-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/20813/
-----------------------------------------------------------

Review request for sentry and Vamsee Yarlagadda.


Repository: sentry


Description
-------

NOTE: this requires SENTRY-159 and SENTRY-186.

We use "defaults" rather than "invariants" for our update index authorization checks. It's possible, if another updateRequestProcessorChain is defined in the solrconfig.xml, that a user could override the default processor chain in order to bypass the update index authorization checks. There aren't any other updateRequestProcessorChains defined in our generated solrconfig.xml/solrconfig.xml.secure, so this shouldn't be a common issue.

This adds a test that demonstrates the vulnerability and changes the solrconfigs to use invariants. You'll notice the test fails if you don't apply the invariants changes.


Diffs
-----

  sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java bc36967
  sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java PRE-CREATION
  sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java d4855da
  sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml PRE-CREATION
  sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml 4276cda
  sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini 3e02699

Diff: https://reviews.apache.org/r/20813/diff/


Testing
-------

Ran the solr e2e tests.


Thanks,

Gregory Chanan
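
The following audit script is an added example, not part of the original e-mail or of Sentry's code. It flags request handlers in a solrconfig.xml that set `update.chain` under `defaults` without pinning it under `invariants`, and lists the other chains defined in the same file. The embedded config, the handler name and the chain names `authz-chain` and `other-chain` are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not Sentry's actual solrconfig.xml; chain names are placeholders.
SAMPLE_WEAK = """<config>
  <requestHandler name="/update" class="solr.UpdateRequestHandler">
    <lst name="defaults">
      <str name="update.chain">authz-chain</str>
    </lst>
  </requestHandler>
  <updateRequestProcessorChain name="authz-chain"/>
  <updateRequestProcessorChain name="other-chain"/>
</config>"""

# Same config with the chain pinned under "invariants" instead of "defaults".
SAMPLE_FIXED = SAMPLE_WEAK.replace('name="defaults"', 'name="invariants"')


def audit_update_chain(solrconfig_xml):
    """Return one finding per handler whose update.chain is only a default."""
    root = ET.fromstring(solrconfig_xml)
    chains = [c.get("name") for c in root.iter("updateRequestProcessorChain")]
    findings = []
    for handler in root.iter("requestHandler"):
        pinned = {}  # section name ("defaults", "invariants", ...) -> chain name
        for lst in handler.findall("lst"):
            for s in lst.findall("str"):
                if s.get("name") == "update.chain":
                    pinned[lst.get("name")] = (s.text or "").strip()
        if "invariants" in pinned:
            continue  # request parameters cannot override invariants
        if "defaults" in pinned:
            findings.append({
                "handler": handler.get("name"),
                "chain": pinned["defaults"],
                # other chains defined in this file that a request could name
                "selectable_chains": [c for c in chains if c != pinned["defaults"]],
            })
    return findings


if __name__ == "__main__":
    for finding in audit_update_chain(SAMPLE_WEAK):
        print(finding)
```

Handlers that set no `update.chain` at all are not reported by this check and need separate review.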
