenses/curator-recipes-2.8.0.jar.sha1
@@ -0,0 +1 @@
+c563e25fb37f85a6b029bc9746e75573640474fb
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/licenses/curator-recipes-LICENSE-ASL.txt
----------------------------------------------------------------------
diff --git a/solr/licenses/curator-recipes-LICENSE-ASL.txt b/solr/licenses/curator-recipes-LICENSE-ASL.txt
new file mode 100644
index 0000000..7a4a3ea
--- /dev/null
+++ b/solr/licenses/curator-recipes-LICENSE-ASL.txt
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/licenses/curator-recipes-NOTICE.txt
----------------------------------------------------------------------
diff --git a/solr/licenses/curator-recipes-NOTICE.txt b/solr/licenses/curator-recipes-NOTICE.txt
new file mode 100644
index 0000000..f568d0f
--- /dev/null
+++ b/solr/licenses/curator-recipes-NOTICE.txt
@@ -0,0 +1,5 @@
+Apache Curator
+Copyright 2013-2014 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/ivy.xml
----------------------------------------------------------------------
diff --git a/solr/solrj/ivy.xml b/solr/solrj/ivy.xml
index ceefcc3..f2296c5 100644
--- a/solr/solrj/ivy.xml
+++ b/solr/solrj/ivy.xml
@@ -1,3 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
@@ -40,6 +41,10 @@
<dependency org="org.slf4j" name="slf4j-log4j12" rev="${/org.slf4j/slf4j-log4j12}" conf="test"/>
+ <dependency org="com.fasterxml.jackson.core" name="jackson-annotations" rev="${/com.fasterxml.jackson.core/jackson-annotations}" conf="compile"/>
+ <dependency org="com.fasterxml.jackson.core" name="jackson-core" rev="${/com.fasterxml.jackson.core/jackson-core}" conf="compile"/>
+ <dependency org="com.fasterxml.jackson.core" name="jackson-databind" rev="${/com.fasterxml.jackson.core/jackson-databind}" conf="compile"/>
+ <dependency org="com.google.guava" name="guava" rev="${/com.google.guava/guava}" conf="compile"/>
<exclude org="*" ext="*" matcher="regexp" type="${ivy.exclude.types}"/>
</dependencies>
</ivy-module>
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
index 9b0cf8d..222119c 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
@@ -23,6 +23,7 @@ import java.lang.invoke.MethodHandles;
import java.net.ConnectException;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
@@ -30,6 +31,7 @@ import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
+import java.util.TreeSet;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
@@ -743,7 +745,44 @@ public class HttpSolrClient extends SolrClient {
super(code, "Error from server at " + remoteHost + ": " + msg, th);
}
}
-
+
+ private static class DelegationTokenHttpSolrClient extends HttpSolrClient {
+ private final String DELEGATION_TOKEN_PARAM = "delegation";
+ private final String delegationToken;
+
+ public DelegationTokenHttpSolrClient(String baseURL,
+ HttpClient client,
+ ResponseParser parser,
+ boolean allowCompression,
+ String delegationToken) {
+ super(baseURL, client, parser, allowCompression);
+ if (delegationToken == null) {
+ throw new IllegalArgumentException("Delegation token cannot be null");
+ }
+ this.delegationToken = delegationToken;
+ setQueryParams(new TreeSet<String>(Arrays.asList(DELEGATION_TOKEN_PARAM)));
+ invariantParams = new ModifiableSolrParams();
+ invariantParams.set(DELEGATION_TOKEN_PARAM, delegationToken);
+ }
+
+ @Override
+ protected HttpRequestBase createMethod(final SolrRequest request, String collection) throws IOException, SolrServerException {
+ SolrParams params = request.getParams();
+ if (params.getParams(DELEGATION_TOKEN_PARAM) != null) {
+ throw new IllegalArgumentException(DELEGATION_TOKEN_PARAM + " parameter not supported");
+ }
+ return super.createMethod(request, collection);
+ }
+
+ @Override
+ public void setQueryParams(Set<String> queryParams) {
+ if (queryParams == null || !queryParams.contains(DELEGATION_TOKEN_PARAM)) {
+ throw new IllegalArgumentException("Query params must contain " + DELEGATION_TOKEN_PARAM);
+ }
+ super.setQueryParams(queryParams);
+ }
+ }
+
/**
* Constructs {@link HttpSolrClient} instances from provided configuration.
*/
@@ -752,6 +791,7 @@ public class HttpSolrClient extends SolrClient {
private HttpClient httpClient;
private ResponseParser responseParser;
private boolean compression;
+ private String delegationToken;
/**
* Create a Builder object, based on the provided Solr URL.
@@ -788,7 +828,14 @@ public class HttpSolrClient extends SolrClient {
this.compression = compression;
return this;
}
-
+
+ /**
+ * Use a delegation token for authenticating via the KerberosPlugin
+ */
+ public Builder withDelegationToken(String delegationToken) {
+ this.delegationToken = delegationToken;
+ return this;
+ }
/**
* Create a {@link HttpSolrClient} based on provided configuration.
*/
@@ -796,7 +843,11 @@ public class HttpSolrClient extends SolrClient {
if (baseSolrUrl == null) {
throw new IllegalArgumentException("Cannot create HttpSolrClient without a valid baseSolrUrl!");
}
- return new HttpSolrClient(baseSolrUrl, httpClient, responseParser, compression);
+ if (delegationToken == null) {
+ return new HttpSolrClient(baseSolrUrl, httpClient, responseParser, compression);
+ } else {
+ return new DelegationTokenHttpSolrClient(baseSolrUrl, httpClient, responseParser, compression, delegationToken);
+ }
}
}
}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientBuilder.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientBuilder.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientBuilder.java
index 9d5a926..84fe5f9 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientBuilder.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientBuilder.java
@@ -26,6 +26,7 @@ import java.util.Set;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
+import com.google.common.annotations.VisibleForTesting;
import org.apache.http.HttpEntity;
import org.apache.http.HttpEntityEnclosingRequest;
import org.apache.http.HttpRequestInterceptor;
@@ -51,12 +52,21 @@ public class Krb5HttpClientBuilder {
public static final String LOGIN_CONFIG_PROP = "java.security.auth.login.config";
private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
- private static final Configuration jaasConfig = new SolrJaasConfiguration();
+ private static Configuration jaasConfig = new SolrJaasConfiguration();
public Krb5HttpClientBuilder() {
}
-
+
+ /**
+ * The jaasConfig is static, which makes it problematic for testing in the same jvm.
+ * Call this function to regenerate the static config (this is not thread safe).
+ */
+ @VisibleForTesting
+ public static void regenerateJaasConfiguration() {
+ jaasConfig = new SolrJaasConfiguration();
+ }
+
public SolrHttpClientBuilder getBuilder() {
return getBuilder(HttpClientUtil.getHttpClientBuilder());
}
@@ -104,9 +114,9 @@ public class Krb5HttpClientBuilder {
return null;
}
};
-
+
HttpClientUtil.setCookiePolicy(SolrPortAwareCookieSpecFactory.POLICY_NAME);
-
+
builder.setCookieSpecRegistryProvider(() -> {
SolrPortAwareCookieSpecFactory cookieFactory = new SolrPortAwareCookieSpecFactory();
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/client/solrj/request/DelegationTokenRequest.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/request/DelegationTokenRequest.java b/solr/solrj/src/java/org/apache/solr/client/solrj/request/DelegationTokenRequest.java
new file mode 100644
index 0000000..6d2f0cb
--- /dev/null
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/request/DelegationTokenRequest.java
@@ -0,0 +1,152 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.client.solrj.request;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.apache.solr.client.solrj.SolrRequest;
+import org.apache.solr.client.solrj.SolrClient;
+import org.apache.solr.client.solrj.impl.NoOpResponseParser;
+import org.apache.solr.client.solrj.response.DelegationTokenResponse;
+
+import org.apache.solr.common.params.ModifiableSolrParams;
+import org.apache.solr.common.params.SolrParams;
+import org.apache.solr.common.util.ContentStream;
+
+/**
+ * Class for making Solr delegation token requests.
+ *
+ * @since Solr 6.2
+ */
+public abstract class DelegationTokenRequest
+ <Q extends DelegationTokenRequest<Q,R>, R extends DelegationTokenResponse>
+ extends SolrRequest<R> {
+
+ protected static final String OP_KEY = "op";
+ protected static final String TOKEN_KEY = "token";
+
+ public DelegationTokenRequest(METHOD m) {
+ // path doesn't really matter -- the filter will respond to any path.
+ // setting the path to admin/collections lets us pass through CloudSolrServer
+ // without having to specify a collection (that may not even exist yet).
+ super(m, "/admin/collections");
+ }
+
+ protected abstract Q getThis();
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Collection<ContentStream> getContentStreams() throws IOException {
+ return null;
+ }
+
+ @Override
+ protected abstract R createResponse(SolrClient client);
+
+ public static class Get extends DelegationTokenRequest<Get, DelegationTokenResponse.Get> {
+ protected String renewer;
+
+ public Get() {
+ this(null);
+ }
+
+ public Get(String renewer) {
+ super(METHOD.GET);
+ this.renewer = renewer;
+ setResponseParser(new DelegationTokenResponse.JsonMapResponseParser());
+ setQueryParams(new TreeSet<String>(Arrays.asList(OP_KEY)));
+ }
+
+ @Override
+ protected Get getThis() {
+ return this;
+ }
+
+ @Override
+ public SolrParams getParams() {
+ ModifiableSolrParams params = new ModifiableSolrParams();
+ params.set(OP_KEY, "GETDELEGATIONTOKEN");
+ if (renewer != null) params.set("renewer", renewer);
+ return params;
+ }
+
+ @Override
+ public DelegationTokenResponse.Get createResponse(SolrClient client) { return new DelegationTokenResponse.Get(); }
+ }
+
+ public static class Renew extends DelegationTokenRequest<Renew, DelegationTokenResponse.Renew> {
+ protected String token;
+
+ @Override
+ protected Renew getThis() {
+ return this;
+ }
+
+ public Renew(String token) {
+ super(METHOD.PUT);
+ this.token = token;
+ setResponseParser(new DelegationTokenResponse.JsonMapResponseParser());
+ setQueryParams(new TreeSet<String>(Arrays.asList(OP_KEY, TOKEN_KEY)));
+ }
+
+ @Override
+ public SolrParams getParams() {
+ ModifiableSolrParams params = new ModifiableSolrParams();
+ params.set(OP_KEY, "RENEWDELEGATIONTOKEN");
+ params.set(TOKEN_KEY, token);
+ return params;
+ }
+
+ @Override
+ public DelegationTokenResponse.Renew createResponse(SolrClient client) { return new DelegationTokenResponse.Renew(); }
+ }
+
+ public static class Cancel extends DelegationTokenRequest<Cancel, DelegationTokenResponse.Cancel> {
+ protected String token;
+
+ public Cancel(String token) {
+ super(METHOD.PUT);
+ this.token = token;
+ setResponseParser(new NoOpResponseParser());
+ Set<String> queryParams = new TreeSet<String>();
+ setQueryParams(new TreeSet<String>(Arrays.asList(OP_KEY, TOKEN_KEY)));
+ }
+
+ @Override
+ protected Cancel getThis() {
+ return this;
+ }
+
+ @Override
+ public SolrParams getParams() {
+ ModifiableSolrParams params = new ModifiableSolrParams();
+ params.set(OP_KEY, "CANCELDELEGATIONTOKEN");
+ params.set(TOKEN_KEY, token);
+ return params;
+ }
+
+ @Override
+ public DelegationTokenResponse.Cancel createResponse(SolrClient client) { return new DelegationTokenResponse.Cancel(); }
+ }
+}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/client/solrj/response/DelegationTokenResponse.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/response/DelegationTokenResponse.java b/solr/solrj/src/java/org/apache/solr/client/solrj/response/DelegationTokenResponse.java
new file mode 100644
index 0000000..c80e2eb
--- /dev/null
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/response/DelegationTokenResponse.java
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.client.solrj.response;
+
+import org.apache.solr.client.solrj.ResponseParser;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.util.NamedList;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.util.Map;
+
+/**
+ * Delegation Token responses
+ */
+public abstract class DelegationTokenResponse extends SolrResponseBase {
+
+ public static class Get extends DelegationTokenResponse {
+
+ /**
+ * Get the urlString to be used as the delegation token
+ */
+ public String getDelegationToken() {
+ try {
+ Map map = (Map)getResponse().get("Token");
+ if (map != null) {
+ return (String)map.get("urlString");
+ }
+ } catch (ClassCastException e) {
+ throw new SolrException (SolrException.ErrorCode.SERVER_ERROR,
+ "parsing error", e);
+ }
+ return null;
+ }
+ }
+
+ public static class Renew extends DelegationTokenResponse {
+ public Long getExpirationTime() {
+ try {
+ return (Long)getResponse().get("long");
+ } catch (ClassCastException e) {
+ throw new SolrException (SolrException.ErrorCode.SERVER_ERROR,
+ "parsing error", e);
+ }
+ }
+ }
+
+ public static class Cancel extends DelegationTokenResponse {
+ }
+
+ /**
+ * ResponseParser for JsonMaps. Used for Get and Renew DelegationToken responses.
+ */
+ public static class JsonMapResponseParser extends ResponseParser {
+ @Override
+ public String getWriterType() {
+ return "json";
+ }
+
+ @Override
+ public NamedList<Object> processResponse(InputStream body, String encoding) {
+ ObjectMapper mapper = new ObjectMapper();
+ Map map = null;
+ try {
+ map = mapper.readValue(body, Map.class);
+ } catch (IOException e) {
+ throw new SolrException (SolrException.ErrorCode.SERVER_ERROR,
+ "parsing error", e);
+ }
+ NamedList<Object> list = new NamedList<Object>();
+ list.addAll(map);
+ return list;
+ }
+
+ @Override
+ public NamedList<Object> processResponse(Reader reader) {
+ throw new RuntimeException("Cannot handle character stream");
+ }
+
+ @Override
+ public String getContentType() {
+ return "application/json";
+ }
+
+ @Override
+ public String getVersion() {
+ return "1";
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java b/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java
index eaccb8c..c67ad12 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/SaslZkACLProvider.java
@@ -30,19 +30,22 @@ import org.apache.zookeeper.data.Id;
* configurations have already been set up and will not be modified, or
* where configuration changes are controlled via Solr APIs.
*/
-public class SaslZkACLProvider extends DefaultZkACLProvider {
+public class SaslZkACLProvider extends SecurityAwareZkACLProvider {
private static String superUser = System.getProperty("solr.authorization.superuser", "solr");
@Override
- protected List<ACL> createGlobalACLsToAdd() {
- List<ACL> result = new ArrayList<ACL>();
- result.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", superUser)));
- result.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
+ protected List<ACL> createNonSecurityACLsToAdd() {
+ List<ACL> ret = new ArrayList<ACL>();
+ ret.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", superUser)));
+ ret.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
+ return ret;
+ }
- if (result.isEmpty()) {
- result = super.createGlobalACLsToAdd();
- }
- return result;
+ @Override
+ protected List<ACL> createSecurityACLsToAdd() {
+ List<ACL> ret = new ArrayList<ACL>();
+ ret.add(new ACL(ZooDefs.Perms.ALL, new Id("sasl", superUser)));
+ return ret;
}
}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/common/cloud/SecurityAwareZkACLProvider.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/SecurityAwareZkACLProvider.java b/solr/solrj/src/java/org/apache/solr/common/cloud/SecurityAwareZkACLProvider.java
new file mode 100644
index 0000000..1c74d94
--- /dev/null
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/SecurityAwareZkACLProvider.java
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.common.cloud;
+
+import java.util.List;
+
+import org.apache.zookeeper.data.ACL;
+
+/**
+ * {@link ZkACLProvider} capable of returning a different set of
+ * {@link ACL}s for security-related znodes (default: subtree under /security)
+ * vs non-security-related znodes.
+ */
+public abstract class SecurityAwareZkACLProvider implements ZkACLProvider {
+ public static final String SECURITY_ZNODE_PATH = "/security";
+
+ private List<ACL> nonSecurityACLsToAdd;
+ private List<ACL> securityACLsToAdd;
+
+
+ @Override
+ public List<ACL> getACLsToAdd(String zNodePath) {
+ if (isSecurityZNodePath(zNodePath)) {
+ return getSecurityACLsToAdd();
+ } else {
+ return getNonSecurityACLsToAdd();
+ }
+ }
+
+ protected boolean isSecurityZNodePath(String zNodePath) {
+ if (zNodePath != null
+ && (zNodePath.equals(SECURITY_ZNODE_PATH) || zNodePath.startsWith(SECURITY_ZNODE_PATH + "/"))) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * @return Set of ACLs to return for non-security related znodes
+ */
+ protected abstract List<ACL> createNonSecurityACLsToAdd();
+
+ /**
+ * @return Set of ACLs to return security-related znodes
+ */
+ protected abstract List<ACL> createSecurityACLsToAdd();
+
+ private List<ACL> getNonSecurityACLsToAdd() {
+ if (nonSecurityACLsToAdd == null) {
+ synchronized (this) {
+ if (nonSecurityACLsToAdd == null) nonSecurityACLsToAdd = createNonSecurityACLsToAdd();
+ }
+ }
+ return nonSecurityACLsToAdd;
+ }
+
+ private List<ACL> getSecurityACLsToAdd() {
+ if (securityACLsToAdd == null) {
+ synchronized (this) {
+ if (securityACLsToAdd == null) securityACLsToAdd = createSecurityACLsToAdd();
+ }
+ }
+ return securityACLsToAdd;
+ }
+}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java b/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java
index af6f9be..516b7b9 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/SolrZkClient.java
@@ -122,12 +122,12 @@ public class SolrZkClient implements Closeable {
public SolrZkClient(String zkServerAddress, int zkClientTimeout, int clientConnectTimeout,
ZkClientConnectionStrategy strat, final OnReconnect onReconnect, BeforeReconnect beforeReconnect, ZkACLProvider zkACLProvider) {
- this.zkClientConnectionStrategy = strat;
this.zkServerAddress = zkServerAddress;
if (strat == null) {
strat = new DefaultConnectionStrategy();
}
+ this.zkClientConnectionStrategy = strat;
if (!strat.hasZkCredentialsToAddAutomatically()) {
ZkCredentialsProvider zkCredentialsToAddAutomatically = createZkCredentialsToAddAutomatically();
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java b/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java
index f6f491b..8866245 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/VMParamsAllAndReadonlyDigestZkACLProvider.java
@@ -20,13 +20,14 @@ import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
+import com.google.common.annotations.VisibleForTesting;
import org.apache.solr.common.StringUtils;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
-public class VMParamsAllAndReadonlyDigestZkACLProvider extends DefaultZkACLProvider {
+public class VMParamsAllAndReadonlyDigestZkACLProvider extends SecurityAwareZkACLProvider {
public static final String DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME = "zkDigestReadonlyUsername";
public static final String DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME = "zkDigestReadonlyPassword";
@@ -53,29 +54,56 @@ public class VMParamsAllAndReadonlyDigestZkACLProvider extends DefaultZkACLProvi
this.zkDigestReadonlyPasswordVMParamName = zkDigestReadonlyPasswordVMParamName;
}
+ /**
+ * @return Set of ACLs to return for non-security related znodes
+ */
+ @Override
+ protected List<ACL> createNonSecurityACLsToAdd() {
+ return createACLsToAdd(true);
+ }
+ /**
+ * @return Set of ACLs to return security-related znodes
+ */
@Override
- protected List<ACL> createGlobalACLsToAdd() {
- try {
+ protected List<ACL> createSecurityACLsToAdd() {
+ return createACLsToAdd(false);
+ }
+
+ protected List<ACL> createACLsToAdd(boolean includeReadOnly) {
+ String digestAllUsername = System.getProperty(zkDigestAllUsernameVMParamName);
+ String digestAllPassword = System.getProperty(zkDigestAllPasswordVMParamName);
+ String digestReadonlyUsername = System.getProperty(zkDigestReadonlyUsernameVMParamName);
+ String digestReadonlyPassword = System.getProperty(zkDigestReadonlyPasswordVMParamName);
+
+ return createACLsToAdd(includeReadOnly,
+ digestAllUsername, digestAllPassword,
+ digestReadonlyUsername, digestReadonlyPassword);
+ }
+
+ @VisibleForTesting
+ protected List<ACL> createACLsToAdd(boolean includeReadOnly,
+ String digestAllUsername, String digestAllPassword,
+ String digestReadonlyUsername, String digestReadonlyPassword) {
+
+ try {
List<ACL> result = new ArrayList<ACL>();
// Not to have to provide too much credentials and ACL information to the process it is assumed that you want "ALL"-acls
// added to the user you are using to connect to ZK (if you are using VMParamsSingleSetCredentialsDigestZkCredentialsProvider)
- String digestAllUsername = System.getProperty(zkDigestAllUsernameVMParamName);
- String digestAllPassword = System.getProperty(zkDigestAllPasswordVMParamName);
if (!StringUtils.isEmpty(digestAllUsername) && !StringUtils.isEmpty(digestAllPassword)) {
result.add(new ACL(ZooDefs.Perms.ALL, new Id("digest", DigestAuthenticationProvider.generateDigest(digestAllUsername + ":" + digestAllPassword))));
}
-
- // Besides that support for adding additional "READONLY"-acls for another user
- String digestReadonlyUsername = System.getProperty(zkDigestReadonlyUsernameVMParamName);
- String digestReadonlyPassword = System.getProperty(zkDigestReadonlyPasswordVMParamName);
- if (!StringUtils.isEmpty(digestReadonlyUsername) && !StringUtils.isEmpty(digestReadonlyPassword)) {
- result.add(new ACL(ZooDefs.Perms.READ, new Id("digest", DigestAuthenticationProvider.generateDigest(digestReadonlyUsername + ":" + digestReadonlyPassword))));
+
+ if (includeReadOnly) {
+ // Besides that support for adding additional "READONLY"-acls for another user
+ if (!StringUtils.isEmpty(digestReadonlyUsername) && !StringUtils.isEmpty(digestReadonlyPassword)) {
+ result.add(new ACL(ZooDefs.Perms.READ, new Id("digest", DigestAuthenticationProvider.generateDigest(digestReadonlyUsername + ":" + digestReadonlyPassword))));
+ }
}
if (result.isEmpty()) {
- result = super.createGlobalACLsToAdd();
+ result = ZooDefs.Ids.OPEN_ACL_UNSAFE;
}
return result;
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java b/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java
index 43a2c52..acc5abf 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/ZkClientConnectionStrategy.java
@@ -97,7 +97,9 @@ public abstract class ZkClientConnectionStrategy {
public boolean hasZkCredentialsToAddAutomatically() {
return zkCredentialsToAddAutomatically != null;
}
-
+
+ public ZkCredentialsProvider getZkCredentialsToAddAutomatically() { return zkCredentialsToAddAutomatically; }
+
protected SolrZooKeeper createSolrZooKeeper(final String serverAddress, final int zkClientTimeout,
final Watcher watcher) throws IOException {
SolrZooKeeper result = new SolrZooKeeper(serverAddress, zkClientTimeout, watcher);
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/test/org/apache/solr/client/solrj/request/TestDelegationTokenRequest.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/request/TestDelegationTokenRequest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/request/TestDelegationTokenRequest.java
new file mode 100644
index 0000000..47b8385
--- /dev/null
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/request/TestDelegationTokenRequest.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.client.solrj.request;
+
+import org.apache.lucene.util.LuceneTestCase;
+
+import org.junit.Test;
+
+/**
+ * Test for DelegationTokenRequests
+ */
+public class TestDelegationTokenRequest extends LuceneTestCase {
+
+ @Test
+ public void testGetRequest() throws Exception {
+ // without renewer
+ DelegationTokenRequest.Get get = new DelegationTokenRequest.Get();
+ assertEquals("GETDELEGATIONTOKEN", get.getParams().get("op"));
+ assertNull(get.getParams().get("renewer"));
+
+
+ // with renewer
+ final String renewer = "test";
+ get = new DelegationTokenRequest.Get(renewer);
+ assertEquals("GETDELEGATIONTOKEN", get.getParams().get("op"));
+ assertEquals(renewer, get.getParams().get("renewer"));
+ }
+
+ @Test
+ public void testRenewRequest() throws Exception {
+ final String token = "testToken";
+ DelegationTokenRequest.Renew renew = new DelegationTokenRequest.Renew(token);
+ assertEquals("RENEWDELEGATIONTOKEN", renew.getParams().get("op"));
+ assertEquals(token, renew.getParams().get("token"));
+ assertTrue(renew.getQueryParams().contains("op"));
+ assertTrue(renew.getQueryParams().contains("token"));
+
+ // can handle null token
+ renew = new DelegationTokenRequest.Renew(null);
+ renew.getParams();
+ }
+
+ @Test
+ public void testCancelRequest() throws Exception {
+ final String token = "testToken";
+ DelegationTokenRequest.Cancel cancel = new DelegationTokenRequest.Cancel(token);
+ assertEquals("CANCELDELEGATIONTOKEN", cancel.getParams().get("op"));
+ assertEquals(token, cancel.getParams().get("token"));
+ assertTrue(cancel.getQueryParams().contains("op"));
+ assertTrue(cancel.getQueryParams().contains("token"));
+
+ // can handle null token
+ cancel = new DelegationTokenRequest.Cancel(null);
+ cancel.getParams();
+ }
+}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7bf019a9/solr/solrj/src/test/org/apache/solr/client/solrj/response/TestDelegationTokenResponse.java
----------------------------------------------------------------------
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/response/TestDelegationTokenResponse.java b/solr/solrj/src/test/org/apache/solr/client/solrj/response/TestDelegationTokenResponse.java
new file mode 100644
index 0000000..c376223
--- /dev/null
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/response/TestDelegationTokenResponse.java
@@ -0,0 +1,138 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.client.solrj.response;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.io.IOUtils;
+
+import org.apache.lucene.util.LuceneTestCase;
+import org.apache.solr.client.solrj.ResponseParser;
+import org.apache.solr.client.solrj.request.DelegationTokenRequest;
+import org.apache.solr.common.SolrException;
+
+import org.junit.Test;
+
+import org.noggit.CharArr;
+import org.noggit.JSONWriter;
+
+public class TestDelegationTokenResponse extends LuceneTestCase {
+
+ private void delegationTokenResponse(DelegationTokenRequest request,
+ DelegationTokenResponse response, String responseBody) throws Exception {
+ ResponseParser parser = request.getResponseParser();
+ response.setResponse(parser.processResponse(
+ IOUtils.toInputStream(responseBody, "UTF-8"), "UTF-8"));
+ }
+
+ private String getNestedMapJson(String outerKey, String innerKey, Object innerValue) {
+ CharArr out = new CharArr();
+ JSONWriter w = new JSONWriter(out, 2);
+ Map<String, Object> innerMap = new HashMap<String, Object>();
+ innerMap.put(innerKey, innerValue);
+ Map<String, Map<String, Object>> outerMap = new HashMap<String, Map<String, Object>>();
+ outerMap.put(outerKey, innerMap);
+ w.write(outerMap);
+ return out.toString();
+ }
+
+ private String getMapJson(String key, Object value) {
+ CharArr out = new CharArr();
+ JSONWriter w = new JSONWriter(out, 2);
+ Map<String, Object> map = new HashMap<String, Object>();
+ map.put(key, value);
+ w.write(map);
+ return out.toString();
+ }
+
+ @Test
+ public void testGetResponse() throws Exception {
+ DelegationTokenRequest.Get getRequest = new DelegationTokenRequest.Get();
+ DelegationTokenResponse.Get getResponse = new DelegationTokenResponse.Get();
+
+ // not a map
+ try {
+ delegationTokenResponse(getRequest, getResponse, "");
+ getResponse.getDelegationToken();
+ fail("Expected SolrException");
+ } catch (SolrException se) {
+ }
+
+ // doesn't have Token outerMap
+ final String someToken = "someToken";
+ delegationTokenResponse(getRequest, getResponse, getNestedMapJson("NotToken", "urlString", someToken));
+ assertNull(getResponse.getDelegationToken());
+
+ // Token is not a map
+ try {
+ delegationTokenResponse(getRequest, getResponse, getMapJson("Token", someToken));
+ getResponse.getDelegationToken();
+ fail("Expected SolrException");
+ } catch (SolrException se) {
+ }
+
+ // doesn't have urlString
+ delegationTokenResponse(getRequest, getResponse, getNestedMapJson("Token", "notUrlString", someToken));
+ assertNull(getResponse.getDelegationToken());
+
+ // has Token + urlString
+ delegationTokenResponse(getRequest, getResponse, getNestedMapJson("Token", "urlString", someToken));
+ assertEquals(someToken, getResponse.getDelegationToken());
+ }
+
+ @Test
+ public void testRenewResponse() throws Exception {
+ DelegationTokenRequest.Renew renewRequest = new DelegationTokenRequest.Renew("token");
+ DelegationTokenResponse.Renew renewResponse = new DelegationTokenResponse.Renew();
+
+ // not a map
+ try {
+ delegationTokenResponse(renewRequest, renewResponse, "");
+ renewResponse.getExpirationTime();
+ fail("Expected SolrException");
+ } catch (SolrException se) {
+ }
+
+ // doesn't have long
+ delegationTokenResponse(renewRequest, renewResponse, getMapJson("notLong", "123"));
+ assertNull(renewResponse.getExpirationTime());
+
+ // long isn't valid
+ try {
+ delegationTokenResponse(renewRequest, renewResponse, getMapJson("long", "aaa"));
+ renewResponse.getExpirationTime();
+ fail("Expected SolrException");
+ } catch (SolrException se) {
+ }
+
+ // valid
+ Long expirationTime = new Long(Long.MAX_VALUE);
+ delegationTokenResponse(renewRequest, renewResponse,
+ getMapJson("long", expirationTime));
+ assertEquals(expirationTime, renewResponse.getExpirationTime());
+ }
+
+ @Test
+ public void testCancelResponse() throws Exception {
+ // expect empty response
+ DelegationTokenRequest.Cancel cancelRequest = new DelegationTokenRequest.Cancel("token");
+ DelegationTokenResponse.Cancel cancelResponse = new DelegationTokenResponse.Cancel();
+ delegationTokenResponse(cancelRequest, cancelResponse, "");
+ }
+}