Repository: ranger
Updated Branches:
  refs/heads/master c8f67ce7c -> 3b510f8c0


http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
new file mode 100644
index 0000000..e92a2e6
--- /dev/null
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -0,0 +1,211 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import static org.junit.Assert.*;
+
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.lang.reflect.Type;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import com.google.gson.JsonDeserializationContext;
+import com.google.gson.JsonDeserializer;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonParseException;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.util.ServicePolicies;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
+public class TestPolicyACLs {
+       private static Gson gsonBuilder;
+
+       @BeforeClass
+       public static void setUpBeforeClass() throws Exception {
+               gsonBuilder = new 
GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
+                               .setPrettyPrinting()
+                               
.registerTypeAdapter(RangerAccessResource.class, new 
RangerResourceDeserializer())
+                               .create();
+
+       }
+
+       @AfterClass
+       public static void tearDownAfterClass() throws Exception {
+       }
+
+       @Before
+       public void setUp() throws Exception {
+       }
+
+       @After
+       public void tearDown() throws Exception {
+       }
+
+       @Test
+       public void testResourceMatcher_default() throws Exception {
+               String[] tests = { 
"/policyengine/test_aclprovider_default.json" };
+
+               runTestsFromResourceFiles(tests);
+       }
+
+       private void runTestsFromResourceFiles(String[] resourceNames) throws 
Exception {
+               for(String resourceName : resourceNames) {
+                       InputStream       inStream = 
this.getClass().getResourceAsStream(resourceName);
+                       InputStreamReader reader   = new 
InputStreamReader(inStream);
+
+                       runTests(reader, resourceName);
+               }
+       }
+
+       private void runTests(InputStreamReader reader, String testName) throws 
Exception {
+               PolicyACLsTests testCases = gsonBuilder.fromJson(reader, 
PolicyACLsTests.class);
+
+               assertTrue("invalid input: " + testName, testCases != null && 
testCases.testCases != null);
+
+               for(PolicyACLsTests.TestCase testCase : testCases.testCases) {
+                       RangerPolicyEngineOptions policyEngineOptions = new 
RangerPolicyEngineOptions();
+                       RangerPolicyEngine policyEngine = new 
RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, 
policyEngineOptions);
+
+                       for(PolicyACLsTests.TestCase.OneTest oneTest : 
testCase.tests) {
+                               if(oneTest == null) {
+                                       continue;
+                               }
+                               RangerAccessRequestImpl request = new 
RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, 
null);
+                               policyEngine.preProcess(request);
+                               RangerResourceACLs acls = 
policyEngine.getResourceACLs(request);
+
+                               boolean userACLsMatched = true, 
groupACLsMatched = true;
+
+                               if (MapUtils.isNotEmpty(acls.getUserACLs()) && 
MapUtils.isNotEmpty(oneTest.userPermissions)) {
+
+                                       for (Map.Entry<String, Map<String, 
RangerResourceACLs.AccessResult>> entry :
+                                                       
acls.getUserACLs().entrySet()) {
+                                               String userName = 
entry.getKey();
+                                               Map<String, 
RangerResourceACLs.AccessResult> expected = 
oneTest.userPermissions.get(userName);
+                                               if 
(MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
+                                                       // Compare
+                                                       for (Map.Entry<String, 
RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
+                                                               if 
(StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
+                                                                       
continue;
+                                                               }
+                                                               
RangerResourceACLs.AccessResult expectedResult = 
expected.get(privilege.getKey());
+                                                               if 
(expectedResult == null) {
+                                                                       
userACLsMatched = false;
+                                                                       break;
+                                                               } else if 
(!expectedResult.equals(privilege.getValue())) {
+                                                                       
userACLsMatched = false;
+                                                                       break;
+                                                               }
+                                                       }
+                                               } else if 
(!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
+                                                       Set<String> privileges 
= entry.getValue().keySet();
+                                                       if (privileges.size() 
== 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
+                                                               userACLsMatched 
= true;
+                                                       } else {
+                                                               userACLsMatched 
= false;
+                                                       }
+                                                       break;
+                                               }
+                                               if (!userACLsMatched) {
+                                                       break;
+                                               }
+                                       }
+                               } else if 
(!(MapUtils.isEmpty(acls.getUserACLs()) && 
MapUtils.isEmpty(oneTest.userPermissions))) {
+                                       userACLsMatched = false;
+                               }
+
+                               if (MapUtils.isNotEmpty(acls.getGroupACLs()) && 
MapUtils.isNotEmpty(oneTest.groupPermissions)) {
+                                       for (Map.Entry<String, Map<String, 
RangerResourceACLs.AccessResult>> entry :
+                                                       
acls.getGroupACLs().entrySet()) {
+                                               String groupName = 
entry.getKey();
+                                               Map<String, 
RangerResourceACLs.AccessResult> expected = 
oneTest.groupPermissions.get(groupName);
+                                               if 
(MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
+                                                       // Compare
+                                                       for (Map.Entry<String, 
RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
+                                                               if 
(StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
+                                                                       
continue;
+                                                               }
+                                                               
RangerResourceACLs.AccessResult expectedResult = 
expected.get(privilege.getKey());
+                                                               if 
(expectedResult == null) {
+                                                                       
groupACLsMatched = false;
+                                                                       break;
+                                                               } else if 
(!expectedResult.equals(privilege.getValue())) {
+                                                                       
groupACLsMatched = false;
+                                                                       break;
+                                                               }
+                                                       }
+                                               } else if 
(!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
+                                                       Set<String> privileges 
= entry.getValue().keySet();
+                                                       if (privileges.size() 
== 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
+                                                               
groupACLsMatched = true;
+                                                       } else {
+                                                               
groupACLsMatched = false;
+                                                       }
+                                                       break;
+                                               }
+                                               if (!groupACLsMatched) {
+                                                       break;
+                                               }
+                                       }
+                               } else if 
(!(MapUtils.isEmpty(acls.getGroupACLs()) && 
MapUtils.isEmpty(oneTest.groupPermissions))) {
+                                       groupACLsMatched = false;
+                               }
+
+                               assertTrue("getResourceACLs() failed! " + 
testCase.name + ":" + oneTest.name, userACLsMatched && groupACLsMatched);
+                       }
+               }
+       }
+
+       static class PolicyACLsTests {
+               List<TestCase> testCases;
+
+               class TestCase {
+                       String               name;
+                       ServicePolicies      servicePolicies;
+                       List<OneTest>        tests;
+
+                       class OneTest {
+                               String               name;
+                               RangerAccessResource   resource;
+                               Map<String, Map<String, 
RangerResourceACLs.AccessResult>> userPermissions;
+                               Map<String, Map<String, 
RangerResourceACLs.AccessResult>> groupPermissions;
+                       }
+               }
+       }
+
+       static class RangerResourceDeserializer implements 
JsonDeserializer<RangerAccessResource> {
+               @Override
+               public RangerAccessResource deserialize(JsonElement jsonObj, 
Type type,
+                                                       
JsonDeserializationContext context) throws JsonParseException {
+                       return gsonBuilder.fromJson(jsonObj, 
RangerAccessResourceImpl.class);
+               }
+       }
+}
+

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 325626a..4ed9a6f 100644
--- 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -366,6 +366,7 @@ public class TestPolicyEngine {
                RangerPolicyEngineOptions policyEngineOptions = new 
RangerPolicyEngineOptions();
 
                policyEngineOptions.disableTagPolicyEvaluation = false;
+               policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary 
= false;
 
                boolean useForwardedIPAddress = 
RangerConfiguration.getInstance().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress",
 false);
                String trustedProxyAddressString = 
RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
@@ -376,8 +377,16 @@ public class TestPolicyEngine {
                        }
                }
                RangerPolicyEngine policyEngine = new 
RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
+
                policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
                policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
+
+               policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary 
= true;
+               RangerPolicyEngine policyEngineForResourceAccessInfo = new 
RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
+
+               
policyEngineForResourceAccessInfo.setUseForwardedIPAddress(useForwardedIPAddress);
+               
policyEngineForResourceAccessInfo.setTrustedProxyAddresses(trustedProxyAddresses);
+
                long requestCount = 0L;
 
                RangerAccessRequest request = null;
@@ -489,8 +498,9 @@ public class TestPolicyEngine {
                        }
 
                        if(test.resourceAccessInfo != null) {
+
                                RangerResourceAccessInfo expected = new 
RangerResourceAccessInfo(test.resourceAccessInfo);
-                               RangerResourceAccessInfo result   = 
policyEngine.getResourceAccessInfo(test.request);
+                               RangerResourceAccessInfo result   = 
policyEngineForResourceAccessInfo.getResourceAccessInfo(test.request);
 
                                assertNotNull("result was null! - " + 
test.name, result);
                                assertEquals("allowedUsers mismatched! - " + 
test.name, expected.getAllowedUsers(), result.getAllowedUsers());
@@ -617,6 +627,9 @@ public class TestPolicyEngine {
                        RangerAccessRequestImpl ret = 
gsonBuilder.fromJson(jsonObj, RangerAccessRequestImpl.class);
 
                        ret.setAccessType(ret.getAccessType()); // to force 
computation of isAccessTypeAny and isAccessTypeDelegatedAdmin
+                       if (ret.getAccessTime() == null) {
+                               ret.setAccessTime(new Date());
+                       }
 
                        return ret;
                }

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/resources/log4j.xml
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/log4j.xml 
b/agents-common/src/test/resources/log4j.xml
index 926f47c..d1a6f1c 100644
--- a/agents-common/src/test/resources/log4j.xml
+++ b/agents-common/src/test/resources/log4j.xml
@@ -34,8 +34,17 @@
             <param name="ConversionPattern" value="%d [%t] %m%n" />
         </layout>
     </appender>
-
     <!--
+    <logger name="org.apache.ranger.perf.policyengine.getResourceACLs" 
additivity="false">
+        <level value="debug" />
+        <appender-ref ref="ranger_perf_appender" />
+    </logger>
+
+    <logger name="org.apache.ranger.perf.policy.init.ACLSummary" 
additivity="false">
+        <level value="debug" />
+        <appender-ref ref="ranger_perf_appender" />
+    </logger>
+
     <logger name="org.apache.ranger.perf.policyengine" additivity="false">
         <level value="debug" />
         <appender-ref ref="ranger_perf_appender" />
@@ -75,13 +84,12 @@
         <level value="debug" />
         <appender-ref ref="ranger_perf_appender" />
     </logger>
-        -->
 
     <logger name="org.apache.ranger.perf.policyresourcematcher" 
additivity="false">
-        <level value="warn" />
+        <level value="debug" />
         <appender-ref ref="ranger_perf_appender" />
     </logger>
-
+        -->
     <root>
         <level value="warn" />
         <appender-ref ref="console" />

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/resources/policyengine/ACLResourceTags.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/ACLResourceTags.json 
b/agents-common/src/test/resources/policyengine/ACLResourceTags.json
new file mode 100644
index 0000000..711190c
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/ACLResourceTags.json
@@ -0,0 +1,207 @@
+{
+    "op":"add_or_update",
+    "tagModel":"resource_private",
+    "serviceName": "cl1_hive",
+    "tagDefinitions": {
+      "1": {
+        "name": "EXPIRES_ON",
+        "attributeDefs": [ { "name": "expiry_date", "type": "datetime" } ],
+        "id": 1,
+        "guid": "tagdefinition-expires-on-guid"
+      },
+      "2": {
+        "name": "PII",
+        "attributeDefs": [ { "name": "expiry", "type": "datetime" } ],
+        "id": 2,
+        "guid": "tagdefinition-pii-guid"
+      },
+      "3": {
+        "name": "PII-FINAL",
+        "attributeDefs": [ { "name": "expiry", "type": "datetime" } ],
+        "id": 3,
+        "guid": "tagdefinition-pii-final-guid"
+      },
+      "4": {
+        "name": "RESTRICTED",
+        "attributeDefs": [ { "name": "activation_date", "type": "datetime" } ],
+        "id": 4,
+        "guid": "tagdefinition-restricted-guid"
+      },
+      "5": {
+        "name": "RESTRICTED-FINAL",
+        "attributeDefs": [ { "name": "activation_date", "type": "datetime" } ],
+        "id": 5,
+        "guid": "tagdefinition-restricted-final-guid"
+      }
+    },
+    "tags": {
+      "1": {
+        "type": "EXPIRES_ON",
+        "attributes": { "expiry_date": "2026/06/15" },
+        "id": 1,
+        "guid": "tag-expires-on-1-guid"
+      },
+      "2": {
+        "type": "EXPIRES_ON",
+        "attributes": { "expiry_date": "2015/08/10" },
+        "id": 2,
+        "guid": "tag-expires-on-2-guid"
+      },
+      "3": {
+        "type": "RESTRICTED",
+        "attributes": { "activation_date": "2015/08/10", "score": "2" },
+        "id": 3,
+        "guid": "tag-restricted-3-guid"
+      },
+      "4": {
+        "type": "RESTRICTED-FINAL",
+        "attributes": { "activation_date": "2026/06/15" },
+        "id": 4,
+        "guid": "tag-restricted-final-4-guid"
+      },
+      "5": {
+        "type": "PII",
+        "attributes": { "expiry": "2026/06/15" },
+        "id": 5,
+        "guid": "tag-pii-5-guid"
+      },
+      "6": {
+        "type": "PII-FINAL",
+        "attributes": { "expiry": "2026/06/15" },
+        "id": 6,
+        "guid": "tag-pii-final-6-guid"
+      }
+    },
+    "serviceResources": [
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "ssn" ] }
+        },
+        "id": 1,
+        "guid": "employee.personal.ssn-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "id" ] }
+        },
+        "id": 2,
+        "guid": "employee.personal.id-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "city" ] }
+        },
+        "id": 3,
+        "guid": "employee.personal.city-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "address" ] }
+        },
+        "id": 4,
+        "guid": "employee.personal.address-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "salary" ] }
+        },
+        "id": 5,
+        "guid": "employee.personal.salary-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "emp-number" ] }
+        },
+        "id": 6,
+        "guid": "employee.personal.emp-number-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "name" ] }
+        },
+        "id": 7,
+        "guid": "employee.personal.name-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "nodb" ] }
+        },
+        "id": 8,
+        "guid": "nodb-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "nodb" ] },
+          "table": { "values": [ "table1" ] }
+        },
+        "id": 9,
+        "guid": "nodb.table1-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "nodb" ] },
+          "table": { "values": [ "table1" ] },
+          "column": { "values": [ "name" ] }
+        },
+        "id": 10,
+        "guid": "nodb.table1.name-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "finance" ] },
+          "table": { "values": [ "sales" ] }
+        },
+        "id": 11,
+        "guid": "finance.sales-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "finance" ] },
+          "table": { "values": [ "sales" ] },
+          "column": { "values": [ "invoice_id" ] }
+        },
+        "id": 12,
+        "guid": "finance.sales.invoice_id-guid"
+     }
+    ],
+    "resourceToTagIds": {
+      "1": [ 1 ],
+      "2": [ 2 ],
+      "3": [ 3 ],
+      "4": [ 4 ],
+      "5": [ 2 ],
+      "6": [ 2 ],
+      "8": [ 6 ],
+      "9": [ 5 ],
+      "10": [ 6 ],
+      "11": [ 6 ],
+      "12": [ 5 ]
+    }
+}
+

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
new file mode 100644
index 0000000..b4c4def
--- /dev/null
+++ 
b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
@@ -0,0 +1,586 @@
+{
+  "testCases": [
+    {
+      "name": "Test-ACL-Provider",
+
+      "servicePolicies": {
+        "serviceName": "hivedev",
+        "serviceDef": {
+          "name": "hive", "id": 3,
+          "resources": [
+            { "name": "database", "level": 1, "mandatory": true, 
"lookupSupported": true,
+              "matcher": 
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+              "matcherOptions": { "wildCard": true, "ignoreCase": true },
+              "label": "Hive Database", "description": "Hive Database"
+            },
+            {
+              "name": "table", "level": 2, "parent": "database", "mandatory": 
true, "lookupSupported": true,
+              "matcher": 
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+              "matcherOptions": { "wildCard": true, "ignoreCase": true },
+              "label": "Hive Table", "description": "Hive Table"
+            },
+            {
+              "name": "udf", "level": 2, "parent": "database", "mandatory": 
true, "lookupSupported": true,
+              "matcher": 
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+              "matcherOptions": { "wildCard": true, "ignoreCase": true },
+              "label": "Hive UDF", "description": "Hive UDF"
+            },
+            {
+              "name": "column", "level": 3, "parent": "table", "mandatory": 
true, "lookupSupported": true,
+              "matcher": 
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+              "matcherOptions": { "wildCard": true, "ignoreCase": true },
+              "label": "Hive Column", "description": "Hive Column"
+            }
+          ],
+          "accessTypes": [
+            { "name": "select", "label": "Select" },
+            { "name": "update", "label": "Update" },
+            { "name": "create", "label": "Create" },
+            { "name": "drop", "label": "Drop" },
+            { "name": "alter", "label": "Alter" },
+            { "name": "index", "label": "Index" },
+            { "name": "lock", "label": "Lock" },
+            { "name": "all", "label": "All" }
+          ],
+          "policyConditions":[
+            { "itemId": 1, "name": "ip-range",
+              "evaluator": 
"org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", 
"evaluatorOptions": { },
+              "label": "IP Address Range", "description": "IP Address Range"
+            }
+          ]
+        },
+        "policies": [
+          {
+            "id": 1, "name": "db=default: audit-all-access", "isEnabled": 
true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "*" ] },
+              "column": { "values": [ "*" ] }
+            },
+            "policyItems": [
+              { "accesses": [], "users": [], "groups": [ "public" ], 
"delegateAdmin": false }
+            ]
+          },
+          {
+            "id": 2, "name": "db=default; table=test1,test2; column=column1", 
"isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "test1", "test2" ] },
+              "column": { "values": [ "column1" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "group1", "group2" 
],
+                "delegateAdmin": false
+              },
+              { "accesses": [ { "type": "create", "isAllowed": true }, { 
"type": "drop", "isAllowed": true } ],
+                "users": [ "admin" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 3, "name": "db=default; table=test1,test2; column=column2", 
"isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "test1", "test2" ] },
+              "column": { "values": [ "column2" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "group1", "group2" 
],
+                "delegateAdmin": false
+              },
+              {
+                "accesses": [
+                  { "type": "create", "isAllowed": true },
+                  { "type": "drop", "isAllowed": true }
+                ],
+                "users": [ "admin" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 4, "name": "db=finance; table=fin_*; column=*", "isEnabled": 
true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "finance" ] },
+              "table": { "values": [ "fin_*" ] },
+              "column": { "values": [ "*" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ 
"finance-controller" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 5, "name": "db=db1; table=tmp; column=tmp*", "isEnabled": 
true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "db1" ] },
+              "table": { "values": [ "tmp" ] },
+              "column": { "values": [ "tmp*" ], "isExcludes": false }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "create", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "cluster-admin", 
"finance-controller" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 6, "name": "db=hr;udf=udf", "isEnabled": true, 
"isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "hr" ] },
+              "udf": { "values": [ "udf" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "create", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 7, "name": "db=hr;udf=udf*", "isEnabled": true, 
"isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "hr" ] },
+              "udf": { "values": [ "udf*" ] }
+            },
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "create", "isAllowed": true } ],
+                "users": [ "user3" ], "groups": [ "public" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 8, "name": "db=hr*;udf=udf", "isEnabled": true, 
"isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "hr*" ] },
+              "udf": { "values": [ "udf" ] }
+            },
+            "validitySchedules": [
+              { "startTime": "2018/01/12 14:32:00", "endTime": "2020/02/13 
12:16:00" }
+            ],
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "create", "isAllowed": true } ],
+                "users": [ "user4" ], "groups": [ "hr-admin" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 9, "name": "db=default; table=test2; column=column2", 
"isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "test2" ] },
+              "column": { "values": [ "column2" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user2", "user3" ], "groups": [],
+                "delegateAdmin": false
+              }
+            ],
+            "denyPolicyItems": [
+              {
+                "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "create", "isAllowed": true } ],
+                "users": [ "user2", "user3", "user4" ], "groups": [ "group3" ],
+                "delegateAdmin": false
+              }
+            ],
+            "denyExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user3" ], "groups": [],
+                "delegateAdmin": false
+              }
+            ]
+          },
+          {
+            "id": 10, "name": "db=finance; table=fin_*; column=salary", 
"isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "finance" ] },
+              "table": { "values": [ "fin_*" ] },
+              "column": { "values": [ "salary" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user3" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true,
+                "conditions":[{"type":"ip-range","values":["1.*.1.*"]}]
+              }
+            ]
+          },
+          {
+            "id": 11, "name": "db=default; table=table; column=column", 
"isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "table" ] },
+              "column": { "values": [ "column" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user1", "user2", "user3", "user4" ], "groups": [ 
"cluster-admin" ],
+                "delegateAdmin": true
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user4" ], "groups": [ "finance-admin" ],
+                "delegateAdmin": true
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user2", "user3" ], "groups": [ "public" ],
+                "delegateAdmin": true
+              }
+            ],
+            "denyExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user2", "user4" ], "groups": [],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 12, "name": "db=finance; table=accounts; column=status", 
"isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "finance" ] },
+              "table": { "values": [ "accounts" ] },
+              "column": { "values": [ "status" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "update", "isAllowed": true } ],
+                "users": [ "john", "jane" ], "groups": [ "accounting", "admin" 
],
+                "delegateAdmin": true
+              },
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [], "groups": [ "public" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": [ "mary" ], "groups": [ "interns" ]
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [], "groups": [ "housekeeping" ]
+              }
+            ]
+          },
+          {
+            "id": 13, "name": "db=finance; table=accounts; column=amount", 
"isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "finance" ] },
+              "table": { "values": [ "accounts" ] },
+              "column": { "values": [ "amount" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "update", "isAllowed": true } ],
+                "users": [ "john", "jane" ], "groups": [ "accounting", "admin" 
],
+                "delegateAdmin": true
+              },
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [], "groups": [ "public" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": [ "mary" ], "groups": [ "interns" ]
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "drop", "isAllowed": true } ],
+                "users": [], "groups": [ "housekeeping" ]
+              }
+            ]
+          },
+          {
+            "id": 13, "name": "db=db1; table=tbl1; column=col1", "isEnabled": 
true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "db1" ] },
+              "table": { "values": [ "tbl1" ] },
+              "column": { "values": [ "col1" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "update", "isAllowed": true } ],
+                "users": [ "john", "jane" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": [ "john" ],
+                "conditions":[{"type":"ip-range","values":["1.*.1.*"]}]
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "drop", "isAllowed": true } ],
+                "users": ["adam", "eve"]
+              }
+            ],
+            "denyExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true },  { 
"type": "drop", "isAllowed": true }],
+                "users": ["eve"],
+                "conditions":[{"type":"ip-range","values":["10.*.10.*"]}]
+              }
+            ]
+          },
+          {
+            "id": 14, "name": "db=db2; table=tbl2; column=col2", "isEnabled": 
true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "db2" ] },
+              "table": { "values": [ "tbl2" ] },
+              "column": { "values": [ "col2" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "update", "isAllowed": true } ],
+                "users": [ "john", "jane" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": [ "john" ]
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "drop", "isAllowed": true } ],
+                "users": ["adam", "eve"]
+              }
+            ],
+            "denyExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true },  { 
"type": "drop", "isAllowed": true }],
+                "users": ["eve"],
+                "conditions":[{"type":"ip-range","values":["10.*.10.*"]}]
+              }
+            ]
+          }
+        ],
+        "tagPolicies": {
+          "serviceName": "tagdev",
+          "serviceDef": {
+            "name": "tag", "id": 100,
+            "resources": [
+              { "itemId": 1, "name": "tag", "type": "string", "level": 1, 
"parent": "", "mandatory": true,
+                "lookupSupported": true, "recursiveSupported": false, 
"excludesSupported": false,
+                "matcher": 
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+                "matcherOptions": { "wildCard": true, "ignoreCase": false },
+                "label": "TAG", "description": "TAG"
+              }
+            ],
+            "accessTypes": [
+              { "itemId": 1, "name": "hive:select", "label": "hive:select" },
+              { "itemId": 2, "name": "hive:update", "label": "hive:update" },
+              { "itemId": 3, "name": "hive:create", "label": "hive:create" },
+              { "itemId": 4, "name": "hive:drop", "label": "hive:drop" },
+              { "itemId": 5, "name": "hive:alter", "label": "hive:alter" },
+              { "itemId": 6, "name": "hive:index", "label": "hive:index" },
+              { "itemId": 7, "name": "hive:lock", "label": "hive:lock" },
+              { "itemId": 8, "name": "hive:all", "label": "hive:all", 
+               "impliedGrants": [ "hive:select", "hive:update", "hive:create", 
"hive:drop", "hive:alter", "hive:index", "hive:lock" ] }
+            ],
+            "contextEnrichers": [
+              { "itemId": 1, "name": "TagEnricher",
+                "enricher": 
"org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+                "enricherOptions": {
+                  "tagRetrieverClassName": 
"org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever",
+                  "tagRefresherPollingInterval": 60000,
+                  "serviceTagsFileName": "/policyengine/ACLResourceTags.json"
+                }
+              }
+            ],
+            "policyConditions": [
+              { "itemId": 1, "name": "expression",
+                "evaluator": 
"org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+                "evaluatorOptions": { "engineName": "JavaScript", 
"ui.isMultiline": "true" },
+                "label": "Enter boolean expression", "description": "Boolean 
expression"
+              },
+              {
+                "itemId": 2, "name": "enforce-expiry",
+                "evaluator": 
"org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+                "evaluatorOptions": { "scriptTemplate": 
"ctx.isAccessedAfter('expiry_date');" },
+                "label": "Deny access after expiry_date?", "description": 
"Deny access after expiry_date? (yes/no)"
+              },
+              {
+                "itemId": 3, "name": "ip-range",
+                "evaluator": 
"org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", 
"evaluatorOptions": { },
+                "label": "IP Address Range", "description": "IP Address Range"
+              }
+            ]
+          },
+          "policies": [
+            { "id": 101, "name": "RESTRICTED_TAG_POLICY", "isEnabled": true, 
"isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "RESTRICTED" ], "isRecursive": false }
+              },
+              "policyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "hive", "user1" ],
+                  "groups": [],
+                  "delegateAdmin": false,
+                  "conditions": [
+                    { "type": "expression", "values": [ "if ( 
tagAttr.get('score') < 2 ) ctx.result = true;" ] }
+                  ]
+                }
+              ]
+            },
+            {
+              "id": 102, "name": "PII_TAG_POLICY", "isEnabled": true, 
"isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "PII" ], "isRecursive": false }
+              },
+              "policyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true }, 
{ "type": "hive:create", "isAllowed": true } ],
+                  "users": [ "hive" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ],
+              "denyPolicyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "hive" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ]
+            },
+            {
+              "id": 103, "name": "PII_TAG_POLICY-FINAL", "isEnabled": true, 
"isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "PII-FINAL" ], "isRecursive": false }
+              },
+              "policyItems": [
+                { "accesses": [ { "type": "hive:index", "isAllowed": true } ],
+                  "users": [ ], "groups": [ "public" ],
+                  "delegateAdmin": false,
+                  "conditions":[{"type":"ip-range","values":["1.*.1.*"]}]
+                }
+              ],
+              "denyPolicyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "admin" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ],
+              "denyExceptions": [
+                {
+                  "accesses": [
+                    { "type": "hive:drop", "isAllowed": true }
+                  ],
+                  "users": [ "hive" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ]
+            },
+            {
+              "id": 104, "name": "RESTRICTED_TAG_POLICY_FINAL", "isEnabled": 
true, "isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "RESTRICTED-FINAL" ], "isRecursive": 
false }
+              },
+              "denyPolicyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [], "groups": [ "public" ],
+                  "delegateAdmin": false
+                }
+              ],
+              "denyExceptions": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "hive", "user1" ], "groups": [],
+                  "delegateAdmin": false,
+                  "conditions": [
+                    { "type": "expression", "values": [ "if ( 
ctx.isAccessedBefore('activation_date') ) ctx.result = true;" ] }
+                  ]
+                }
+              ]
+            },
+            {
+              "id": 105, "name": "EXPIRES_ON", "isEnabled": true, 
"isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "EXPIRES_ON" ], "isRecursive": false }
+              },
+              "denyPolicyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [], "groups": [ "public" ],
+                  "delegateAdmin": false,
+                  "conditions": [
+                    { "type": "enforce-expiry", "values": [ "yes" ] }
+                  ]
+                }
+              ],
+              "denyExceptions": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "dataloader" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ]
+            }
+          ]
+        }
+      },
+
+      "tests": [
+        {
+          "name": "all-deny-test",
+          "resource": {"elements":{"database":"hr", "udf":"udf" }},
+          "userPermissions": {},
+          "groupPermissions": {"public": {"select":{"result":-1, 
"isFinal":true},"create":{"result":-1, "isFinal":true}}}
+        },
+        {
+          "name": "no-deny-test",
+          "resource": {"elements":{"database":"default", "table":"test1", 
"column":"column2"}},
+          "userPermissions": {"user1":{"select":{"result":1, "isFinal":true}}, 
"user2":{"select":{"result":1, "isFinal":true}}, "admin":{"create":{"result":1, 
"isFinal":true},"drop":{"result":1, "isFinal":true}}},
+          "groupPermissions": {"group1": {"select":{"result":1, 
"isFinal":true}}, "group2": {"select":{"result":1, 
"isFinal":true}},"cluster-admin": {"create":{"result":1, 
"isFinal":true},"drop":{"result":1, "isFinal":true}}}
+        },
+        {
+          "name": "partial-deny-test",
+          "resource": {"elements":{"database":"default", "table":"test2", 
"column":"column2"}},
+          "userPermissions": {"user1":{"select":{"result":1, "isFinal":true}}, 
"user2":{"select":{"result":-1, "isFinal":true},"create":{"result":-1, 
"isFinal":true}}, "user3":{"select":{"result":1, 
"isFinal":true},"create":{"result":-1, 
"isFinal":true}},"user4":{"select":{"result":-1, 
"isFinal":true},"create":{"result":-1, 
"isFinal":true}},"admin":{"create":{"result":1, 
"isFinal":true},"drop":{"result":1, "isFinal":true}}},
+          "groupPermissions": {"group1": {"select":{"result":1, 
"isFinal":true}}, "group2": {"select":{"result":1, "isFinal":true}},"group3": 
{"select":{"result":-1, "isFinal":true},"create":{"result":-1, 
"isFinal":true}},"cluster-admin": {"create":{"result":1, 
"isFinal":true},"drop":{"result":1, "isFinal":true}}}
+        },
+        {
+          "name": "conditional-deny-test",
+          "resource": {"elements":{"database":"finance", "table":"fin_1", 
"column":"salary"}},
+          "userPermissions": {"user1":{"select":{"result":1, "isFinal":true}}, 
"user2":{"select":{"result":1, "isFinal":true}}, "user3":{"select":{"result":2, 
"isFinal":true}} },
+          "groupPermissions": {"finance-controller": {"select":{"result":1, 
"isFinal":true}}, "cluster-admin": {"select":{"result":2, "isFinal":true}}}
+        },
+        {
+          "name": "conditional-tag-only-test-descendant",
+          "resource": {"elements":{"database":"finance", "table":"sales"}},
+          "userPermissions": {"hive":{"select":{"result":-1, 
"isFinal":true},"create":{"result":1, "isFinal":true}, "drop":{"result":-1, 
"isFinal":true}}, "admin":{"select":{"result":-1, "isFinal":true}} },
+          "groupPermissions": {"public": {"index":{"result":2, 
"isFinal":true}}}
+        },
+        {
+          "name": "all-types-of-policy-items",
+          "resource": {"elements":{"database":"default", "table":"table", 
"column":"column"}},
+          "userPermissions": {"user1":{"select":{"result":2, "isFinal":true}}, 
"user2":{"select":{"result":2, "isFinal":true}}, "user3":{"select":{"result":2, 
"isFinal":true}}, "user4":{"select":{"result":2, "isFinal":true}} },
+          "groupPermissions": {"public": {"select":{"result":2, 
"isFinal":true}}, "cluster-admin": {"select":{"result":2, "isFinal":true}}}
+        },
+        {
+          "name": "public-allow-test",
+          "resource": {"elements":{"database":"finance", "table":"accounts", 
"column": "status" }},
+          "userPermissions": {"john":{"select":{"result":2, "isFinal":true}, 
"update":{"result":2, "isFinal":true}}, "jane":{"select":{"result":2, 
"isFinal":true},"update":{"result":2, "isFinal":true}}, 
"mary":{"update":{"result":-1, "isFinal":true}}},
+          "groupPermissions": {"public": {"select":{"result":2, 
"isFinal":true}}, "accounting": {"select":{"result":2, 
"isFinal":true},"update":{"result":2, "isFinal":true}}, "admin": 
{"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, 
"interns":{"update":{"result":-1, "isFinal":true}}, 
"housekeeping":{"select":{"result":-1, "isFinal":true}}}
+        },
+        {
+          "name": "public-allow-test-next",
+          "resource": {"elements":{"database":"finance", "table":"accounts", 
"column": "amount" }},
+          "userPermissions": {"john":{"select":{"result":2, "isFinal":true}, 
"update":{"result":2, "isFinal":true}}, "jane":{"select":{"result":2, 
"isFinal":true},"update":{"result":2, "isFinal":true}}, 
"mary":{"update":{"result":-1, "isFinal":true}}},
+          "groupPermissions": {"public": {"select":{"result":2, 
"isFinal":true}}, "accounting": {"select":{"result":2, 
"isFinal":true},"update":{"result":2, "isFinal":true}}, "admin": 
{"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, 
"interns":{"update":{"result":-1, "isFinal":true}}, 
"housekeeping":{"drop":{"result":-1, "isFinal":true}}}
+        },
+        {
+          "name": "conditions-in-exceptions-test",
+          "resource": {"elements":{"database":"db1", "table":"tbl1", "column": 
"col1" }},
+          "userPermissions": {"john":{"select":{"result":2, "isFinal":true}, 
"update":{"result":2, "isFinal":true}}, "jane":{"select":{"result":2, 
"isFinal":true},"update":{"result":2, "isFinal":true}}, 
"adam":{"drop":{"result":2, "isFinal":true}}, "eve":{"drop":{"result":2, 
"isFinal":true}}},
+          "groupPermissions": {}
+        },
+        {
+          "name": "conditions-in-some-exceptions-test",
+          "resource": {"elements":{"database":"db2", "table":"tbl2", "column": 
"col2" }},
+          "userPermissions": {"john":{"select":{"result":1, "isFinal":true}, 
"update":{"result":-1, "isFinal":true}}, "jane":{"select":{"result":1, 
"isFinal":true},"update":{"result":1, "isFinal":true}}, 
"adam":{"drop":{"result":2, "isFinal":true}}, "eve":{"drop":{"result":2, 
"isFinal":true}}},
+          "groupPermissions": {}
+        }
+      ]
+    }
+  ]
+}

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 11f31e3..ef75887 100644
--- 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -224,7 +224,7 @@
         "resource":{"elements":{"database":"employee", "table":"personal", 
"column":"ssn"}},
         
"accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn 
from employee.personal;' for user1",
 
-        "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", 
\"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, 
\"matchType\":1}]"}
+        "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", 
\"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, 
\"matchType\":\"SELF\"}]"}
       },
       "result":{"isAudited":true,"isAllowed":true,"policyId":101}
     },

Reply via email to