upthewaterspout commented on a change in pull request #7029:
URL: https://github.com/apache/geode/pull/7029#discussion_r735980504
##########
File path:
geode-for-redis/src/integrationTest/java/org/apache/geode/redis/internal/executor/connection/AuthIntegrationTest.java
##########
@@ -131,6 +131,25 @@ public void
givenSecurity_accessWithCorrectAuthorization_passes() throws Excepti
assertThat(jedis.set("foo", "bar")).isEqualTo("OK");
}
+ @Test
+ public void givenSecurity_readOpWithReadAuthorization_passes() throws
Exception {
+ setupCacheWithSecurity();
+
+ jedis.auth("dataRead", "dataRead");
+
+ assertThat(jedis.get("foo")).isNull();
+ }
+
+ @Test
+ public void givenSecurity_readOpWithWriteAuthorization_fails() throws
Exception {
Review comment:
Would it be worth adding a test that a user with only read authorization
can't write?
##########
File path:
geode-for-redis/src/main/java/org/apache/geode/redis/internal/netty/ExecutionHandlerContext.java
##########
@@ -327,13 +320,15 @@ public boolean isAuthenticated() {
return (!securityService.isEnabled()) || subject != null;
}
- public boolean isAuthorized() {
+ public boolean isAuthorized(RedisCommandType commandType) {
if (subject == null) {
return true;
}
Review comment:
This isn't your change, but can we change this early return to check
`!securityService.isEnabled` rather than `subject==null`. It seems scary to me
that this method returns true (the command is authorized) if the subject is
null. I think this check is really trying to say that if we aren't using
security then the command is authorized...
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
