You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/02 11:56:34 UTC
[lucene-solr] branch branch_8x updated: LUCENE-9076: give
replicator its own policy rather than reusing solr policy
This is an automated email from the ASF dual-hosted git repository.
rmuir pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8x by this push:
new 58473a0 LUCENE-9076: give replicator its own policy rather than reusing solr policy
58473a0 is described below
commit 58473a04b9efdfd108719a872bcd0adabfbebb71
Author: Robert Muir <rm...@apache.org>
AuthorDate: Mon Dec 2 06:55:02 2019 -0500
LUCENE-9076: give replicator its own policy rather than reusing solr policy
---
lucene/replicator/build.xml | 2 +-
lucene/tools/junit4/replicator-tests.policy | 91 +++++++++++++++++++++++++++++
2 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/lucene/replicator/build.xml b/lucene/replicator/build.xml
index 53d4251..796bf27 100644
--- a/lucene/replicator/build.xml
+++ b/lucene/replicator/build.xml
@@ -22,7 +22,7 @@
</description>
<!-- TODO: go fix this in jetty, its stupid -->
- <property name="tests.policy" location="../tools/junit4/solr-tests.policy"/>
+ <property name="tests.policy" location="../tools/junit4/replicator-tests.policy"/>
<import file="../module-build.xml"/>
diff --git a/lucene/tools/junit4/replicator-tests.policy b/lucene/tools/junit4/replicator-tests.policy
new file mode 100644
index 0000000..476875a
--- /dev/null
+++ b/lucene/tools/junit4/replicator-tests.policy
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Policy file for lucene replicator tests. Please keep minimal and avoid wildcards.
+// this differs from the standard lucene policy in that it must allow read-write access
+// to all system properties, because of jetty
+
+grant {
+ // contain read access to only what we need:
+ // 3rd party jar resources (where symlinks are not supported), test-files/ resources
+ permission java.io.FilePermission "${common.dir}${/}-", "read";
+ // 3rd party jar resources (where symlinks are supported)
+ permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read";
+ // system jar resources, and let TestIndexWriterOnJRECrash fork its jvm
+ permission java.io.FilePermission "${java.home}${/}-", "read,execute";
+ // should be enclosed within common.dir, but just in case:
+ permission java.io.FilePermission "${junit4.childvm.cwd}", "read";
+
+ // write only to sandbox
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write";
+ permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
+ permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
+ permission java.io.FilePermission "${tests.linedocsfile}", "read";
+
+ // misc HardlinkCopyDirectoryWrapper needs this to test if hardlinks can be created
+ permission java.nio.file.LinkPermission "hard";
+ // needed by SSD detection tests in TestIOUtils (creates symlinks)
+ permission java.nio.file.LinkPermission "symbolic";
+
+ // needed by gson serialization of junit4 runner: TODO clean that up
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ // needed by junit4 runner to capture sysout/syserr:
+ permission java.lang.RuntimePermission "setIO";
+ // needed by randomized runner to catch failures from other threads:
+ permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
+ // needed by randomized runner getTopThreadGroup:
+ permission java.lang.RuntimePermission "modifyThreadGroup";
+ // needed by tests e.g. shutting down executors:
+ permission java.lang.RuntimePermission "modifyThread";
+ // needed for tons of test hacks etc
+ permission java.lang.RuntimePermission "getStackTrace";
+ // needed for mock filesystems in tests
+ permission java.lang.RuntimePermission "fileSystemProvider";
+ // needed for test of IOUtils.spins (maybe it can be avoided)
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+ // analyzers/uima: needed by lucene expressions' JavascriptCompiler
+ permission java.lang.RuntimePermission "createClassLoader";
+ // needed to test unmap hack on platforms that support it
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+ // needed by cyberneko usage by benchmarks on J9
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.xerces.util";
+ // needed by jacoco to dump coverage
+ permission java.lang.RuntimePermission "shutdownHooks";
+ // needed by org.apache.logging.log4j
+ permission java.lang.RuntimePermission "getenv.*";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+
+ // read/write access to all system properties (required by jetty in these tests)
+ permission java.util.PropertyPermission "*", "read,write";
+
+ // replicator: jetty tests require some network permissions:
+ // all possibilities of accepting/binding/connecting on localhost with ports >= 1024:
+ permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve";
+ permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve";
+ permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve";
+
+ // SSL related properties for jetty
+ permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
+ permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";
+
+ // allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
+ permission java.security.SecurityPermission "createAccessControlContext";
+};