From commits-return-111516-archive-asf-public=cust-asf.ponee.io@lucene.apache.org Mon Dec 2 11:56:35 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id 70C4818064E for ; Mon, 2 Dec 2019 12:56:35 +0100 (CET) Received: (qmail 47964 invoked by uid 500); 2 Dec 2019 11:56:34 -0000 Mailing-List: contact commits-help@lucene.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@lucene.apache.org Delivered-To: mailing list commits@lucene.apache.org Received: (qmail 47955 invoked by uid 99); 2 Dec 2019 11:56:34 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Dec 2019 11:56:34 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 94DFC8B690; Mon, 2 Dec 2019 11:56:34 +0000 (UTC) Date: Mon, 02 Dec 2019 11:56:34 +0000 To: "commits@lucene.apache.org" Subject: [lucene-solr] branch branch_8x updated: LUCENE-9076: give replicator its own policy rather than reusing solr policy MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <157528779434.27707.15849772142583811531@gitbox.apache.org> From: rmuir@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: lucene-solr X-Git-Refname: refs/heads/branch_8x X-Git-Reftype: branch X-Git-Oldrev: 3de517b2869d0d7664dbe1b55f6f803091c92bff X-Git-Newrev: 58473a04b9efdfd108719a872bcd0adabfbebb71 X-Git-Rev: 58473a04b9efdfd108719a872bcd0adabfbebb71 X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. rmuir pushed a commit to branch branch_8x in repository https://gitbox.apache.org/repos/asf/lucene-solr.git The following commit(s) were added to refs/heads/branch_8x by this push: new 58473a0 LUCENE-9076: give replicator its own policy rather than reusing solr policy 58473a0 is described below commit 58473a04b9efdfd108719a872bcd0adabfbebb71 Author: Robert Muir AuthorDate: Mon Dec 2 06:55:02 2019 -0500 LUCENE-9076: give replicator its own policy rather than reusing solr policy --- lucene/replicator/build.xml | 2 +- lucene/tools/junit4/replicator-tests.policy | 91 +++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+), 1 deletion(-) diff --git a/lucene/replicator/build.xml b/lucene/replicator/build.xml index 53d4251..796bf27 100644 --- a/lucene/replicator/build.xml +++ b/lucene/replicator/build.xml @@ -22,7 +22,7 @@ - + diff --git a/lucene/tools/junit4/replicator-tests.policy b/lucene/tools/junit4/replicator-tests.policy new file mode 100644 index 0000000..476875a --- /dev/null +++ b/lucene/tools/junit4/replicator-tests.policy @@ -0,0 +1,91 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Policy file for lucene replicator tests. Please keep minimal and avoid wildcards. +// this differs from the standard lucene policy in that it must allow read-write access +// to all system properties, because of jetty + +grant { + // contain read access to only what we need: + // 3rd party jar resources (where symlinks are not supported), test-files/ resources + permission java.io.FilePermission "${common.dir}${/}-", "read"; + // 3rd party jar resources (where symlinks are supported) + permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read"; + // system jar resources, and let TestIndexWriterOnJRECrash fork its jvm + permission java.io.FilePermission "${java.home}${/}-", "read,execute"; + // should be enclosed within common.dir, but just in case: + permission java.io.FilePermission "${junit4.childvm.cwd}", "read"; + + // write only to sandbox + permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete"; + permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete"; + permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write"; + permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete"; + permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete"; + permission java.io.FilePermission "${tests.linedocsfile}", "read"; + + // misc HardlinkCopyDirectoryWrapper needs this to test if hardlinks can be created + permission java.nio.file.LinkPermission "hard"; + // needed by SSD detection tests in TestIOUtils (creates symlinks) + permission java.nio.file.LinkPermission "symbolic"; + + // needed by gson serialization of junit4 runner: TODO clean that up + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + // needed by junit4 runner to capture sysout/syserr: + permission java.lang.RuntimePermission "setIO"; + // needed by randomized runner to catch failures from other threads: + permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler"; + // needed by randomized runner getTopThreadGroup: + permission java.lang.RuntimePermission "modifyThreadGroup"; + // needed by tests e.g. shutting down executors: + permission java.lang.RuntimePermission "modifyThread"; + // needed for tons of test hacks etc + permission java.lang.RuntimePermission "getStackTrace"; + // needed for mock filesystems in tests + permission java.lang.RuntimePermission "fileSystemProvider"; + // needed for test of IOUtils.spins (maybe it can be avoided) + permission java.lang.RuntimePermission "getFileStoreAttributes"; + // analyzers/uima: needed by lucene expressions' JavascriptCompiler + permission java.lang.RuntimePermission "createClassLoader"; + // needed to test unmap hack on platforms that support it + permission java.lang.RuntimePermission "accessClassInPackage.sun.misc"; + // needed by cyberneko usage by benchmarks on J9 + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.xerces.util"; + // needed by jacoco to dump coverage + permission java.lang.RuntimePermission "shutdownHooks"; + // needed by org.apache.logging.log4j + permission java.lang.RuntimePermission "getenv.*"; + permission java.lang.RuntimePermission "getClassLoader"; + permission java.lang.RuntimePermission "setContextClassLoader"; + + // read/write access to all system properties (required by jetty in these tests) + permission java.util.PropertyPermission "*", "read,write"; + + // replicator: jetty tests require some network permissions: + // all possibilities of accepting/binding/connecting on localhost with ports >= 1024: + permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve"; + permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve"; + permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve"; + + // SSL related properties for jetty + permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm"; + permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm"; + + // allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission + permission java.security.SecurityPermission "createAccessControlContext"; +};