[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969659#comment-15969659 ]

Barry Oglesby commented on GEODE-2605:
--------------------------------------

I went through the 4 gfsh commands and compared them to the equivalent client commands.

*Search Index*

To search an index, a client requires DATA:WRITE because of the ExecuteRegionFunction66 command:

{noformat}
Exception in thread "main" org.apache.geode.cache.client.ServerOperationException: org.apache.geode.security.NotAuthorizedException: TestPrincipal[username=locator] not authorized for DATA:WRITE
	at org.apache.geode.cache.client.internal.OpExecutorImpl.handleException(OpExecutorImpl.java:678)
	at org.apache.geode.cache.client.internal.OpExecutorImpl.handleException(OpExecutorImpl.java:754)
	at org.apache.geode.cache.client.internal.OpExecutorImpl.handleException(OpExecutorImpl.java:623)
	at org.apache.geode.cache.client.internal.OpExecutorImpl.execute(OpExecutorImpl.java:167)
	at org.apache.geode.cache.client.internal.PoolImpl.execute(PoolImpl.java:751)
	at org.apache.geode.cache.client.internal.ExecuteRegionFunctionOp.execute(ExecuteRegionFunctionOp.java:98)
	at org.apache.geode.cache.client.internal.ServerRegionProxy.executeFunction(ServerRegionProxy.java:689)
	at org.apache.geode.internal.cache.execute.ServerRegionFunctionExecutor.executeOnServer(ServerRegionFunctionExecutor.java:210)
	at org.apache.geode.internal.cache.execute.ServerRegionFunctionExecutor.executeFunction(ServerRegionFunctionExecutor.java:164)
	at org.apache.geode.internal.cache.execute.ServerRegionFunctionExecutor.execute(ServerRegionFunctionExecutor.java:378)
	at org.apache.geode.cache.lucene.internal.LuceneQueryImpl.findTopEntries(LuceneQueryImpl.java:115)
	at org.apache.geode.cache.lucene.internal.LuceneQueryImpl.findPages(LuceneQueryImpl.java:95)
	at org.apache.geode.cache.lucene.internal.LuceneQueryImpl.findPages(LuceneQueryImpl.java:91)
	at QueryHelper.executeQuery(QueryHelper.java:35)
	at QueryHelper.executeQuery(QueryHelper.java:31)
	at TestClient.executeQuery(TestClient.java:47)
	at TestClient.main(TestClient.java:30)
Caused by: org.apache.geode.security.NotAuthorizedException: TestPrincipal[username=locator] not authorized for DATA:WRITE
	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:279)
	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:257)
	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:252)
	at org.apache.geode.internal.security.IntegratedSecurityService.authorize(IntegratedSecurityService.java:248)
	at org.apache.geode.internal.security.IntegratedSecurityService.authorizeDataWrite(IntegratedSecurityService.java:216)
	at org.apache.geode.internal.cache.tier.sockets.command.ExecuteRegionFunction66.cmdExecute(ExecuteRegionFunction66.java:210)
	at org.apache.geode.internal.cache.tier.sockets.BaseCommand.execute(BaseCommand.java:141)
	at org.apache.geode.internal.cache.tier.sockets.ServerConnection.doNormalMsg(ServerConnection.java:783)
	at org.apache.geode.internal.cache.tier.sockets.ServerConnection.doOneMessage(ServerConnection.java:914)
	at org.apache.geode.internal.cache.tier.sockets.ServerConnection.run(ServerConnection.java:1171)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.geode.internal.cache.tier.sockets.AcceptorImpl$1$1.run(AcceptorImpl.java:519)
	at java.lang.Thread.run(Thread.java:745)
{noformat}

So, now gfsh matches that permission requirement:

{noformat}
./runlucenequery.sh
(2) Executing - search lucene --name=cusip_index --region=data --queryStrings=AAPL --defaultField=cusip
Unauthorized. Reason : TestPrincipal[username=locator] not authorized for DATA:WRITE
{noformat}

I think this needs to be re-examined at some point so that the permission on searching a lucene index matches that of an OQL query (DATA:READ:\[region\]). That would require adding a client operation and server command rather than using a function.

*Create Index*

gfsh list lucene indexes requires DATA:MANAGE\[region\]:

{noformat}
./createluceneindex.sh
(2) Executing - create lucene index --name=cusip_index --region=data2 --field=cusip
Unauthorized. Reason : TestPrincipal[username=locator] not authorized for DATA:MANAGE:data2
{noformat}

Creating an OQL index through gfsh requires the same permission.

Creating either a lucene or OQL index on the server through a function only requires DATA:WRITE (for the function call). *Is this correct behavior?*

*Describe Index*

gfsh list lucene indexes requires CLUSTER:READ.

{noformat}
./listluceneindexes.sh
(2) Executing - list lucene indexes
Unauthorized. Reason : TestPrincipal[username=locator] not authorized for CLUSTER:READ
{noformat}

List OQL indexes through gfsh requires the same permission.

*Destroy Index*

gfsh destroy lucene index requires DATA:MANAGE:\[region\]:

{noformat}
./destroyluceneindex.sh
(2) Executing - destroy lucene index --name=cusip_index --region=data
Unauthorized. Reason : TestPrincipal[username=locator] not authorized for DATA:MANAGE:data
{noformat}

Destroying an OQL index through gfsh requires the same permission.

Destroying either a lucene or OQL index on the server through a function only requires DATA:WRITE (for the function call). *Is this correct behavior?*

> Unable to do a Lucene query without CLUSTER:READ privilege
> ----------------------------------------------------------
>
>                 Key: GEODE-2605
>                 URL: https://issues.apache.org/jira/browse/GEODE-2605
>             Project: Geode
>          Issue Type: Bug
>          Components: docs, lucene, security
>            Reporter: Diane Hardman
>         Attachments: security.json
>
>
> I have configured a small cluster with security and am testing the privileges
> I need for creating a Lucene index and then executing a query/search using
> Lucene.
> I have confirmed that DATA:MANAGE privilege allows me to create a lucene
> index (similar to creating OQL indexes).
> I assumed I needed DATA:WRITE privilege to execute 'search lucene' because
> the implementation uses a function. Instead, I am getting an error that I
> need CLUSTER:READ privilege. I don't know why.
> As an aside, we may want to document that all DATA privileges automatically
> include CLUSTER:READ as I found I could create indexes with DATA:WRITE, but
> could not list the indexes I created without CLUSTER:READ... go figure.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
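The denials quoted in the comment above (DATA:WRITE, DATA:MANAGE:data2, CLUSTER:READ, DATA:MANAGE:data) all come down to one string-matching rule: does a permission the principal holds imply the permission the command requires? As an added illustration, not code from this issue or from Geode itself, the following Python reimplements Apache Shiro's WildcardPermission matching, on the assumption (mine) that Geode's ResourcePermission strings of the form `RESOURCE:OPERATION[:REGION]` are matched that way. The scenario at the bottom is constructed from the page's four gfsh commands; the `first_denial` helper is my own name, not a Geode API. Plain wildcard matching gives no path from a DATA grant to CLUSTER:READ; whether a deployment observes that (as the reporter describes) depends on the role definitions in its SecurityManager, which for this issue live in the attached security.json and are not reproduced here.

```python
"""Shiro-style wildcard permission matching, reimplemented for illustration.

Assumption (labelled): Geode's ResourcePermission builds on Apache Shiro's
WildcardPermission, so "RESOURCE:OPERATION[:REGION]" strings are matched the
way Shiro matches them. This is a stand-alone re-implementation, not Geode code.
"""
from typing import Iterable, List, Optional, Set

WILDCARD = "*"
PART_DIVIDER = ":"
SUBPART_DIVIDER = ","


def parse(permission: str) -> List[Set[str]]:
    """Split "DATA:WRITE:data" into [{"DATA"}, {"WRITE"}, {"DATA"}].

    Each colon-separated part may list several comma-separated alternatives
    ("DATA:READ,WRITE"); matching is case-insensitive, so parts are uppercased.
    """
    parts: List[Set[str]] = []
    for part in permission.strip().split(PART_DIVIDER):
        subparts = {s.strip().upper() for s in part.split(SUBPART_DIVIDER) if s.strip()}
        if not subparts:
            raise ValueError(f"empty part in permission {permission!r}")
        parts.append(subparts)
    return parts


def implies(granted: str, required: str) -> bool:
    """True if the granted permission string covers the required one.

    Rules (as in Shiro's WildcardPermission.implies):
      * parts are compared position by position; a granted part must contain
        "*" or every alternative listed in the required part;
      * a granted string with FEWER parts than the requirement implies the
        rest ("DATA:WRITE" covers "DATA:WRITE:data");
      * a granted string with MORE parts than the requirement only implies it
        if the extra parts are all "*" ("DATA:MANAGE:data" does not cover
        the unscoped "DATA:MANAGE").
    """
    g_parts = parse(granted)
    r_parts = parse(required)
    i = 0
    for r_part in r_parts:
        if i > len(g_parts) - 1:
            return True  # granted ran out of parts: everything after is implied
        g_part = g_parts[i]
        if WILDCARD not in g_part and not g_part >= r_part:
            return False
        i += 1
    # Any parts left over on the granted side must be wildcards.
    return all(WILDCARD in g_part for g_part in g_parts[i:])


def is_authorized(granted: Iterable[str], required: str) -> bool:
    """A principal passes if any permission it holds implies the requirement."""
    return any(implies(g, required) for g in granted)


def first_denial(granted: Iterable[str], required: Iterable[str]) -> Optional[str]:
    """Return the first requirement a principal's grants do not cover, or None.

    Hypothetical helper: lets you check a whole workflow (create index, search,
    list, destroy) against a role before handing that role out.
    """
    granted = list(granted)
    for req in required:
        if not is_authorized(granted, req):
            return req
    return None


if __name__ == "__main__":
    # Constructed scenario modelled on the denials quoted in the comment:
    # a principal granted only DATA:WRITE runs the four gfsh commands.
    write_only = ["DATA:WRITE"]
    workflow = [
        "DATA:MANAGE:data2",   # create lucene index --region=data2
        "DATA:WRITE:data",     # search lucene (function execution on region data)
        "CLUSTER:READ",        # list lucene indexes
        "DATA:MANAGE:data",    # destroy lucene index --region=data
    ]
    for req in workflow:
        verdict = "OK" if is_authorized(write_only, req) else "DENIED"
        print(f"{req:20} with {write_only}: {verdict}")
    print("first denial:", first_denial(write_only, workflow))
```

Run stand-alone, the scenario shows the only command a DATA:WRITE-only principal can run is the search, which matches the comment's point that function execution is gated on DATA:WRITE while the create, list and destroy paths through gfsh demand DATA:MANAGE:[region] or CLUSTER:READ.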