Repository: incubator-sentry Updated Branches: refs/heads/master 071861d30 -> 8f1ef00be
SENTRY-192: Convert solr doc-level e2e test to be based on roles rather than groups (Gregory Chanan via Vamsee Yarlagadda) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/8f1ef00b Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/8f1ef00b Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/8f1ef00b Branch: refs/heads/master Commit: 8f1ef00bec397ecd83979e0fdbccc04a4829d3f1 Parents: 071861d Author: Vamsee <[email protected]> Authored: Tue May 6 12:40:59 2014 -0700 Committer: Vamsee <[email protected]> Committed: Tue May 6 12:40:59 2014 -0700 ---------------------------------------------------------------------- .../tests/e2e/solr/TestDocLevelOperations.java | 56 ++++++++++---------- .../collection1/conf/solrconfig-doclevel.xml | 12 ++--- .../solr/collection1/conf/solrconfig.xml | 21 +++++++- .../solr/sentry/test-authz-provider.ini | 4 +- 4 files changed, 54 insertions(+), 39 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java ----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
index 2c0914e..d4307ec 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
@@ -91,13 +91,13 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase { } // 50% of docs get "junit", 50% get "admin" as token if (i % 2 == 0) { - doc.addField(AUTH_FIELD, "junit"); + doc.addField(AUTH_FIELD, "junit_role"); } else { - doc.addField(AUTH_FIELD, "admin"); + doc.addField(AUTH_FIELD, "admin_role"); } // add a token to all docs so we can check that we can get all // documents returned - doc.addField(AUTH_FIELD, "docLevel"); + doc.addField(AUTH_FIELD, "docLevel_role"); docs.add(doc); } @@ -138,20 +138,20 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase { // test filter queries work as AND -- i.e. user can't avoid doc-level // checks by prefixing their own filterQuery setAuthenticationUser("junit"); - String fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel}"); + String fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role}"); String path = "/" + collectionName + "/select?q=*:*&fq="+fq; String retValue = makeHttpRequest(server, "GET", path, null, null); assertTrue(retValue.contains("numFound=\"" + NUM_DOCS / 2 + "\" ")); // test that user can't inject an "OR" into the query final String syntaxErrorMsg = "org.apache.solr.search.SyntaxError: Cannot parse"; - fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel} OR "); + fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role} OR "); path = "/" + collectionName + "/select?q=*:*&fq="+fq; retValue = makeHttpRequest(server, "GET", path, null, null); assertTrue(retValue.contains(syntaxErrorMsg)); // same test, prefix OR this time - fq = URLEncoder.encode(" OR {!raw f=" + AUTH_FIELD + " v=docLevel}"); + fq = URLEncoder.encode(" OR {!raw f=" + AUTH_FIELD + " v=docLevel_role}"); path = "/" + collectionName + "/select?q=*:*&fq="+fq; retValue = makeHttpRequest(server, "GET", path, null, null); assertTrue(retValue.contains(syntaxErrorMsg)); 
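Review bot: The context comment at the top of the first hunk, `// 50% of docs get "junit", 50% get "admin" as token`, no longer matches the values written below it, which are now `junit_role` and `admin_role`. Since the point of the commit is that the auth field holds role names rather than group names, the comment should say so: `// 50% of docs get the "junit_role" token, 50% get "admin_role"`. The enclosing loop and method start before this hunk.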
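Review bot: The two OR-injection checks in the second hunk pass on any response that contains `org.apache.solr.search.SyntaxError: Cannot parse`, so they pin Solr's error text rather than the property under test, that no documents come back. Adding `assertFalse(retValue.contains("numFound="));` after each of them would presumably state that directly. The rewritten `URLEncoder.encode(...)` calls also keep the deprecated single-argument overload, which encodes with the platform default charset; `URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role}", "UTF-8")` is deterministic across machines. The test method begins and ends outside this hunk.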
@@ -161,21 +161,21 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase { } /** - * Test the allGroupsToken. Make it a keyword in the query language ("OR") + * Test the allRolesToken. Make it a keyword in the query language ("OR") * to make sure it is treated literally rather than interpreted. */ @Test - public void testAllGroupsToken() throws Exception { - String allGroupsToken = "OR"; - String collectionName = "allGroupsCollection"; + public void testAllRolesToken() throws Exception { + String allRolesToken = "OR"; + String collectionName = "allRolesCollection"; setupCollectionWithDocSecurity(collectionName); int junitFactor = 2; - int allGroupsFactor = 5; + int allRolesFactor = 5; int totalJunitAdded = 0; // total docs added with junit token - int totalAllGroupsAdded = 0; // total number of docs with the allGroupsToken - int totalOnlyAllGroupsAdded = 0; // total number of docs with _only_ the allGroupsToken + int totalAllRolesAdded = 0; // total number of docs with the allRolesToken + int totalOnlyAllRolesAdded = 0; // total number of docs with _only_ the allRolesToken // create documents ArrayList<SolrInputDocument> docs = new ArrayList<SolrInputDocument>(); 
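Review bot: `String allRolesToken = "OR";` in testAllRolesToken repeats the `<str name="allRolesToken">OR</str>` value from solrconfig-doclevel.xml with nothing tying the two together. If either side changes, the test would presumably fail on document counts with no hint about the cause. A comment on the declaration such as `// must match allRolesToken in solrconfig-doclevel.xml` would document the coupling. Whether setupCollectionWithDocSecurity actually loads that config is not visible here, and the method body continues past the hunk.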
@@ -187,20 +187,20 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase { doc.addField("description", "description" + iStr); if (i % junitFactor == 0) { - doc.addField(AUTH_FIELD, "junit"); + doc.addField(AUTH_FIELD, "junit_role"); addedViaJunit = true; ++totalJunitAdded; - } if (i % allGroupsFactor == 0) { - doc.addField(AUTH_FIELD, allGroupsToken); - ++totalAllGroupsAdded; - if (!addedViaJunit) ++totalOnlyAllGroupsAdded; + } if (i % allRolesFactor == 0) { + doc.addField(AUTH_FIELD, allRolesToken); + ++totalAllRolesAdded; + if (!addedViaJunit) ++totalOnlyAllRolesAdded; } docs.add(doc); } // make sure our factors give us interesting results -- - // that some docs only have all groups and some only have junit - assert(totalOnlyAllGroupsAdded > 0); - assert(totalJunitAdded > totalAllGroupsAdded); + // that some docs only have all roles and some only have junit + assert(totalOnlyAllRolesAdded > 0); + assert(totalJunitAdded > totalAllRolesAdded); CloudSolrServer server = getCloudSolrServer(collectionName); try { 
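Review bot: The renamed sanity checks `assert(totalOnlyAllRolesAdded > 0);` and `assert(totalJunitAdded > totalAllRolesAdded);` use the Java `assert` statement, which does nothing when the JVM runs without `-ea`. If they are skipped, a change to the factors could leave the later count comparisons passing without covering the "only all-roles token" case. JUnit assertions always run: `assertTrue(totalOnlyAllRolesAdded > 0);` and `assertTrue(totalJunitAdded > totalAllRolesAdded);`. Separately, `} if (i % allRolesFactor == 0) {` reads like an `else if` but is an independent check, so the `if` belongs on its own line.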
@@ -211,26 +211,26 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase { SolrQuery query = new SolrQuery(); query.setQuery("*:*"); - // as admin -- should only get all groups token documents + // as admin -- should only get all roles token documents setAuthenticationUser("admin"); QueryResponse rsp = server.query(query); SolrDocumentList docList = rsp.getResults(); - assertEquals(totalAllGroupsAdded, docList.getNumFound()); + assertEquals(totalAllRolesAdded, docList.getNumFound()); for (SolrDocument doc : docList) { String id = doc.getFieldValue("id").toString(); - assertEquals(0, Long.valueOf(id) % allGroupsFactor); + assertEquals(0, Long.valueOf(id) % allRolesFactor); } - // as junit -- should get junit added + onlyAllGroupsAdded + // as junit -- should get junit added + onlyAllRolesAdded setAuthenticationUser("junit"); rsp = server.query(query); docList = rsp.getResults(); - assertEquals(totalJunitAdded + totalOnlyAllGroupsAdded, docList.getNumFound()); + assertEquals(totalJunitAdded + totalOnlyAllRolesAdded, docList.getNumFound()); for (SolrDocument doc : docList) { String id = doc.getFieldValue("id").toString(); boolean addedJunit = (Long.valueOf(id) % junitFactor) == 0; - boolean onlyAllGroups = !addedJunit && (Long.valueOf(id) % allGroupsFactor) == 0; - assertEquals(true, addedJunit || onlyAllGroups); + boolean onlyAllRoles = !addedJunit && (Long.valueOf(id) % allRolesFactor) == 0; + assertEquals(true, addedJunit || onlyAllRoles); } } finally { server.shutdown(); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml index 7c0d73f..af1184d 100644 
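Review bot: The per-document loops over `docList` only inspect the documents returned in the response, and no row limit is set on `query` in the visible lines. With Solr's default page size the id checks therefore presumably cover only the first few hits, while `getNumFound()` covers the total. A document the user should not see would then be caught only if it changed the count. Adding `query.setRows(totalJunitAdded + totalOnlyAllRolesAdded);` after `query.setQuery("*:*");` would make both loops verify every returned document. The `assertEquals(true, addedJunit || onlyAllRoles)` line would also read better as `assertTrue(addedJunit || onlyAllRoles)`.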
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml +++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml @@ -1343,24 +1343,20 @@ --> </searchComponent> - <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent" > + <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent" > </searchComponent> - <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" > + <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" > <!-- Set to true to enabled document-level authorization --> <bool name="enabled">true</bool> <!-- Field where the auth tokens are stored in the document --> <str name="sentryAuthField">sentry_auth</str> - <!-- Auth token defined to allow any group to access the document. + <!-- Auth token defined to allow any role to access the document. Uncomment to enable. --> - <str name="allGroupsToken">OR</str> + <str name="allRolesToken">OR</str> </searchComponent> - <!--<searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" > - <str name="sentryAuthField">sentry_auth</str> - <str name="allGroupsToken">OR</str> - </searchComponent>--> <!-- A request handler for demonstrating the spellcheck component. http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml index 9e71f09..a8b63e6 100644 
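Review bot: The comment kept above `<str name="allRolesToken">OR</str>` still ends with "Uncomment to enable." although the element is active. In this config any document whose `sentry_auth` field carries the token is therefore presumably readable by every role. The comment should say what is actually configured, e.g. `<!-- Auth token that grants every role access to the document. Enabled here. -->`. The same wording is added with the new component in solrconfig.xml (hunk at -1339), and "Set to true to enabled" in both files should read "to enable".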
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml +++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml @@ -876,6 +876,7 @@ --> <arr name="first-components"> <str>queryIndexAuthorization</str> + <str>queryDocAuthorization</str> </arr> </requestHandler> @@ -890,6 +891,7 @@ </lst> <arr name="first-components"> <str>queryIndexAuthorization</str> + <str>queryDocAuthorization</str> </arr> </requestHandler> @@ -905,6 +907,7 @@ </lst> <arr name="first-components"> <str>queryIndexAuthorization</str> + <str>queryDocAuthorization</str> </arr> </requestHandler> @@ -1002,6 +1005,7 @@ <arr name="first-components"> <str>queryIndexAuthorization</str> + <str>queryDocAuthorization</str> </arr> <!-- append spellchecking to our list of components --> @@ -1339,9 +1343,20 @@ --> </searchComponent> - <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent" > + <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent" > </searchComponent> + <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent" > + <!-- Set to true to enabled document-level authorization --> + <bool name="enabled">false</bool> + + <!-- Field where the auth tokens are stored in the document --> + <str name="sentryAuthField">sentry_auth</str> + + <!-- Auth token defined to allow any role to access the document. + Uncomment to enable. --> + <str name="allRolesToken">OR</str> + </searchComponent> <!-- A request handler for demonstrating the spellcheck component. NOTE: This is purely as an example. The whole purpose of the @@ -1399,6 +1414,7 @@ </lst> <arr name="first-components"> <str>queryIndexAuthorization</str> + <str>queryDocAuthorization</str> </arr> <arr name="last-components"> <str>tvComponent</str> 
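Review bot: The `<str>queryDocAuthorization</str>` entries added to `first-components` here (hunks at -876, -890, -905, -1002 and -1399) and later in the file (-1510, -1533, -1562) wire the filter in one request handler at a time. A handler that lacks the entry would presumably return documents without the doc-level filter once `enabled` is switched to `true`. The component definition added at -1339 is the natural place to record that, e.g. `<!-- Must be listed in first-components of every handler that returns documents -->`. Handlers outside these hunks are not visible here, so it is worth confirming none was missed.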
@@ -1510,6 +1526,7 @@ </lst> <arr name="first-components"> <str>queryIndexAuthorization</str> + <str>queryDocAuthorization</str> </arr> <arr name="last-components"> <str>clustering</str> @@ -1533,6 +1550,7 @@ </lst> <arr name="first-components"> <str>queryIndexAuthorization</str> + <str>queryDocAuthorization</str> </arr> <arr name="components"> <str>terms</str> @@ -1562,6 +1580,7 @@ </lst> <arr name="first-components"> <str>queryIndexAuthorization</str> + <str>queryDocAuthorization</str> </arr> <arr name="last-components"> <str>elevator</str> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini index a07fb2d..b7aa0c8 100644 --- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini +++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini 
@@ -29,9 +29,9 @@ admin_query_update_group = admin_query_update_role admin_all_group = admin_all_role [roles] -junit_role = collection=admin, collection=collection1, collection=docLevelCollection, collection=allGroupsCollection +junit_role = collection=admin, collection=collection1, collection=docLevelCollection, collection=allRolesCollection docLevel_role = collection=docLevelCollection -admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allGroupsCollection, collection=testInvariantCollection +admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allRolesCollection, collection=testInvariantCollection sentryCollection_query_role = collection=sentryCollection->action=query sentryCollection_update_role = collection=sentryCollection->action=update sentryCollection_query_update_role = collection=sentryCollection->action=query, collection=sentryCollection->action=update
