sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From vam...@apache.org
Subject git commit: SENTRY-192: Convert solr doc-level e2e test to be based on roles rather than groups (Gregory Chanan via Vamsee Yarlagadda)
Date Tue, 06 May 2014 19:41:40 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master 071861d30 -> 8f1ef00be


SENTRY-192: Convert solr doc-level e2e test to be based on roles rather than groups (Gregory
Chanan via Vamsee Yarlagadda)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/8f1ef00b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/8f1ef00b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/8f1ef00b

Branch: refs/heads/master
Commit: 8f1ef00bec397ecd83979e0fdbccc04a4829d3f1
Parents: 071861d
Author: Vamsee <vamsee@cloudera.com>
Authored: Tue May 6 12:40:59 2014 -0700
Committer: Vamsee <vamsee@cloudera.com>
Committed: Tue May 6 12:40:59 2014 -0700

----------------------------------------------------------------------
 .../tests/e2e/solr/TestDocLevelOperations.java  | 56 ++++++++++----------
 .../collection1/conf/solrconfig-doclevel.xml    | 12 ++---
 .../solr/collection1/conf/solrconfig.xml        | 21 +++++++-
 .../solr/sentry/test-authz-provider.ini         |  4 +-
 4 files changed, 54 insertions(+), 39 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
index 2c0914e..d4307ec 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java
@@ -91,13 +91,13 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase
{
       }
       // 50% of docs get "junit", 50% get "admin" as token
       if (i % 2 == 0) {
-        doc.addField(AUTH_FIELD, "junit");
+        doc.addField(AUTH_FIELD, "junit_role");
       } else {
-        doc.addField(AUTH_FIELD, "admin");
+        doc.addField(AUTH_FIELD, "admin_role");
       }
       // add a token to all docs so we can check that we can get all
       // documents returned
-      doc.addField(AUTH_FIELD, "docLevel");
+      doc.addField(AUTH_FIELD, "docLevel_role");
 
       docs.add(doc);
     }
@@ -138,20 +138,20 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase
{
       // test filter queries work as AND -- i.e. user can't avoid doc-level
       // checks by prefixing their own filterQuery
       setAuthenticationUser("junit");
-      String fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel}");
+      String fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role}");
       String path = "/" + collectionName + "/select?q=*:*&fq="+fq;
       String retValue = makeHttpRequest(server, "GET", path, null, null);
       assertTrue(retValue.contains("numFound=\"" + NUM_DOCS / 2 + "\" "));
 
       // test that user can't inject an "OR" into the query
       final String syntaxErrorMsg = "org.apache.solr.search.SyntaxError: Cannot parse";
-      fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel} OR ");
+      fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role} OR ");
       path = "/" + collectionName + "/select?q=*:*&fq="+fq;
       retValue = makeHttpRequest(server, "GET", path, null, null);
       assertTrue(retValue.contains(syntaxErrorMsg));
 
       // same test, prefix OR this time
-      fq = URLEncoder.encode(" OR {!raw f=" + AUTH_FIELD + " v=docLevel}");
+      fq = URLEncoder.encode(" OR {!raw f=" + AUTH_FIELD + " v=docLevel_role}");
       path = "/" + collectionName + "/select?q=*:*&fq="+fq;
       retValue = makeHttpRequest(server, "GET", path, null, null);
       assertTrue(retValue.contains(syntaxErrorMsg));
@@ -161,21 +161,21 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase
{
   }
 
   /**
-   * Test the allGroupsToken.  Make it a keyword in the query language ("OR")
+   * Test the allRolesToken.  Make it a keyword in the query language ("OR")
    * to make sure it is treated literally rather than interpreted.
    */
   @Test
-  public void testAllGroupsToken() throws Exception {
-    String allGroupsToken = "OR";
-    String collectionName = "allGroupsCollection";
+  public void testAllRolesToken() throws Exception {
+    String allRolesToken = "OR";
+    String collectionName = "allRolesCollection";
     setupCollectionWithDocSecurity(collectionName);
 
     int junitFactor = 2;
-    int allGroupsFactor  = 5;
+    int allRolesFactor  = 5;
 
     int totalJunitAdded = 0; // total docs added with junit token
-    int totalAllGroupsAdded = 0; // total number of docs with the allGroupsToken
-    int totalOnlyAllGroupsAdded = 0; // total number of docs with _only_ the allGroupsToken
+    int totalAllRolesAdded = 0; // total number of docs with the allRolesToken
+    int totalOnlyAllRolesAdded = 0; // total number of docs with _only_ the allRolesToken
 
     // create documents
     ArrayList<SolrInputDocument> docs = new ArrayList<SolrInputDocument>();
@@ -187,20 +187,20 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase
{
       doc.addField("description", "description" + iStr);
 
       if (i % junitFactor == 0) {
-        doc.addField(AUTH_FIELD, "junit");
+        doc.addField(AUTH_FIELD, "junit_role");
         addedViaJunit = true;
         ++totalJunitAdded;
-      } if (i % allGroupsFactor == 0) {
-        doc.addField(AUTH_FIELD, allGroupsToken);
-        ++totalAllGroupsAdded;
-        if (!addedViaJunit) ++totalOnlyAllGroupsAdded;
+      } if (i % allRolesFactor == 0) {
+        doc.addField(AUTH_FIELD, allRolesToken);
+        ++totalAllRolesAdded;
+        if (!addedViaJunit) ++totalOnlyAllRolesAdded;
       }
       docs.add(doc);
     }
     // make sure our factors give us interesting results --
-    // that some docs only have all groups and some only have junit
-    assert(totalOnlyAllGroupsAdded > 0);
-    assert(totalJunitAdded > totalAllGroupsAdded);
+    // that some docs only have all roles and some only have junit
+    assert(totalOnlyAllRolesAdded > 0);
+    assert(totalJunitAdded > totalAllRolesAdded);
 
     CloudSolrServer server = getCloudSolrServer(collectionName);
     try {
@@ -211,26 +211,26 @@ public class TestDocLevelOperations extends AbstractSolrSentryTestBase
{
       SolrQuery query = new SolrQuery();
       query.setQuery("*:*");
 
-      // as admin  -- should only get all groups token documents
+      // as admin  -- should only get all roles token documents
       setAuthenticationUser("admin");
       QueryResponse rsp = server.query(query);
       SolrDocumentList docList = rsp.getResults();
-      assertEquals(totalAllGroupsAdded, docList.getNumFound());
+      assertEquals(totalAllRolesAdded, docList.getNumFound());
       for (SolrDocument doc : docList) {
         String id = doc.getFieldValue("id").toString();
-        assertEquals(0, Long.valueOf(id) % allGroupsFactor);
+        assertEquals(0, Long.valueOf(id) % allRolesFactor);
       }
 
-      // as junit -- should get junit added + onlyAllGroupsAdded
+      // as junit -- should get junit added + onlyAllRolesAdded
       setAuthenticationUser("junit");
       rsp = server.query(query);
       docList = rsp.getResults();
-      assertEquals(totalJunitAdded + totalOnlyAllGroupsAdded, docList.getNumFound());
+      assertEquals(totalJunitAdded + totalOnlyAllRolesAdded, docList.getNumFound());
       for (SolrDocument doc : docList) {
         String id = doc.getFieldValue("id").toString();
         boolean addedJunit = (Long.valueOf(id) % junitFactor) == 0;
-        boolean onlyAllGroups = !addedJunit && (Long.valueOf(id) % allGroupsFactor)
== 0;
-        assertEquals(true, addedJunit || onlyAllGroups);
+        boolean onlyAllRoles = !addedJunit && (Long.valueOf(id) % allRolesFactor)
== 0;
+        assertEquals(true, addedJunit || onlyAllRoles);
       }
     } finally {
       server.shutdown();

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
index 7c0d73f..af1184d 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig-doclevel.xml
@@ -1343,24 +1343,20 @@
       -->
   </searchComponent>
 
-    <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent"
>
+  <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent"
>
   </searchComponent>
 
-    <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent"
>
+  <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent"
>
     <!-- Set to true to enabled document-level authorization -->
     <bool name="enabled">true</bool>
 
     <!-- Field where the auth tokens are stored in the document -->
     <str name="sentryAuthField">sentry_auth</str>
 
-    <!-- Auth token defined to allow any group to access the document.
+    <!-- Auth token defined to allow any role to access the document.
          Uncomment to enable. -->
-    <str name="allGroupsToken">OR</str>
+    <str name="allRolesToken">OR</str>
   </searchComponent>
-  <!--<searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent"
>
-    <str name="sentryAuthField">sentry_auth</str>
-    <str name="allGroupsToken">OR</str>
-  </searchComponent>-->
 
   <!-- A request handler for demonstrating the spellcheck component.  
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
index 9e71f09..a8b63e6 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
@@ -876,6 +876,7 @@
       -->
       <arr name="first-components">
         <str>queryIndexAuthorization</str>
+        <str>queryDocAuthorization</str>
       </arr>
 
     </requestHandler>
@@ -890,6 +891,7 @@
      </lst>
      <arr name="first-components">
         <str>queryIndexAuthorization</str>
+        <str>queryDocAuthorization</str>
       </arr>
   </requestHandler>
 
@@ -905,6 +907,7 @@
      </lst>
      <arr name="first-components">
         <str>queryIndexAuthorization</str>
+        <str>queryDocAuthorization</str>
      </arr>
   </requestHandler>
 
@@ -1002,6 +1005,7 @@
 
       <arr name="first-components">
         <str>queryIndexAuthorization</str>
+        <str>queryDocAuthorization</str>
       </arr>
 
      <!-- append spellchecking to our list of components -->
@@ -1339,9 +1343,20 @@
       -->
   </searchComponent>
 
-    <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent"
>
+  <searchComponent name="queryIndexAuthorization" class="org.apache.solr.handler.component.QueryIndexAuthorizationComponent"
>
   </searchComponent>
 
+  <searchComponent name="queryDocAuthorization" class="org.apache.solr.handler.component.QueryDocAuthorizationComponent"
>
+    <!-- Set to true to enabled document-level authorization -->
+    <bool name="enabled">false</bool>
+
+    <!-- Field where the auth tokens are stored in the document -->
+    <str name="sentryAuthField">sentry_auth</str>
+
+    <!-- Auth token defined to allow any role to access the document.
+         Uncomment to enable. -->
+    <str name="allRolesToken">OR</str>
+  </searchComponent>
   <!-- A request handler for demonstrating the spellcheck component.  
 
        NOTE: This is purely as an example.  The whole purpose of the
@@ -1399,6 +1414,7 @@
     </lst>
     <arr name="first-components">
       <str>queryIndexAuthorization</str>
+      <str>queryDocAuthorization</str>
     </arr>
     <arr name="last-components">
       <str>tvComponent</str>
@@ -1510,6 +1526,7 @@
     </lst>     
     <arr name="first-components">
       <str>queryIndexAuthorization</str>
+      <str>queryDocAuthorization</str>
     </arr>
     <arr name="last-components">
       <str>clustering</str>
@@ -1533,6 +1550,7 @@
     </lst>
     <arr name="first-components">
       <str>queryIndexAuthorization</str>
+      <str>queryDocAuthorization</str>
     </arr>     
     <arr name="components">
       <str>terms</str>
@@ -1562,6 +1580,7 @@
     </lst>
     <arr name="first-components">
       <str>queryIndexAuthorization</str>
+      <str>queryDocAuthorization</str>
     </arr>
     <arr name="last-components">
       <str>elevator</str>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8f1ef00b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
index a07fb2d..b7aa0c8 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
@@ -29,9 +29,9 @@ admin_query_update_group = admin_query_update_role
 admin_all_group = admin_all_role
 
 [roles]
-junit_role = collection=admin, collection=collection1, collection=docLevelCollection, collection=allGroupsCollection
+junit_role = collection=admin, collection=collection1, collection=docLevelCollection, collection=allRolesCollection
 docLevel_role = collection=docLevelCollection
-admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1,
collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allGroupsCollection,
collection=testInvariantCollection
+admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1,
collection=sentryCollection_underlying2, collection=docLevelCollection, collection=allRolesCollection,
collection=testInvariantCollection
 sentryCollection_query_role = collection=sentryCollection->action=query
 sentryCollection_update_role = collection=sentryCollection->action=update
 sentryCollection_query_update_role = collection=sentryCollection->action=query, collection=sentryCollection->action=update


Mime
View raw message