Posted to commits@solr.apache.org by br...@apache.org on 2024/01/24 13:52:51 UTC
(solr-sandbox) branch main updated: Refactor EncryptionRequestHandlerTest and update encryption.md about jdk 17. (#99)
This is an automated email from the ASF dual-hosted git repository.
broustant pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-sandbox.git
The following commit(s) were added to refs/heads/main by this push:
new 50b8f9b Refactor EncryptionRequestHandlerTest and update encryption.md about jdk 17. (#99)
50b8f9b is described below
commit 50b8f9bf740cba4161dd7e0d01edba9677bb5769
Author: Bruno Roustant <33...@users.noreply.github.com>
AuthorDate: Wed Jan 24 14:52:45 2024 +0100
Refactor EncryptionRequestHandlerTest and update encryption.md about jdk 17. (#99)
---
ENCRYPTION.md | 7 ++-
.../encryption/EncryptionRequestHandlerTest.java | 51 ++++++++++------------
2 files changed, 27 insertions(+), 31 deletions(-)
diff --git a/ENCRYPTION.md b/ENCRYPTION.md
index 72c7b14..759f77b 100644
--- a/ENCRYPTION.md
+++ b/ENCRYPTION.md
@@ -22,7 +22,8 @@ per-directory, making multi-tenant use-cases possible. If you can use OS-level e
Java-level encryption.
- Java-level encryption can be used when the OS-level encryption management is not possible (e.g. host machine managed
-by a cloud provider). It has an impact on performance: expect -20% on most queries, -60% on multi-term queries.
+by a cloud provider), or when even admin rights should not allow to get clear access to the index files. It has an
+impact on performance: expect -20% on most queries, -60% on multi-term queries.
[1] https://wiki.archlinux.org/title/Fscrypt
@@ -88,7 +89,9 @@ the specified folder.
`encrypterFactory` is an optional parameter to specify the `org.apache.solr.encryption.crypto.AesCtrEncrypterFactory`
to use. By default `CipherAesCtrEncrypter$Factory` is used. You can change to `LightAesCtrEncrypter$Factory` for a
more lightweight and efficient implementation (+10% perf), but it calls an internal com.sun.crypto.provider.AESCrypt()
-constructor which logs a JDK warning (Illegal reflective access).
+constructor which either logs a JDK warning (Illegal reflective access) with JDK 16 and below, or with JDK 17 and above
+requires to open the access to the com.sun.crypto.provider package with the jvm arg
+`--add-opens=java.base/com.sun.crypto.provider=ALL-UNNAMED`.
`EncryptionUpdateHandler` replaces the standard `DirectUpdateHandler2` (which it extends) to store persistently the
encryption key id in the commit metadata. It supports all the configuration parameters of `DirectUpdateHandler2`.
diff --git a/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java b/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
index 5b70650..f2515af 100644
--- a/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
+++ b/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
@@ -88,9 +88,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
@Test
public void testEncryptionFromNoKeysToOneKey_NoIndex() throws Exception {
// Send an encrypt request with a key id on an empty index.
- EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
- assertTrue(encryptionStatus.isSuccess());
- assertTrue(encryptionStatus.isComplete());
+ encryptAndExpectCompletion(KEY_ID_1);
// Index some documents to create a first segment.
testUtil.indexDocsAndCommit("weather broadcast");
@@ -106,14 +104,10 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
@Test
public void testEncryptionFromNoKeysToOneKeyToNoKeys_NoIndex() throws Exception {
// Send an encrypt request with a key id on an empty index.
- EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
- assertTrue(encryptionStatus.isSuccess());
- assertTrue(encryptionStatus.isComplete());
+ encryptAndExpectCompletion(KEY_ID_1);
// Send another encrypt request with no key id, still on the empty index.
- encryptionStatus = testUtil.encrypt(NO_KEY_ID);
- assertTrue(encryptionStatus.isSuccess());
- assertTrue(encryptionStatus.isComplete());
+ encryptAndExpectCompletion(NO_KEY_ID);
// Index some documents to create a first segment.
testUtil.indexDocsAndCommit("weather broadcast");
@@ -140,11 +134,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
forceClearText = false;
// Send an encrypt request with a key id.
- EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
- assertTrue(encryptionStatus.isSuccess());
- assertFalse(encryptionStatus.isComplete());
-
- testUtil.waitUntilEncryptionIsComplete(KEY_ID_1);
+ encryptAndWaitForCompletion(KEY_ID_1);
// Verify that the segment is encrypted.
forceClearText = true;
@@ -164,11 +154,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
testUtil.indexDocsAndCommit("foggy weather");
// Send an encrypt request with another key id.
- EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_2);
- assertTrue(encryptionStatus.isSuccess());
- assertFalse(encryptionStatus.isComplete());
-
- testUtil.waitUntilEncryptionIsComplete(KEY_ID_2);
+ encryptAndWaitForCompletion(KEY_ID_2);
// Verify that the segment is encrypted.
forceClearText = true;
@@ -187,11 +173,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
testUtil.indexDocsAndCommit("foggy weather");
// Send an encrypt request with no key id.
- EncryptionStatus encryptionStatus = testUtil.encrypt(NO_KEY_ID);
- assertTrue(encryptionStatus.isSuccess());
- assertFalse(encryptionStatus.isComplete());
-
- testUtil.waitUntilEncryptionIsComplete(NO_KEY_ID);
+ encryptAndWaitForCompletion(NO_KEY_ID);
// Verify that the segment is cleartext.
forceClearText = true;
@@ -203,11 +185,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
testUtil.indexDocsAndCommit("cloudy weather");
// Send an encrypt request with another key id.
- encryptionStatus = testUtil.encrypt(KEY_ID_2);
- assertTrue(encryptionStatus.isSuccess());
- assertFalse(encryptionStatus.isComplete());
-
- testUtil.waitUntilEncryptionIsComplete(KEY_ID_2);
+ encryptAndWaitForCompletion(KEY_ID_2);
// Verify that the segment is encrypted.
forceClearText = true;
@@ -218,6 +196,21 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
testUtil.assertQueryReturns("weather", 4);
}
+ private void encryptAndExpectCompletion(String keyId) {
+ encrypt(keyId, true);
+ }
+
+ private void encryptAndWaitForCompletion(String keyId) throws InterruptedException {
+ encrypt(keyId, false);
+ testUtil.waitUntilEncryptionIsComplete(keyId);
+ }
+
+ private void encrypt(String keyId, boolean expectComplete) {
+ EncryptionStatus encryptionStatus = testUtil.encrypt(keyId);
+ assertTrue(encryptionStatus.isSuccess());
+ assertEquals(expectComplete, encryptionStatus.isComplete());
+ }
+
private static void clearMockValues() {
forceClearText = false;
soleKeyIdAllowed = null;
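Review bot: The shared helper `encrypt(keyId, expectComplete)` added in this hunk asserts without failure messages, so a failing run no longer shows which key id or which expectation broke, now that every test goes through the same two lines. I would write `assertTrue("encrypt request failed for keyId=" + keyId, encryptionStatus.isSuccess());` and `assertEquals("unexpected isComplete for keyId=" + keyId, expectComplete, encryptionStatus.isComplete());`. The helpers also have no comment saying when each applies; going by the call sites, `encryptAndExpectCompletion` is for an empty index where the request reports completion at once, and `encryptAndWaitForCompletion` is for an index with existing segments, which is worth a one-line comment on each. The `expectComplete == false` case appears to assume the request returns before re-encryption finishes; if that ordering is not guaranteed, state the assumption next to the assertion. Renaming the private `encrypt` to something like `encryptAndAssertStatus` would also avoid confusion with `testUtil.encrypt`.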