apache / accumulo-proxy

Apache Accumulo Proxy
https://accumulo.apache.org
Apache License 2.0

Remove tests that switch users #68

Closed DomGarguilo closed 1 year ago

DomGarguilo commented 1 year ago

This PR:

DomGarguilo commented 1 year ago

> Overall the changes look good. Was it discussed somewhere else as to why these tests are removed versus fixing?

Yea good point, sorry. There has been an effort to remove the use of multiple users in the proxy to reduce complexity. Most of that was taken care of in #59

ctubbsii commented 1 year ago

> > Overall the changes look good. Was it discussed somewhere else as to why these tests are removed versus fixing?
>
> Yea good point, sorry. There has been an effort to remove the use of multiple users in the proxy to reduce complexity. Most of that was taken care of in #59

I think the previous comment by @Manno15 still had a point. Some of those tests probably needed fixing, rather than removal. For example, the permissions test could be changed so that the permissions are added/removed by the root user using the minicluster API directly, and the Proxy instance could be used to check the regular user's permissions are appropriately enabled/restricted.

Similarly, the conditional writer test was doing some checks with the authorizations, which could have been manipulated in minicluster. Multiple proxy instances for separate users (using separate proxy config files for each separate user) would have also worked.

DomGarguilo commented 1 year ago

> For example, the permissions test could be changed so that the permissions are added/removed by the root user using the minicluster API directly, and the Proxy instance could be used to check the regular user's permissions are appropriately enabled/restricted.

@ctubbsii, what do you mean by "regular user" here? In the tests when using the minicluster, the only user that is created/used is the root user.

ctubbsii commented 1 year ago

> > For example, the permissions test could be changed so that the permissions are added/removed by the root user using the minicluster API directly, and the Proxy instance could be used to check the regular user's permissions are appropriately enabled/restricted.
>
> @ctubbsii, what do you mean by "regular user" here? In the tests when using the minicluster, the only user that is created/used is the root user.

Look for lines that say client.createLocalUser. Those created an unprivileged user whose permissions were manipulated to verify that the permissions worked as expected in the proxy. There are a few things that were being verified by those tests:

  1. The proxy's ability to create a user
  2. The proxy's ability to switch users
  3. The proxy's ability to execute the grant/revoke permission APIs
  4. Verifying the new user's permissions were enforced when performing the operation whose permission was granted/revoked

We still want to make sure we have proxy test coverage for 1 and 3. We could rely on Accumulo's own enforcement testing for 4, since the proxy now only has one user... and there's no risk of it using the wrong user's permissions now, but if we want the same coverage as before, we'll need to do some alternative to item 2, which we no longer need to test, as it is not supported.