[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege
[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15922735#comment-15922735 ]

Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:06 PM:
-------------------------------------------------------------

Created this dunit test to verify the behavior.
{quote}
public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
{quote}

This passes because in LuceneIndexCommand, the searchIndex command is annotated as requiring "cluster:read" permission:
{quote}
@ResourceOperation(resource = Resource.CLUSTER, operation = Operation.READ)
{quote}

was (Author: jinmeiliao):
Created this dunit test to verify the behavior.
{quote}
public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
{quote}

This passes because in LuceneIndexCommand, the searchIndex command is annotated as requiring "cluster:read" permission:
{quote}
@CliCommand(value = LuceneCliStrings.LUCENE_DESTROY_INDEX,
    help = LuceneCliStrings.LUCENE_DESTROY_INDEX__HELP)
@CliMetaData(shellOnly = false,
    relatedTopic = {CliStrings.TOPIC_GEODE_REGION, CliStrings.TOPIC_GEODE_DATA})
@ResourceOperation(resource = Resource.CLUSTER, operation = Operation.READ)
{quote}

> Unable to do a Lucene query without CLUSTER:READ privilege
> ----------------------------------------------------------
>
>                 Key: GEODE-2605
>                 URL: https://issues.apache.org/jira/browse/GEODE-2605
>             Project: Geode
>          Issue Type: Bug
>          Components: docs, lucene, security
>            Reporter: Diane Hardman
>         Attachments: security.json
>
>
> I have configured a small cluster with security and am testing the privileges
> I need for creating a Lucene index and then executing a query/search using
> Lucene.
> I have confirmed that DATA:MANAGE privilege allows me to create a lucene
> index (similar to creating OQL indexes).
> I assumed I needed DATA:WRITE privilege to execute 'search lucene' because
> the implementation uses a function. Instead, I am getting an error that I
> need CLUSTER:READ privilege. I don't know why.
> As an aside, we may want to document that all DATA privileges automatically
> include CLUSTER:READ as I found I could create indexes with DATA:WRITE, but
> could not list the indexes I created without CLUSTER:READ... go figure.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
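
The authorization outcome the dunit test asserts, modelled as an added example (this is not Geode code and not code from the thread). `RequiresPermission`, `LuceneCommands`, `unguardedCommand` and the grant set are hypothetical stand-ins; the sketch assumes exact-match grants and goes slightly beyond the thread by also flagging command methods that declare no permission at all. It needs Java 9 or later for `Set.of`.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class CommandPermissionAudit {
  enum Resource { CLUSTER, DATA }
  enum Operation { READ, WRITE, MANAGE }

  // Hypothetical stand-in for the @ResourceOperation annotation quoted in the thread.
  @Retention(RetentionPolicy.RUNTIME)
  @Target(ElementType.METHOD)
  @interface RequiresPermission {
    Resource resource();
    Operation operation();
  }

  // Constructed command class; the annotations mirror what the thread reports.
  static class LuceneCommands {
    @RequiresPermission(resource = Resource.DATA, operation = Operation.MANAGE)
    public void createIndex() {}

    @RequiresPermission(resource = Resource.CLUSTER, operation = Operation.READ)
    public void listIndex() {}

    @RequiresPermission(resource = Resource.CLUSTER, operation = Operation.READ)
    public void searchIndex() {}

    public void unguardedCommand() {} // no annotation: the audit must flag this
  }

  /** Maps each command method to "allowed", a denial reason, or a missing-annotation flag. */
  static Map<String, String> audit(Class<?> commands, String user, Set<String> grants) {
    Map<String, String> verdicts = new TreeMap<>(); // sorted, so output is deterministic
    for (Method m : commands.getDeclaredMethods()) {
      if (m.isSynthetic()) {
        continue; // skip compiler-generated methods
      }
      RequiresPermission p = m.getAnnotation(RequiresPermission.class);
      if (p == null) {
        verdicts.put(m.getName(), "NO PERMISSION DECLARED");
        continue;
      }
      String needed = p.resource() + ":" + p.operation();
      // Exact match only: holding every DATA privilege implies nothing about CLUSTER:READ.
      verdicts.put(m.getName(), grants.contains(needed) ? "allowed"
          : "Unauthorized. Reason : " + user + " not authorized for " + needed);
    }
    return verdicts;
  }

  public static void main(String[] args) {
    // Constructed grant set for the "data" user from the test: all DATA privileges, no CLUSTER.
    Set<String> dataGrants = Set.of("DATA:READ", "DATA:WRITE", "DATA:MANAGE");
    audit(LuceneCommands.class, "data", dataGrants)
        .forEach((cmd, verdict) -> System.out.println(cmd + " -> " + verdict));
  }
}
```

Running such an audit over every command class gives the per-command privilege table that the reporter asks to have documented.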
[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege
[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15922735#comment-15922735 ]

Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:04 PM:
-------------------------------------------------------------

Created this dunit test to verify the behavior.
{quote}
public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
{quote}

was (Author: jinmeiliao):
Created this dunit test to verify the behavior.
{{
public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
}}
[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege
[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15922735#comment-15922735 ]

Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:03 PM:
-------------------------------------------------------------

Created this dunit test to verify the behavior.
{{
public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
}}

was (Author: jinmeiliao):
Created this dunit test to verify the behavior.

public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege
[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15922735#comment-15922735 ]

Jinmei Liao edited comment on GEODE-2605 at 3/13/17 7:01 PM:
-------------------------------------------------------------

Created this dunit test to verify the behavior.

public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}

was (Author: jinmeiliao):
Created this dunit test to verify the behavior. The test is passing because the LuceneIndexCommand declares that searchIndex requires "cluster:read".

public class LuceneSecuritydUnitTest {
  @Rule
  public LocatorServerStartupRule lsRule = new LocatorServerStartupRule();

  @Rule
  public GfshShellConnectionRule gfsh = new GfshShellConnectionRule();

  @Test
  public void test() throws Exception {
    Properties locatorProps = new Properties();
    locatorProps.setProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName());
    MemberVM locator = lsRule.startLocatorVM(0, locatorProps);

    Properties serverProps = new Properties();
    serverProps.setProperty("security-username", "cluster");
    serverProps.setProperty("security-password", "cluster");
    MemberVM server = lsRule.startServerVM(1, serverProps, locator.getPort());

    gfsh.connectAndVerify(locator, "user", "data", "password", "data");
    gfsh.executeAndVerifyCommand(
        "create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD");
    gfsh.executeAndVerifyCommand("create region --name=testRegion --type=PARTITION_PERSISTENT");
    gfsh.executeAndVerifyCommand("put --key=1 --value=value1 --region=testRegion");
    String result = gfsh.execute(
        "search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD");
    assertThat(result).contains("Unauthorized. Reason : data not authorized for CLUSTER:READ");
  }
}
[jira] [Comment Edited] (GEODE-2605) Unable to do a Lucene query without CLUSTER:READ privilege
[ https://issues.apache.org/jira/browse/GEODE-2605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15900383#comment-15900383 ]

Diane Hardman edited comment on GEODE-2605 at 3/7/17 11:40 PM:
---------------------------------------------------------------

Here are the gfsh commands to reproduce this behavior:

In first VM using gfsh, start up the cluster with 1 locator and 1 server configured with security as ‘super-user’ (all cluster and data privileges):

start locator --name=loc2 --J=-Dgemfire.security-manager=org.apache.geode.examples.security.ExampleSecurityManager --classpath=.
start server --name=serv2 --start-rest-api --http-service-port=8080 --http-service-bind-address=localhost --locators=localhost[10334] --classpath=. --user=super-user
connect
list members

In second VM using gfsh, connect to running cluster as ‘dataAdmin’ (all data privileges):

connect
create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD
list lucene indexes --with-stats=true
NOTE: This will fail as it needs CLUSTER:READ privilege. I can however execute this command on the first VM
create region --name=testRegion --type=PARTITION_PERSISTENT
put --key=1 --value=value1 --region=testRegion
put --key=2 --value=value2 --region=testRegion
put --key=3 --value=value3 --region=testRegion
search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD
NOTE: This fails with message that I need CLUSTER:READ privilege

The Lucene query will execute a function so I assumed that I needed DATA:WRITE privilege and am surprised that I need CLUSTER:READ.
Here is a link to the Lucene Integration spec, illustrating the implementation:
https://cwiki.apache.org/confluence/display/GEODE/Text+Search+With+Lucene

was (Author: dhardman):
Here are the gfsh commands to reproduce this behavior:

In first VM using gfsh, start up the cluster with 1 locator and 1 server configured with security as ‘super-user’ (all cluster and data privileges):

start locator --name=loc2 --J=-Dgemfire.security-manager=org.apache.geode.examples.security.ExampleSecurityManager --classpath=.
start server --name=serv2 --start-rest-api --http-service-port=8080 --http-service-bind-address=localhost --locators=localhost[10334] --classpath=. --user=super-user
connect
list members

In second VM using gfsh, connect to running cluster as ‘dataAdmin’ (all data privileges):

connect
create lucene index --name=testIndex --region=testRegion --field=__REGION_VALUE_FIELD
list lucene indexes --with-stats=true
NOTE: This will fail as it needs CLUSTER:READ privilege. I can however execute this command on the first VM
create region --name=testRegion --type=PARTITION_PERSISTENT
put --key=1 --value=value1 --region=testRegion
put --key=2 --value=value2 --region=testRegion
put --key=3 --value=value3 --region=testRegion
search lucene --name=testIndex --region=testRegion --queryStrings=value* --defaultField=__REGION_VALUE_FIELD
NOTE: This fails with message that I need CLUSTER:READ privilege

The Lucene query will execute a function so I assumed that I needed DATA:WRITE privilege and am surprised that I need CLUSTER:READ.
Here is a link to the Lucene Integration spec, illustrating the implementation:
https://cwiki.apache.org/confluence/display/GEODE/Text+Search+With+Lucene

> Unable to do a Lucene query without CLUSTER:READ privilege
> ----------------------------------------------------------
>
>                 Key: GEODE-2605
>                 URL: https://issues.apache.org/jira/browse/GEODE-2605
>             Project: Geode
>          Issue Type: Bug
>          Components: lucene, security
>            Reporter: Diane Hardman
>         Attachments: security.json
>
>
> I have configured a small cluster with security and am testing the privileges
> I need for creating a Lucene index and then executing a query/search using
> Lucene.
> I have confirmed that DATA:MANAGE privilege allows me to create a lucene
> index (similar to creating OQL indexes).
> I assumed I needed DATA:WRITE privilege to execute 'search lucene' because
> the implementation uses a function. Instead, I am getting an error that I
> need CLUSTER:READ privilege. I don't know why.
> As an aside, we may want to document that all DATA privileges automatically
> include CLUSTER:READ as I found I could create indexes with DATA:WRITE, but
> could not list the indexes I created without CLUSTER:READ... go figure.