From 0233765c274ec9d308ca4eb621f26bd4ed9d0a39 Mon Sep 17 00:00:00 2001
From: Noble Paul <noble@apache.org>
Date: Tue, 26 Apr 2016 19:24:23 +0530
Subject: [PATCH] SOLR-9041: 'core-admin-read' and 'core-admin-edit' are well
 known permissions

---
 solr/CHANGES.txt                              |  2 +
 .../handler/admin/CollectionsHandler.java     |  2 +-
 .../solr/handler/admin/CoreAdminHandler.java  | 18 ++++++++-
 .../solr/security/PermissionNameProvider.java |  2 +
 .../TestRuleBasedAuthorizationPlugin.java     | 40 +++++++++++++++++++
 .../solr/common/params/CoreAdminParams.java   | 16 ++++++--
 6 files changed, 75 insertions(+), 5 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 6034851e949..905c38d1c76 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -111,6 +111,8 @@ New Features
 
 * SOLR-9020: Implement StatementImpl/ResultSetImpl get/set fetch* methods and proper errors for traversal methods (Kevin Risden)
 
+* SOLR-9041: 'core-admin-read' and 'core-admin-edit' are well known permissions (noble)
+
 Bug Fixes
 ----------------------
 
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java
index 64b10ab0c0f..29a978f9f43 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java
@@ -151,7 +151,7 @@ public class CollectionsHandler extends RequestHandlerBase implements Permission
   @Override
   public PermissionNameProvider.Name getPermissionName(AuthorizationContext ctx) {
     String action = ctx.getParams().get("action");
-    if (action == null) return null;
+    if (action == null) return PermissionNameProvider.Name.COLL_READ_PERM;
     CollectionParams.CollectionAction collectionAction = CollectionParams.CollectionAction.get(action);
     if (collectionAction == null) return null;
     return collectionAction.isWrite ?
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/CoreAdminHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/CoreAdminHandler.java
index 9eeef105c67..6e295f79199 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/CoreAdminHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/CoreAdminHandler.java
@@ -33,6 +33,7 @@ import org.apache.solr.cloud.ZkController;
 import org.apache.solr.common.SolrException;
 import org.apache.solr.common.SolrException.ErrorCode;
 import org.apache.solr.common.cloud.ZkStateReader;
+import org.apache.solr.common.params.CollectionParams;
 import org.apache.solr.common.params.CommonAdminParams;
 import org.apache.solr.common.params.CoreAdminParams;
 import org.apache.solr.common.params.CoreAdminParams.CoreAdminAction;
@@ -45,6 +46,8 @@ import org.apache.solr.core.CoreDescriptor;
 import org.apache.solr.handler.RequestHandlerBase;
 import org.apache.solr.request.SolrQueryRequest;
 import org.apache.solr.response.SolrQueryResponse;
+import org.apache.solr.security.AuthorizationContext;
+import org.apache.solr.security.PermissionNameProvider;
 import org.apache.solr.util.DefaultSolrThreadFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,12 +55,14 @@ import org.slf4j.MDC;
 
 import static org.apache.solr.common.params.CoreAdminParams.ACTION;
 import static org.apache.solr.common.params.CoreAdminParams.CoreAdminAction.STATUS;
+import static org.apache.solr.security.PermissionNameProvider.Name.CORE_EDIT_PERM;
+import static org.apache.solr.security.PermissionNameProvider.Name.CORE_READ_PERM;
 
 /**
  *
  * @since solr 1.3
  */
-public class CoreAdminHandler extends RequestHandlerBase {
+public class CoreAdminHandler extends RequestHandlerBase implements PermissionNameProvider {
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   protected final CoreContainer coreContainer;
   protected final Map<String, Map<String, TaskObject>> requestStatusMap;
@@ -262,6 +267,17 @@ public class CoreAdminHandler extends RequestHandlerBase {
     return "Manage Multiple Solr Cores";
   }
 
+  @Override
+  public Name getPermissionName(AuthorizationContext ctx) {
+    String action = ctx.getParams().get(CoreAdminParams.ACTION);
+    if (action == null) return CORE_READ_PERM;
+    CoreAdminParams.CoreAdminAction coreAction = CoreAdminParams.CoreAdminAction.get(action);
+    if (coreAction == null) return CORE_READ_PERM;
+    return coreAction.isRead ?
+        CORE_READ_PERM :
+        CORE_EDIT_PERM;
+  }
+
   /**
    * Helper class to manage the tasks to be tracked.
    * This contains the taskId, request and the response (if available).
diff --git a/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java b/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java
index 2dec4333047..4b6af47d238 100644
--- a/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java
+++ b/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java
@@ -36,6 +36,8 @@ public interface PermissionNameProvider {
   enum Name {
     COLL_EDIT_PERM("collection-admin-edit", null),
     COLL_READ_PERM("collection-admin-read", null),
+    CORE_READ_PERM("core-admin-read", null),
+    CORE_EDIT_PERM("core-admin-edit", null),
     READ_PERM("read", "*"),
     UPDATE_PERM("update", "*"),
     CONFIG_EDIT_PERM("config-edit", "*"),
diff --git a/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
index 7a92f8f567e..5abf21c78f8 100644
--- a/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
@@ -35,6 +35,7 @@ import org.apache.solr.handler.ReplicationHandler;
 import org.apache.solr.handler.SchemaHandler;
 import org.apache.solr.handler.UpdateRequestHandler;
 import org.apache.solr.handler.admin.CollectionsHandler;
+import org.apache.solr.handler.admin.CoreAdminHandler;
 import org.apache.solr.handler.component.SearchHandler;
 import org.apache.solr.security.AuthorizationContext.CollectionRequest;
 import org.apache.solr.security.AuthorizationContext.RequestType;
@@ -211,6 +212,45 @@ public class TestRuleBasedAuthorizationPlugin extends SolrTestCaseJ4 {
         "params", new MapSolrParams(singletonMap("action", "CREATE")))
         , STATUS_OK, rules);
 
+    rules = (Map) Utils.fromJSONString(permissions);
+    ((List)rules.get("permissions")).add( makeMap("name", "core-admin-edit", "role", "su"));
+    ((List)rules.get("permissions")).add( makeMap("name", "core-admin-read", "role", "user"));
+    ((Map)rules.get("user-role")).put("cio","su");
+    ((List)rules.get("permissions")).add( makeMap("name", "all", "role", "su"));
+    permissions = Utils.toJSONString(rules);
+
+    checkRules(makeMap("resource", "/admin/cores",
+        "userPrincipal", null,
+        "requestType", RequestType.ADMIN,
+        "collectionRequests", null,
+        "handler", new CoreAdminHandler(null),
+        "params", new MapSolrParams(singletonMap("action", "CREATE")))
+        , PROMPT_FOR_CREDENTIALS);
+
+    checkRules(makeMap("resource", "/admin/cores",
+        "userPrincipal", "joe",
+        "requestType", RequestType.ADMIN,
+        "collectionRequests", null,
+        "handler", new CoreAdminHandler(null),
+        "params", new MapSolrParams(singletonMap("action", "CREATE")))
+        , FORBIDDEN);
+
+  checkRules(makeMap("resource", "/admin/cores",
+        "userPrincipal", "joe",
+        "requestType", RequestType.ADMIN,
+        "collectionRequests", null,
+        "handler", new CoreAdminHandler(null),
+        "params", new MapSolrParams(singletonMap("action", "STATUS")))
+        , STATUS_OK);
+
+    checkRules(makeMap("resource", "/admin/cores",
+        "userPrincipal", "cio",
+        "requestType", RequestType.ADMIN,
+        "collectionRequests", null,
+        "handler", new CoreAdminHandler(null),
+        "params", new MapSolrParams(singletonMap("action", "CREATE")))
+        ,STATUS_OK );
+
   }
 
   public void testEditRules() throws IOException {
diff --git a/solr/solrj/src/java/org/apache/solr/common/params/CoreAdminParams.java b/solr/solrj/src/java/org/apache/solr/common/params/CoreAdminParams.java
index 0a9e749fe8e..f1728db11b5 100644
--- a/solr/solrj/src/java/org/apache/solr/common/params/CoreAdminParams.java
+++ b/solr/solrj/src/java/org/apache/solr/common/params/CoreAdminParams.java
@@ -109,7 +109,7 @@ public abstract class CoreAdminParams
   public static final String NODE = "node";
 
   public enum CoreAdminAction {
-    STATUS,
+    STATUS(true),
     UNLOAD,
     RELOAD,
     CREATE,
@@ -118,18 +118,28 @@ public abstract class CoreAdminParams
     MERGEINDEXES,
     SPLIT,
     PREPRECOVERY,
-    REQUESTRECOVERY, 
+    REQUESTRECOVERY,
     REQUESTSYNCSHARD,
     DELETEALIAS,
     REQUESTBUFFERUPDATES,
     REQUESTAPPLYUPDATES,
     OVERSEEROP,
-    REQUESTSTATUS,
+    REQUESTSTATUS(true),
     REJOINLEADERELECTION,
     //internal API used by force shard leader election
     FORCEPREPAREFORLEADERSHIP,
     INVOKE;
 
+    public final boolean isRead;
+
+    CoreAdminAction(boolean isRead) {
+      this.isRead = isRead;
+    }
+
+    CoreAdminAction() {
+      this.isRead = false;
+    }
+
     public static CoreAdminAction get( String p ) {
       if (p != null) {
         try {