SOLR-8004: RuleBasedAuthorization plugin does not work for the collection-admin-edit permission

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1700784 13f79535-47bb-0310-9956-ffa450edef68
2015-09-02 12:21:11 +00:00 · 2015-09-02 12:21:11 +00:00 · 0baae2f832
parent 3bab6026b1
commit 0baae2f832
4 changed files with 38 additions and 2 deletions
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@ -188,6 +188,8 @@ Bug Fixes

 * SOLR-8000: security.json is not loaded on server start (noble)

+* SOLR-8004: RuleBasedAuthorization plugin does not work for the collection-admin-edit permission (noble)
+

 Optimizations
 ----------------------
--- a/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
@ -88,7 +88,7 @@ public class RuleBasedAuthorizationPlugin implements AuthorizationPlugin, Config
  @Override
  public AuthorizationResponse authorize(AuthorizationContext context) {
    List<AuthorizationContext.CollectionRequest> collectionRequests = context.getCollectionRequests();
-    if (collectionRequests.isEmpty()) {
+    if (context.getRequestType() == AuthorizationContext.RequestType.ADMIN) {
      MatchStatus flag = checkCollPerm(mapping.get(""), context);
      return flag.rsp;
    }
--- a/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
+++ b/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java
@ -38,6 +38,7 @@ import org.apache.solr.client.solrj.SolrRequest;
 import org.apache.solr.client.solrj.embedded.JettySolrRunner;
 import org.apache.solr.client.solrj.impl.CloudSolrClient;
 import org.apache.solr.client.solrj.impl.HttpSolrClient;
+import org.apache.solr.client.solrj.request.CollectionAdminRequest;
 import org.apache.solr.client.solrj.request.GenericSolrRequest;
 import org.apache.solr.cloud.MiniSolrCloudCluster;
 import org.apache.solr.cloud.TestMiniSolrCloudCluster;
@ -144,6 +145,30 @@ public class BasicAuthIntegrationTest extends TestMiniSolrCloudCluster {

    verifySecurityStatus(cl, baseUrl+"/admin/authorization", "authorization/permissions[1]/collection", "x", 20);

+    httpPost = new HttpPost(baseUrl + "/admin/authorization");
+    setBasicAuthHeader(httpPost, "harry", "HarryIsUberCool");
+    httpPost.setEntity(new ByteArrayEntity(Utils.toJSON(singletonMap("set-permission", Utils.makeMap
+        ("name","collection-admin-edit", "role", "admin" )))));
+    r = cl.execute(httpPost);
+
+    verifySecurityStatus(cl, baseUrl+"/admin/authorization", "authorization/permissions[2]/name", "collection-admin-edit", 20);
+
+    CollectionAdminRequest.Reload reload = new CollectionAdminRequest.Reload();
+    reload.setCollectionName(cloudSolrClient.getDefaultCollection());
+
+    HttpSolrClient solrClient = new HttpSolrClient(baseUrl);
+    try {
+      rsp = solrClient.request(reload);
+      fail("must have failed");
+    } catch (HttpSolrClient.RemoteSolrException e) {
+
+    }
+
+    httpPost = new HttpPost(baseUrl + "/admin/authorization");
+    setBasicAuthHeader(httpPost, "harry", "HarryIsUberCool");
+    httpPost.setEntity(new ByteArrayEntity(Utils.toJSON(singletonMap("delete-permission", "collection-admin-edit"))));
+    r = cl.execute(httpPost);//cleanup so that the super class does not need to pass on credentials
+
  }

  public static void verifySecurityStatus(HttpClient cl, String url, String objPath, Object expected, int count) throws Exception {
@ -208,6 +233,11 @@ public class BasicAuthIntegrationTest extends TestMiniSolrCloudCluster {
  public void testErrorsInShutdown() throws Exception {
  }

+
+  @Override
+  public void testCollectionCreateWithoutCoresThenDelete() throws Exception {
+  }
+
  //the password is 'SolrRocks'
  //this could be generated everytime. But , then we will not know if there is any regression
  private static final String STD_CONF = "{\n" +
--- a/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java
@ -95,7 +95,7 @@ public class TestRuleBasedAuthorizationPlugin extends SolrTestCaseJ4 {
    assertEquals(FORBIDDEN,authResp.statusCode);

    values.put("resource","/admin/collections");
-    values.put("collectionRequests",new ArrayList<>());
+    values.put("requestType", AuthorizationContext.RequestType.ADMIN);
    values.put("params", new MapSolrParams(Collections.singletonMap("action", "LIST")));
    values.put("httpMethod","GET");
    authResp = plugin.authorize(context);
@ -109,6 +109,10 @@ public class TestRuleBasedAuthorizationPlugin extends SolrTestCaseJ4 {
    authResp = plugin.authorize(context);
    assertEquals(PROMPT_FOR_CREDENTIALS, authResp.statusCode);

+    values.put("params", new MapSolrParams(Collections.singletonMap("action", "RELOAD")));
+    authResp = plugin.authorize(context);
+    assertEquals(PROMPT_FOR_CREDENTIALS, authResp.statusCode);
+
    values.put("userPrincipal", new BasicUserPrincipal("somebody"));
    authResp = plugin.authorize(context);
    assertEquals(FORBIDDEN,authResp.statusCode);