SENTRY-805: Reclassify CoreAdminHandler Actions (Gregory Chanan, Reviewed by: Vamsee Yarlagadda)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/7c2da749
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/7c2da749
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/7c2da749
Branch: refs/heads/hive_plugin_v2
Commit: 7c2da749d3de908f77178a2ea2f409f45f640169
Parents: 77ac995
Author: Vamsee Yarlagadda <[email protected]>
Authored: Mon Jul 20 11:06:07 2015 -0700
Committer: Vamsee Yarlagadda <[email protected]>
Committed: Mon Jul 20 11:06:07 2015 -0700
----------------------------------------------------------------------
 .../handler/admin/SecureCoreAdminHandler.java | 19 ++++++++++---------
 .../admin/SecureCoreAdminHandlerTest.java | 15 +++++++--------
 2 files changed, 17 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7c2da749/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/admin/SecureCoreAdminHandler.java
----------------------------------------------------------------------
diff --git a/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/admin/SecureCoreAdminHandler.java b/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/admin/SecureCoreAdminHandler.java
index c1bde31..36ef6d0 100644
--- a/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/admin/SecureCoreAdminHandler.java
+++ b/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/admin/SecureCoreAdminHandler.java
@@ -87,15 +87,13 @@ public class SecureCoreAdminHandler extends CoreAdminHandler {
 collection = getCollectionFromCoreName(cname);
 break;
 }
- case REQUESTAPPLYUPDATES: {
+ case CREATE:
+ case REQUESTAPPLYUPDATES:
+ case REQUESTBUFFERUPDATES: {
 String cname = params.get(CoreAdminParams.NAME, "");
 collection = getCollectionFromCoreName(cname);
 break;
 }
- case CREATE: {
- collection = params.get(CoreAdminParams.COLLECTION);
- break;
- }
 case STATUS:
 // CORE is an optional param for STATUS, but since the
 // non-parameterized version returns all the core info, it doesn't
@@ -103,8 +101,11 @@ public class SecureCoreAdminHandler extends CoreAdminHandler {
 case PERSIST:
 case CREATEALIAS:
 case DELETEALIAS:
+ case LOAD:
 case LOAD_ON_STARTUP:
 case TRANSIENT:
+ case REQUESTSTATUS:
+ case OVERSEEROP:
 default: {
 // these are actions that are not core related or not actually
 // handled by the CoreAdminHandler
@@ -114,7 +115,8 @@ public class SecureCoreAdminHandler extends CoreAdminHandler {
 }
 switch (action) {
- case STATUS: {
+ case STATUS:
+ case REQUESTSTATUS: {
 SecureRequestHandlerUtil.checkSentryAdmin(req, SecureRequestHandlerUtil.QUERY_ONLY, checkCollection, collection);
 break;
 }
@@ -136,10 +138,9 @@ public class SecureCoreAdminHandler extends CoreAdminHandler {
 case CREATEALIAS:
 case DELETEALIAS:
 case LOAD_ON_STARTUP:
+ case TRANSIENT:
 case REQUESTBUFFERUPDATES:
- case OVERSEEROP:
- case REQUESTSTATUS:
- case TRANSIENT: {
+ case OVERSEEROP: {
 SecureRequestHandlerUtil.checkSentryAdmin(req, SecureRequestHandlerUtil.UPDATE_ONLY, checkCollection, collection);
 break;
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7c2da749/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/admin/SecureCoreAdminHandlerTest.java
----------------------------------------------------------------------
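Review bot: `case CREATE:` in the first hunk now takes its collection from `getCollectionFromCoreName(cname)` with `cname` read from `CoreAdminParams.NAME`, yet a core that is being created usually does not exist at that point, so the lookup may yield no collection and the per-collection check then has nothing to compare against. The removed branch authorized against `CoreAdminParams.COLLECTION`, the collection the new core would be registered under, and that value no longer enters the decision. `getCollectionFromCoreName` and `checkSentryAdmin` are defined outside the hunk, so this is inferred; please confirm what they do with an unresolved collection and record it above the case, e.g. `// CREATE: the core may not exist yet, so collection can be unresolved here; see checkSentryAdmin for how that is authorized`. A test that issues CREATE for a collection on which the user lacks UPDATE would pin the intended result.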
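Review bot: `REQUESTSTATUS` is moved under `SecureRequestHandlerUtil.QUERY_ONLY` in the third hunk while the second hunk sends it through the `default:` branch for actions that are "not core related", so it appears to be authorized without reference to the collection an async request acted on. If the status response can describe operations on collections the caller holds no privilege for, that is wider than the read access STATUS gives; the rationale deserves a comment next to the label, e.g. `// REQUESTSTATUS only reads async request state; admin QUERY is sufficient`. The labels `case LOAD:`, `case REQUESTSTATUS:` and `case OVERSEEROP:` added above `default:` do not change behaviour on their own, and any CoreAdminAction value added later takes the same path. The body of `default` lies outside the hunk, so whether that path fails closed cannot be seen here.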
diff --git a/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/admin/SecureCoreAdminHandlerTest.java b/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/admin/SecureCoreAdminHandlerTest.java
index 1857feb..0dbb271 100644
--- a/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/admin/SecureCoreAdminHandlerTest.java
+++ b/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/admin/SecureCoreAdminHandlerTest.java
@@ -39,8 +39,8 @@ public class SecureCoreAdminHandlerTest extends SentryTestBase {
 private static CloudDescriptor cloudDescriptor;
 public final static List<CoreAdminAction> QUERY_ACTIONS = Arrays.asList(
- CoreAdminAction.STATUS
- );
+ CoreAdminAction.STATUS,
+ CoreAdminAction.REQUESTSTATUS);
 public final static List<CoreAdminAction> UPDATE_ACTIONS = Arrays.asList(
 CoreAdminAction.LOAD,
 CoreAdminAction.UNLOAD,
@@ -60,7 +60,6 @@ public class SecureCoreAdminHandlerTest extends SentryTestBase {
 CoreAdminAction.LOAD_ON_STARTUP,
 CoreAdminAction.TRANSIENT,
 CoreAdminAction.OVERSEEROP,
- CoreAdminAction.REQUESTSTATUS,
 // RELOAD needs to go last, because our bogus calls leaves things in a bad state for later calls.
 // We could handle this more cleanly at the cost of a lot more creating and deleting cores.
 CoreAdminAction.RELOAD
@@ -73,6 +72,8 @@ public class SecureCoreAdminHandlerTest extends SentryTestBase {
 // actions which don't check the actual collection
 public final static List<CoreAdminAction> NO_CHECK_COLLECTIONS = Arrays.asList(
+ CoreAdminAction.STATUS,
+ CoreAdminAction.REQUESTSTATUS,
 CoreAdminAction.LOAD,
 CoreAdminAction.PERSIST,
 CoreAdminAction.CREATEALIAS,
@@ -80,7 +81,6 @@ public class SecureCoreAdminHandlerTest extends SentryTestBase {
 CoreAdminAction.LOAD_ON_STARTUP,
 CoreAdminAction.REQUESTBUFFERUPDATES,
 CoreAdminAction.OVERSEEROP,
- CoreAdminAction.REQUESTSTATUS,
 CoreAdminAction.TRANSIENT
 );
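Review bot: `NO_CHECK_COLLECTIONS` still lists `CoreAdminAction.REQUESTBUFFERUPDATES` (a context line of the `-80,7` hunk), while the handler change in this commit moves that action into the branch that resolves a collection from the core name, next to CREATE and REQUESTAPPLYUPDATES. Either the list and the handler are out of step, or the test passes only because its requests name no existing core and the collection stays unresolved; how the handler sets `checkCollection` is outside the visible hunks, so this is inferred. Consider dropping `CoreAdminAction.REQUESTBUFFERUPDATES,` from the list or adding a comment that explains why it stays, plus a case that targets an existing core so the per-collection denial is actually asserted.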
@@ -130,12 +130,11 @@ public class SecureCoreAdminHandlerTest extends SentryTestBase {
 return req;
 }
- private void verifyQueryAccess(CoreAdminAction action) throws Exception {
+ private void verifyQueryAccess(CoreAdminAction action, boolean checkCollection) throws Exception {
 CoreAdminHandler handler = new SecureCoreAdminHandler(h.getCoreContainer());
 verifyAuthorized(handler, getCoreAdminRequest("collection1", "junit", action));
 verifyAuthorized(handler, getCoreAdminRequest("queryCollection", "junit", action));
- if (action.equals(CoreAdminAction.STATUS)) {
- // STATUS doesn't check collection permissions
+ if (!checkCollection) {
 verifyAuthorized(handler, getCoreAdminRequest("bogusCollection", "junit", action));
 verifyAuthorized(handler, getCoreAdminRequest("updateCollection", "junit", action));
 } else {
@@ -157,7 +156,7 @@ public class SecureCoreAdminHandlerTest extends SentryTestBase {
 @Test
 public void testSecureAdminHandler() throws Exception {
 for (CoreAdminAction action : QUERY_ACTIONS) {
- verifyQueryAccess(action);
+ verifyQueryAccess(action, !NO_CHECK_COLLECTIONS.contains(action));
 }
 for (CoreAdminAction action : UPDATE_ACTIONS) {
 verifyUpdateAccess(action, !NO_CHECK_COLLECTIONS.contains(action));
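Review bot: After this commit both entries of QUERY_ACTIONS (STATUS and REQUESTSTATUS) are also in NO_CHECK_COLLECTIONS, so `verifyQueryAccess` is always called with `checkCollection` false and its `else` branch, which continues outside the hunk, is never run by `testSecureAdminHandler`. The denial path for a query action with a collection check therefore has no coverage, and a later regression there would go unnoticed. The removed comment `// STATUS doesn't check collection permissions` also took the explanation with it; a replacement on the new condition, e.g. `// actions in NO_CHECK_COLLECTIONS are authorized on the admin collection only`, would keep the intent readable, along with a note that the `else` branch is currently unexercised.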
