From no...@apache.org
Subject svn commit: r1721097 - in /lucene/dev/trunk/solr: CHANGES.txt core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
Date Mon, 21 Dec 2015 07:11:15 GMT
Author: noble
Date: Mon Dec 21 07:11:14 2015
New Revision: 1721097

URL: http://svn.apache.org/viewvc?rev=1721097&view=rev
Log:
SOLR-8428: RuleBasedAuthorizationPlugin adds an 'all' permission

Modified:
    lucene/dev/trunk/solr/CHANGES.txt
    lucene/dev/trunk/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
    lucene/dev/trunk/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java

Modified: lucene/dev/trunk/solr/CHANGES.txt
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/CHANGES.txt?rev=1721097&r1=1721096&r2=1721097&view=diff
==============================================================================
--- lucene/dev/trunk/solr/CHANGES.txt (original)
+++ lucene/dev/trunk/solr/CHANGES.txt Mon Dec 21 07:11:14 2015
@@ -238,6 +238,8 @@ New Features
 * SOLR-8230: JSON Facet API: add "facet-info" into debug section of response when debugQuery=true
   (Michael Sun, yonik)
 
+* SOLR-8428: RuleBasedAuthorizationPlugin adds an 'all' permission (noble)
+
 
 Bug Fixes
 ----------------------

Modified: lucene/dev/trunk/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java?rev=1721097&r1=1721096&r2=1721097&view=diff
==============================================================================
--- lucene/dev/trunk/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
(original)
+++ lucene/dev/trunk/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
Mon Dec 21 07:11:14 2015
@@ -90,7 +90,7 @@ public class RuleBasedAuthorizationPlugi
   public AuthorizationResponse authorize(AuthorizationContext context) {
     List<AuthorizationContext.CollectionRequest> collectionRequests = context.getCollectionRequests();
     if (context.getRequestType() == AuthorizationContext.RequestType.ADMIN) {
-      MatchStatus flag = checkCollPerm(mapping.get(""), context);
+      MatchStatus flag = checkCollPerm(mapping.get(null), context);
       return flag.rsp;
     }
 
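Review bot: The bucket keys of `mapping` are bare literals whose meaning this commit swaps: the admin lookup here moves from `""` to `null`, the collection-independent fallback in the hunk at line 99 moves from `null` to `"*"`, and the resolver in the hunk at line 212 is changed to match. Any other reader or writer of `mapping` that still uses the old keys would silently find no entry, and if `NO_PERMISSIONS_FOUND` resolves to an allowing response (not visible in these hunks) that miss fails open. A named constant such as `private static final String ANY_COLLECTION = "*";` and a small helper for the admin lookup, used at all three sites, would make such a mismatch hard to introduce. `mapping.get(null)` also assumes a map implementation that accepts null keys; the declaration of `mapping` is outside the hunk, so this is worth confirming. The body of `authorize` continues past this hunk.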
@@ -99,8 +99,8 @@ public class RuleBasedAuthorizationPlugi
       MatchStatus flag = checkCollPerm(mapping.get(collreq.collectionName), context);
       if (flag != MatchStatus.NO_PERMISSIONS_FOUND) return flag.rsp;
     }
-    //check global permissions.
-    MatchStatus flag = checkCollPerm(mapping.get(null), context);
+    //check wildcard (all=*) permissions.
+    MatchStatus flag = checkCollPerm(mapping.get("*"), context);
     return flag.rsp;
   }
 
@@ -212,7 +212,7 @@ public class RuleBasedAuthorizationPlugi
       if("collection".equals(key)){
         //for collection collection: null means a core admin/ collection admin request
         // otherwise it means a request where collection name is ignored
-        return m.containsKey(key) ?  singleton("") : singleton(null);
+        return m.containsKey(key) ? singleton(null) : singleton("*");
       }
       return null;
     }
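Review bot: The two comment lines above the changed `return` do not say which map key each case produces, and now that `null` is itself a key the word "null" in them is ambiguous. Read from the new line, a rule that carries a `collection` entry in this branch resolves to the `null` key (the one `authorize` consults for ADMIN requests) and a rule with no `collection` entry resolves to `"*"`. A comment such as `// "collection" present but null -> admin bucket (null key); "collection" absent -> every collection ("*")` would state that directly. The enclosing method starts outside the hunk, so the condition under which this branch is reached should be confirmed before settling the wording.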
@@ -469,7 +469,9 @@ public class RuleBasedAuthorizationPlugi
           "      path:['/select', '/get','/browse','/tvrh','/terms','/clustering','/elevate',
'/export','/spell','/clustering']}," +
           "    config-edit:{" +
           "      method:POST," +
-          "      path:'/config/*'}}");
+              "      path:'/config/*'}," +
+              "    all:{collection:['*', null]}" +
+              "}");
 
   static {
     ((Map) well_known_permissions.get("collection-admin-edit")).put(Predicate.class.getName(),
getCollectionActionPredicate(true));
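Review bot: The new `all` entry has no `path` or `method` restriction and lists both `'*'` and `null` for `collection`, so it appears to match every collection request and every admin request. That scope deserves a comment next to the definition, because a role bound to `all` would be granted everything the plugin guards. If permissions are evaluated in list order with the first match deciding (the matching loop is not in this hunk), an `all` rule placed ahead of narrower rules would shadow them; something like `// 'all' matches any request; list it after more specific permissions` would record that. The three added lines are also indented four columns deeper than the string fragments around them.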

Modified: lucene/dev/trunk/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java?rev=1721097&r1=1721096&r2=1721097&view=diff
==============================================================================
--- lucene/dev/trunk/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
(original)
+++ lucene/dev/trunk/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
Mon Dec 21 07:11:14 2015
@@ -24,6 +24,8 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import com.carrotsearch.ant.tasks.junit4.dependencies.com.google.common.collect.ImmutableMap;
+import jdk.nashorn.internal.ir.annotations.Immutable;
 import org.apache.http.auth.BasicUserPrincipal;
 import org.apache.solr.SolrTestCaseJ4;
 import org.apache.solr.common.params.MapSolrParams;
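Review bot: The two added imports look like IDE auto-completions rather than intended dependencies. `jdk.nashorn.internal.ir.annotations.Immutable` is a JDK-internal class, and `com.carrotsearch.ant.tasks.junit4.dependencies.com.google.common.collect.ImmutableMap` is a copy of Guava shaded inside the test runner. Neither name is used in the hunks shown for this file, and depending on them ties compilation to a particular JDK and to the runner's private packaging. Dropping both lines should be safe if nothing else in the file uses them, which cannot be confirmed from this hunk.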
@@ -159,15 +161,40 @@ public class TestRuleBasedAuthorizationP
         "userPrincipal", "joe")
         , FORBIDDEN);
 
-  }
 
+    Map rules = (Map) Utils.fromJSONString(permissions);
+    ((Map)rules.get("user-role")).put("cio","su");
+    ((List)rules.get("permissions")).add( makeMap("name", "all", "role", "su"));
 
+    checkRules(makeMap("resource", "/replication",
+        "httpMethod", "POST",
+        "userPrincipal", "tim",
+        "collectionRequests", singletonList(new CollectionRequest("mycoll")) )
+        , FORBIDDEN, rules);
+
+    checkRules(makeMap("resource", "/replication",
+        "httpMethod", "POST",
+        "userPrincipal", "cio",
+        "collectionRequests", singletonList(new CollectionRequest("mycoll")) )
+        , STATUS_OK, rules);
+
+    checkRules(makeMap("resource", "/admin/collections",
+        "userPrincipal", "tim",
+        "requestType", AuthorizationContext.RequestType.ADMIN,
+        "collectionRequests", null,
+        "params", new MapSolrParams(singletonMap("action", "CREATE")))
+        , STATUS_OK, rules);
+
+  }
 
   private void checkRules(Map<String, Object> values, int expected) {
+    checkRules(values,expected,(Map) Utils.fromJSONString(permissions));
+  }
 
+  private void checkRules(Map<String, Object> values, int expected, Map<String ,Object>
permissions) {
     AuthorizationContext context = new MockAuthorizationContext(values);
     RuleBasedAuthorizationPlugin plugin = new RuleBasedAuthorizationPlugin();
-    plugin.init((Map) Utils.fromJSONString(permissions));
+    plugin.init(permissions);
     AuthorizationResponse authResp = plugin.authorize(context);
     assertEquals(expected, authResp.statusCode);
   }
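Review bot: The `null` (admin) half of the `all` permission has no test where `all` is the deciding rule. The `"*"` half is covered in both directions (`tim` FORBIDDEN and `cio` STATUS_OK on `/replication`), but the only ADMIN case is `tim` on `/admin/collections` expecting STATUS_OK, which presumably passes through an earlier, more specific rule. A regression that left admin endpoints open to users without `su` would therefore go unnoticed. Two more `checkRules(..., rules)` calls with `"requestType", AuthorizationContext.RequestType.ADMIN` on an admin resource that no other rule names, expecting STATUS_OK for `cio` and FORBIDDEN for a user without `su`, would close the gap. `rules` is a raw `Map` passed to a `Map<String, Object>` parameter, and the test method starts outside the hunk.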


