Posted to commits@lucene.apache.org by no...@apache.org on 2015/09/02 14:26:31 UTC

svn commit: r1700786 - in /lucene/dev/branches/branch_5x: ./ solr/ solr/core/ solr/core/src/java/org/apache/solr/security/ solr/core/src/test/org/apache/solr/security/

Author: noble
Date: Wed Sep  2 12:26:31 2015
New Revision: 1700786

URL: http://svn.apache.org/r1700786
Log:
SOLR-8004: RuleBasedAuthorization plugin does not work for the collection-admin-edit permission

Modified:
    lucene/dev/branches/branch_5x/   (props changed)
    lucene/dev/branches/branch_5x/solr/   (props changed)
    lucene/dev/branches/branch_5x/solr/CHANGES.txt   (contents, props changed)
    lucene/dev/branches/branch_5x/solr/core/   (props changed)
    lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
    lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
    lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java

Modified: lucene/dev/branches/branch_5x/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/CHANGES.txt?rev=1700786&r1=1700785&r2=1700786&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/CHANGES.txt (original)
+++ lucene/dev/branches/branch_5x/solr/CHANGES.txt Wed Sep  2 12:26:31 2015
@@ -97,6 +97,8 @@ Bug Fixes
 
 * SOLR-8000: security.json is not loaded on server start (noble)
 
+* SOLR-8004: RuleBasedAuthorization plugin does not work for the collection-admin-edit permission (noble)
+
 
 Optimizations
 ----------------------

Modified: lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java?rev=1700786&r1=1700785&r2=1700786&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java Wed Sep  2 12:26:31 2015
@@ -87,7 +87,7 @@ public class RuleBasedAuthorizationPlugi
   @Override
   public AuthorizationResponse authorize(AuthorizationContext context) {
     List<AuthorizationContext.CollectionRequest> collectionRequests = context.getCollectionRequests();
-    if (collectionRequests.isEmpty()) {
+    if (context.getRequestType() == AuthorizationContext.RequestType.ADMIN) {
       MatchStatus flag = checkCollPerm(mapping.get(""), context);
       return flag.rsp;
     }
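Review bot: With the `collectionRequests.isEmpty()` test removed, a request that names no collection and is not of type ADMIN no longer returns from this branch and falls through to code outside the hunk. Confirm, and cover with a unit test, that this path still ends in an explicit permission check and not an implicit allow. The reason for routing on request type is worth recording above the condition, e.g. `// admin requests may name a collection, so route on request type, not on an empty collection list` (presumed from the RELOAD test in this commit). The body of authorize() continues past the hunk, so the fall-through behaviour is inferred and not visible here.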

Modified: lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java?rev=1700786&r1=1700785&r2=1700786&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java Wed Sep  2 12:26:31 2015
@@ -37,6 +37,7 @@ import org.apache.solr.client.solrj.Solr
 import org.apache.solr.client.solrj.embedded.JettySolrRunner;
 import org.apache.solr.client.solrj.impl.CloudSolrClient;
 import org.apache.solr.client.solrj.impl.HttpSolrClient;
+import org.apache.solr.client.solrj.request.CollectionAdminRequest;
 import org.apache.solr.client.solrj.request.GenericSolrRequest;
 import org.apache.solr.cloud.MiniSolrCloudCluster;
 import org.apache.solr.cloud.TestMiniSolrCloudCluster;
@@ -144,6 +145,30 @@ public class BasicAuthIntegrationTest ex
 
     verifySecurityStatus(cl, baseUrl+"/admin/authorization", "authorization/permissions[1]/collection", "x", 20);
 
+    httpPost = new HttpPost(baseUrl + "/admin/authorization");
+    setBasicAuthHeader(httpPost, "harry", "HarryIsUberCool");
+    httpPost.setEntity(new ByteArrayEntity(Utils.toJSON(singletonMap("set-permission", Utils.makeMap
+        ("name","collection-admin-edit", "role", "admin" )))));
+    r = cl.execute(httpPost);
+
+    verifySecurityStatus(cl, baseUrl+"/admin/authorization", "authorization/permissions[2]/name", "collection-admin-edit", 20);
+
+    CollectionAdminRequest.Reload reload = new CollectionAdminRequest.Reload();
+    reload.setCollectionName(cloudSolrClient.getDefaultCollection());
+
+    HttpSolrClient solrClient = new HttpSolrClient(baseUrl);
+    try {
+      rsp = solrClient.request(reload);
+      fail("must have failed");
+    } catch (HttpSolrClient.RemoteSolrException e) {
+
+    }
+
+    httpPost = new HttpPost(baseUrl + "/admin/authorization");
+    setBasicAuthHeader(httpPost, "harry", "HarryIsUberCool");
+    httpPost.setEntity(new ByteArrayEntity(Utils.toJSON(singletonMap("delete-permission", "collection-admin-edit"))));
+    r = cl.execute(httpPost);//cleanup so that the super class does not need to pass on credentials
+
   }
 
   public static void verifySecurityStatus(HttpClient cl, String url, String objPath, Object expected, int count) throws Exception {
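Review bot: The empty `catch (HttpSolrClient.RemoteSolrException e)` block accepts any remote failure, so the test would also pass on a 404 or 500 that has nothing to do with authorization. Assert the status inside the catch, e.g. `assertEquals(401, e.code());` (401 is presumed from the unit test in this commit, which expects PROMPT_FOR_CREDENTIALS for an unauthenticated RELOAD; confirm). The `HttpSolrClient` created for the reload is never closed. The responses assigned to `r` are not checked, and the final `delete-permission` call has no `verifySecurityStatus` after it, so a failed cleanup would go unnoticed. The test method starts outside the hunk.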
@@ -208,6 +233,11 @@ public class BasicAuthIntegrationTest ex
   public void testErrorsInShutdown() throws Exception {
   }
 
+
+  @Override
+  public void testCollectionCreateWithoutCoresThenDelete() throws Exception {
+  }
+
   //the password is 'SolrRocks'
   //this could be generated everytime. But , then we will not know if there is any regression
   private static final String STD_CONF = "{\n" +
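Review bot: The empty override of `testCollectionCreateWithoutCoresThenDelete()` silently turns off an inherited test in a security test class and carries no explanation. Add a comment saying why it cannot run here, for example `// disabled: the inherited test sends no credentials and would be rejected while authentication is enabled` (reason presumed from the cleanup comment earlier in this file; confirm). That keeps the lost coverage visible to the next reader.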

Modified: lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java?rev=1700786&r1=1700785&r2=1700786&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java Wed Sep  2 12:26:31 2015
@@ -95,7 +95,7 @@ public class TestRuleBasedAuthorizationP
     assertEquals(FORBIDDEN,authResp.statusCode);
 
     values.put("resource","/admin/collections");
-    values.put("collectionRequests",new ArrayList<>());
+    values.put("requestType", AuthorizationContext.RequestType.ADMIN);
     values.put("params", new MapSolrParams(Collections.singletonMap("action", "LIST")));
     values.put("httpMethod","GET");
     authResp = plugin.authorize(context);
@@ -109,6 +109,10 @@ public class TestRuleBasedAuthorizationP
     authResp = plugin.authorize(context);
     assertEquals(PROMPT_FOR_CREDENTIALS, authResp.statusCode);
 
+    values.put("params", new MapSolrParams(Collections.singletonMap("action", "RELOAD")));
+    authResp = plugin.authorize(context);
+    assertEquals(PROMPT_FOR_CREDENTIALS, authResp.statusCode);
+
     values.put("userPrincipal", new BasicUserPrincipal("somebody"));
     authResp = plugin.authorize(context);
     assertEquals(FORBIDDEN,authResp.statusCode);
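Review bot: The added RELOAD case changes only `params`, so nothing visible in the hunk gives the mocked context a non-empty `collectionRequests`, which appears to be the situation the plugin change in this commit is meant to fix. Unless an earlier `values.put("collectionRequests", ...)` outside the hunk still applies, this assertion exercises the same path as the LIST case and may not have failed before the fix. Setting `collectionRequests` to a one-element list right before the `values.put("params", ...)` line for RELOAD would pin the regression. The test method starts outside the hunk.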