[GitHub] [geode] jinmeiliao commented on a change in pull request #6885: GEODE-9570: make sure re-authentication works with registered interests

Tue, 28 Sep 2021 09:20:14 -0700 


jinmeiliao commented on a change in pull request #6885:
URL: https://github.com/apache/geode/pull/6885#discussion_r717744350



##########
File path: 
geode-core/src/upgradeTest/java/org/apache/geode/security/AuthExpirationMultiServerDUnitTest.java
##########
@@ -174,10 +184,75 @@ public void 
clientConnectToLocatorShouldNotAllowOperationIfUserIsNotRefreshed()
             AuthenticationRequiredException.class, 
AuthenticationExpiredException.class);
       }
     }
-    ExpirableSecurityManager consolidated = 
combineSecurityManagerResults(server1, server2);
+    ExpirableSecurityManager consolidated = collectSecurityManagers(server1, 
server2);
     assertThat(consolidated.getAuthorizedOps().keySet()).isEmpty();
   }
 
+  @Test
+  public void cqWithMultiServer() throws Exception {
+    int locatorPort = locator.getPort();
+    UpdatableUserAuthInitialize.setUser("user1");
+    clientCacheRule
+        .withProperty(SECURITY_CLIENT_AUTH_INIT, 
UpdatableUserAuthInitialize.class.getName())
+        .withPoolSubscription(true)
+        .withLocatorConnection(locatorPort);
+    ClientCache cache = clientCacheRule.createCache();
+    EventsCqListner listener =
+        createAndExecuteCQ(cache.getQueryService(), "cq1", "select * from /" + 
PARTITION_REGION);
+
+    UpdatableUserAuthInitialize.setUser("user2");
+    expireUserOnAllVms("user1");
+    doPutsUsingAnotherClient(locatorPort, "user3", 100);
+
+    // make sure listener still gets all the events
+    await().untilAsserted(() -> assertThat(listener.getKeys()).hasSize(100));
+    ExpirableSecurityManager securityManager = 
collectSecurityManagers(server1, server2);
+    assertThat(securityManager.getAuthorizedOps().get("user1"))
+        .containsExactly("DATA:READ:partitionRegion");
+    assertThat(securityManager.getUnAuthorizedOps().get("user1"))
+        .containsExactly("DATA:READ:partitionRegion:key0");

Review comment:
       when `key0` is denied, the server will ask the client to 
re-authenticate, so client will sends in `user2` credentials, so all keys are 
authorized under `user2`.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to