[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege

2017-03-13 Thread Jinmei Liao (JIRA)

[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15922735#comment-15922735 ]

Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:06 PM:
-

Created this dunit test to verify the behavior. 
{quote}
import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_MANAGER;
import static org.assertj.core.api.Assertions.assertThat;

import java.util.Properties;

import org.junit.Rule;
import org.junit.Test;

// LocatorServerStartupRule, GfshShellConnectionRule, MemberVM and
// SimpleTestSecurityManager come from Geode's own test sources.
public class LuceneSecuritydUnitTest {

  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    // Locator enforces security through the test security manager
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    // Server joins the cluster with the "cluster" credentials
    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    // gfsh connects as user "data"
    gfsh.connectAndVerify(locator, "user", "data", "password", "data");

    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute("search lucene --name=testIndex --region=testRegion"
        + " --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");

    // The search is rejected for user "data"
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}

{quote}

This passes because in LuceneIndexCommand, the searchIndex command is annotated 
as requiring "cluster:read" permission:

{quote}
  @ResourceOperation(resource = Resource.CLUSTER, operation = Operation.READ)
{quote}



was (Author: jinmeiliao):

This passes because in LuceneIndexCommand, the searchIndex command is annotated 
as requiring "cluster:read" permission:

{quote}
  @CliCommand(value = LuceneCliStrings.LUCENE_DESTROY_INDEX,
      help = LuceneCliStrings.LUCENE_DESTROY_INDEX__HELP)
  @CliMetaData(shellOnly = false,
      relatedTopic = {CliStrings.TOPIC_GEODE_REGION, CliStrings.TOPIC_GEODE_DATA})
  @ResourceOperation(resource = Resource.CLUSTER, operation = Operation.READ)
{quote}


> Unable to do a Lucene query without CLUSTER:READ privilege
> --
>
> Key: GEODE-2605
> URL: https://issues.apache.org/jira/browse/GEODE-2605
> Project: Geode
> Issue Type: Bug
> Components: docs, lucene, security
> Reporter: Diane Hardman
> Attachments: security.json
>
>
> I have configured a small cluster with security and am testing the privileges 
> I need for creating a Lucene index and then executing a query/search using 
> Lucene. 
> I have confirmed that DATA:MANAGE privilege allows me to create a lucene 
> index (similar to creating OQL indexes).
> I assumed I needed DATA:WRITE privilege to execute 'search lucene' because 
> the implementation uses a function. Instead, I am getting an error that I 
> need CLUSTER:READ privilege. I don't know why.
> As an aside, we may want to document that all DATA privileges automatically 
> include CLUSTER:READ as I found I could create indexes with DATA:WRITE, but 
> could not list the indexes I created without CLUSTER:READ... go figure.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
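
An added illustration, not Geode code and not part of the thread, of why the test in the comment above is denied: the permission is read from the annotation on the command method and checked before the command body runs, so a user holding only DATA privileges fails on a command declared as CLUSTER:READ. The names `AnnotationAuthzSketch`, `Requires`, `LuceneCommands`, `authorize`, `declaredPermissions` and `execute` are hypothetical stand-ins, and the prefix-matching authorization rule is an assumption made for the sketch.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.TreeMap;

// Added illustration: every type below is a hypothetical stand-in, not a Geode class.
public class AnnotationAuthzSketch {
  enum Resource { CLUSTER, DATA }
  enum Operation { READ, WRITE, MANAGE }

  @Retention(RetentionPolicy.RUNTIME)
  @interface Requires {
    Resource resource();
    Operation operation();
  }

  // Stand-in command class: each method declares the permission checked before it runs.
  static class LuceneCommands {
    @Requires(resource = Resource.DATA, operation = Operation.MANAGE)
    public String createIndex() { return "index created"; }

    @Requires(resource = Resource.CLUSTER, operation = Operation.READ)
    public String listIndexes() { return "testIndex"; }

    @Requires(resource = Resource.CLUSTER, operation = Operation.READ)
    public String searchIndex() { return "1 -> value1"; }
  }

  // Assumed rule: a user is authorized when the permission string starts with
  // the user name, so user "data" holds DATA:* and nothing under CLUSTER.
  static boolean authorize(String user, String permission) {
    return permission.toLowerCase().startsWith(user.toLowerCase());
  }

  // Audit helper: command name -> declared permission, so each annotation can be
  // reviewed against the privilege the command is documented to need.
  static Map<String, String> declaredPermissions(Class<?> commands) {
    Map<String, String> out = new TreeMap<>();
    for (Method m : commands.getDeclaredMethods()) {
      Requires r = m.getAnnotation(Requires.class);
      // A command without an annotation is flagged rather than silently allowed.
      out.put(m.getName(), r == null ? "UNDECLARED" : r.resource() + ":" + r.operation());
    }
    return out;
  }

  // The decision is made from the annotation alone, before the command body runs.
  static String execute(String user, Object commands, String name) throws Exception {
    Method m = commands.getClass().getDeclaredMethod(name);
    String needed = declaredPermissions(commands.getClass()).get(name);
    if (needed.equals("UNDECLARED") || !authorize(user, needed)) {
      return "Unauthorized. Reason : " + user + " not authorized for " + needed;
    }
    return (String) m.invoke(commands);
  }

  public static void main(String[] args) throws Exception {
    LuceneCommands cmds = new LuceneCommands();
    System.out.println(declaredPermissions(LuceneCommands.class));
    for (String user : new String[] {"data", "cluster"}) {
      for (String cmd : new String[] {"createIndex", "listIndexes", "searchIndex"}) {
        System.out.println(user + " / " + cmd + ": " + execute(user, cmds, cmd));
      }
    }
  }
}
```

Printing the `declaredPermissions` map for a whole command class is a quick way to review which commands a DATA-only role can reach and which annotations disagree with the documented privilege.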


[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege

2017-03-13 Thread Jinmei Liao (JIRA)

[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15922735#comment-15922735 ]

Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:04 PM:
-

Created this dunit test to verify the behavior. 
{quote}
public class LuceneSecuritydUnitTest {

  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");

    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute("search lucene --name=testIndex --region=testRegion"
        + " --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");

    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}

{quote}







[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege

2017-03-13 Thread Jinmei Liao (JIRA)

[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15922735#comment-15922735 ]

Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:03 PM:
-

Created this dunit test to verify the behavior. 
{{
public class LuceneSecuritydUnitTest {

  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");

    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute("search lucene --name=testIndex --region=testRegion"
        + " --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");

    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}

}}






[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege

2017-03-13 Thread Jinmei Liao (JIRA)

[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15922735#comment-15922735 ]

Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:01 PM:
-

Created this dunit test to verify the behavior. 

public class LuceneSecuritydUnitTest {

  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");

    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute("search lucene --name=testIndex --region=testRegion"
        + " --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");

    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}



was (Author: jinmeiliao):
Created this dunit test to verify the behavior. The test is passing because the 
LuceneIndexCommand declares that searchIndex requires "cluster:read".







[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege

2017-03-07 Thread Diane Hardman (JIRA)

[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15900383#comment-15900383 ]

Diane Hardman edited comment on GEODE-2605 at 3/7/17 11:40 PM:
---

Here are the gfsh commands to reproduce this behavior:
In first VM using gfsh, start up the cluster with 1 locator and 1 server 
configured with security as ‘super-user’ (all cluster and data privileges):
  start locator --name=loc2 --J=-Dgemfire.security-manager=org.apache.geode.examples.security.ExampleSecurityManager --classpath=.
  start server --name=serv2 --start-rest-api --http-service-port=8080 --http-service-bind-address=localhost --locators=localhost[10334] --classpath=. --user=super-user
  connect
  list members

In second VM using gfsh, connect to running cluster as ‘dataAdmin’ (all data 
privileges):
  connect
  create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD
  list lucene indexes --with-stats=true
  NOTE: This will fail as it needs CLUSTER:READ privilege. I can however execute this command on the first VM
  create region --name=testRegion --type=PARTITION_PERSISTENT
  put --key=1 --value=value1 --region=testRegion
  put --key=2 --value=value2 --region=testRegion
  put --key=3 --value=value3 --region=testRegion
  search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD
  NOTE: This fails with message that I need CLUSTER:READ privilege

The Lucene query will execute a function so I assumed that I needed DATA:WRITE 
privilege and am surprised that I need CLUSTER:READ.
Here is a link to the Lucene Integration spec, illustrating the implementation: 
https://cwiki.apache.org/confluence/display/GEODE/Text+Search+With+Lucene


> Unable to do a Lucene query without CLUSTER:READ privilege
> --
>
> Key: GEODE-2605
> URL: https://issues.apache.org/jira/browse/GEODE-2605
> Project: Geode
> Issue Type: Bug
> Components: lucene, security
> Reporter: Diane Hardman
> Attachments: security.json