Posted to commits@lucene.apache.org by is...@apache.org on 2020/04/29 17:05:32 UTC

[lucene-solr] branch branch_8x updated: SOLR-14237: A new panel with security info in admin UI's dashboard

This is an automated email from the ASF dual-hosted git repository.

ishan pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/branch_8x by this push:
     new 66a9bb0  SOLR-14237: A new panel with security info in admin UI's dashboard
66a9bb0 is described below

commit 66a9bb09ca1d2611ce2047671d797ee681de8932
Author: Ishan Chattopadhyaya <is...@apache.org>
AuthorDate: Wed Apr 29 22:34:13 2020 +0530

    SOLR-14237: A new panel with security info in admin UI's dashboard
---
 solr/CHANGES.txt                                   |  1 +
 .../solr/handler/admin/SystemInfoHandler.java      | 35 +++++++++++++++++++++-
 .../security/RuleBasedAuthorizationPlugin.java     |  5 ++++
 solr/webapp/web/css/angular/index.css              |  3 ++
 solr/webapp/web/js/angular/controllers/index.js    |  6 ++++
 solr/webapp/web/partials/index.html                | 34 +++++++++++++++++++++
 6 files changed, 83 insertions(+), 1 deletion(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 6951f2e..b09c868 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -15,6 +15,7 @@ New Features
 
 * SOLR-13942: A read API at /api/cluster/zk/* to fetch raw ZK data and view contents of a ZK direcory (noble)
 
+* SOLR-14237: A new panel with security info in admin UI's dashboard (Ishan Chattopadhyaya, Moshe Bla)
 
 Improvements
 ---------------------
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/SystemInfoHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/SystemInfoHandler.java
index f31ae65..81edb4f 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/SystemInfoHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/SystemInfoHandler.java
@@ -29,6 +29,7 @@ import java.util.Date;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
+import java.util.Set;
 
 import com.codahale.metrics.Gauge;
 import org.apache.lucene.LucenePackage;
@@ -39,6 +40,8 @@ import org.apache.solr.handler.RequestHandlerBase;
 import org.apache.solr.request.SolrQueryRequest;
 import org.apache.solr.response.SolrQueryResponse;
 import org.apache.solr.schema.IndexSchema;
+import org.apache.solr.security.AuthorizationPlugin;
+import org.apache.solr.security.RuleBasedAuthorizationPlugin;
 import org.apache.solr.util.RTimer;
 import org.apache.solr.util.RedactionUtils;
 import org.apache.solr.util.stats.MetricUtils;
@@ -140,6 +143,7 @@ public class SystemInfoHandler extends RequestHandlerBase
       rsp.add( "solr_home", cc.getSolrHome());
     rsp.add( "lucene", getLuceneInfo() );
     rsp.add( "jvm", getJvmInfo() );
+    rsp.add( "user", getSecurityInfo(req) );
     rsp.add( "system", getSystemInfo() );
     if (solrCloudMode) {
       rsp.add("node", getCoreContainer(req, core).getZkController().getNodeName());
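Review bot: The new entry is published under the key `"user"`, but the admin UI changes in this same commit read it as `security` (`data.security` in controllers/index.js and `system.security[...]` in partials/index.html). As written, the Security panel would render empty and the controller's check would run against a missing property. One side needs renaming, for example `rsp.add( "security", getSecurityInfo(req) );`. The enclosing method starts and ends outside this hunk.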
@@ -311,7 +315,36 @@ public class SystemInfoHandler extends RequestHandlerBase
     jvm.add( "jmx", jmx );
     return jvm;
   }
-  
+
+  /**
+   * Get Security Info
+   */
+  public SimpleOrderedMap<Object> getSecurityInfo(SolrQueryRequest req)
+  {
+    SimpleOrderedMap<Object> info = new SimpleOrderedMap<>();
+
+    if (cc.getAuthenticationPlugin() != null) info.add("authenticationPlugin", cc.getAuthenticationPlugin().getName());
+    if (cc.getAuthorizationPlugin() != null) info.add("authorizationPlugin", cc.getAuthorizationPlugin().getClass().getName());
+
+    // User principal
+    String username = null;
+    if (req.getUserPrincipal() != null) {
+      username = req.getUserPrincipal().getName();
+      info.add("username", username);
+
+      // Mapped roles for this principal
+      AuthorizationPlugin auth = cc.getAuthorizationPlugin();
+      if (auth != null) {
+        RuleBasedAuthorizationPlugin rbap = (RuleBasedAuthorizationPlugin) auth;
+        Set<String> roles = rbap.getRoles(username);
+        info.add("roles", roles);
+      }
+    }
+
+    return info;
+  }
+
+
   private static SimpleOrderedMap<Object> getLuceneInfo() {
     SimpleOrderedMap<Object> info = new SimpleOrderedMap<>();
 
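Review bot: The cast `(RuleBasedAuthorizationPlugin) auth` in getSecurityInfo is unchecked, so with any other AuthorizationPlugin implementation configured, an authenticated request to this handler would throw ClassCastException instead of returning system info. Guard on the type rather than on null: `if (auth instanceof RuleBasedAuthorizationPlugin) {`. The method is public and its Javadoc only says "Get Security Info". It should state that the response discloses the authentication and authorization plugin names plus the caller's own username and roles, so whoever sets the permission on this endpoint knows what it reveals.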
diff --git a/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java b/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
index d2ce0e9..eceb0a1 100644
--- a/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
@@ -240,6 +240,11 @@ public class RuleBasedAuthorizationPlugin implements AuthorizationPlugin, Config
     return MatchStatus.FORBIDDEN;
   }
 
+  public Set<String> getRoles(String user) {
+    Set<String> roles = usersVsRoles.get(user);
+    return roles;
+  }
+
   public boolean doesUserHavePermission(String user, PermissionNameProvider.Name permission) {
     Set<String> roles = usersVsRoles.get(user);
     if (roles != null) {
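Review bot: getRoles hands back the set stored in `usersVsRoles` as-is, and returns null for a user with no mapping. If those sets are mutable (their construction is not visible in this hunk), a caller could alter the role assignments that the authorization checks rely on. Returning a read-only view avoids both problems, provided `java.util.Collections` is imported in this file: `return roles == null ? Collections.emptySet() : Collections.unmodifiableSet(roles);`. A short Javadoc stating the null/empty contract would help as well. doesUserHavePermission continues past the end of the hunk.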
diff --git a/solr/webapp/web/css/angular/index.css b/solr/webapp/web/css/angular/index.css
index c53e323..62386c6 100644
--- a/solr/webapp/web/css/angular/index.css
+++ b/solr/webapp/web/css/angular/index.css
@@ -214,3 +214,6 @@ limitations under the License.
 {
   margin-top: 20px;
 }
+
+#content #index #security h2 { background-image: url( ../../img/ico/prohibition.png ); }
+#content #index #security div { text-align: right; }
\ No newline at end of file
diff --git a/solr/webapp/web/js/angular/controllers/index.js b/solr/webapp/web/js/angular/controllers/index.js
index d8052d4..f8b0747 100644
--- a/solr/webapp/web/js/angular/controllers/index.js
+++ b/solr/webapp/web/js/angular/controllers/index.js
@@ -21,6 +21,12 @@ solrAdminApp.controller('IndexController', function($scope, System, Cores, Const
     System.get(function(data) {
       $scope.system = data;
 
+      if (username in data.security) {
+        // Needed for Kerberos, since this is the only place from where
+        // Kerberos username can be obtained.
+        sessionStorage.setItem("auth.username", data.security.username);
+      }
+
       // load average, unless its negative (means n/a on windows, etc)
       if (data.system.systemLoadAverage >= 0) {
         $scope.load_average = data.system.systemLoadAverage.toFixed(2);
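Review bot: In `if (username in data.security)`, `username` is a bare identifier rather than the string key, so unless a variable of that name happens to be in scope this raises a ReferenceError. The `in` operator also throws a TypeError when `data.security` is absent from the response. Either failure aborts the callback before the rest of the dashboard values are set. Suggested guard: `if (data.security && "username" in data.security) {`. The callback body continues outside the hunk.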
diff --git a/solr/webapp/web/partials/index.html b/solr/webapp/web/partials/index.html
index 8fe0b66..5f77bff 100644
--- a/solr/webapp/web/partials/index.html
+++ b/solr/webapp/web/partials/index.html
@@ -253,6 +253,40 @@ limitations under the License.
           </div>
 
       </div>
+      <div class="block" id="security">
+
+          <h2>Security</h2>
+
+          <div class="content">
+
+            <ul class="data">
+
+              <li class="authentication_plugin"><dl class="clearfix">
+                <dt><span>Authentication Plugin</span></dt>
+                  <dd>{{system.security["authenticationPlugin"]}}</dd>
+              </dl></li>
+
+              <li class="authorization_plugin"><dl class="clearfix">
+                <dt><span>Authorization Plugin</span></dt>
+                  <dd>{{system.security["authorizationPlugin"]}}</dd>
+              </dl></li>
+
+              <li class="username"><dl class="clearfix">
+                <dt><span>Current Username</span></dt>
+                  <dd>{{system.security["username"]}}</dd>
+              </dl></li>
+
+              <li class="user_roles"><dl class="clearfix">
+                <dt><span>User Roles</span></dt>
+                  <dd>{{system.security["roles"]}}</dd>
+              </dl></li>
+
+            </ul>
+
+
+          </div>
+
+      </div>
 
     </div>