[
https://issues.apache.org/jira/browse/GEODE-3974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16322862#comment-16322862
]
ASF GitHub Bot commented on GEODE-3974:
---------------------------------------
PurelyApplied closed pull request #1262: GEODE-3974: Improve permissions for
geode-lucene functions
URL: https://github.com/apache/geode/pull/1262
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java
index b1b974d1b4..df8bf303d3 100644
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java
@@ -18,6 +18,9 @@
import static
org.apache.geode.cache.lucene.internal.LuceneServiceImpl.validateCommandParameters.INDEX_NAME;
import static
org.apache.geode.cache.lucene.internal.LuceneServiceImpl.validateCommandParameters.REGION_PATH;
+import java.util.Collection;
+import java.util.Collections;
+
import org.apache.commons.lang.StringUtils;
import org.apache.lucene.analysis.Analyzer;
import org.apache.lucene.analysis.standard.StandardAnalyzer;
@@ -33,11 +36,15 @@
import org.apache.geode.cache.lucene.internal.cli.LuceneCliStrings;
import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails;
import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
import org.apache.geode.internal.InternalEntity;
import org.apache.geode.management.internal.cli.CliUtil;
import org.apache.geode.management.internal.cli.functions.CliFunctionResult;
import org.apache.geode.management.internal.cli.i18n.CliStrings;
import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
/**
@@ -110,6 +117,12 @@ public void execute(final FunctionContext context) {
}
}
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String
regionName) {
+ return Collections.singleton(
+ new ResourcePermission(Resource.CLUSTER, Operation.MANAGE,
LucenePermission.TARGET));
+ }
+
private LuceneSerializer toSerializer(String serializerName)
throws InstantiationException, IllegalAccessException,
ClassNotFoundException {
String trimmedName = StringUtils.trim(serializerName);
@@ -136,5 +149,4 @@ private Analyzer toAnalyzer(String className) {
CliUtil.forName(className,
LuceneCliStrings.LUCENE_CREATE_INDEX__ANALYZER);
return CliUtil.newInstance(clazz,
LuceneCliStrings.LUCENE_CREATE_INDEX__ANALYZER);
}
-
}
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java
index dd90116856..8f9bac37ed 100755
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java
@@ -15,6 +15,9 @@
package org.apache.geode.cache.lucene.internal.cli.functions;
+import java.util.Collection;
+import java.util.Collections;
+
import org.apache.geode.cache.Cache;
import org.apache.geode.cache.execute.Function;
import org.apache.geode.cache.execute.FunctionContext;
@@ -25,7 +28,11 @@
import org.apache.geode.cache.lucene.internal.LuceneServiceImpl;
import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails;
import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
import org.apache.geode.internal.InternalEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
/**
* The LuceneDescribeIndexFunction class is a function used to collect the
information on a
@@ -66,4 +73,10 @@ public void execute(final FunctionContext context) {
}
context.getResultSender().lastResult(result);
}
+
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String
regionName) {
+ return Collections.singleton(
+ new ResourcePermission(Resource.CLUSTER, Operation.READ,
LucenePermission.TARGET));
+ }
}
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java
index 9803192e3f..1a12894fda 100644
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java
@@ -14,6 +14,9 @@
*/
package org.apache.geode.cache.lucene.internal.cli.functions;
+import java.util.Collection;
+import java.util.Collections;
+
import org.apache.commons.lang.StringUtils;
import org.apache.geode.cache.execute.Function;
@@ -22,16 +25,19 @@
import org.apache.geode.cache.lucene.LuceneServiceProvider;
import org.apache.geode.cache.lucene.internal.LuceneServiceImpl;
import org.apache.geode.cache.lucene.internal.cli.LuceneDestroyIndexInfo;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
import org.apache.geode.cache.lucene.internal.xml.LuceneXmlConstants;
import org.apache.geode.internal.InternalEntity;
import org.apache.geode.internal.cache.xmlcache.CacheXml;
import org.apache.geode.management.internal.cli.functions.CliFunctionResult;
import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
public class LuceneDestroyIndexFunction implements Function, InternalEntity {
-
public void execute(final FunctionContext context) {
- CliFunctionResult result = null;
+ CliFunctionResult result;
String memberId =
context.getCache().getDistributedSystem().getDistributedMember().getId();
try {
LuceneDestroyIndexInfo indexInfo = (LuceneDestroyIndexInfo)
context.getArguments();
@@ -66,4 +72,10 @@ protected XmlEntity getXmlEntity(String indexName, String
regionPath) {
return new XmlEntity(CacheXml.REGION, "name", regionName,
LuceneXmlConstants.PREFIX,
LuceneXmlConstants.NAMESPACE, LuceneXmlConstants.INDEX, "name",
indexName);
}
+
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String
regionName) {
+ return Collections.singleton(
+ new ResourcePermission(Resource.CLUSTER, Operation.MANAGE,
LucenePermission.TARGET));
+ }
}
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java
index 34d445b22b..31c8122d36 100755
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java
@@ -15,6 +15,8 @@
package org.apache.geode.cache.lucene.internal.cli.functions;
+import java.util.Collection;
+import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
@@ -27,7 +29,11 @@
import org.apache.geode.cache.lucene.internal.LuceneIndexImpl;
import org.apache.geode.cache.lucene.internal.LuceneServiceImpl;
import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
import org.apache.geode.internal.InternalEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
/**
* The LuceneListIndexFunction class is a function used to collect the
information on all lucene
@@ -64,4 +70,10 @@ public void execute(final FunctionContext context) {
}
context.getResultSender().lastResult(indexDetailsSet);
}
+
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String
regionName) {
+ return Collections.singleton(
+ new ResourcePermission(Resource.CLUSTER, Operation.READ,
LucenePermission.TARGET));
+ }
}
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java
index 0a6cc3ec3e..c0433881b7 100755
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java
@@ -15,14 +15,14 @@
package org.apache.geode.cache.lucene.internal.cli.functions;
+import java.util.Collection;
+import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.CacheFactory;
import org.apache.geode.cache.execute.Function;
-import org.apache.geode.cache.execute.FunctionAdapter;
import org.apache.geode.cache.execute.FunctionContext;
import org.apache.geode.cache.lucene.LuceneQuery;
import org.apache.geode.cache.lucene.LuceneQueryException;
@@ -35,6 +35,9 @@
import org.apache.geode.cache.lucene.internal.cli.LuceneQueryInfo;
import org.apache.geode.cache.lucene.internal.cli.LuceneSearchResults;
import org.apache.geode.internal.InternalEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
/**
* The LuceneSearchIndexFunction class is a function used to collect the
information on a particular
@@ -95,4 +98,9 @@ public void execute(final FunctionContext context) {
context.getResultSender().lastResult(result);
}
}
+
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String
regionName) {
+ return Collections.singleton(new ResourcePermission(Resource.DATA,
Operation.READ, regionName));
+ }
}
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java
index 910f50f23c..4d720da3db 100644
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java
@@ -17,6 +17,8 @@
import java.io.File;
import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.index.IndexWriter;
@@ -35,6 +37,9 @@
import org.apache.geode.internal.InternalEntity;
import org.apache.geode.internal.cache.BucketNotFoundException;
import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
public class DumpDirectoryFiles implements Function, InternalEntity {
private static final long serialVersionUID = 1L;
@@ -96,4 +101,12 @@ public String getId() {
public boolean optimizeForWrite() {
return true;
}
+
+ @Override
+ public Collection<ResourcePermission> getRequiredPermissions(String
regionName) {
+ Set<ResourcePermission> required = new HashSet<>();
+ required.add(new ResourcePermission(Resource.DATA, Operation.READ,
regionName));
+ required.add(new ResourcePermission(Resource.CLUSTER, Operation.MANAGE));
+ return required;
+ }
}
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java
index 0b104a3152..bc5ced6134 100644
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java
@@ -19,7 +19,6 @@
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
-import java.util.Optional;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.Query;
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java
index c9e10d9daa..f0c88a4f6f 100644
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java
@@ -17,7 +17,6 @@
import java.util.Collection;
import java.util.Collections;
-import java.util.Optional;
import java.util.concurrent.TimeUnit;
import org.apache.geode.cache.Cache;
diff --git
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java
index 07dc1ad27e..8e2bfcc02a 100644
---
a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java
+++
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java
@@ -18,7 +18,6 @@
import java.util.Collection;
import java.util.Collections;
import java.util.List;
-import java.util.Optional;
import java.util.Set;
import org.apache.logging.log4j.Logger;
diff --git
a/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
b/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
new file mode 100644
index 0000000000..2fa054eef4
--- /dev/null
+++
b/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
@@ -0,0 +1,485 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
contributor license
+ * agreements. See the NOTICE file distributed with this work for additional
information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache
License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the
License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express
+ * or implied. See the License for the specific language governing permissions
and limitations under
+ * the License.
+ */
+
+package org.apache.geode.cache.lucene.test;
+
+import static
org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_MANAGE;
+import static
org.apache.geode.management.internal.security.ResourcePermissions.DATA_READ;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+
+import java.util.function.Predicate;
+
+import org.assertj.core.api.Condition;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.mockito.Mockito;
+
+import org.apache.geode.cache.RegionShortcut;
+import org.apache.geode.cache.execute.Function;
+import org.apache.geode.cache.execute.FunctionService;
+import
org.apache.geode.cache.lucene.internal.cli.functions.LuceneCreateIndexFunction;
+import
org.apache.geode.cache.lucene.internal.cli.functions.LuceneDescribeIndexFunction;
+import
org.apache.geode.cache.lucene.internal.cli.functions.LuceneDestroyIndexFunction;
+import
org.apache.geode.cache.lucene.internal.cli.functions.LuceneListIndexFunction;
+import
org.apache.geode.cache.lucene.internal.cli.functions.LuceneSearchIndexFunction;
+import org.apache.geode.cache.lucene.internal.directory.DumpDirectoryFiles;
+import org.apache.geode.cache.lucene.internal.distributed.LuceneQueryFunction;
+import
org.apache.geode.cache.lucene.internal.distributed.WaitUntilFlushedFunction;
+import org.apache.geode.cache.lucene.internal.results.LuceneGetPageFunction;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
+import org.apache.geode.examples.SimpleSecurityManager;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
+import org.apache.geode.test.junit.categories.IntegrationTest;
+import org.apache.geode.test.junit.categories.SecurityTest;
+import org.apache.geode.test.junit.rules.ConnectionConfiguration;
+import org.apache.geode.test.junit.rules.GfshCommandRule;
+import org.apache.geode.test.junit.rules.ServerStarterRule;
+
+@Category({IntegrationTest.class, SecurityTest.class})
+public class LuceneFunctionSecurityTest {
+ // Note: this region name is embedded below in several
@ConnectionConfiguration inputs,
+ // which is itself case-sensitive in parsing.
+ private static String regionName = "this_test_region";
+
+ private static ResourcePermission CLUSTER_MANAGE_LUCENE =
+ new ResourcePermission(Resource.CLUSTER, Operation.MANAGE,
LucenePermission.TARGET);
+ private static ResourcePermission CLUSTER_READ_LUCENE =
+ new ResourcePermission(Resource.CLUSTER, Operation.READ,
LucenePermission.TARGET);
+ private static ResourcePermission DATA_READ_REGION =
+ new ResourcePermission(Resource.DATA, Operation.READ, regionName);
+
+ private static Function luceneCreateIndexFunction = Mockito.spy(new
LuceneCreateIndexFunction());
+ private static Function luceneDescribeIndexFunction =
+ Mockito.spy(new LuceneDescribeIndexFunction());
+ private static Function luceneDestroyIndexFunction =
+ Mockito.spy(new LuceneDestroyIndexFunction());
+ private static Function luceneListIndexFunction = Mockito.spy(new
LuceneListIndexFunction());
+ private static Function luceneSearchIndexFunction = Mockito.spy(new
LuceneSearchIndexFunction());
+ private static Function dumpDirectoryFiles = Mockito.spy(new
DumpDirectoryFiles());
+ private static Function luceneQueryFunction = Mockito.spy(new
LuceneQueryFunction());
+ private static Function waitUntilFlushedFunction = Mockito.spy(new
WaitUntilFlushedFunction());
+ private static Function luceneGetPageFunction = Mockito.spy(new
LuceneGetPageFunction());
+
+ static {
+ Mockito.doNothing().when(luceneCreateIndexFunction).execute(any());
+ Mockito.doNothing().when(luceneDescribeIndexFunction).execute(any());
+ Mockito.doNothing().when(luceneDestroyIndexFunction).execute(any());
+ Mockito.doNothing().when(luceneListIndexFunction).execute(any());
+ Mockito.doNothing().when(luceneSearchIndexFunction).execute(any());
+ Mockito.doNothing().when(dumpDirectoryFiles).execute(any());
+ Mockito.doNothing().when(luceneQueryFunction).execute(any());
+ Mockito.doNothing().when(waitUntilFlushedFunction).execute(any());
+ Mockito.doNothing().when(luceneGetPageFunction).execute(any());
+ }
+
+ @ClassRule
+ public static ServerStarterRule server =
+ new
ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class)
+ .withRegion(RegionShortcut.PARTITION, regionName).withAutoStart();
+
+ @Rule
+ public GfshCommandRule gfsh =
+ new GfshCommandRule(server::getJmxPort,
GfshCommandRule.PortType.jmxManager);
+
+ @BeforeClass
+ public static void setupClass() {
+ FunctionService.registerFunction(luceneCreateIndexFunction);
+ FunctionService.registerFunction(luceneDescribeIndexFunction);
+ FunctionService.registerFunction(luceneDestroyIndexFunction);
+ FunctionService.registerFunction(luceneListIndexFunction);
+ FunctionService.registerFunction(luceneSearchIndexFunction);
+ FunctionService.registerFunction(dumpDirectoryFiles);
+ FunctionService.registerFunction(luceneQueryFunction);
+ FunctionService.registerFunction(waitUntilFlushedFunction);
+ FunctionService.registerFunction(luceneGetPageFunction);
+ }
+
+ /* Command authorized tests */
+ @Test
+ @ConnectionConfiguration(user = "clusterManageLucene", password =
"clusterManageLucene")
+ public void testValidPermissionsForLuceneCreateIndexFunction() throws
Exception {
+ Function thisFunction = luceneCreateIndexFunction;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "clusterReadLucene", password =
"clusterReadLucene")
+ public void testValidPermissionsForLuceneDescribeIndexFunction() throws
Exception {
+ Function thisFunction = luceneDescribeIndexFunction;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "clusterManageLucene", password =
"clusterManageLucene")
+ public void testValidPermissionsForLuceneDestroyIndexFunction() throws
Exception {
+ Function thisFunction = luceneDestroyIndexFunction;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "clusterReadLucene", password =
"clusterReadLucene")
+ public void testValidPermissionsForLuceneListIndexFunction() throws
Exception {
+ Function thisFunction = luceneListIndexFunction;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataReadThis_test_region,clusterManage",
+ password = "dataReadThis_test_region,clusterManage")
+ public void testValidPermissionsForDumpDirectoryFilesWithRegionParameter()
throws Exception {
+ Function thisFunction = dumpDirectoryFiles;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataRead,clusterManage", password =
"dataRead,clusterManage")
+ public void
testValidPermissionsForDumpDirectoryFilesWithoutRegionParameter() throws
Exception {
+ Function thisFunction = dumpDirectoryFiles;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+
+ @Test
+ @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+ public void
testValidPermissionsForLuceneSearchIndexFunctionWithoutRegionParameter()
+ throws Exception {
+ Function thisFunction = luceneSearchIndexFunction;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataReadThis_test_region", password =
"dataReadThis_test_region")
+ public void
testValidPermissionsForLuceneSearchIndexFunctionWithRegionParameter()
+ throws Exception {
+ Function thisFunction = luceneSearchIndexFunction;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+ public void
testValidPermissionsForLuceneQueryFunctionWithoutRegionParameter() throws
Exception {
+ Function thisFunction = luceneQueryFunction;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataReadThis_test_region", password =
"dataReadThis_test_region")
+ public void testValidPermissionsForLuceneQueryFunctionWithRegionParameter()
throws Exception {
+ Function thisFunction = luceneQueryFunction;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+ public void
testValidPermissionsForWaitUntilFlushedFunctionWithoutRegionParameter()
+ throws Exception {
+ Function thisFunction = waitUntilFlushedFunction;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataReadThis_test_region", password =
"dataReadThis_test_region")
+ public void
testValidPermissionsForWaitUntilFlushedFunctionWithRegionParameter()
+ throws Exception {
+ Function thisFunction = waitUntilFlushedFunction;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+ public void
testValidPermissionsForLuceneGetPageFunctionWithoutRegionParameter()
+ throws Exception {
+ Function thisFunction = luceneGetPageFunction;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataReadThis_test_region", password =
"dataReadThis_test_region")
+ public void
testValidPermissionsForLuceneGetPageFunctionWithRegionParameter() throws
Exception {
+ Function thisFunction = luceneGetPageFunction;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .doesNotContainOutput("not authorized for").statusIsSuccess();
+ }
+
+
+ /* Command refused tests */
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void testInvalidPermissionsForLuceneCreateIndexFunction() throws
Exception {
+ Function thisFunction = luceneCreateIndexFunction;
+ ResourcePermission thisRequiredPermission = CLUSTER_MANAGE_LUCENE;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void testInvalidPermissionsForLuceneDescribeIndexFunction() throws
Exception {
+ Function thisFunction = luceneDescribeIndexFunction;
+ ResourcePermission thisRequiredPermission = CLUSTER_READ_LUCENE;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void testInvalidPermissionsForLuceneDestroyIndexFunction() throws
Exception {
+ Function thisFunction = luceneDestroyIndexFunction;
+ ResourcePermission thisRequiredPermission = CLUSTER_MANAGE_LUCENE;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void testInvalidPermissionsForLuceneListIndexFunction() throws
Exception {
+ Function thisFunction = luceneListIndexFunction;
+ ResourcePermission thisRequiredPermission = CLUSTER_READ_LUCENE;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_noPermission()
+ throws Exception {
+ Function thisFunction = dumpDirectoryFiles;
+
+ Predicate<String> notAuthForDataRead =
+ s -> s.contains("not authorized for " + DATA_READ.toString());
+ Predicate<String> notAuthForClusterManage =
+ s -> s.contains("not authorized for " + CLUSTER_MANAGE.toString());
+ Predicate<String> notAuthForSomePermission =
+ s -> notAuthForDataRead.test(s) || notAuthForClusterManage.test(s);
+
+ String output = gfsh.execute("execute function --id=" +
thisFunction.getId());
+
+ Condition<String> containsSomeAuthFailure = new
Condition<>(notAuthForSomePermission,
+ "not authorized for for [DATA:MANAGE|CLUSTER:MANAGE]", output);
+ assertThat(output).has(containsSomeAuthFailure);
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+ public void
testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_withDataRead()
+ throws Exception {
+ Function thisFunction = dumpDirectoryFiles;
+ ResourcePermission thisMissingPermission = CLUSTER_MANAGE;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisMissingPermission.toString()).statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "clusterManage", password = "clusterManage")
+ public void
testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_withClusterManage()
+ throws Exception {
+ Function thisFunction = dumpDirectoryFiles;
+ ResourcePermission thisMissingPermission = DATA_READ;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisMissingPermission.toString()).statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_noPermission()
+ throws Exception {
+ Function thisFunction = dumpDirectoryFiles;
+
+ Predicate<String> notAuthForDataReadRegion =
+ s -> s.contains("not authorized for " + DATA_READ_REGION.toString());
+ Predicate<String> notAuthForClusterManage =
+ s -> s.contains("not authorized for " + CLUSTER_MANAGE.toString());
+ Predicate<String> notAuthForSomePermission =
+ s -> notAuthForDataReadRegion.test(s) ||
notAuthForClusterManage.test(s);
+
+ String output =
+ gfsh.execute("execute function --region=" + regionName + " --id=" +
thisFunction.getId());
+
+ Condition<String> containsSomeAuthFailure =
+ new Condition<>(notAuthForSomePermission, "D:R or C:M:L auth failure",
output);
+ assertThat(output).has(containsSomeAuthFailure);
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "dataReadThis_test_region", password =
"dataReadThis_test_region")
+ public void
testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withDataReadRegion()
+ throws Exception {
+ Function thisFunction = dumpDirectoryFiles;
+ ResourcePermission thisMissingPermission = CLUSTER_MANAGE;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .containsOutput("not authorized for " +
thisMissingPermission.toString()).statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "clusterManage", password = "clusterManage")
+ public void
testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withClusterManage()
+ throws Exception {
+ Function thisFunction = dumpDirectoryFiles;
+ ResourcePermission thisMissingPermission = DATA_READ;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .containsOutput("not authorized for " +
thisMissingPermission.toString()).statusIsSuccess();
+ }
+
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForLuceneSearchIndexFunctionWithoutRegionParameter()
+ throws Exception {
+ Function thisFunction = luceneSearchIndexFunction;
+ ResourcePermission thisRequiredPermission = DATA_READ;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForLuceneSearchIndexFunctionWithRegionParameter()
+ throws Exception {
+ Function thisFunction = luceneSearchIndexFunction;
+ ResourcePermission thisRequiredPermission = DATA_READ_REGION;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForLuceneQueryFunctionWithoutRegionParameter()
+ throws Exception {
+ Function thisFunction = luceneQueryFunction;
+ ResourcePermission thisRequiredPermission = DATA_READ;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForLuceneQueryFunctionWithRegionParameter() throws
Exception {
+ Function thisFunction = luceneQueryFunction;
+ ResourcePermission thisRequiredPermission = DATA_READ_REGION;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForWaitUntilFlushedFunctionWithoutRegionParameter()
+ throws Exception {
+ Function thisFunction = waitUntilFlushedFunction;
+ ResourcePermission thisRequiredPermission = DATA_READ;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForWaitUntilFlushedFunctionWithRegionParameter()
+ throws Exception {
+ Function thisFunction = waitUntilFlushedFunction;
+ ResourcePermission thisRequiredPermission = DATA_READ_REGION;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForLuceneGetPageFunctionWithoutRegionParameter()
+ throws Exception {
+ Function thisFunction = luceneGetPageFunction;
+ ResourcePermission thisRequiredPermission = DATA_READ;
+
+ gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+
+ @Test
+ @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+ public void
testInvalidPermissionsForLuceneGetPageFunctionWithRegionParameter() throws
Exception {
+ Function thisFunction = luceneGetPageFunction;
+ ResourcePermission thisRequiredPermission = DATA_READ_REGION;
+
+ gfsh.executeAndAssertThat(
+ "execute function --region=" + regionName + " --id=" +
thisFunction.getId())
+ .containsOutput("not authorized for " +
thisRequiredPermission.toString())
+ .statusIsSuccess();
+ }
+}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> improve permission for Internal functions
> -----------------------------------------
>
> Key: GEODE-3974
> URL: https://issues.apache.org/jira/browse/GEODE-3974
> Project: Geode
> Issue Type: Bug
> Components: docs, management
> Reporter: Jinmei Liao
> Fix For: 1.5.0
>
>
> Internal functions needs to be updated to require appropriate permissions
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
