This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 7581932 RANGER-2405: Evaluation of Ranger policies targeted to valid
but partial resources
7581932 is described below
commit 7581932cb42ecb908925f4dfc844cb190ad504cd
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Mon Apr 22 09:37:08 2019 -0700
RANGER-2405: Evaluation of Ranger policies targeted to valid but partial
resources
---
.../policyengine/RangerPolicyEngineImpl.java | 2 +-
.../RangerDefaultPolicyEvaluator.java | 5 +-
.../RangerDefaultPolicyResourceMatcher.java | 12 +-
.../RangerPolicyResourceMatcher.java | 4 +-
.../plugin/policyengine/TestPolicyEngine.java | 7 +
.../TestDefaultPolicyResourceMatcher.java | 2 +
...engine_hive_with_partial_resource_policies.json | 321 +++++++++++++++++++++
.../test_defaultpolicyresourcematcher.json | 32 +-
...faultpolicyresourcematcher_for_hive_policy.json | 8 +-
9 files changed, 364 insertions(+), 29 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index be256a9..35fa534 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -609,7 +609,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (request.getResourceMatchingScope() ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
} else {
- isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR_WITH_WILDCARDS;
}
if (!isMatched) {
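Review bot: The predicate `matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR_WITH_WILDCARDS` introduced here is introduced verbatim again in RangerDefaultPolicyEvaluator (its second hunk, @@ -245,7 +248,7), so the rule deciding which match types satisfy a non-descendant access request now lives in two places that can drift apart. Because this line decides whether access is granted, a single shared helper beside the MatchType enum, e.g. `static boolean isMatchedForExactScope(MatchType t) { return t == MatchType.SELF || t == MatchType.ANCESTOR_WITH_WILDCARDS; }` (an interface static method if the build targets Java 8+, otherwise a method on the enum), would keep both callers in step. A short why-comment on the changed line would also help the next reader: `// only SELF and wildcard-covered ancestor matches grant access here; a plain ANCESTOR match does not (RANGER-2405)`. The enclosing method starts and ends outside the hunk.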
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index f1e999a..580a32c 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -234,6 +234,9 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
if
(RangerTagAccessRequest.class.isInstance(request)) {
matchType = ((RangerTagAccessRequest)
request).getMatchType();
+ if (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
+ matchType =
RangerPolicyResourceMatcher.MatchType.SELF;
+ }
} else {
matchType = resourceMatcher != null ?
resourceMatcher.getMatchType(request.getResource(), request.getContext()) :
RangerPolicyResourceMatcher.MatchType.NONE;
}
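Review bot: The new remap of `MatchType.ANCESTOR` to `MatchType.SELF` for tag requests carries no comment, and it matters because the next hunk in this file drops ANCESTOR from the accepted match types in the final `else` branch, so without this remap a tag match reported at an ancestor level would presumably stop matching there. A one-line why-comment above the added `if` would make that dependency explicit: `// tag requests: an ANCESTOR match counts as SELF, since plain ANCESTOR no longer satisfies the exact-scope check below (RANGER-2405)`. A tag request reporting ANCESTOR_WITH_WILDCARDS is left untouched by this remap; if the tag path can produce that value, confirm that relying on the later predicate alone is the intended treatment. The enclosing method begins and ends outside the hunk.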
@@ -245,7 +248,7 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
} else if (request.getResourceMatchingScope()
== RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
} else {
- isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR_WITH_WILDCARDS;
}
if (isMatched) {
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 12a1c1c..b0fcf6e 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -599,14 +599,16 @@ public class RangerDefaultPolicyResourceMatcher
implements RangerPolicyResourceM
}
} else {
// More matchers than resource-values
- ret = MatchType.DESCENDANT;
-
if (lastMatchedMatcherIndex >=
lastNonAnyMatcherIndex) {
- ret = MatchType.ANCESTOR;
- if (lastMatchedMatcherIndex ==
lastNonAnyMatcherIndex && lastMatchedMatcherIndex == -1) {
- // For degenerate case :
resourceKeysSize == 0 and all matchers are of type Any
+ // all remaining matchers are of type Any
+ if (lastMatchedMatcherIndex == -1) {
+ // For degenerate case: empty resource
ret = MatchType.SELF;
+ } else {
+ ret =
MatchType.ANCESTOR_WITH_WILDCARDS;
}
+ } else {
+ ret = MatchType.DESCENDANT;
}
break;
}
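Review bot: The new `else { ret = MatchType.DESCENDANT; }` arm is the only arm of the restructured block without a comment, while its siblings explain themselves (`all remaining matchers are of type Any`, `For degenerate case: empty resource`); a matching line such as `// a non-Any matcher remains beyond the last matched one: the policy names a level the request does not` (presumably, given the `More matchers than resource-values` context) would complete it. Also worth a comment for the next reader: the degenerate check shrank from `lastMatchedMatcherIndex == lastNonAnyMatcherIndex && lastMatchedMatcherIndex == -1` to `lastMatchedMatcherIndex == -1`, which is equivalent only because the enclosing `>=` test forces `lastNonAnyMatcherIndex` to -1 in that case, assuming neither index is ever below -1. The enclosing method starts and ends outside the hunk.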
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index 4696d84..6c1591a 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -29,8 +29,8 @@ import
org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
public interface RangerPolicyResourceMatcher {
- enum MatchScope { SELF, SELF_OR_DESCENDANT, SELF_OR_ANCESTOR,
DESCENDANT, ANCESTOR, ANY };
- enum MatchType { NONE, SELF, DESCENDANT, ANCESTOR };
+ enum MatchScope { SELF, SELF_OR_DESCENDANT, SELF_OR_ANCESTOR,
DESCENDANT, ANCESTOR, ANY, ANCESTOR_WITH_WILDCARDS };
+ enum MatchType { NONE, SELF, DESCENDANT, ANCESTOR,
ANCESTOR_WITH_WILDCARDS };
void setServiceDef(RangerServiceDef serviceDef);
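Review bot: The two new `ANCESTOR_WITH_WILDCARDS` constants are added to a public interface without Javadoc, and nothing in the diff states how MatchType.ANCESTOR_WITH_WILDCARDS differs from ANCESTOR; a doc comment on the MatchType constant along the lines of "the request resource is matched by a policy that also names deeper levels, and every remaining policy level is a wildcard (any) matcher" (lifted from the `all remaining matchers are of type Any` comment in the default matcher hunk, if I read that branch correctly), with a parallel one on the MatchScope constant, would close that gap. Adding a value to these enums also widens what every implementer and every `switch` over MatchType or MatchScope must handle; the diffstat shows the default matcher changing only the 12 lines of its getMatchType hunk, so this commit adds no branch that evaluates the new MatchScope against a match type, which is worth confirming wherever MatchScope is switched on. Appending the constants at the end of each enum keeps existing ordinals stable, which is the right choice if anything persists or compares ordinals.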
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index e019e62..5a47ba4 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -219,6 +219,13 @@ public class TestPolicyEngine {
}
@Test
+ public void testPolicyEngine_hive_with_partial_resource_policies() {
+ String[] hiveTestResourceFiles = {
"/policyengine/test_policyengine_hive_with_partial_resource_policies.json" };
+
+ runTestsFromResourceFiles(hiveTestResourceFiles);
+ }
+
+ @Test
public void testPolicyEngine_hive() {
String[] hiveTestResourceFiles = {
"/policyengine/test_policyengine_hive.json" };
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
index 1755233..ab85399 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
@@ -145,6 +145,8 @@ public class TestDefaultPolicyResourceMatcher {
scope =
RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR;
} else if (StringUtils.equalsIgnoreCase(oneTest.type,
"ancestorMatch")) {
scope =
RangerPolicyResourceMatcher.MatchScope.ANCESTOR;
+ } else if (StringUtils.equalsIgnoreCase(oneTest.type,
"ancestorWithWildcardsMatch")) {
+ scope =
RangerPolicyResourceMatcher.MatchScope.ANCESTOR_WITH_WILDCARDS;
} else if (StringUtils.equalsIgnoreCase(oneTest.type,
"anyMatch")) {
scope =
RangerPolicyResourceMatcher.MatchScope.ANY;
} else {
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_hive_with_partial_resource_policies.json
b/agents-common/src/test/resources/policyengine/test_policyengine_hive_with_partial_resource_policies.json
new file mode 100644
index 0000000..ea6617d
--- /dev/null
+++
b/agents-common/src/test/resources/policyengine/test_policyengine_hive_with_partial_resource_policies.json
@@ -0,0 +1,321 @@
+{
+ "serviceName": "hivedev",
+ "serviceDef": {
+ "name": "hive",
+ "id": 3,
+ "resources": [
+ {
+ "name": "database",
+ "level": 1,
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "isValidLeaf": true,
+ "label": "Hive Database",
+ "description": "Hive Database"
+ },
+ {
+ "name": "table",
+ "level": 2,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "isValidLeaf": true,
+ "label": "Hive Table",
+ "description": "Hive Table"
+ },
+ {
+ "name": "column",
+ "level": 3,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Column",
+ "description": "Hive Column"
+ }
+ ],
+ "accessTypes": [
+ {
+ "name": "select",
+ "label": "Select"
+ },
+ {
+ "name": "update",
+ "label": "Update"
+ },
+ {
+ "name": "create",
+ "label": "Create"
+ },
+ {
+ "name": "drop",
+ "label": "Drop"
+ },
+ {
+ "name": "alter",
+ "label": "Alter"
+ },
+ {
+ "name": "index",
+ "label": "Index"
+ },
+ {
+ "name": "lock",
+ "label": "Lock"
+ },
+ {
+ "name": "all",
+ "label": "All",
+ "impliedGrants": [
+ "select",
+ "update",
+ "create",
+ "drop",
+ "alter",
+ "index",
+ "lock"
+ ]
+ }
+ ]
+ },
+ "policies": [
+ {
+ "id": 1,
+ "name": "db=default: audit-all-access",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ]
+ },
+ "table": {
+ "values": [
+ "*"
+ ]
+ },
+ "column": {
+ "values": [
+ "*"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [],
+ "users": [],
+ "groups": [
+ "public"
+ ],
+ "delegateAdmin": false
+ }
+ ]
+ },
+ {
+ "id": 2,
+ "name": "db=default",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user1"
+ ],
+ "groups": [
+ ],
+ "delegateAdmin": false
+ }
+ ]
+ },
+ {
+ "id": 3,
+ "name": "db=default; table=table",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ]
+ },
+ "table": {
+ "values": [
+ "table"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user2"
+ ],
+ "groups": [
+ ],
+ "delegateAdmin": false
+ }
+ ]
+ },
+ {
+ "id": 4,
+ "name": "db=default; table=table; column=column",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ]
+ },
+ "table": {
+ "values": [
+ "table"
+ ]
+ },
+ "column": {
+ "values": [
+ "column"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user3"
+ ],
+ "groups": [
+ ],
+ "delegateAdmin": false
+ }
+ ]
+ }
+ ],
+ "tests": [
+ {"name":"ALLOW 'create database default default ;' for user1",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+
"accessType":"create","user":"user1","userGroups":[],"requestData":"create
database default ; for user1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ },
+ {"name":"DENY 'create database default ;' for user2",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+
"accessType":"create","user":"user2","userGroups":[],"requestData":"create
database default ; for user2"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ },
+ {"name":"DENY 'create database default ;' for user3",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+
"accessType":"create","user":"user3","userGroups":[],"requestData":"create
database default ; for user3"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ },
+ {"name":"DENY 'create table default.table ;' for user1",
+ "request":{
+ "resource":{"elements":{"database":"default", "table": "table"}},
+
"accessType":"create","user":"user1","userGroups":[],"requestData":"create
table default.table ; for user1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ },
+ {"name":"ALLOW 'create table default.table ;' for user2",
+ "request":{
+ "resource":{"elements":{"database":"default", "table": "table"}},
+
"accessType":"create","user":"user2","userGroups":[],"requestData":"create
table default.table ; for user2"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+ },
+ {"name":"DENY 'create table default.table ;' for user3",
+ "request":{
+ "resource":{"elements":{"database":"default", "table": "table"}},
+
"accessType":"create","user":"user3","userGroups":[],"requestData":"create
table default.table ; for user3"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ },
+ {"name":"DENY 'select column from default.table ;' for user1",
+ "request":{
+ "resource":{"elements":{"database":"default", "table": "table",
"column":"column"}},
+
"accessType":"select","user":"user1","userGroups":[],"requestData":"select
column from default.table ;' for user1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ },
+ {"name":"DENY 'select column from default.table ;' for user2",
+ "request":{
+ "resource":{"elements":{"database":"default", "table": "table",
"column":"column"}},
+
"accessType":"select","user":"user2","userGroups":[],"requestData":"select
column from default.table ;' for user2"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ },
+ {"name":"ALLOW 'select column from default.table ;' for user3",
+ "request":{
+ "resource":{"elements":{"database":"default", "table": "table",
"column":"column"}},
+
"accessType":"select","user":"user3","userGroups":[],"requestData":"select
column from default.table ;' for user3"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":4}
+ }
+ ]
+}
\ No newline at end of file
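Review bot: Several test names and requestData strings in the new fixture disagree with each other: the first case is named `create database default default ;` while its requestData reads `create database default ;`, and the three `select` cases' requestData end with a stray `'` (`… default.table ;' for user1`), which makes failure output confusing. None of the nine requests specifies a resource-matching scope, so this file exercises the exact-scope branch changed in the engine and evaluator but not the SELF_OR_DESCENDANTS branch against these partial policies; a request of that kind for user2 or user3 on `database=default` would pin that behaviour as well. The file is also committed without a trailing newline.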
diff --git
a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
index 211e0ed..68166f9 100644
---
a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
+++
b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
@@ -143,8 +143,8 @@
}
,
{
- "name": "MATCH for parent 'finance'",
- "type": "ancestorMatch",
+ "name": "MATCH for parent with wildcards 'finance'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance"}
},
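Review bot: Every `ancestorMatch` case in this file is retyped to `ancestorWithWildcardsMatch` (here, in the seven hunks that follow, and in the two hunks of test_defaultpolicyresourcematcher_for_hive_policy.json), so within the hunks shown no fixture still drives `MatchScope.ANCESTOR`, even though the test harness keeps accepting `ancestorMatch` and the enum keeps the constant. If a plain ANCESTOR match can still be produced or requested after this change, keeping at least one such case (for example one of the `finance` cases duplicated with the old type and its expected result) would stop that path from becoming untested; if it cannot, the now-unused `ancestorMatch` branch in TestDefaultPolicyResourceMatcher could be removed instead.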
@@ -287,8 +287,8 @@
}
,
{
- "name": "MATCH for parent 'finance'",
- "type": "ancestorMatch",
+ "name": "MATCH for parent with wildcards 'finance'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance"}
},
@@ -450,8 +450,8 @@
}
,
{
- "name": "MATCH for parent 'finance:tax'",
- "type": "ancestorMatch",
+ "name": "MATCH for parent with wildcards 'finance:tax'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance","table": "tax"}
},
@@ -460,8 +460,8 @@
}
,
{
- "name": "MATCH for parent 'finance'",
- "type": "ancestorMatch",
+ "name": "MATCH for parent with wildcards 'finance'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance"}
},
@@ -616,8 +616,8 @@
}
,
{
- "name": "MATCH for parent 'finance:tax'",
- "type": "ancestorMatch",
+ "name": "MATCH for parent with wildcards 'finance:tax'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance","table": "tax"}
},
@@ -626,8 +626,8 @@
}
,
{
- "name": "MATCH for parent 'finance'",
- "type": "ancestorMatch",
+ "name": "MATCH for parent with wildcards 'finance'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance"}
},
@@ -657,8 +657,8 @@
}
,
{
- "name": "MATCH for parent 'finance:tax'",
- "type": "ancestorMatch",
+ "name": "MATCH for parent with wildcards 'finance:tax'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance","table": "tax"}
},
@@ -777,8 +777,8 @@
}
,
{
- "name": "MATCH for parent 'finance:tax'",
- "type": "ancestorMatch",
+ "name": "MATCH for parent with wildcards 'finance:tax'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance","table": "tax"}
},
diff --git
a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json
b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json
index ddb171d..32df8b9 100644
---
a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json
+++
b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json
@@ -309,8 +309,8 @@
"result" : true
},
{
- "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*:'
policy",
- "type": "ancestorMatch",
+ "name": "Ancestor with wildcards match for
'finance,hr,tmp*:tax,employee,tmp*:' policy",
+ "type": "ancestorWithWildcardsMatch",
"policy" : {
"service" : "any",
"name" : "test",
@@ -382,8 +382,8 @@
"result" : false
},
{
- "name": "Ancestor match for 'finance,hr,tmp*::' policy",
- "type": "ancestorMatch",
+ "name": "Ancestor with wildcards match for 'finance,hr,tmp*::'
policy",
+ "type": "ancestorWithWildcardsMatch",
"policy" : {
"service" : "any",
"name" : "test",