[
https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15922735#comment-15922735
]
Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:06 PM:
-------------------------------------------------------------
Created this dunit test to verify the behavior.
{quote}
public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    // Locator enforces security through SimpleTestSecurityManager.
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    // Server joins the cluster with the "cluster" credentials.
    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    // gfsh connects as user "data" with password "data".
    gfsh.connectAndVerify(locator, "user", "data", "password", "data");

    // These commands are expected to succeed for the "data" user.
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");

    // The search is rejected because it requires CLUSTER:READ.
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
{quote}
This passes because in LuceneIndexCommand, the searchIndex command is annotated
as requiring "cluster:read" permission:
{quote}
@ResourceOperation(resource = Resource.CLUSTER, operation = Operation.READ)
{quote}
was (Author: jinmeiliao):
Created this dunit test to verify the behavior.
{quote}
public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    // Locator enforces security through SimpleTestSecurityManager.
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    // Server joins the cluster with the "cluster" credentials.
    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    // gfsh connects as user "data" with password "data".
    gfsh.connectAndVerify(locator, "user", "data", "password", "data");

    // These commands are expected to succeed for the "data" user.
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");

    // The search is rejected because it requires CLUSTER:READ.
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
{quote}
This passes because in LuceneIndexCommand, the searchIndex command is annotated
as requiring "cluster:read" permission:
{quote}
@CliCommand(value = LuceneCliStrings.LUCENE_DESTROY_INDEX,
    help = LuceneCliStrings.LUCENE_DESTROY_INDEX__HELP)
@CliMetaData(shellOnly = false,
    relatedTopic = {CliStrings.TOPIC_GEODE_REGION, CliStrings.TOPIC_GEODE_DATA})
@ResourceOperation(resource = Resource.CLUSTER, operation = Operation.READ)
{quote}
> Unable to do a Lucene query without CLUSTER:READ privilege
> ----------------------------------------------------------
>
> Key: GEODE-2605
> URL: https://issues.apache.org/jira/browse/GEODE-2605
> Project: Geode
> Issue Type: Bug
> Components: docs, lucene, security
> Reporter: Diane Hardman
> Attachments: security.json
>
>
> I have configured a small cluster with security and am testing the privileges
> I need for creating a Lucene index and then executing a query/search using
> Lucene.
> I have confirmed that DATA:MANAGE privilege allows me to create a lucene
> index (similar to creating OQL indexes).
> I assumed I needed DATA:WRITE privilege to execute 'search lucene' because
> the implementation uses a function. Instead, I am getting an error that I
> need CLUSTER:READ privilege. I don't know why.
> As an aside, we may want to document that all DATA privileges automatically
> include CLUSTER:READ as I found I could create indexes with DATA:WRITE, but
> could not list the indexes I created without CLUSTER:READ... go figure.
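The following is an added illustration, not part of the JIRA comment and not Geode's code: a self-contained model of how a permission declared by annotation on a command method produces the denial seen in the test, while the same user can still create the index. The `ResourceOperation` annotation, enums, `Commands` class and the name-based `authorized` rule are local stand-ins and assumptions; only the permission pairs (DATA:MANAGE for index creation, CLUSTER:READ for search) and the message format come from the page.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class PermissionAudit {
  enum Resource { CLUSTER, DATA }
  enum Operation { READ, WRITE, MANAGE }

  // Local stand-in for the annotation quoted in the comment (not Geode's class).
  @Retention(RetentionPolicy.RUNTIME)
  @Target(ElementType.METHOD)
  @interface ResourceOperation {
    Resource resource();
    Operation operation();
  }

  // Hypothetical command class; method names mirror the gfsh commands in the test.
  static class Commands {
    @ResourceOperation(resource = Resource.DATA, operation = Operation.MANAGE)
    public String createLuceneIndex() { return "index created"; }

    @ResourceOperation(resource = Resource.CLUSTER, operation = Operation.READ)
    public String searchLucene() { return "search results"; }
  }

  // Assumed rule: a user holds every operation on the resource named like the user.
  static boolean authorized(String user, ResourceOperation required) {
    return required.resource().name().equalsIgnoreCase(user);
  }

  // Reads the declared permission before running the command; fails closed if none.
  static String invoke(String user, String command) throws Exception {
    Method m = Commands.class.getMethod(command);
    ResourceOperation required = m.getAnnotation(ResourceOperation.class);
    if (required == null) {
      return "Unauthorized. Reason : " + command + " declares no permission";
    }
    if (!authorized(user, required)) {
      return "Unauthorized. Reason : " + user + " not authorized for "
          + required.resource() + ":" + required.operation();
    }
    return (String) m.invoke(new Commands());
  }

  public static void main(String[] args) throws Exception {
    for (String user : new String[] {"data", "cluster"}) {
      for (String command : new String[] {"createLuceneIndex", "searchLucene"}) {
        System.out.println(user + " -> " + command + ": " + invoke(user, command));
      }
    }
  }
}
```

Printing the declared permission for every command method in this way also serves as a quick audit for data-path commands that are guarded by a cluster-level permission, which is the mismatch the issue reports.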