List of usage examples for org.apache.solr.security AuthorizationResponse PROMPT
AuthorizationResponse PROMPT
From source file:org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl.java
License:Apache License
/**
 * Decides whether the request described by {@code authCtx} may proceed.
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>No user principal: {@code PROMPT} (the request is not authenticated).</li>
 *   <li>The short user name equals {@code solrSuperUser}: {@code OK}, without consulting the
 *       binding.</li>
 *   <li>The handler does not implement {@code PermissionNameProvider}: {@code OK}
 *       (see SOLR-11623).</li>
 *   <li>Otherwise the permission name selects the binding check to run.</li>
 * </ol>
 *
 * @param authCtx authorization context of the incoming request
 * @return {@code PROMPT}, {@code OK}, or whatever response the binding produced
 */
@Override
public AuthorizationResponse authorize(AuthorizationContext authCtx) {
    if (authCtx.getUserPrincipal() == null) {
        // Request not authenticated.
        return AuthorizationResponse.PROMPT;
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("Authorizing a request with authorization context {} ", SolrAuthzUtil.toString(authCtx));
    }

    String shortName = getShortUserName(authCtx.getUserPrincipal());
    // NOTE(review): the super user is allowed before any binding check and no audit() call is
    // made on this path -- confirm that this bypass is meant to be unaudited.
    if (this.solrSuperUser.equals(shortName)) {
        return AuthorizationResponse.OK;
    }

    if (!(authCtx.getHandler() instanceof PermissionNameProvider)) {
        /*
         * Some of the request handlers in SOLR do not implement PermissionNameProvider interface
         * and hence are incapable to providing the type of permission to be enforced for this
         * request. This is a design limitation (or a bug) on the SOLR side. Until that issue is
         * resolved, Solr/Sentry plugin needs to return OK for such requests.
         * Ref: SOLR-11623
         *
         * NOTE(review): this is a fail-open path; any authenticated user reaches such handlers.
         */
        return AuthorizationResponse.OK;
    }

    Subject subject = new Subject(shortName);
    Name perm = ((PermissionNameProvider) authCtx.getHandler()).getPermissionName(authCtx);

    switch (perm) {
        case READ_PERM:
        case UPDATE_PERM: {
            final Set<SolrModelAction> wanted;
            if (perm == Name.READ_PERM) {
                wanted = QUERY;
            } else {
                wanted = UPDATE;
            }
            // Starts as FORBIDDEN, so a request that names no collection is denied.
            AuthorizationResponse decision = AuthorizationResponse.FORBIDDEN;
            for (CollectionRequest collReq : authCtx.getCollectionRequests()) {
                decision = binding.authorizeCollection(subject, new Collection(collReq.collectionName), wanted);
                if (!AuthorizationResponse.OK.equals(decision)) {
                    // First non-OK collection decides the whole request.
                    break;
                }
            }
            audit(perm, authCtx, decision);
            return decision;
        }

        // NOTE(review): the security, config, schema, metrics and autoscaling branches return
        // the binding's response without calling audit() -- confirm that is intentional.
        case SECURITY_EDIT_PERM: {
            return binding.authorize(subject, Collections.singleton(AdminOperation.SECURITY), UPDATE);
        }
        case SECURITY_READ_PERM: {
            return binding.authorize(subject, Collections.singleton(AdminOperation.SECURITY), QUERY);
        }

        case CORE_READ_PERM:
        case CORE_EDIT_PERM:
        case COLL_READ_PERM:
        case COLL_EDIT_PERM: {
            boolean collectionScope = perm == Name.COLL_READ_PERM || perm == Name.COLL_EDIT_PERM;
            boolean readOnly = perm == Name.COLL_READ_PERM || perm == Name.CORE_READ_PERM;
            SolrModelAuthorizable adminTarget =
                    collectionScope ? AdminOperation.COLLECTIONS : AdminOperation.CORES;
            Set<SolrModelAction> wanted = readOnly ? QUERY : UPDATE;

            AuthorizationResponse decision =
                    binding.authorize(subject, Collections.singleton(adminTarget), wanted);
            audit(perm, authCtx, decision);
            if (!AuthorizationResponse.OK.equals(decision)) {
                return decision;
            }

            // Apply collection/core-level permissions check as well.
            for (Map.Entry<String, SolrModelAction> target
                    : SolrAuthzUtil.getCollectionsForAdminOp(authCtx).entrySet()) {
                decision = binding.authorizeCollection(subject, new Collection(target.getKey()),
                        Collections.singleton(target.getValue()));
                Name auditedAs = target.getValue().equals(SolrModelAction.UPDATE)
                        ? Name.UPDATE_PERM
                        : Name.READ_PERM;
                audit(auditedAs, authCtx, decision);
                if (!AuthorizationResponse.OK.equals(decision)) {
                    break;
                }
            }
            return decision;
        }

        case CONFIG_EDIT_PERM: {
            return binding.authorize(subject, SolrAuthzUtil.getConfigAuthorizables(authCtx), UPDATE);
        }
        case CONFIG_READ_PERM: {
            return binding.authorize(subject, SolrAuthzUtil.getConfigAuthorizables(authCtx), QUERY);
        }
        case SCHEMA_EDIT_PERM: {
            return binding.authorize(subject, SolrAuthzUtil.getSchemaAuthorizables(authCtx), UPDATE);
        }
        case SCHEMA_READ_PERM: {
            return binding.authorize(subject, SolrAuthzUtil.getSchemaAuthorizables(authCtx), QUERY);
        }

        case METRICS_HISTORY_READ_PERM:
        case METRICS_READ_PERM: {
            return binding.authorize(subject, Collections.singleton(AdminOperation.METRICS), QUERY);
        }

        case AUTOSCALING_READ_PERM:
        case AUTOSCALING_HISTORY_READ_PERM: {
            return binding.authorize(subject, Collections.singleton(AdminOperation.AUTOSCALING), QUERY);
        }
        case AUTOSCALING_WRITE_PERM: {
            return binding.authorize(subject, Collections.singleton(AdminOperation.AUTOSCALING), UPDATE);
        }

        case ALL: {
            // Allowed for every authenticated user, with no binding check.
            return AuthorizationResponse.OK;
        }
    }

    // The switch above is intended to handle all possible permission types and has no default
    // branch. NOTE(review): a permission name without a case above would land here and be
    // allowed -- verify the case list against the Name constants of the Solr version in use.
    return AuthorizationResponse.OK;
}