Re: Review Request 42612: SENTRY-989: RealTimeGet with explicit ids can bypass document level authorization

Thu, 18 Feb 2016 18:19:39 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/42612/
-----------------------------------------------------------

(Updated Feb. 19, 2016, 2:19 a.m.)


Review request for sentry, Hao Hao and Vamsee Yarlagadda.


Changes
-------

Updated for Hao's comments.


Repository: sentry


Description
-------

RealTimeGet just ignores filter queries currently in Solr (see SOLR-8436) which 
is how document level security is implemented, so if you can guess the document 
ids, you can access them.

Since we probably don't want to wait for a solr version with SOLR-8436 to be 
released, this is a "temporary" workaround and some necessary testing.

At a high level this works as follows:
- Run the normal RealTimeGet component
- Filter the responses from the component through the Filter generated from the 
doc-level component

Most of this is low-level solr/lucene code; most of the meat is in the testing 
(TestRealTimeGet.java).


Diffs (updated)
-----

  
sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/SecureRealTimeGetHandler.java
 PRE-CREATION 
  
sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java
 666c0889e07ff329e30773518b28222c8420a510 
  
sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/SecureRealTimeGetComponent.java
 PRE-CREATION 
  
sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
 2495a9eecc00e8de4b297022625b33a98ad7323a 
  
sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/DocLevelGenerator.java
 PRE-CREATION 
  
sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
 ff508e12898ab0bf9e79f0cc8e1108e4a5ef82ad 
  
sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestRealTimeGet.java
 PRE-CREATION 
  
sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/schema.xml
 66449ffe59b459352f8a735a208f020e48f0d9b4 
  
sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
 4459c0d04c62aa39c096da0faba7ff04fc2bf21b 
  
sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
 bccc63eeeab503f7e5d3655771eb0c7bef926bba 

Diff: https://reviews.apache.org/r/42612/diff/


Testing
-------

Ran the unit tests.


Thanks,

Gregory Chanan

Reply via email to