Posted to commits@lucene.apache.org by no...@apache.org on 2015/09/02 14:26:31 UTC
svn commit: r1700786 - in /lucene/dev/branches/branch_5x: ./ solr/
solr/core/ solr/core/src/java/org/apache/solr/security/
solr/core/src/test/org/apache/solr/security/
Author: noble
Date: Wed Sep 2 12:26:31 2015
New Revision: 1700786
URL: http://svn.apache.org/r1700786
Log:
SOLR-8004: RuleBasedAuthorization plugin does not work for the collection-admin-edit permission
Modified:
lucene/dev/branches/branch_5x/ (props changed)
lucene/dev/branches/branch_5x/solr/ (props changed)
lucene/dev/branches/branch_5x/solr/CHANGES.txt (contents, props changed)
lucene/dev/branches/branch_5x/solr/core/ (props changed)
lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
Modified: lucene/dev/branches/branch_5x/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/CHANGES.txt?rev=1700786&r1=1700785&r2=1700786&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/CHANGES.txt (original)
+++ lucene/dev/branches/branch_5x/solr/CHANGES.txt Wed Sep 2 12:26:31 2015
@@ -97,6 +97,8 @@ Bug Fixes
* SOLR-8000: security.json is not loaded on server start (noble)
+* SOLR-8004: RuleBasedAuthorization plugin does not work for the collection-admin-edit permission (noble)
+
Optimizations
----------------------
Modified: lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java?rev=1700786&r1=1700785&r2=1700786&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java Wed Sep 2 12:26:31 2015
@@ -87,7 +87,7 @@ public class RuleBasedAuthorizationPlugi
@Override
public AuthorizationResponse authorize(AuthorizationContext context) {
List<AuthorizationContext.CollectionRequest> collectionRequests = context.getCollectionRequests();
- if (collectionRequests.isEmpty()) {
+ if (context.getRequestType() == AuthorizationContext.RequestType.ADMIN) {
MatchStatus flag = checkCollPerm(mapping.get(""), context);
return flag.rsp;
}
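Review bot: Keying this branch on `context.getRequestType() == AuthorizationContext.RequestType.ADMIN` means a non-ADMIN request whose `getCollectionRequests()` is empty no longer reaches `checkCollPerm(mapping.get(""), context)` and instead falls through to the rest of `authorize`, which lies outside this hunk. It is worth confirming that this path still evaluates the non-collection permissions and cannot end in an allow by default, and covering it with a unit case that leaves `collectionRequests` empty on a non-ADMIN request. A short comment above the branch, such as `// "" is the mapping key for permissions that are not tied to a collection`, would also help, assuming that is what the empty key means. `collectionRequests` is now unused by this branch, so its declaration could move below it.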
Modified: lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java?rev=1700786&r1=1700785&r2=1700786&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java Wed Sep 2 12:26:31 2015
@@ -37,6 +37,7 @@ import org.apache.solr.client.solrj.Solr
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
import org.apache.solr.client.solrj.impl.CloudSolrClient;
import org.apache.solr.client.solrj.impl.HttpSolrClient;
+import org.apache.solr.client.solrj.request.CollectionAdminRequest;
import org.apache.solr.client.solrj.request.GenericSolrRequest;
import org.apache.solr.cloud.MiniSolrCloudCluster;
import org.apache.solr.cloud.TestMiniSolrCloudCluster;
@@ -144,6 +145,30 @@ public class BasicAuthIntegrationTest ex
verifySecurityStatus(cl, baseUrl+"/admin/authorization", "authorization/permissions[1]/collection", "x", 20);
+ httpPost = new HttpPost(baseUrl + "/admin/authorization");
+ setBasicAuthHeader(httpPost, "harry", "HarryIsUberCool");
+ httpPost.setEntity(new ByteArrayEntity(Utils.toJSON(singletonMap("set-permission", Utils.makeMap
+ ("name","collection-admin-edit", "role", "admin" )))));
+ r = cl.execute(httpPost);
+
+ verifySecurityStatus(cl, baseUrl+"/admin/authorization", "authorization/permissions[2]/name", "collection-admin-edit", 20);
+
+ CollectionAdminRequest.Reload reload = new CollectionAdminRequest.Reload();
+ reload.setCollectionName(cloudSolrClient.getDefaultCollection());
+
+ HttpSolrClient solrClient = new HttpSolrClient(baseUrl);
+ try {
+ rsp = solrClient.request(reload);
+ fail("must have failed");
+ } catch (HttpSolrClient.RemoteSolrException e) {
+
+ }
+
+ httpPost = new HttpPost(baseUrl + "/admin/authorization");
+ setBasicAuthHeader(httpPost, "harry", "HarryIsUberCool");
+ httpPost.setEntity(new ByteArrayEntity(Utils.toJSON(singletonMap("delete-permission", "collection-admin-edit"))));
+ r = cl.execute(httpPost);//cleanup so that the super class does not need to pass on credentials
+
}
public static void verifySecurityStatus(HttpClient cl, String url, String objPath, Object expected, int count) throws Exception {
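Review bot: The empty `catch (HttpSolrClient.RemoteSolrException e) { }` accepts any remote error, so the test passes on a 404 or 500 just as well as on an authorization failure for the unauthenticated reload. Assert the status inside the catch, e.g. `assertEquals(401, e.code());` if a credential prompt is what the server is expected to return here. The results of the two added `cl.execute(httpPost)` calls are not checked either, and the `delete-permission` cleanup is not followed by a `verifySecurityStatus` wait, so a failed or not-yet-applied cleanup would only show up as unrelated failures in the inherited tests. `solrClient` is also never closed. The enclosing test method starts outside this hunk.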
@@ -208,6 +233,11 @@ public class BasicAuthIntegrationTest ex
public void testErrorsInShutdown() throws Exception {
}
+
+ @Override
+ public void testCollectionCreateWithoutCoresThenDelete() throws Exception {
+ }
+
//the password is 'SolrRocks'
//this could be generated everytime. But , then we will not know if there is any regression
private static final String STD_CONF = "{\n" +
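Review bot: The empty override of `testCollectionCreateWithoutCoresThenDelete` silently turns an inherited test into a no-op that still reports as passed, and nothing records why. A comment in the body such as `// not run here: the inherited test sends collection admin requests without credentials` would document the reason, if that is the reason. The same applies to the empty `testErrorsInShutdown` just above it.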
Modified: lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
URL: http://svn.apache.org/viewvc/lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java?rev=1700786&r1=1700785&r2=1700786&view=diff
==============================================================================
--- lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java (original)
+++ lucene/dev/branches/branch_5x/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java Wed Sep 2 12:26:31 2015
@@ -95,7 +95,7 @@ public class TestRuleBasedAuthorizationP
assertEquals(FORBIDDEN,authResp.statusCode);
values.put("resource","/admin/collections");
- values.put("collectionRequests",new ArrayList<>());
+ values.put("requestType", AuthorizationContext.RequestType.ADMIN);
values.put("params", new MapSolrParams(Collections.singletonMap("action", "LIST")));
values.put("httpMethod","GET");
authResp = plugin.authorize(context);
@@ -109,6 +109,10 @@ public class TestRuleBasedAuthorizationP
authResp = plugin.authorize(context);
assertEquals(PROMPT_FOR_CREDENTIALS, authResp.statusCode);
+ values.put("params", new MapSolrParams(Collections.singletonMap("action", "RELOAD")));
+ authResp = plugin.authorize(context);
+ assertEquals(PROMPT_FOR_CREDENTIALS, authResp.statusCode);
+
values.put("userPrincipal", new BasicUserPrincipal("somebody"));
authResp = plugin.authorize(context);
assertEquals(FORBIDDEN,authResp.statusCode);
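Review bot: Because `values` is shared across the assertions, overwriting `params` with `action=RELOAD` here means the following `somebody` / `FORBIDDEN` check now runs against RELOAD rather than against the action set earlier in the test, which is outside this hunk. If the FORBIDDEN case for that earlier action still matters, assert it before switching `params`. The added lines also cover only denial for RELOAD; a case in which a principal holding the permitted role is allowed would show that the `collection-admin-edit` rule grants as well as denies. The test method begins and ends outside the hunk.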