From 8162ba4534af12879a2da03d4c4d3239a6d3a8fb Mon Sep 17 00:00:00 2001 From: Noble Paul Date: Tue, 26 Apr 2016 19:24:23 +0530 Subject: [PATCH] SOLR-9041: 'core-admin-read' and 'core-admin-edit' are well known permissions --- solr/CHANGES.txt | 2 + .../handler/admin/CollectionsHandler.java | 2 +- .../solr/handler/admin/CoreAdminHandler.java | 18 ++++++++- .../solr/security/PermissionNameProvider.java | 2 + .../TestRuleBasedAuthorizationPlugin.java | 40 +++++++++++++++++++ .../solr/common/params/CoreAdminParams.java | 16 ++++++-- 6 files changed, 75 insertions(+), 5 deletions(-) diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt index 32a8e5ba1a9..4328c8dafbc 100644 --- a/solr/CHANGES.txt +++ b/solr/CHANGES.txt @@ -77,6 +77,8 @@ New Features * SOLR-9020: Implement StatementImpl/ResultSetImpl get/set fetch* methods and proper errors for traversal methods (Kevin Risden) +* SOLR-9041: 'core-admin-read' and 'core-admin-edit' are well known permissions (noble) + Bug Fixes ---------------------- diff --git a/solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java index 64b10ab0c0f..29a978f9f43 100644 --- a/solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java +++ b/solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java @@ -151,7 +151,7 @@ public class CollectionsHandler extends RequestHandlerBase implements Permission @Override public PermissionNameProvider.Name getPermissionName(AuthorizationContext ctx) { String action = ctx.getParams().get("action"); - if (action == null) return null; + if (action == null) return PermissionNameProvider.Name.COLL_READ_PERM; CollectionParams.CollectionAction collectionAction = CollectionParams.CollectionAction.get(action); if (collectionAction == null) return null; return collectionAction.isWrite ? diff --git a/solr/core/src/java/org/apache/solr/handler/admin/CoreAdminHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/CoreAdminHandler.java index 9eeef105c67..6e295f79199 100644 --- a/solr/core/src/java/org/apache/solr/handler/admin/CoreAdminHandler.java +++ b/solr/core/src/java/org/apache/solr/handler/admin/CoreAdminHandler.java @@ -33,6 +33,7 @@ import org.apache.solr.cloud.ZkController; import org.apache.solr.common.SolrException; import org.apache.solr.common.SolrException.ErrorCode; import org.apache.solr.common.cloud.ZkStateReader; +import org.apache.solr.common.params.CollectionParams; import org.apache.solr.common.params.CommonAdminParams; import org.apache.solr.common.params.CoreAdminParams; import org.apache.solr.common.params.CoreAdminParams.CoreAdminAction; @@ -45,6 +46,8 @@ import org.apache.solr.core.CoreDescriptor; import org.apache.solr.handler.RequestHandlerBase; import org.apache.solr.request.SolrQueryRequest; import org.apache.solr.response.SolrQueryResponse; +import org.apache.solr.security.AuthorizationContext; +import org.apache.solr.security.PermissionNameProvider; import org.apache.solr.util.DefaultSolrThreadFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -52,12 +55,14 @@ import org.slf4j.MDC; import static org.apache.solr.common.params.CoreAdminParams.ACTION; import static org.apache.solr.common.params.CoreAdminParams.CoreAdminAction.STATUS; +import static org.apache.solr.security.PermissionNameProvider.Name.CORE_EDIT_PERM; +import static org.apache.solr.security.PermissionNameProvider.Name.CORE_READ_PERM; /** * * @since solr 1.3 */ -public class CoreAdminHandler extends RequestHandlerBase { +public class CoreAdminHandler extends RequestHandlerBase implements PermissionNameProvider { private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); protected final CoreContainer coreContainer; protected final Map> requestStatusMap; @@ -262,6 +267,17 @@ public class CoreAdminHandler extends RequestHandlerBase { return "Manage Multiple Solr Cores"; } + @Override + public Name getPermissionName(AuthorizationContext ctx) { + String action = ctx.getParams().get(CoreAdminParams.ACTION); + if (action == null) return CORE_READ_PERM; + CoreAdminParams.CoreAdminAction coreAction = CoreAdminParams.CoreAdminAction.get(action); + if (coreAction == null) return CORE_READ_PERM; + return coreAction.isRead ? + CORE_READ_PERM : + CORE_EDIT_PERM; + } + /** * Helper class to manage the tasks to be tracked. * This contains the taskId, request and the response (if available). diff --git a/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java b/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java index 2dec4333047..4b6af47d238 100644 --- a/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java +++ b/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java @@ -36,6 +36,8 @@ public interface PermissionNameProvider { enum Name { COLL_EDIT_PERM("collection-admin-edit", null), COLL_READ_PERM("collection-admin-read", null), + CORE_READ_PERM("core-admin-read", null), + CORE_EDIT_PERM("core-admin-edit", null), READ_PERM("read", "*"), UPDATE_PERM("update", "*"), CONFIG_EDIT_PERM("config-edit", "*"), diff --git a/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java index 7a92f8f567e..5abf21c78f8 100644 --- a/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java +++ b/solr/core/src/test/org/apache/solr/security/TestRuleBasedAuthorizationPlugin.java @@ -35,6 +35,7 @@ import org.apache.solr.handler.ReplicationHandler; import org.apache.solr.handler.SchemaHandler; import org.apache.solr.handler.UpdateRequestHandler; import org.apache.solr.handler.admin.CollectionsHandler; +import org.apache.solr.handler.admin.CoreAdminHandler; import org.apache.solr.handler.component.SearchHandler; import org.apache.solr.security.AuthorizationContext.CollectionRequest; import org.apache.solr.security.AuthorizationContext.RequestType; @@ -211,6 +212,45 @@ public class TestRuleBasedAuthorizationPlugin extends SolrTestCaseJ4 { "params", new MapSolrParams(singletonMap("action", "CREATE"))) , STATUS_OK, rules); + rules = (Map) Utils.fromJSONString(permissions); + ((List)rules.get("permissions")).add( makeMap("name", "core-admin-edit", "role", "su")); + ((List)rules.get("permissions")).add( makeMap("name", "core-admin-read", "role", "user")); + ((Map)rules.get("user-role")).put("cio","su"); + ((List)rules.get("permissions")).add( makeMap("name", "all", "role", "su")); + permissions = Utils.toJSONString(rules); + + checkRules(makeMap("resource", "/admin/cores", + "userPrincipal", null, + "requestType", RequestType.ADMIN, + "collectionRequests", null, + "handler", new CoreAdminHandler(null), + "params", new MapSolrParams(singletonMap("action", "CREATE"))) + , PROMPT_FOR_CREDENTIALS); + + checkRules(makeMap("resource", "/admin/cores", + "userPrincipal", "joe", + "requestType", RequestType.ADMIN, + "collectionRequests", null, + "handler", new CoreAdminHandler(null), + "params", new MapSolrParams(singletonMap("action", "CREATE"))) + , FORBIDDEN); + + checkRules(makeMap("resource", "/admin/cores", + "userPrincipal", "joe", + "requestType", RequestType.ADMIN, + "collectionRequests", null, + "handler", new CoreAdminHandler(null), + "params", new MapSolrParams(singletonMap("action", "STATUS"))) + , STATUS_OK); + + checkRules(makeMap("resource", "/admin/cores", + "userPrincipal", "cio", + "requestType", RequestType.ADMIN, + "collectionRequests", null, + "handler", new CoreAdminHandler(null), + "params", new MapSolrParams(singletonMap("action", "CREATE"))) + ,STATUS_OK ); + } public void testEditRules() throws IOException { diff --git a/solr/solrj/src/java/org/apache/solr/common/params/CoreAdminParams.java b/solr/solrj/src/java/org/apache/solr/common/params/CoreAdminParams.java index 0a9e749fe8e..f1728db11b5 100644 --- a/solr/solrj/src/java/org/apache/solr/common/params/CoreAdminParams.java +++ b/solr/solrj/src/java/org/apache/solr/common/params/CoreAdminParams.java @@ -109,7 +109,7 @@ public abstract class CoreAdminParams public static final String NODE = "node"; public enum CoreAdminAction { - STATUS, + STATUS(true), UNLOAD, RELOAD, CREATE, @@ -118,18 +118,28 @@ public abstract class CoreAdminParams MERGEINDEXES, SPLIT, PREPRECOVERY, - REQUESTRECOVERY, + REQUESTRECOVERY, REQUESTSYNCSHARD, DELETEALIAS, REQUESTBUFFERUPDATES, REQUESTAPPLYUPDATES, OVERSEEROP, - REQUESTSTATUS, + REQUESTSTATUS(true), REJOINLEADERELECTION, //internal API used by force shard leader election FORCEPREPAREFORLEADERSHIP, INVOKE; + public final boolean isRead; + + CoreAdminAction(boolean isRead) { + this.isRead = isRead; + } + + CoreAdminAction() { + this.isRead = false; + } + public static CoreAdminAction get( String p ) { if (p != null) { try {