From source file:org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl.java
License:Apache License
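/**
 * Authorization entry point Solr invokes for every request.
 *
 * <p>When the request handler implements {@link PermissionNameProvider}, the permission
 * name it reports is mapped onto a Sentry check; collection, core and document-level
 * outcomes are also written to the audit log. Handlers that do not implement
 * {@code PermissionNameProvider} are allowed through (see SOLR-11623 below).
 *
 * @param authCtx the Solr authorization context of the request
 * @return {@link AuthorizationResponse#PROMPT} when the request carries no principal,
 *     {@link AuthorizationResponse#OK} for the configured super user, otherwise the
 *     outcome of the Sentry check; {@link AuthorizationResponse#FORBIDDEN} for a
 *     permission name this plugin does not recognise
 */
@Override
public AuthorizationResponse authorize(AuthorizationContext authCtx) {
    if (authCtx.getUserPrincipal() == null) {
        // Request not authenticated.
        return AuthorizationResponse.PROMPT;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Authorizing a request with authorization context {} ", SolrAuthzUtil.toString(authCtx));
    }
    String userNameStr = getShortUserName(authCtx.getUserPrincipal());
    if (this.solrSuperUser.equals(userNameStr)) {
        // Super user bypasses Sentry entirely.
        return AuthorizationResponse.OK;
    }
    if (authCtx.getHandler() instanceof PermissionNameProvider) {
        Subject userName = new Subject(userNameStr);
        Name perm = ((PermissionNameProvider) authCtx.getHandler()).getPermissionName(authCtx);
        if (perm == null) {
            // A switch on a null enum throws NPE, which previously surfaced as a request
            // error rather than a decision. Fail closed instead.
            // NOTE(review): confirm against Solr's PermissionNameProvider contract whether a
            // null name is ever returned for requests that should be allowed.
            return AuthorizationResponse.FORBIDDEN;
        }
        switch (perm) {
            case READ_PERM:
            case UPDATE_PERM:
                return authorizeCollectionRequests(userName, authCtx, perm);
            case SECURITY_EDIT_PERM:
                return binding.authorize(userName, Collections.singleton(AdminOperation.SECURITY), UPDATE);
            case SECURITY_READ_PERM:
                return binding.authorize(userName, Collections.singleton(AdminOperation.SECURITY), QUERY);
            case CORE_READ_PERM:
            case CORE_EDIT_PERM:
            case COLL_READ_PERM:
            case COLL_EDIT_PERM:
                return authorizeAdminOperation(userName, authCtx, perm);
            case CONFIG_EDIT_PERM:
                return binding.authorize(userName, SolrAuthzUtil.getConfigAuthorizables(authCtx), UPDATE);
            case CONFIG_READ_PERM:
                return binding.authorize(userName, SolrAuthzUtil.getConfigAuthorizables(authCtx), QUERY);
            case SCHEMA_EDIT_PERM:
                return binding.authorize(userName, SolrAuthzUtil.getSchemaAuthorizables(authCtx), UPDATE);
            case SCHEMA_READ_PERM:
                return binding.authorize(userName, SolrAuthzUtil.getSchemaAuthorizables(authCtx), QUERY);
            case METRICS_HISTORY_READ_PERM:
            case METRICS_READ_PERM:
                return binding.authorize(userName, Collections.singleton(AdminOperation.METRICS), QUERY);
            case AUTOSCALING_READ_PERM:
            case AUTOSCALING_HISTORY_READ_PERM:
                return binding.authorize(userName, Collections.singleton(AdminOperation.AUTOSCALING), QUERY);
            case AUTOSCALING_WRITE_PERM:
                return binding.authorize(userName, Collections.singleton(AdminOperation.AUTOSCALING), UPDATE);
            case ALL:
                return AuthorizationResponse.OK;
            default:
                // Without a default, a permission name added to Solr's enum after this
                // switch was written would fall out of the switch and reach the
                // unconditional OK below. Unknown permissions are denied instead so
                // new handlers are not silently exposed.
                LOG.warn("Denying request: unrecognised permission name {}", perm);
                return AuthorizationResponse.FORBIDDEN;
        }
    }
    /*
     * The switch-case statement above handles all possible permission types. Some of the request handlers
     * in SOLR do not implement PermissionNameProvider interface and hence are incapable to providing the
     * type of permission to be enforced for this request. This is a design limitation (or a bug) on the SOLR
     * side. Until that issue is resolved, Solr/Sentry plugin needs to return OK for such requests.
     * Ref: SOLR-11623
     */
    return AuthorizationResponse.OK;
}

/**
 * Checks a document-level read or update against every collection the request names.
 *
 * <p>The result starts as {@code FORBIDDEN}, so a request that names no collection is
 * denied; the loop stops at the first collection the subject may not access.
 *
 * @param userName the Sentry subject for the request
 * @param authCtx  the Solr authorization context
 * @param perm     {@code READ_PERM} (query) or {@code UPDATE_PERM} (update)
 * @return the audited outcome
 */
private AuthorizationResponse authorizeCollectionRequests(Subject userName, AuthorizationContext authCtx,
        Name perm) {
    Set<SolrModelAction> actions = (perm == Name.READ_PERM) ? QUERY : UPDATE;
    AuthorizationResponse resp = AuthorizationResponse.FORBIDDEN;
    for (CollectionRequest req : authCtx.getCollectionRequests()) {
        resp = binding.authorizeCollection(userName, new Collection(req.collectionName), actions);
        if (!AuthorizationResponse.OK.equals(resp)) {
            break;
        }
    }
    audit(perm, authCtx, resp);
    return resp;
}

/**
 * Checks a collection-admin or core-admin operation: first the admin operation itself,
 * then, when that passes, each collection the operation touches.
 *
 * @param userName the Sentry subject for the request
 * @param authCtx  the Solr authorization context
 * @param perm     one of {@code COLL_READ_PERM}, {@code COLL_EDIT_PERM},
 *                 {@code CORE_READ_PERM}, {@code CORE_EDIT_PERM}
 * @return the audited outcome; {@code OK} only if every check passed
 */
private AuthorizationResponse authorizeAdminOperation(Subject userName, AuthorizationContext authCtx,
        Name perm) {
    boolean collectionsOp = (perm == Name.COLL_READ_PERM || perm == Name.COLL_EDIT_PERM);
    boolean readOnly = (perm == Name.COLL_READ_PERM || perm == Name.CORE_READ_PERM);
    SolrModelAuthorizable auth = collectionsOp ? AdminOperation.COLLECTIONS : AdminOperation.CORES;
    Set<SolrModelAction> actions = readOnly ? QUERY : UPDATE;
    AuthorizationResponse resp = binding.authorize(userName, Collections.singleton(auth), actions);
    audit(perm, authCtx, resp);
    if (!AuthorizationResponse.OK.equals(resp)) {
        return resp;
    }
    // Apply collection/core-level permissions check as well.
    for (Map.Entry<String, SolrModelAction> entry : SolrAuthzUtil.getCollectionsForAdminOp(authCtx).entrySet()) {
        resp = binding.authorizeCollection(userName, new Collection(entry.getKey()),
                Collections.singleton(entry.getValue()));
        // Audit under the document-level permission matching the action on that collection.
        Name p = entry.getValue().equals(SolrModelAction.UPDATE) ? Name.UPDATE_PERM : Name.READ_PERM;
        audit(p, authCtx, resp);
        if (!AuthorizationResponse.OK.equals(resp)) {
            break;
        }
    }
    return resp;
}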
From source file:org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl.java
License:Apache License
/**
 * Records an authorization decision in the audit log, when one is configured and enabled.
 *
 * <p>Only collection-admin, core-admin and document read/update permissions are logged;
 * every other permission name is silently skipped.
 *
 * @param perm the permission that was enforced
 * @param ctx  the Solr authorization context of the request
 * @param resp the decision reached for {@code perm}
 */
private void audit(Name perm, AuthorizationContext ctx, AuthorizationResponse resp) {
    if (!auditLog.isPresent() || !auditLog.get().isLogEnabled()) {
        return;
    }
    final String user = getShortUserName(ctx.getUserPrincipal());
    final String remoteAddr = ctx.getRemoteAddr();
    final long when = System.currentTimeMillis();
    final int outcome = (resp.statusCode == AuthorizationResponse.OK.statusCode)
            ? AuditLogger.ALLOWED : AuditLogger.UNAUTHORIZED;
    // Full request parameters are recorded verbatim as the operation detail.
    final String params = ctx.getParams().toString();
    final String action = ctx.getParams().get(CoreAdminParams.ACTION);

    final String collectionName;
    final String operationName;
    switch (perm) {
        case COLL_EDIT_PERM:
        case COLL_READ_PERM:
            collectionName = "admin";
            operationName = (action != null)
                    ? "CollectionAction." + action
                    : ctx.getHandler().getClass().getName();
            break;
        case CORE_EDIT_PERM:
        case CORE_READ_PERM:
            collectionName = "admin";
            operationName = (action != null) ? "CoreAdminAction." + action : "CoreAdminAction.STATUS";
            break;
        case READ_PERM:
        case UPDATE_PERM: {
            // Comma-separated list of every collection the request names.
            StringBuilder joined = new StringBuilder();
            boolean first = true;
            for (CollectionRequest r : ctx.getCollectionRequests()) {
                if (!first) {
                    joined.append(',');
                }
                joined.append(r.collectionName);
                first = false;
            }
            collectionName = joined.toString();
            operationName = (perm == Name.READ_PERM) ? SolrConstants.QUERY : SolrConstants.UPDATE;
            break;
        }
        default:
            // Nothing is audited for the remaining permission types.
            return;
    }
    auditLog.get().log(user, null, remoteAddr, operationName, params, when, outcome, collectionName);
}
From source file:org.apache.sentry.binding.solr.authz.SolrAuthzBinding.java
License:Apache License
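/**
 * Authorizes a Solr operation against every authorizable it touches.
 *
 * <p>Each element of {@code authorizables} is checked on its own against the configured
 * provider; the first one the subject may not access ends the check with
 * {@linkplain AuthorizationResponse#FORBIDDEN}.
 *
 * @param subject The user invoking the SOLR operation
 * @param authorizables The {@linkplain SolrModelAuthorizable}s associated with the operation
 *     (for example an admin operation, or the config sets / schemas a request refers to)
 * @param actions The action performed as part of the operation (query or update)
 * @return {@linkplain AuthorizationResponse#OK} If the subject has access to every authorizable
 *     {@linkplain AuthorizationResponse#FORBIDDEN} if any check fails.
 */
public AuthorizationResponse authorize(Subject subject,
        java.util.Collection<? extends SolrModelAuthorizable> authorizables, Set<SolrModelAction> actions) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("Going to authorize " + authorizables + " for subject " + subject.getName());
        LOG.debug("Actions: " + actions);
    }
    // NOTE(review): an empty authorizables collection returns OK without consulting the
    // provider. Callers that derive it from request parameters must never hand over an
    // empty collection for a request that requires authorization -- confirm at the call
    // sites, or deny on empty input here.
    for (SolrModelAuthorizable authorizable : authorizables) {
        // One single-element hierarchy per call; the explicit type witness keeps the same
        // List<Authorizable> element type the former array literal produced.
        if (!authProvider.hasAccess(subject, Arrays.<Authorizable>asList(authorizable), actions,
                ActiveRoleSet.ALL)) {
            return AuthorizationResponse.FORBIDDEN;
        }
    }
    return AuthorizationResponse.OK;
}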