SOLR-9041: 'core-admin-read' and 'core-admin-edit' are well known permissions

This commit is contained in:
Noble Paul 2016-04-26 19:24:23 +05:30
parent 111107b3bd
commit 8162ba4534
6 changed files with 75 additions and 5 deletions

View File

@ -77,6 +77,8 @@ New Features
* SOLR-9020: Implement StatementImpl/ResultSetImpl get/set fetch* methods and proper errors for traversal methods (Kevin Risden)
* SOLR-9041: 'core-admin-read' and 'core-admin-edit' are well known permissions (noble)
Bug Fixes
----------------------

View File

@ -151,7 +151,7 @@ public class CollectionsHandler extends RequestHandlerBase implements Permission
@Override
public PermissionNameProvider.Name getPermissionName(AuthorizationContext ctx) {
String action = ctx.getParams().get("action");
if (action == null) return null;
if (action == null) return PermissionNameProvider.Name.COLL_READ_PERM;
CollectionParams.CollectionAction collectionAction = CollectionParams.CollectionAction.get(action);
if (collectionAction == null) return null;
return collectionAction.isWrite ?

View File

@ -33,6 +33,7 @@ import org.apache.solr.cloud.ZkController;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.SolrException.ErrorCode;
import org.apache.solr.common.cloud.ZkStateReader;
import org.apache.solr.common.params.CollectionParams;
import org.apache.solr.common.params.CommonAdminParams;
import org.apache.solr.common.params.CoreAdminParams;
import org.apache.solr.common.params.CoreAdminParams.CoreAdminAction;
@ -45,6 +46,8 @@ import org.apache.solr.core.CoreDescriptor;
import org.apache.solr.handler.RequestHandlerBase;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.SolrQueryResponse;
import org.apache.solr.security.AuthorizationContext;
import org.apache.solr.security.PermissionNameProvider;
import org.apache.solr.util.DefaultSolrThreadFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -52,12 +55,14 @@ import org.slf4j.MDC;
import static org.apache.solr.common.params.CoreAdminParams.ACTION;
import static org.apache.solr.common.params.CoreAdminParams.CoreAdminAction.STATUS;
import static org.apache.solr.security.PermissionNameProvider.Name.CORE_EDIT_PERM;
import static org.apache.solr.security.PermissionNameProvider.Name.CORE_READ_PERM;
/**
*
* @since solr 1.3
*/
public class CoreAdminHandler extends RequestHandlerBase {
public class CoreAdminHandler extends RequestHandlerBase implements PermissionNameProvider {
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
protected final CoreContainer coreContainer;
protected final Map<String, Map<String, TaskObject>> requestStatusMap;
@ -262,6 +267,17 @@ public class CoreAdminHandler extends RequestHandlerBase {
return "Manage Multiple Solr Cores";
}
@Override
public Name getPermissionName(AuthorizationContext ctx) {
String action = ctx.getParams().get(CoreAdminParams.ACTION);
if (action == null) return CORE_READ_PERM;
CoreAdminParams.CoreAdminAction coreAction = CoreAdminParams.CoreAdminAction.get(action);
if (coreAction == null) return CORE_READ_PERM;
return coreAction.isRead ?
CORE_READ_PERM :
CORE_EDIT_PERM;
}
/**
* Helper class to manage the tasks to be tracked.
* This contains the taskId, request and the response (if available).

View File

@ -36,6 +36,8 @@ public interface PermissionNameProvider {
enum Name {
COLL_EDIT_PERM("collection-admin-edit", null),
COLL_READ_PERM("collection-admin-read", null),
CORE_READ_PERM("core-admin-read", null),
CORE_EDIT_PERM("core-admin-edit", null),
READ_PERM("read", "*"),
UPDATE_PERM("update", "*"),
CONFIG_EDIT_PERM("config-edit", "*"),

View File

@ -35,6 +35,7 @@ import org.apache.solr.handler.ReplicationHandler;
import org.apache.solr.handler.SchemaHandler;
import org.apache.solr.handler.UpdateRequestHandler;
import org.apache.solr.handler.admin.CollectionsHandler;
import org.apache.solr.handler.admin.CoreAdminHandler;
import org.apache.solr.handler.component.SearchHandler;
import org.apache.solr.security.AuthorizationContext.CollectionRequest;
import org.apache.solr.security.AuthorizationContext.RequestType;
@ -211,6 +212,45 @@ public class TestRuleBasedAuthorizationPlugin extends SolrTestCaseJ4 {
"params", new MapSolrParams(singletonMap("action", "CREATE")))
, STATUS_OK, rules);
rules = (Map) Utils.fromJSONString(permissions);
((List)rules.get("permissions")).add( makeMap("name", "core-admin-edit", "role", "su"));
((List)rules.get("permissions")).add( makeMap("name", "core-admin-read", "role", "user"));
((Map)rules.get("user-role")).put("cio","su");
((List)rules.get("permissions")).add( makeMap("name", "all", "role", "su"));
permissions = Utils.toJSONString(rules);
checkRules(makeMap("resource", "/admin/cores",
"userPrincipal", null,
"requestType", RequestType.ADMIN,
"collectionRequests", null,
"handler", new CoreAdminHandler(null),
"params", new MapSolrParams(singletonMap("action", "CREATE")))
, PROMPT_FOR_CREDENTIALS);
checkRules(makeMap("resource", "/admin/cores",
"userPrincipal", "joe",
"requestType", RequestType.ADMIN,
"collectionRequests", null,
"handler", new CoreAdminHandler(null),
"params", new MapSolrParams(singletonMap("action", "CREATE")))
, FORBIDDEN);
checkRules(makeMap("resource", "/admin/cores",
"userPrincipal", "joe",
"requestType", RequestType.ADMIN,
"collectionRequests", null,
"handler", new CoreAdminHandler(null),
"params", new MapSolrParams(singletonMap("action", "STATUS")))
, STATUS_OK);
checkRules(makeMap("resource", "/admin/cores",
"userPrincipal", "cio",
"requestType", RequestType.ADMIN,
"collectionRequests", null,
"handler", new CoreAdminHandler(null),
"params", new MapSolrParams(singletonMap("action", "CREATE")))
,STATUS_OK );
}
public void testEditRules() throws IOException {

View File

@ -109,7 +109,7 @@ public abstract class CoreAdminParams
public static final String NODE = "node";
public enum CoreAdminAction {
STATUS,
STATUS(true),
UNLOAD,
RELOAD,
CREATE,
@ -124,12 +124,22 @@ public abstract class CoreAdminParams
REQUESTBUFFERUPDATES,
REQUESTAPPLYUPDATES,
OVERSEEROP,
REQUESTSTATUS,
REQUESTSTATUS(true),
REJOINLEADERELECTION,
//internal API used by force shard leader election
FORCEPREPAREFORLEADERSHIP,
INVOKE;
public final boolean isRead;
CoreAdminAction(boolean isRead) {
this.isRead = isRead;
}
CoreAdminAction() {
this.isRead = false;
}
public static CoreAdminAction get( String p ) {
if (p != null) {
try {