List of usage examples for org.apache.solr.security AuthorizationContext getHandler
public abstract Object getHandler();
From source file:org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl.java
License:Apache License
/**
 * Decides whether the request described by {@code authCtx} may proceed.
 *
 * The checks run in this order: (1) a request without a principal gets
 * {@code PROMPT}; (2) the configured super user is allowed without consulting
 * Sentry; (3) when the handler implements {@code PermissionNameProvider}, its
 * permission name selects the Sentry authorizable(s) and the action
 * ({@code QUERY} or {@code UPDATE}) to check; (4) every other request is
 * allowed (see the trailing comment and SOLR-11623).
 *
 * Only the READ/UPDATE and CORE/COLL branches call {@link #audit}; the
 * security, config, schema, metrics, autoscaling and ALL branches, as well as
 * the super-user bypass, leave no audit record.
 *
 * @param authCtx Solr's view of the request (principal, handler, collections, params)
 * @return {@code PROMPT}, {@code OK}, {@code FORBIDDEN}, or whatever {@code binding} returns
 */
@Override
public AuthorizationResponse authorize(AuthorizationContext authCtx) {
  if (authCtx.getUserPrincipal() == null) {
    // Request not authenticated.
    return AuthorizationResponse.PROMPT;
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug("Authorizing a request with authorization context {} ", SolrAuthzUtil.toString(authCtx));
  }
  String userNameStr = getShortUserName(authCtx.getUserPrincipal());
  // Super user bypasses Sentry entirely; this path is not audited.
  if (this.solrSuperUser.equals(userNameStr)) {
    return AuthorizationResponse.OK;
  }
  if (authCtx.getHandler() instanceof PermissionNameProvider) {
    Subject userName = new Subject(userNameStr);
    Name perm = ((PermissionNameProvider) authCtx.getHandler()).getPermissionName(authCtx);
    // NOTE(review): if getPermissionName() can return null for the Solr version in use, this
    // switch throws NullPointerException instead of producing a response — confirm against
    // the handlers deployed.
    switch (perm) {
      case READ_PERM:
      case UPDATE_PERM: {
        // Every collection named in the request must be authorized; the first denial wins.
        // With no collections in the request, resp stays FORBIDDEN.
        AuthorizationResponse resp = AuthorizationResponse.FORBIDDEN;
        Set<SolrModelAction> actions = (perm == Name.READ_PERM) ? QUERY : UPDATE;
        for (CollectionRequest req : authCtx.getCollectionRequests()) {
          resp = binding.authorizeCollection(userName, new Collection(req.collectionName), actions);
          if (!AuthorizationResponse.OK.equals(resp)) {
            break;
          }
        }
        audit(perm, authCtx, resp);
        return resp;
      }
      case SECURITY_EDIT_PERM: {
        return binding.authorize(userName, Collections.singleton(AdminOperation.SECURITY), UPDATE);
      }
      case SECURITY_READ_PERM: {
        return binding.authorize(userName, Collections.singleton(AdminOperation.SECURITY), QUERY);
      }
      case CORE_READ_PERM:
      case CORE_EDIT_PERM:
      case COLL_READ_PERM:
      case COLL_EDIT_PERM: {
        // Two-stage check: first the admin-operation privilege (COLLECTIONS or CORES), then,
        // only if that passed, the per-collection privilege for each collection the admin
        // operation touches. Each stage writes its own audit record.
        AuthorizationResponse resp = AuthorizationResponse.FORBIDDEN;
        SolrModelAuthorizable auth = (perm == Name.COLL_READ_PERM || perm == Name.COLL_EDIT_PERM)
            ? AdminOperation.COLLECTIONS
            : AdminOperation.CORES;
        Set<SolrModelAction> actions = (perm == Name.COLL_READ_PERM || perm == Name.CORE_READ_PERM)
            ? QUERY
            : UPDATE;
        resp = binding.authorize(userName, Collections.singleton(auth), actions);
        audit(perm, authCtx, resp);
        if (AuthorizationResponse.OK.equals(resp)) {
          // Apply collection/core-level permissions check as well.
          for (Map.Entry<String, SolrModelAction> entry : SolrAuthzUtil.getCollectionsForAdminOp(authCtx).entrySet()) {
            resp = binding.authorizeCollection(userName, new Collection(entry.getKey()), Collections.singleton(entry.getValue()));
            // Audit under the collection-level permission that matches the action checked.
            Name p = entry.getValue().equals(SolrModelAction.UPDATE) ? Name.UPDATE_PERM : Name.READ_PERM;
            audit(p, authCtx, resp);
            if (!AuthorizationResponse.OK.equals(resp)) {
              break;
            }
          }
        }
        return resp;
      }
      case CONFIG_EDIT_PERM: {
        return binding.authorize(userName, SolrAuthzUtil.getConfigAuthorizables(authCtx), UPDATE);
      }
      case CONFIG_READ_PERM: {
        return binding.authorize(userName, SolrAuthzUtil.getConfigAuthorizables(authCtx), QUERY);
      }
      case SCHEMA_EDIT_PERM: {
        return binding.authorize(userName, SolrAuthzUtil.getSchemaAuthorizables(authCtx), UPDATE);
      }
      case SCHEMA_READ_PERM: {
        return binding.authorize(userName, SolrAuthzUtil.getSchemaAuthorizables(authCtx), QUERY);
      }
      case METRICS_HISTORY_READ_PERM:
      case METRICS_READ_PERM: {
        return binding.authorize(userName, Collections.singleton(AdminOperation.METRICS), QUERY);
      }
      case AUTOSCALING_READ_PERM:
      case AUTOSCALING_HISTORY_READ_PERM: {
        return binding.authorize(userName, Collections.singleton(AdminOperation.AUTOSCALING), QUERY);
      }
      case AUTOSCALING_WRITE_PERM: {
        return binding.authorize(userName, Collections.singleton(AdminOperation.AUTOSCALING), UPDATE);
      }
      case ALL: {
        // The handler declared that no specific permission applies; allowed without consulting Sentry.
        return AuthorizationResponse.OK;
      }
    }
  }
  /*
   * The switch-case statement above handles all possible permission types. Some of the request handlers
   * in SOLR do not implement PermissionNameProvider interface and hence are incapable to providing the
   * type of permission to be enforced for this request. This is a design limitation (or a bug) on the SOLR
   * side. Until that issue is resolved, Solr/Sentry plugin needs to return OK for such requests.
   * Ref: SOLR-11623
   */
  // NOTE(review): the switch has no default, so a Name value not listed above (for example one
  // introduced by a newer Solr release) also reaches this OK. A `default` branch returning
  // FORBIDDEN would make unknown permission names fail closed while keeping the SOLR-11623
  // behaviour for handlers that are not PermissionNameProviders.
  return AuthorizationResponse.OK;
}
From source file:org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl.java
License:Apache License
/**
 * Writes one audit-log record for an authorization decision, provided an audit
 * logger is configured and enabled.
 *
 * Only collection/core admin operations and collection read/update requests are
 * recorded; any other permission name is skipped without logging. The recorded
 * collection is the literal {@code "admin"} for admin operations and the
 * comma-joined list of requested collections otherwise.
 *
 * @param perm the permission the request was checked against
 * @param ctx  the request being audited (principal, remote address, params, handler)
 * @param resp the decision; anything other than {@code OK} is recorded as UNAUTHORIZED
 */
private void audit(Name perm, AuthorizationContext ctx, AuthorizationResponse resp) {
  if (!auditLog.isPresent() || !auditLog.get().isLogEnabled()) {
    return;
  }
  final String user = getShortUserName(ctx.getUserPrincipal());
  final String remoteAddr = ctx.getRemoteAddr();
  final long when = System.currentTimeMillis();
  final int outcome = (resp.statusCode == AuthorizationResponse.OK.statusCode)
      ? AuditLogger.ALLOWED
      : AuditLogger.UNAUTHORIZED;
  // NOTE(review): the complete request parameter map is written to the audit log; confirm
  // that no sensitive values are expected among those parameters.
  final String params = ctx.getParams().toString();

  final String operation;
  final String collection;
  switch (perm) {
    case COLL_EDIT_PERM:
    case COLL_READ_PERM: {
      collection = "admin";
      String action = ctx.getParams().get(CoreAdminParams.ACTION);
      // Without an ACTION parameter the handler class name still identifies the entry point.
      operation = (action == null)
          ? ctx.getHandler().getClass().getName()
          : "CollectionAction." + action;
      break;
    }
    case CORE_EDIT_PERM:
    case CORE_READ_PERM: {
      collection = "admin";
      String action = ctx.getParams().get(CoreAdminParams.ACTION);
      // STATUS is the implied core admin action when none is supplied.
      operation = (action == null)
          ? "CoreAdminAction.STATUS"
          : "CoreAdminAction." + action;
      break;
    }
    case READ_PERM:
    case UPDATE_PERM: {
      List<String> requested = new ArrayList<>();
      for (CollectionRequest request : ctx.getCollectionRequests()) {
        requested.add(request.collectionName);
      }
      collection = String.join(",", requested);
      operation = (perm == Name.READ_PERM) ? SolrConstants.QUERY : SolrConstants.UPDATE;
      break;
    }
    default:
      // Other permission names are not audited.
      return;
  }
  auditLog.get().log(user, null, remoteAddr, operation, params, when, outcome, collection);
}
From source file:org.apache.sentry.binding.solr.authz.SolrAuthzUtil.java
License:Apache License
/**
 * Resolves the {@linkplain Config} authorizables touched by a config or configset request.
 *
 * ConfigSets API requests (handler is a {@code ConfigSetsHandler}) are keyed by the
 * {@code NAME} parameter; all other config requests are keyed by the collections named
 * in the request. When neither yields a name, the single wildcard {@code Config.ALL} is
 * returned and a debug message records the fallback.
 *
 * NOTE(review): whether the {@code Config.ALL} fallback narrows or widens the check depends
 * on how the binding matches the wildcard authorizable — confirm against the Sentry model.
 *
 * @param ctx the request context
 * @return a non-empty list of authorizables
 */
static Collection<Config> getConfigAuthorizables(AuthorizationContext ctx) {
  List<Config> authorizables = new ArrayList<>(1);
  boolean isConfigSetRequest = ctx.getHandler() instanceof ConfigSetsHandler;
  if (!isConfigSetRequest) {
    // Config API: one authorizable per collection in the request.
    for (CollectionRequest request : ctx.getCollectionRequests()) {
      authorizables.add(new Config(request.collectionName));
    }
  } else {
    // ConfigSets API: the configset is addressed by the NAME parameter.
    String configSetName = ctx.getParams().get(CommonParams.NAME);
    if (configSetName != null) {
      authorizables.add(new Config(configSetName));
    }
  }
  if (!authorizables.isEmpty()) {
    return authorizables;
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug("Missing collection name for the config operation with authorization context {}."
        + " Using * permissions for authorization check", toString(ctx));
  }
  authorizables.add(Config.ALL);
  return authorizables;
}
From source file:org.apache.sentry.binding.solr.authz.SolrAuthzUtil.java
License:Apache License
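/**
 * Renders an {@link AuthorizationContext} for debug logging.
 *
 * Includes the principal name (or {@code null} for a request without a principal),
 * the requested collections, the handler and the HTTP method. The user name is
 * intentionally left out until SOLR-10814 is fixed.
 *
 * @param ctx the context to describe; must not be {@code null}
 * @return a single-line description starting with {@code AuthorizationContext {}
 */
static String toString(AuthorizationContext ctx) {
  StringBuilder builder = new StringBuilder();
  builder.append("AuthorizationContext {");
  builder.append("userPrincipal : ");
  // An unauthenticated request has no principal; render "null" rather than let a
  // logging helper throw NullPointerException on the authorization path.
  builder.append(ctx.getUserPrincipal() == null ? "null" : ctx.getUserPrincipal().getName());
  // NOTE - comment out the code until SOLR-10814 is fixed.
  //builder.append(", userName : ");
  //builder.append(ctx.getUserName());
  builder.append(", collections : ");
  builder.append(ctx.getCollectionRequests());
  builder.append(", handler : ");
  builder.append(ctx.getHandler());
  builder.append(", HTTP method : ");
  builder.append(ctx.getHttpMethod());
  builder.append("}");
  return builder.toString();
}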