[jira] [Commented] (SOLR-11623) Every request handler in Solr should implement PermissionNameProvider interface

Chris M. Hostetter (Jira) Fri, 19 Nov 2021 13:36:30 -0800


    [ 
https://issues.apache.org/jira/browse/SOLR-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446667#comment-17446667
 ]


Chris M. Hostetter commented on SOLR-11623:
-------------------------------------------

This seems to related to a lot of constantly failing tests (both in jenkins and 
locally for me) ...

 
{noformat}
> Task :solr:core:test FAILEDERROR: The following test(s) have failed:
  - 
org.apache.solr.common.cloud.TestCloudCollectionsListeners.testCollectionDeletion
 (:solr:solrj)
    Test output: 
/home/hossman/lucene/solr/solr/solrj/build/test-results/test/outputs/OUTPUT-org.apache.solr.common.cloud.TestCloudCollectionsListeners.txt
    Reproduce with: gradlew :solr:solrj:test --tests 
"org.apache.solr.common.cloud.TestCloudCollectionsListeners.testCollectionDeletion"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8  - 
org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.testBasicPermissions
 (:solr:core)
    Test output: 
/home/hossman/lucene/solr/solr/core/build/test-results/test/outputs/OUTPUT-org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.txt
    Reproduce with: gradlew :solr:core:test --tests 
"org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.testBasicPermissions"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8  - 
org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.testAllPermissionAllowsActionsWhenUserHasCorrectRole
 (:solr:core)
    Test output: 
/home/hossman/lucene/solr/solr/core/build/test-results/test/outputs/OUTPUT-org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.txt
    Reproduce with: gradlew :solr:core:test --tests 
"org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.testAllPermissionAllowsActionsWhenUserHasCorrectRole"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8  - 
org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.testAllPermissionDeniesActionsWhenUserIsNotCorrectRole
 (:solr:core)
    Test output: 
/home/hossman/lucene/solr/solr/core/build/test-results/test/outputs/OUTPUT-org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.txt
    Reproduce with: gradlew :solr:core:test --tests 
"org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.testAllPermissionDeniesActionsWhenUserIsNotCorrectRole"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8  - 
org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.testAllPermissionAllowsActionsWhenAssociatedRoleIsWildcard
 (:solr:core)
    Test output: 
/home/hossman/lucene/solr/solr/core/build/test-results/test/outputs/OUTPUT-org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.txt
    Reproduce with: gradlew :solr:core:test --tests 
"org.apache.solr.security.BaseTestRuleBasedAuthorizationPlugin.testAllPermissionAllowsActionsWhenAssociatedRoleIsWildcard"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8  - 
org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.testBasicPermissions
 (:solr:core)
    Test output: 
/home/hossman/lucene/solr/solr/core/build/test-results/test/outputs/OUTPUT-org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.txt
    Reproduce with: gradlew :solr:core:test --tests 
"org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.testBasicPermissions"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8  - 
org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.testAllPermissionAllowsActionsWhenUserHasCorrectRole
 (:solr:core)
    Test output: 
/home/hossman/lucene/solr/solr/core/build/test-results/test/outputs/OUTPUT-org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.txt
    Reproduce with: gradlew :solr:core:test --tests 
"org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.testAllPermissionAllowsActionsWhenUserHasCorrectRole"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8  - 
org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.testAllPermissionDeniesActionsWhenUserIsNotCorrectRole
 (:solr:core)
    Test output: 
/home/hossman/lucene/solr/solr/core/build/test-results/test/outputs/OUTPUT-org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.txt
    Reproduce with: gradlew :solr:core:test --tests 
"org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.testAllPermissionDeniesActionsWhenUserIsNotCorrectRole"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8  - 
org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.testAllPermissionAllowsActionsWhenAssociatedRoleIsWildcard
 (:solr:core)
    Test output: 
/home/hossman/lucene/solr/solr/core/build/test-results/test/outputs/OUTPUT-org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.txt
    Reproduce with: gradlew :solr:core:test --tests 
"org.apache.solr.security.TestExternalRoleRuleBasedAuthorizationPlugin.testAllPermissionAllowsActionsWhenAssociatedRoleIsWildcard"
 -Ptests.jvms=5 -Ptests.jvmargs=-XX:TieredStopAtLevel=1 
-Ptests.seed=7AACF1A83CDAD4CD -Ptests.file.encoding=UTF-8
{noformat}



> Every request handler in Solr should implement PermissionNameProvider 
> interface
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-11623
>                 URL: https://issues.apache.org/jira/browse/SOLR-11623
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 7.1
>            Reporter: Hrishikesh Gadre
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: main (9.0)
>
>          Time Spent: 7h
>  Remaining Estimate: 0h
>
> Solr authorization framework expects request handler to implement 
> PermissionNameProvider interface so that the type of the permission for the 
> request can be extracted. Currently not all request handlers implement 
> PermissionNameProvider, requiring authorization plugin implementation to 
> check this case explicitly and return OK. During code review of SENTRY-1475, 
> this issue was discussed. Since  PermissionNameProvider.Name enum provides 
> "ALL" permission type, it should be possible to have every request handler to 
> implement PermissionNameProvider interface and provide "ALL" permission type 
> if no authorization checks are necessary.
> The secondary benefit of this work would be that we can review all the 
> request handlers and ensure that we aren't missing authorization support for 
> any request handlers which provide sensitive information.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Commented] (SOLR-11623) Every request handler in Solr should implement PermissionNameProvider interface

Reply via email to