Repository: sentry Updated Branches: refs/heads/master 8a80d60bb -> e62fa28d0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
deleted file mode 100644
index 2b246b5..0000000
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.solr;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import org.apache.solr.update.processor.DistributedUpdateProcessor.DistribPhase;
-import org.apache.solr.client.solrj.impl.CloudSolrServer;
-import org.apache.solr.common.cloud.ClusterState;
-import org.apache.solr.common.cloud.Slice;
-
-import java.io.File;
-import java.io.PrintWriter;
-import java.io.StringWriter;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import org.apache.solr.common.SolrInputDocument;
-
-public class TestUpdateOperations extends AbstractSolrSentryTestBase {
-
- private static final Logger LOG = LoggerFactory
- .getLogger(TestUpdateOperations.class);
- private static final String COLLECTION_NAME = "sentryCollection";
- private static final List<Boolean> BOOLEAN_VALUES = Arrays.asList(new Boolean[]{true, false});
- private static final String DEFAULT_COLLECTION = "collection1";
-
- @Test
- public void testUpdateOperations() throws Exception {
- // Upload configs to ZK
- uploadConfigDirToZk(RESOURCES_DIR + File.separator + DEFAULT_COLLECTION
- + File.separator + "conf");
- setupCollection(COLLECTION_NAME);
- ArrayList<String> testFailures = new ArrayList<String>();
-
- for (boolean query : BOOLEAN_VALUES) {
- for (boolean update : BOOLEAN_VALUES) {
- for (boolean all : BOOLEAN_VALUES) {
- String test_user = getUsernameForPermissions(COLLECTION_NAME, query, update, all);
- LOG.info("TEST_USER: " + test_user);
-
- try {
- if (all || update) {
- cleanSolrCollection(COLLECTION_NAME);
- SolrInputDocument solrInputDoc = createSolrTestDoc();
- verifyUpdatePass(test_user, COLLECTION_NAME, solrInputDoc);
-
- cleanSolrCollection(COLLECTION_NAME);
- uploadSolrDoc(COLLECTION_NAME, null);
- verifyDeletedocsPass(test_user, COLLECTION_NAME, false);
- } else {
- cleanSolrCollection(COLLECTION_NAME);
- SolrInputDocument solrInputDoc = createSolrTestDoc();
- verifyUpdateFail(test_user, COLLECTION_NAME, solrInputDoc);
-
- cleanSolrCollection(COLLECTION_NAME);
- uploadSolrDoc(COLLECTION_NAME, null);
- verifyDeletedocsFail(test_user, COLLECTION_NAME, false);
- }
- } catch (Throwable testException) {
- StringWriter stringWriter = new StringWriter();
- PrintWriter printWriter = new PrintWriter(stringWriter);
- testException.printStackTrace(printWriter);
- testFailures.add("\n\nTestFailure: User -> " + test_user + "\n"
- + stringWriter.toString());
- }
- }
- }
- }
-
- assertEquals("Total test failures: " + testFailures.size() + " \n\n"
- + testFailures.toString() + "\n\n\n", 0, testFailures.size());
- }
-
- @Test
- public void testInvariantProcessor() throws Exception {
- String collectionName = "testInvariantCollection";
- // Upload configs to ZK
- uploadConfigDirToZk(RESOURCES_DIR + File.separator + DEFAULT_COLLECTION
- + File.separator + "conf");
- setupCollection(collectionName);
-
- // Send a update request and try to set the update.chain to skip the
- // index-authorization checks
- setAuthenticationUser("junit");
- CloudSolrServer server = getCloudSolrServer(collectionName);
- try {
- String path = "/" + collectionName + "/update?update.chain=skipUpdateIndexAuthorization&commit=true";
- String body = "<add><doc><field name=\"id\">testInvariantDoc</field></doc></add>";
- String ret = makeHttpRequest(server, "POST", path, body.getBytes("UTF-8"), "text/xml");
- assertTrue("Expected sentry exception", ret.contains("SentrySolrAuthorizationException: User junit"
- + " does not have privileges for testInvariantCollection"));
- } finally {
- server.shutdown();
- }
- }
-
- private void checkUpdateDistribPhase(CloudSolrServer server, String collectionName,
- String userName, DistribPhase distribPhase) throws Exception {
- String path = "/" + collectionName + "/update?commit=true";
- String updateDistribParam="";
- if (distribPhase != null) {
- updateDistribParam = distribPhase.toString();
- path += "&update.distrib="+updateDistribParam;
- }
- String docId = "testUpdateDistribDoc"+updateDistribParam;
- String body = "<add><doc><field name=\"id\">"+docId+"</field></doc></add>";
-
- String node = null;
- ClusterState clusterState = server.getZkStateReader().getClusterState();
- for (Slice slice : clusterState.getActiveSlices(collectionName)) {
- if(slice.getRange().includes(docId.hashCode())) {
- node = slice.getLeader().getNodeName().replace("_solr", "/solr");
- }
- }
- assertNotNull("Expected to find leader node for document", node);
-
- String ret = makeHttpRequest(server, node, "POST", path, body.getBytes("UTF-8"), "text/xml");
- assertTrue("Expected sentry exception",
- ret.contains("SentrySolrAuthorizationException: " +
- "User " + userName + " does not have privileges for " + collectionName));
- }
-
- @Test
- public void testUpdateDistribPhase() throws Exception {
- final String collectionName = "testUpdateDistribPhase";
- final String userName = "junit";
- // Upload configs to ZK
- uploadConfigDirToZk(RESOURCES_DIR + File.separator + DEFAULT_COLLECTION
- + File.separator + "conf");
- setupCollection(collectionName);
-
- setAuthenticationUser(userName);
- CloudSolrServer server = getCloudSolrServer(collectionName);
- try {
- // ensure user can't update collection
- checkUpdateDistribPhase(server, collectionName, userName, null);
-
- // now, try to update collection, setting update.distrib to possible values
- for ( DistribPhase phase : DistribPhase.values() ) {
- checkUpdateDistribPhase(server, collectionName, userName, phase);
- }
- } finally {
- server.shutdown();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java
deleted file mode 100644
index 71c3cb6..0000000
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java
+++ /dev/null
@@ -1,324 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.solr.db.integration;
-
-
-import static org.apache.sentry.core.model.search.SearchModelAuthorizable.AuthorizableType.Collection;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.util.Comparator;
-import java.util.List;
-import java.util.TreeMap;
-import java.util.UUID;
-import java.util.concurrent.TimeoutException;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.binding.solr.HdfsTestUtil;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.SentryService;
-import org.apache.sentry.service.thrift.SentryServiceFactory;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.tests.e2e.solr.AbstractSolrSentryTestBase;
-import org.apache.sentry.tests.e2e.solr.ModifiableUserAuthenticationFilter;
-import org.apache.solr.cloud.MiniSolrCloudCluster;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-/**
- * This class used to test the Solr integration with DB store.
- * It will set up a miniSolrCloud, miniHDFS and Sentry service in a JVM process.
- */
-public class AbstractSolrSentryTestWithDbProvider extends AbstractSolrSentryTestBase{
- private static final Logger LOGGER = LoggerFactory
- .getLogger(AbstractSolrSentryTestWithDbProvider.class);
-
- protected static final String SERVER_HOST = NetUtils
- .createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
- protected static final int PORT = 8038;
- protected static final String ADMIN_GROUP = "admin_group";
- protected static final String ADMIN_ROLE = "admin_role";
- protected static final String ADMIN_COLLECTION_NAME = "admin";
- protected static final String COMPONENT_SOLR = "solr";
- protected static final String SERVICE_NAME = SearchConstants.SENTRY_SEARCH_SERVICE_DEFAULT;
-
- protected static final Configuration conf = new Configuration(false);
-
- protected static SentryService server;
- protected static SentryGenericServiceClient client;
-
- protected static File baseDir;
- protected static File hdfsDir;
- protected static File dbDir;
- protected static File policyFilePath;
- protected static File sentrySitePath;
-
- protected static PolicyFile policyFile;
-
- /**
- * Overwrite the method from super class AbstractSolrSentryTestBase
- * take over the management of miniSolrCloudCluster and dfsCluster
- */
- @BeforeClass
- public static void beforeTestSimpleSolrEndToEnd() throws Exception {
- setupConf();
- startHDFS();
- startSolrWithDbProvider();
- startSentryService();
- connectToSentryService();
- setGroupsAndRoles();
- }
-
- @AfterClass
- public static void teardownClass() throws Exception {
- stopAllService();
- FileUtils.deleteDirectory(baseDir);
- unsetSystemProperties();
- }
-
- public static void setupConf() throws Exception {
- baseDir = createTempDir();
- hdfsDir = new File(baseDir, "hdfs");
- dbDir = new File(baseDir, "sentry_policy_db");
- policyFilePath = new File(baseDir, "local_policy_file.ini");
- sentrySitePath = new File(baseDir, "sentry-site.xml");
- policyFile = new PolicyFile();
-
- conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP + ",solr");
- conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
- conf.set(ServerConfig.RPC_PORT, String.valueOf(PORT));
- conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
- policyFilePath.getPath());
- server = SentryServiceFactory.create(conf);
-
- conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName());
- conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
- ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
- conf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(),
- LocalGroupResourceAuthorizationProvider.class.getName());
- conf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(),
- SentryGenericProviderBackend.class.getName());
- conf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), policyFilePath.getPath());
- }
-
- public static File createTempDir() {
- File baseDir = new File(System.getProperty("java.io.tmpdir"));
- String baseName = "solr-integration-db-";
- File tempDir = new File(baseDir, baseName + UUID.randomUUID().toString());
- if (tempDir.mkdir()) {
- return tempDir;
- }
- throw new IllegalStateException("Failed to create temp directory");
- }
-
- public static void configureWithSolr() throws Exception {
- conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
- //save configuration to sentry-site.xml
- conf.writeXml(new FileOutputStream(sentrySitePath));
- setSystemProperties();
- extraRequestFilters = new TreeMap<Class, String>(new Comparator<Class>() {
- // There's only one class, make this as simple as possible
- @Override
- public int compare(Class o1, Class o2) {
- return 0;
- }
- @Override
- public boolean equals(Object obj) {
- return true;
- }
-
- @Override
- public int hashCode() {
- return 17;
- }
- });
- extraRequestFilters.put(ModifiableUserAuthenticationFilter.class, "*");
-
- //set the solr for the loginUser and belongs to solr group
- addGroupsToUser("solr", "solr");
- UserGroupInformation.setLoginUser(UserGroupInformation.createUserForTesting("solr", new String[]{"solr"}));
- }
-
- public static void startHDFS() throws Exception {
- dfsCluster = HdfsTestUtil.setupClass(hdfsDir.getPath());
- conf.set(
- CommonConfigurationKeys.FS_DEFAULT_NAME_KEY,
- dfsCluster.getFileSystem().getConf()
- .get(CommonConfigurationKeys.FS_DEFAULT_NAME_KEY));
- }
-
- public static void startSolrWithDbProvider() throws Exception {
- LOGGER.info("starting Solr authorization via Sentry Service");
- configureWithSolr();
- miniSolrCloudCluster = new MiniSolrCloudCluster(NUM_SERVERS, null,
- new File(RESOURCES_DIR, "solr-no-core.xml"), null, extraRequestFilters);
- }
-
- public static void startSentryService() throws Exception {
- server.start();
- final long start = System.currentTimeMillis();
- while(!server.isRunning()) {
- Thread.sleep(1000);
- if(System.currentTimeMillis() - start > 60000L) {
- throw new TimeoutException("Server did not start after 60 seconds");
- }
- }
- }
-
- public static void connectToSentryService() throws Exception {
- client = SentryGenericServiceClientFactory.create(conf);
- }
-
- public static void stopAllService() throws Exception {
- if (miniSolrCloudCluster != null) {
- miniSolrCloudCluster.shutdown();
- miniSolrCloudCluster = null;
- }
- if (dfsCluster != null) {
- HdfsTestUtil.teardownClass(dfsCluster);
- dfsCluster = null;
- }
- if (client != null) {
- client.close();
- client = null;
- }
- if (server != null) {
- server.stop();
- server = null;
- }
- }
-
- public static void addGroupsToUser(String user, String... groupNames) {
- policyFile.addGroupsToUser(user, groupNames);
- }
-
- public static void writePolicyFile() throws Exception {
- policyFile.write(policyFilePath);
- FileSystem clusterFs = dfsCluster.getFileSystem();
- clusterFs.copyFromLocalFile(false,
- new Path(policyFilePath.getPath()),
- new Path(policyFilePath.getPath()));
- }
-
- public static void setSystemProperties() throws Exception {
- System.setProperty("solr.xml.persist", "true");
- // Disable the block cache because we can run out of memory
- // on a MiniCluster.
- System.setProperty("solr.hdfs.blockcache.enabled", "false");
- System.setProperty("solr.hdfs.home", dfsCluster.getURI().toString() + "/solr");
- System.setProperty("solr.authorization.sentry.site", sentrySitePath.toURI().toURL().toString().substring("file:".length()));
- }
-
- public static void unsetSystemProperties() {
- System.clearProperty("solr.xml.persist");
- System.clearProperty("solr.hdfs.blockcache.enabled");
- System.clearProperty("solr.hdfs.home");
- System.clearProperty("solr.authorization.sentry.site");
- }
-
- public static void setGroupsAndRoles() throws Exception {
- /**set local group mapping
- * user0->group0->role0
- * user1->group1->role1
- * user2->group2->role2
- * user3->group3->role3
- */
- String[] users = {"user0","user1","user2","user3"};
- String[] groups = {"group0","group1","group2","group3"};
- String[] roles = {"role0","role1","role2","role3"};
-
- for (int i = 0; i < users.length; i++) {
- addGroupsToUser(users[i], groups[i]);
- }
- addGroupsToUser(ADMIN_USER, ADMIN_GROUP);
- writePolicyFile();
-
- for (int i = 0; i < roles.length; i++) {
- client.createRole(ADMIN_USER, roles[i], COMPONENT_SOLR);
- client.grantRoleToGroups(ADMIN_USER, roles[i], COMPONENT_SOLR, Sets.newHashSet(groups[i]));
- }
-
- /**
- * user[admin]->group[admin]->role[admin]
- * grant ALL privilege on collection ALL to role admin
- */
- client.createRole(ADMIN_USER, ADMIN_ROLE, COMPONENT_SOLR);
- client.grantRoleToGroups(ADMIN_USER, ADMIN_ROLE, COMPONENT_SOLR, Sets.newHashSet(ADMIN_GROUP));
- grantCollectionPrivilege(SearchConstants.ALL, ADMIN_USER, ADMIN_ROLE, SearchConstants.ALL);
- }
-
- protected static void grantCollectionPrivilege(String collection, String requestor,
- String roleName, String action) throws SentryUserException {
- TSentryPrivilege tPrivilege = toTSentryPrivilege(collection, action);
- client.grantPrivilege(requestor, roleName, COMPONENT_SOLR, tPrivilege);
- }
-
- protected static void revokeCollectionPrivilege(String collection, String requestor,
- String roleName, String action) throws SentryUserException {
- TSentryPrivilege tPrivilege = toTSentryPrivilege(collection, action);
- client.revokePrivilege(requestor, roleName, COMPONENT_SOLR, tPrivilege);
- }
-
- protected static void dropCollectionPrivilege(String collection, String requestor)
- throws SentryUserException {
- final TSentryPrivilege tPrivilege = toTSentryPrivilege(collection, Action.ALL);
- client.dropPrivilege(requestor, COMPONENT_SOLR, tPrivilege);
- }
-
- private static TSentryPrivilege toTSentryPrivilege(String collection, String action) {
- TSentryPrivilege tPrivilege = new TSentryPrivilege();
- tPrivilege.setComponent(COMPONENT_SOLR);
- tPrivilege.setServiceName(SERVICE_NAME);
- tPrivilege.setAction(action);
- tPrivilege.setGrantOption(TSentryGrantOption.FALSE);
-
- List<TAuthorizable> authorizables = Lists.newArrayList(new TAuthorizable(Collection.name(),
- collection));
- tPrivilege.setAuthorizables(authorizables);
- return tPrivilege;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrAdminOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrAdminOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrAdminOperations.java
deleted file mode 100644
index c07b3b8..0000000
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrAdminOperations.java
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.solr.db.integration;
-
-
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.util.Arrays;
-
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.solr.common.params.CollectionParams.CollectionAction;
-import org.junit.Test;
-
-public class TestSolrAdminOperations extends AbstractSolrSentryTestWithDbProvider {
- private static final String TEST_COLLECTION_NAME1 = "collection1";
- private static final String COLLECTION_CONFIG_DIR = RESOURCES_DIR + File.separator + "collection1" + File.separator + "conf";
-
- @Test
- public void testAdminOperations() throws Exception {
- /**
- * Upload configs to ZK for create collection
- */
- uploadConfigDirToZk(COLLECTION_CONFIG_DIR);
-
- /**
- * verify admin user has all privileges
- */
- verifyCollectionAdminOpPass(ADMIN_USER, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(ADMIN_USER, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
-
- String grantor = "user0";
- /**
- * user0->group0->role0
- * grant ALL privilege on collection admin and collection1 to role0
- */
- grantCollectionPrivilege(ADMIN_COLLECTION_NAME, ADMIN_USER, "role0", SearchConstants.ALL);
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.ALL);
-
- verifyCollectionAdminOpPass(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.RELOAD, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.CREATEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.DELETEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
-
- //revoke UPDATE privilege on collection collection1 from role1, create collection1 will be failed
- revokeCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.UPDATE);
-
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.RELOAD, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.DELETEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
-
- /**
- * user1->group1->role1
- * grant UPDATE privilege on collection admin and collection1 to role1
- */
- grantor = "user1";
- grantCollectionPrivilege(ADMIN_COLLECTION_NAME, ADMIN_USER, "role1", SearchConstants.UPDATE);
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role1", SearchConstants.UPDATE);
-
- verifyCollectionAdminOpPass(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.RELOAD, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.CREATEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.DELETEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
-
- //revoke UPDATE privilege on collection admin from role1, create collection1 will be failed
- revokeCollectionPrivilege(ADMIN_COLLECTION_NAME, ADMIN_USER, "role1", SearchConstants.UPDATE);
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.RELOAD, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.DELETEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
-
-
- /**
- * user2->group2->role2
- * grant QUERY privilege on collection admin and collection1 to role2
- */
- grantor = "user2";
- grantCollectionPrivilege(ADMIN_COLLECTION_NAME, ADMIN_USER, "role2", SearchConstants.QUERY);
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role2", SearchConstants.QUERY);
-
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.RELOAD, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.DELETEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
-
- //grant UPDATE privilege on collection collection1 to role2, create collection1 will be failed
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role2", SearchConstants.UPDATE);
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
-
- //grant UPDATE privilege on collection admin to role2, create collection1 will be successful.
- grantCollectionPrivilege(ADMIN_COLLECTION_NAME, ADMIN_USER, "role2", SearchConstants.UPDATE);
-
- verifyCollectionAdminOpPass(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.RELOAD, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.CREATEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.DELETEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
-
- grantor = "user3";
-
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.RELOAD, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.CREATEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.DELETEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpFail(grantor, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
-
- /**
- * user3->group3->role3
- * grant UPDATE privilege on collection admin to role3
- * grant QUERY privilege on collection collection1 to role3
- */
- grantCollectionPrivilege(ADMIN_COLLECTION_NAME, ADMIN_USER, "role3", SearchConstants.ALL);
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role3", SearchConstants.ALL);
-
- verifyCollectionAdminOpPass(grantor, CollectionAction.CREATE, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.RELOAD, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.CREATEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.DELETEALIAS, TEST_COLLECTION_NAME1);
- verifyCollectionAdminOpPass(grantor, CollectionAction.DELETE, TEST_COLLECTION_NAME1);
- }
-
- /**
- * Test when the collection has been deleted, the privileges in the sentry service also should be deleted
- * @throws Exception
- */
- @Test
- public void testSyncPrivilegesWithDeleteCollection() throws Exception {
- /**
- * Upload configs to ZK for create collection
- */
- uploadConfigDirToZk(COLLECTION_CONFIG_DIR);
- /**
- * user0->group0->role0
- * Grant ALL privilege on collection collection1 to role0
- * Grant ALL privilege on collection admin to role0
- * user0 can execute create & delete collection1 operation
- */
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.ALL);
- grantCollectionPrivilege(ADMIN_COLLECTION_NAME, ADMIN_USER, "role0", SearchConstants.ALL);
-
- assertTrue("user0 has one privilege on collection admin",
- client.listPrivilegesByRoleName("user0", "role0", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(ADMIN_COLLECTION_NAME))).size() == 1);
-
- assertTrue("user0 has one privilege on collection collection1",
- client.listPrivilegesByRoleName("user0", "role0", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(TEST_COLLECTION_NAME1))).size() == 1);
-
- /**
- * user1->group1->role1
- * grant QUERY privilege on collection collection1 to role1
- */
-
- client.listPrivilegesByRoleName("user0", "role0", COMPONENT_SOLR, SERVICE_NAME, null);
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role1", SearchConstants.ALL);
- assertTrue("user1 has one privilege record",
- client.listPrivilegesByRoleName("user1", "role1", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(TEST_COLLECTION_NAME1))).size() == 1);
-
- /**
- * create collection collection1
- */
- setupCollection(TEST_COLLECTION_NAME1);
- /**
- * delete the collection1
- */
- deleteCollection(TEST_COLLECTION_NAME1);
-
- //check the user0
- assertTrue("user0 has one privilege on collection admin",
- client.listPrivilegesByRoleName("user0", "role0", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(ADMIN_COLLECTION_NAME))).size() == 1);
-
- assertTrue("user0 has no privilege on collection collection1",
- client.listPrivilegesByRoleName("user0", "role0", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(TEST_COLLECTION_NAME1))).size() == 0);
-
- //check the user1
- assertTrue("user1 has no privilege on collection collection1",
- client.listPrivilegesByRoleName("user1", "role1", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(TEST_COLLECTION_NAME1))).size() == 0);
-
- /**
- * user2->group2->role2
- * Grant UPDATE privilege on collection collection1 to role2
- */
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role2", SearchConstants.UPDATE);
-
- assertTrue("user2 has one privilege on collection collection1",
- client.listPrivilegesByRoleName("user2", "role2", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(TEST_COLLECTION_NAME1))).size() == 1);
-
- /**
- * user3->group3->role3
- * grant QUERY privilege on collection collection1 to role3
- */
- grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role3", SearchConstants.QUERY);
- assertTrue("user1 has one privilege record",
- client.listPrivilegesByRoleName("user3", "role3", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(TEST_COLLECTION_NAME1))).size() == 1);
-
- /**
- * create collection collection1
- */
- setupCollection(TEST_COLLECTION_NAME1);
- /**
- * delete the collection1
- */
- deleteCollection(TEST_COLLECTION_NAME1);
-
- //check the user2
- assertTrue("user2 has no privilege on collection collection1",
- client.listPrivilegesByRoleName("user2", "role2", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(TEST_COLLECTION_NAME1))).size() == 0);
-
- //check the user3
- assertTrue("user3 has no privilege on collection collection1",
- client.listPrivilegesByRoleName("user3", "role3", COMPONENT_SOLR, SERVICE_NAME,
- Arrays.asList(new Collection(TEST_COLLECTION_NAME1))).size() == 0);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrDocLevelOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrDocLevelOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrDocLevelOperations.java
deleted file mode 100644
index 7f1fdfd..0000000
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrDocLevelOperations.java
+++ /dev/null
@@ -1,204 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.tests.e2e.solr.db.integration; - -import static org.junit.Assert.assertEquals; - -import java.io.File; -import java.util.ArrayList; - -import org.apache.sentry.core.model.search.SearchConstants; -import org.apache.solr.client.solrj.SolrQuery; -import org.apache.solr.client.solrj.impl.CloudSolrServer; -import org.apache.solr.client.solrj.response.QueryResponse; -import org.apache.solr.common.SolrDocumentList; -import org.apache.solr.common.SolrInputDocument; -import org.junit.Test; - -public class TestSolrDocLevelOperations extends AbstractSolrSentryTestWithDbProvider { - private static final String TEST_COLLECTION_NAME1 = "collection1"; - private static final String AUTH_FIELD = "sentry_auth"; - private static final int NUM_DOCS = 100; - - private void setupCollectionWithDocSecurity(String name) throws Exception { - String configDir = RESOURCES_DIR + File.separator + "collection1" - + File.separator + "conf"; - uploadConfigDirToZk(configDir); - // replace solrconfig.xml with solrconfig-doc-level.xml - uploadConfigFileToZk(configDir + File.separator + "solrconfig-doclevel.xml", - "solrconfig.xml"); - setupCollection(name); - 
} - - @Test - public void testDocLevelOperations() throws Exception { - setupCollectionWithDocSecurity(TEST_COLLECTION_NAME1); - - createDocument(TEST_COLLECTION_NAME1); - - CloudSolrServer server = getCloudSolrServer(TEST_COLLECTION_NAME1); - try { - // queries - SolrQuery query = new SolrQuery(); - query.setQuery("*:*"); - - // as admin - setAuthenticationUser(ADMIN_USER); - QueryResponse rsp = server.query(query); - SolrDocumentList docList = rsp.getResults(); - assertEquals(NUM_DOCS, docList.getNumFound()); - - // as user0 - setAuthenticationUser("user0"); - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.QUERY); - rsp = server.query(query); - docList = rsp.getResults(); - assertEquals(NUM_DOCS/4, rsp.getResults().getNumFound()); - - //as user1 - setAuthenticationUser("user1"); - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role1", SearchConstants.QUERY); - rsp = server.query(query); - docList = rsp.getResults(); - assertEquals(NUM_DOCS/4, rsp.getResults().getNumFound()); docList = rsp.getResults(); - assertEquals(NUM_DOCS/4, rsp.getResults().getNumFound()); - - //as user2 - setAuthenticationUser("user2"); - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role2", SearchConstants.QUERY); - rsp = server.query(query); - docList = rsp.getResults(); - assertEquals(NUM_DOCS/4, rsp.getResults().getNumFound()); - - //as user3 - setAuthenticationUser("user3"); - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role3", SearchConstants.QUERY); - rsp = server.query(query); - docList = rsp.getResults(); - assertEquals(NUM_DOCS/4, rsp.getResults().getNumFound()); - } finally { - server.shutdown(); - } - - deleteCollection(TEST_COLLECTION_NAME1); - } - - @Test - public void updateDocsTest() throws Exception { - setupCollectionWithDocSecurity(TEST_COLLECTION_NAME1); - - createDocument(TEST_COLLECTION_NAME1); - - CloudSolrServer server = getCloudSolrServer(TEST_COLLECTION_NAME1); - try { - 
setAuthenticationUser("user0"); - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.QUERY); - String docIdStr = Long.toString(1); - - // verify we can't view one of the odd documents - SolrQuery query = new SolrQuery(); - query.setQuery("id:"+docIdStr); - QueryResponse rsp = server.query(query); - assertEquals(0, rsp.getResults().getNumFound()); - - // overwrite the document that we can't see - setAuthenticationUser(ADMIN_USER); - ArrayList<SolrInputDocument> docs = new ArrayList<SolrInputDocument>(); - SolrInputDocument doc = new SolrInputDocument(); - doc.addField("id", docIdStr); - doc.addField("description", "description" + docIdStr); - doc.addField(AUTH_FIELD, "role0"); - docs.add(doc); - server.add(docs); - server.commit(); - - // verify we can now view the document - setAuthenticationUser("user0"); - rsp = server.query(query); - assertEquals(1, rsp.getResults().getNumFound()); - } finally { - server.shutdown(); - } - - deleteCollection(TEST_COLLECTION_NAME1); - } - - /** - * Test to validate doc level security on collections without perm for Index level auth. 
- * @throws Exception - */ - @Test - public void indexDocAuthTests() throws Exception { - setupCollectionWithDocSecurity(TEST_COLLECTION_NAME1); - try { - createDocument(TEST_COLLECTION_NAME1); - // test query for "*:*" fails as user0 (user0 doesn't have index level permissions but has doc level permissions set) - verifyQueryFail("user0", TEST_COLLECTION_NAME1, ALL_DOCS); - verifyQueryFail("user1", TEST_COLLECTION_NAME1, ALL_DOCS); - verifyQueryFail("user2", TEST_COLLECTION_NAME1, ALL_DOCS); - verifyQueryFail("user3", TEST_COLLECTION_NAME1, ALL_DOCS); - - } finally { - deleteCollection(TEST_COLLECTION_NAME1); - } - } - - /** - * Creates docs as follows and verifies queries work as expected: - * - creates NUM_DOCS documents, where the document id equals the order - * it was created in, starting at 0 - * - when id % 4 == 0, documents get "role0" auth token - * - when id % 4 == 1, documents get "role1" auth token - * - when id % 4 == 2, documents get "role2" auth token - * - when id % 4 == 3, documents get "role3" auth token - * - all documents get a admin role - */ - private void createDocument(String collectionName) throws Exception { - // ensure no current documents - verifyDeletedocsPass(ADMIN_USER, collectionName, true); - - // create documents - ArrayList<SolrInputDocument> docs = new ArrayList<SolrInputDocument>(); - for (int i = 0; i < NUM_DOCS; ++i) { - SolrInputDocument doc = new SolrInputDocument(); - String iStr = Long.toString(i); - doc.addField("id", iStr); - doc.addField("description", "description" + iStr); - - if (i % 4 == 0) { - doc.addField(AUTH_FIELD, "role0"); - } else if (i % 4 ==1) { - doc.addField(AUTH_FIELD, "role1"); - } else if (i % 4 ==2) { - doc.addField(AUTH_FIELD, "role2"); - } else { - doc.addField(AUTH_FIELD, "role3"); - } - doc.addField(AUTH_FIELD, ADMIN_ROLE); - docs.add(doc); - } - - setAuthenticationUser(ADMIN_USER); - CloudSolrServer server = getCloudSolrServer(collectionName); - try { - server.add(docs); - server.commit(true, 
true); - } finally { - server.shutdown(); - } - } -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrQueryOperations.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrQueryOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrQueryOperations.java deleted file mode 100644 index 3eb6c0f..0000000 --- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrQueryOperations.java +++ /dev/null 
@@ -1,96 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.tests.e2e.solr.db.integration; - -import java.io.File; - -import org.apache.sentry.core.model.search.Collection; -import org.apache.sentry.core.model.search.SearchConstants; -import org.apache.solr.common.SolrInputDocument; -import org.junit.Test; - -import com.google.common.collect.Lists; - -public class TestSolrQueryOperations extends AbstractSolrSentryTestWithDbProvider { - private static final String TEST_COLLECTION_NAME1 = "collection1"; - private static final String COLLECTION_CONFIG_DIR = RESOURCES_DIR + File.separator + "collection1" + File.separator + "conf"; - - @Test - public void testQueryOperations() throws Exception { - /** - * Upload configs to ZK for create collection - */ - uploadConfigDirToZk(COLLECTION_CONFIG_DIR); - /** - * create collection collection1 as admin user - * and clean all document in the collection1 - */ - setupCollection(TEST_COLLECTION_NAME1); - cleanSolrCollection(TEST_COLLECTION_NAME1); - /** - * add a new document into collection1 for testing - */ - SolrInputDocument solrInputDoc = createSolrTestDoc(); - uploadSolrDoc(TEST_COLLECTION_NAME1, solrInputDoc); - - /** - * user0->group0->role0 
- * grant ALL privilege on collection collection1 to role0 - */ - String grantor = "user0"; - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.ALL); - verifyQueryPass(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - revokeCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.UPDATE); - verifyQueryPass(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - revokeCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.QUERY); - verifyQueryFail(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - /** - * user1->group1->role1 - * grant QUERY privilege on collection collection1 to role1 - */ - grantor = "user1"; - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role1", SearchConstants.QUERY); - verifyQueryPass(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - revokeCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role1", SearchConstants.QUERY); - verifyQueryFail(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - /** - * user2->group2->role2 - * grant UPDATE privilege on collection collection1 to role2 - */ - grantor = "user2"; - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role2", SearchConstants.UPDATE); - verifyQueryFail(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role2", SearchConstants.QUERY); - verifyQueryPass(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - client.renamePrivilege(ADMIN_USER, COMPONENT_SOLR, SERVICE_NAME, - Lists.newArrayList(new Collection(TEST_COLLECTION_NAME1)), - Lists.newArrayList(new Collection("new_" + TEST_COLLECTION_NAME1))); - verifyQueryFail(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - grantor = "user3"; - verifyQueryFail(grantor, TEST_COLLECTION_NAME1, ALL_DOCS); - - deleteCollection(TEST_COLLECTION_NAME1); - } -} 
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrUpdateOperations.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrUpdateOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrUpdateOperations.java deleted file mode 100644 index 9412325..0000000 --- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/TestSolrUpdateOperations.java +++ /dev/null 
@@ -1,100 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.tests.e2e.solr.db.integration; - -import java.io.File; - -import org.apache.sentry.core.model.search.SearchConstants; -import org.apache.solr.common.SolrInputDocument; -import org.junit.Test; - -public class TestSolrUpdateOperations extends AbstractSolrSentryTestWithDbProvider { - private static final String TEST_COLLECTION_NAME1 = "collection1"; - private static final String COLLECTION_CONFIG_DIR = RESOURCES_DIR + File.separator + "collection1" + File.separator + "conf"; - - @Test - public void testUpdateOperations() throws Exception { - /** - * Upload configs to ZK for create collection - */ - uploadConfigDirToZk(COLLECTION_CONFIG_DIR); - /** - * create collection collection1 as admin user - * and clean all document in the collection1 - */ - setupCollection(TEST_COLLECTION_NAME1); - cleanSolrCollection(TEST_COLLECTION_NAME1); - - SolrInputDocument solrInputDoc = createSolrTestDoc(); - - /** - * user0->group0->role0 - * grant ALL privilege on collection collection1 to role0 - */ - String grantor = "user0"; - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role0", SearchConstants.ALL); - 
cleanSolrCollection(TEST_COLLECTION_NAME1); - verifyUpdatePass(grantor, TEST_COLLECTION_NAME1, solrInputDoc); - verifyDeletedocsPass(grantor, TEST_COLLECTION_NAME1, false); - - //drop privilege - dropCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER); - verifyUpdateFail(grantor, TEST_COLLECTION_NAME1, solrInputDoc); - uploadSolrDoc(TEST_COLLECTION_NAME1, solrInputDoc); - verifyDeletedocsFail(grantor, TEST_COLLECTION_NAME1, false); - - /** - * user1->group1->role1 - * grant UPDATE privilege on collection collection1 to role1 - */ - grantor = "user1"; - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role1", SearchConstants.UPDATE); - cleanSolrCollection(TEST_COLLECTION_NAME1); - verifyUpdatePass(grantor, TEST_COLLECTION_NAME1, solrInputDoc); - verifyDeletedocsPass(grantor, TEST_COLLECTION_NAME1, false); - - //revoke privilege - revokeCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role1", SearchConstants.ALL); - verifyUpdateFail(grantor, TEST_COLLECTION_NAME1, solrInputDoc); - uploadSolrDoc(TEST_COLLECTION_NAME1, solrInputDoc); - verifyDeletedocsFail(grantor, TEST_COLLECTION_NAME1, false); - - /** - * user2->group2->role2 - * grant QUERY privilege on collection collection1 to role2 - */ - grantor = "user2"; - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role2", SearchConstants.QUERY); - cleanSolrCollection(TEST_COLLECTION_NAME1); - verifyUpdateFail(grantor, TEST_COLLECTION_NAME1, solrInputDoc); - uploadSolrDoc(TEST_COLLECTION_NAME1, solrInputDoc); - verifyDeletedocsFail(grantor, TEST_COLLECTION_NAME1, false); - - grantCollectionPrivilege(TEST_COLLECTION_NAME1, ADMIN_USER, "role2", SearchConstants.ALL); - cleanSolrCollection(TEST_COLLECTION_NAME1); - verifyUpdatePass(grantor, TEST_COLLECTION_NAME1, solrInputDoc); - verifyDeletedocsPass(grantor, TEST_COLLECTION_NAME1, false); - - grantor = "user3"; - cleanSolrCollection(TEST_COLLECTION_NAME1); - verifyUpdateFail(grantor, TEST_COLLECTION_NAME1, solrInputDoc); - 
uploadSolrDoc(TEST_COLLECTION_NAME1, solrInputDoc); - verifyDeletedocsFail(grantor, TEST_COLLECTION_NAME1, false); - - deleteCollection(TEST_COLLECTION_NAME1); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-managed/conf/managed-schema ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-managed/conf/managed-schema b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-managed/conf/managed-schema new file mode 100644 index 0000000..1d97a2a --- /dev/null +++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-managed/conf/managed-schema 
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<schema name="minimal" version="1.1">
+ <fieldType name="string" class="solr.StrField"/>
+ <fieldType name="int" class="solr.TrieIntField" precisionStep="0" omitNorms="true" positionIncrementGap="0"/>
+ <fieldType name="long" class="solr.TrieLongField" precisionStep="0" omitNorms="true" positionIncrementGap="0"/>
+ <!-- for versioning -->
+ <field name="_version_" type="long" indexed="true" stored="true"/>
+ <field name="_root_" type="string" indexed="true" stored="true" multiValued="false" required="false"/>
+ <field name="id" type="string" indexed="true" stored="true"/>
+ <uniqueKey>id</uniqueKey>
+</schema>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-managed/conf/solrconfig.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-managed/conf/solrconfig.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-managed/conf/solrconfig.xml
new file mode 100644
index 0000000..f1395b1
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-managed/conf/solrconfig.xml 
@@ -0,0 +1,51 @@
+<?xml version="1.0" ?>
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- Minimal solrconfig.xml with /select, /admin and /update only -->
+
+<config>
+
+ <dataDir>${solr.data.dir:}</dataDir>
+
+ <directoryFactory name="DirectoryFactory"
+ class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
+
+ <schemaFactory class="ManagedIndexSchemaFactory">
+ <bool name="mutable">true</bool>
+ <str name="managedSchemaResourceName">managed-schema</str>
+ </schemaFactory>
+
+ <luceneMatchVersion>${tests.luceneMatchVersion:LATEST}</luceneMatchVersion>
+
+ <updateHandler class="solr.DirectUpdateHandler2">
+ <commitWithin>
+ <softCommit>${solr.commitwithin.softcommit:true}</softCommit>
+ </commitWithin>
+ <updateLog></updateLog>
+ </updateHandler>
+
+ <requestHandler name="/select" class="solr.SearchHandler">
+ <lst name="defaults">
+ <str name="echoParams">explicit</str>
+ <str name="indent">true</str>
+ <str name="df">text</str>
+ </lst>
+
+ </requestHandler>
+</config>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal/conf/schema.xml
----------------------------------------------------------------------
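Review bot: The `/select` defaults set `<str name="df">text</str>`, but the managed-schema added next to this file declares only `_version_`, `_root_` and `id` and has no `dynamicField`, so the default field is undefined unless a test adds it through the mutable schema. A query that names no field would then presumably fail on the missing field rather than on the authorization decision the test is meant to observe. Either drop the `df` default or point it at a declared field, e.g. `<str name="df">id</str>`. The header comment also mentions `/admin` and `/update` while only `/select` is declared here; if the others are meant to come from Solr's implicit handlers, say so in that comment.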
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal/conf/schema.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal/conf/schema.xml
new file mode 100644
index 0000000..7b8b690
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal/conf/schema.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<schema name="minimal" version="1.1">
+ <fieldType name="string" class="solr.StrField"/>
+ <fieldType name="int" class="solr.TrieIntField" precisionStep="0" omitNorms="true" positionIncrementGap="0"/>
+ <fieldType name="long" class="solr.TrieLongField" precisionStep="0" omitNorms="true" positionIncrementGap="0"/>
+ <dynamicField name="*" type="string" indexed="true" stored="true"/>
+ <!-- for versioning -->
+ <field name="_version_" type="long" indexed="true" stored="true"/>
+ <field name="_root_" type="string" indexed="true" stored="true" multiValued="false" required="false"/>
+ <field name="id" type="string" indexed="true" stored="true"/>
+ <uniqueKey>id</uniqueKey>
+</schema>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal/conf/solrconfig.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal/conf/solrconfig.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal/conf/solrconfig.xml
new file mode 100644
index 0000000..52bd098
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal/conf/solrconfig.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" ?>
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- Minimal solrconfig.xml with /select, /admin and /update only -->
+
+<config>
+
+ <dataDir>${solr.data.dir:}</dataDir>
+
+ <directoryFactory name="DirectoryFactory"
+ class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
+ <schemaFactory class="ClassicIndexSchemaFactory"/>
+
+ <luceneMatchVersion>${tests.luceneMatchVersion:LATEST}</luceneMatchVersion>
+
+ <updateHandler class="solr.DirectUpdateHandler2">
+ <commitWithin>
+ <softCommit>${solr.commitwithin.softcommit:true}</softCommit>
+ </commitWithin>
+ <updateLog></updateLog>
+ </updateHandler>
+
+ <requestHandler name="/select" class="solr.SearchHandler">
+ <lst name="defaults">
+ <str name="echoParams">explicit</str>
+ <str name="indent">true</str>
+ <str name="df">text</str>
+ </lst>
+
+ </requestHandler>
+</config>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal_doc_level_security/conf/schema.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal_doc_level_security/conf/schema.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal_doc_level_security/conf/schema.xml
new file mode 100644
index 0000000..98a8c72
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal_doc_level_security/conf/schema.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<schema name="minimal" version="1.1">
+ <fieldType name="string" class="solr.StrField"/>
+ <fieldType name="int" class="solr.TrieIntField" precisionStep="0" omitNorms="true" positionIncrementGap="0"/>
+ <fieldType name="long" class="solr.TrieLongField" precisionStep="0" omitNorms="true" positionIncrementGap="0"/>
+ <dynamicField name="*" type="string" indexed="true" stored="true"/>
+ <!-- for versioning -->
+ <field name="_version_" type="long" indexed="true" stored="true"/>
+ <field name="_root_" type="string" indexed="true" stored="true" multiValued="false" required="false"/>
+ <field name="id" type="string" indexed="true" stored="true"/>
+ <field name="sentry_auth" type="string" indexed="true" stored="false" multiValued="true"/>
+ <uniqueKey>id</uniqueKey>
+</schema>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal_doc_level_security/conf/solrconfig.xml
----------------------------------------------------------------------
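Review bot: The `sentry_auth` field has no comment tying it to `<str name="sentryAuthField">sentry_auth</str>` in this configset's solrconfig.xml, and the two names have to agree for the document-level filter to read the tokens. Because the catch-all `<dynamicField name="*" ... stored="true"/>` sits above it, a misspelled auth field in a document would be accepted silently as an ordinary stored string instead of being rejected. `stored="false"` looks deliberate here, keeping tokens searchable but out of returned documents. I would record both points next to the field: `<!-- Sentry doc-level auth tokens; name must match sentryAuthField in solrconfig.xml; stored="false" keeps tokens out of results -->`.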
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal_doc_level_security/conf/solrconfig.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal_doc_level_security/conf/solrconfig.xml
new file mode 100644
index 0000000..584a456
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/configsets/cloud-minimal_doc_level_security/conf/solrconfig.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0" ?>
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- Minimal solrconfig.xml with /select, /admin and /update only -->
+
+<config>
+
+ <dataDir>${solr.data.dir:}</dataDir>
+
+ <directoryFactory name="DirectoryFactory"
+ class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
+ <schemaFactory class="ClassicIndexSchemaFactory"/>
+
+ <luceneMatchVersion>${tests.luceneMatchVersion:LATEST}</luceneMatchVersion>
+
+ <updateHandler class="solr.DirectUpdateHandler2">
+ <commitWithin>
+ <softCommit>${solr.commitwithin.softcommit:true}</softCommit>
+ </commitWithin>
+ <updateLog></updateLog>
+ </updateHandler>
+
+ <requestDispatcher handleSelect="false" >
+ <requestParsers enableRemoteStreaming="true"
+ multipartUploadLimitInKB="2048000"
+ formdataUploadLimitInKB="2048"
+ addHttpRequestToContext="true"/>
+
+ <httpCaching never304="true" />
+ </requestDispatcher>
+
+ <requestHandler name="/select" class="solr.SearchHandler">
+ <lst name="defaults">
+ <str name="echoParams">explicit</str>
+ <str name="indent">true</str>
+ <str name="df">text</str>
+ </lst>
+ <arr name="first-components">
+ <str>queryDocAuthorization</str>
+ </arr>
+ </requestHandler>
+
+ <requestHandler name="/get"
class="solr.RealTimeGetHandler">
+ <lst name="defaults">
+ <str name="omitHeader">true</str>
+ <str name="wt">json</str>
+ <str name="indent">true</str>
+ </lst>
+ <arr name="first-components">
+ <str>queryDocAuthorization</str>
+ </arr>
+ </requestHandler>
+
+ <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" >
+ <!-- Set to true to enabled document-level authorization -->
+ <bool name="enabled">true</bool>
+
+ <!-- Field where the auth tokens are stored in the document -->
+ <str name="sentryAuthField">sentry_auth</str>
+
+ <!-- Auth token defined to allow any role to access the document.
+ Uncomment to enable. -->
+ <str name="allRolesToken">OR</str>
+ </searchComponent>
+
+</config>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e62fa28d/sentry-tests/sentry-tests-solr/src/test/resources/solr/security/security.json
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/security/security.json b/sentry-tests/sentry-tests-solr/src/test/resources/solr/security/security.json
new file mode 100644
index 0000000..ebc9bbd
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/security/security.json
@@ -0,0 +1,18 @@
+{
+ "authentication": {
+ "class": "org.apache.sentry.tests.e2e.solr.DummyAuthPluginImpl"
+ },
+ "authorization": {
+ "class": "org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl",
+ "sysPropPrefix": "solr.",
+ "authConfigs": [
+ "authorization.sentry.site",
+ "authorization.superuser",
+ "authorization.enable.auditlog"
+ ],
+ "defaultConfigs": {
+ "authorization.superuser" : "solr",
+ "authorization.enable.auditlog" : "true"
+ }
+ }
+}
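Review bot: In the doc-level-security solrconfig.xml, `<requestParsers>` turns on `enableRemoteStreaming="true"` together with a `multipartUploadLimitInKB` of 2048000, and nothing visible in this commit needs either. Remote streaming lets request parameters direct Solr to read content from URLs or server-side files, so a configset that exists to exercise document-level authorization is better off with `enableRemoteStreaming="false"` and a small upload limit, or with a comment stating why the tests need them. In the `queryDocAuthorization` component, the comment above `allRolesToken` still says "Uncomment to enable" although the element is active with the value `OR`; reword it to `<!-- Token that lets any role see a document; active in this test config -->`, and fix "to enabled" in the comment above `enabled`.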
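Review bot: In security.json the `authentication` block names `org.apache.sentry.tests.e2e.solr.DummyAuthPluginImpl`, which by its name and package is a test stub, and `defaultConfigs` fixes `authorization.superuser` to `solr`; JSON cannot carry a comment saying so. Since the file sits under a generic `solr/security/security.json` path, a reader could take it for a deployable template. I would document this where the file is loaded, with something like `// security.json wires DummyAuthPluginImpl and a fixed superuser: test fixture only`. The plugin's behaviour is not visible in this hunk, so confirm that it is only reachable from the test classpath.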