OPENDJ-1351 (CR-3830) Require a privilege needed for searching cn=changelog - Upgrade task
* tools.properties
** Adding the description message of the upgrade task
* Upgrade.java
** Upgrade task n° 2.7.0.10820 which add the 'changelog-read' value to the Root DNs default privilege list
* ExternalChangeLogTest.java
** ChangeLog privilege unit test code refactoring to make it more compact ant more meaningful
| | |
|---|
| | | INFO_UPGRADE_TASK_10339_1_SUMMARY_10026=Updating ds-cfg-override-severity attribute in Replication Repair Logger |
|---|
| | | INFO_UPGRADE_TASK_10733_1_SUMMARY_10027=Removing 'dc=replicationchanges' backend |
|---|
| | | INFO_UPGRADE_TASK_10733_2_SUMMARY_10028=Removing ACI for 'dc=replicationchanges' |
|---|
| | | INFO_UPGRADE_TASK_10820_SUMMARY_10029=Adding default privilege 'changelog-read' to all root DNs |
|---|
| | |
|---|
| | | + "(version 3.0; acl \"Replication backend access\"; " |
|---|
| | | + "deny (all) userdn=\"ldap:///anyone\";)")); |
|---|
| | | |
|---|
| | | /** See OPENDJ-1351 */ |
|---|
| | | register("2.7.0.10820", |
|---|
| | | modifyConfigEntry(INFO_UPGRADE_TASK_10820_SUMMARY.get(), |
|---|
| | | "(objectClass=ds-cfg-root-dn)", |
|---|
| | | "add: ds-cfg-default-root-privilege-name", |
|---|
| | | "ds-cfg-default-root-privilege-name: changelog-read")); |
|---|
| | | |
|---|
| | | /* |
|---|
| | | * All upgrades will refresh the server configuration schema and generate |
|---|
| | | * a new upgrade folder. |
|---|
| | |
|---|
| | | ECLFilterOnReplicationCSN(csn); |
|---|
| | | } |
|---|
| | | |
|---|
| | | //Verifies that is not possible to read the changelog without the changelog-read privilege |
|---|
| | | /** |
|---|
| | | * Verifies that is not possible to read the changelog without the changelog-read privilege |
|---|
| | | */ |
|---|
| | | @Test(enabled=true, dependsOnMethods = { "ECLReplicationServerTest"}) |
|---|
| | | public void ECLChangelogReadPrivilegeTest() throws Exception |
|---|
| | | { |
|---|
| | | InternalClientConnection conn = |
|---|
| | | new InternalClientConnection(new AuthenticationInfo()); |
|---|
| | | InternalSearchOperation ico = conn.processSearch( |
|---|
| | | "cn=changelog", |
|---|
| | | SearchScope.WHOLE_SUBTREE, |
|---|
| | | DereferenceAliasesPolicy.NEVER, |
|---|
| | | 0, // Size limit |
|---|
| | | 0, // Time limit |
|---|
| | | false, // Types only |
|---|
| | | "(objectclass=*)", |
|---|
| | | ALL_ATTRIBUTES, |
|---|
| | | NO_CONTROL, |
|---|
| | | null); |
|---|
| | | { |
|---|
| | | AuthenticationInfo nonPrivilegedUser = new AuthenticationInfo(); |
|---|
| | | |
|---|
| | | assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS); |
|---|
| | | assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get()); |
|---|
| | | InternalClientConnection conn = new InternalClientConnection(nonPrivilegedUser); |
|---|
| | | InternalSearchOperation ico = conn.processSearch("cn=changelog", SearchScope.WHOLE_SUBTREE, "(objectclass=*)"); |
|---|
| | | |
|---|
| | | assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS); |
|---|
| | | assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get()); |
|---|
| | | } |
|---|
| | | |
|---|
| | | private void ECLIsNotASupportedSuffix() throws Exception |
|---|
