This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 3e6df72 RANGER-2465:Create a PolicyCondition to apply if all given
tags are present for the accessed resource-addon-sampleTagDef
3e6df72 is described below
commit 3e6df72d24c81aea6ef5adb978218a2eb9e3572f
Author: rmani <[email protected]>
AuthorDate: Thu Jun 13 13:18:44 2019 -0700
RANGER-2465:Create a PolicyCondition to apply if all given tags are present
for the accessed resource-addon-sampleTagDef
Signed-off-by: rmani <[email protected]>
---
...=> RangerTagsAllPresentConditionEvaluator.java} | 12 +--
.../test_multitag_policycondition-hive.json | 117 +++++++++++++++++++++
2 files changed, 123 insertions(+), 6 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerMultipleTagsConditionEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagsAllPresentConditionEvaluator.java
similarity index 78%
rename from
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerMultipleTagsConditionEvaluator.java
rename to
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagsAllPresentConditionEvaluator.java
index 6f0c12d..8616c66 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerMultipleTagsConditionEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagsAllPresentConditionEvaluator.java
@@ -28,16 +28,16 @@ import java.util.HashSet;
import java.util.Set;
-public class RangerMultipleTagsConditionEvaluator extends
RangerAbstractConditionEvaluator {
+public class RangerTagsAllPresentConditionEvaluator extends
RangerAbstractConditionEvaluator {
- private static final Log LOG =
LogFactory.getLog(RangerMultipleTagsConditionEvaluator.class);
+ private static final Log LOG =
LogFactory.getLog(RangerTagsAllPresentConditionEvaluator.class);
private final Set<String> policyConditionTags = new HashSet<>();
@Override
public void init() {
if(LOG.isDebugEnabled()) {
- LOG.debug("==>
RangerMultipleTagsConditionEvaluator.init(" + condition + ")");
+ LOG.debug("==>
RangerTagsAllPresentConditionEvaluator.init(" + condition + ")");
}
super.init();
@@ -49,7 +49,7 @@ public class RangerMultipleTagsConditionEvaluator extends
RangerAbstractConditio
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerMultipleTagsConditionEvaluator.init(" + condition + "): Tags[" +
policyConditionTags + "]");
+ LOG.debug("<==
RangerTagsAllPresentConditionEvaluator.init(" + condition + "): Tags[" +
policyConditionTags + "]");
}
}
@@ -57,7 +57,7 @@ public class RangerMultipleTagsConditionEvaluator extends
RangerAbstractConditio
public boolean isMatched(RangerAccessRequest request) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==>
RangerMultipleTagsConditionEvaluator.isMatched(" + request + ")");
+ LOG.debug("==>
RangerTagsAllPresentConditionEvaluator.isMatched(" + request + ")");
}
boolean matched = true;
@@ -72,7 +72,7 @@ public class RangerMultipleTagsConditionEvaluator extends
RangerAbstractConditio
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerMultipleTagsConditionEvaluator.isMatched(" + request+ "): " + matched);
+ LOG.debug("<==
RangerTagsAllPresentConditionEvaluator.isMatched(" + request+ "): " + matched);
}
return matched;
diff --git
a/agents-common/src/test/resources/policycondition/test_multitag_policycondition-hive.json
b/agents-common/src/test/resources/policycondition/test_multitag_policycondition-hive.json
new file mode 100644
index 0000000..9050181
--- /dev/null
+++
b/agents-common/src/test/resources/policycondition/test_multitag_policycondition-hive.json
@@ -0,0 +1,117 @@
+{
+ "serviceName":"hivedev",
+
+ "serviceDef":{
+ "name":"hive",
+ "id":3,
+ "resources":[
+
{"name":"url","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"S3 URL","description":"S3 Bucket URL"},
+
{"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
+
{"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
+
{"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
+
{"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
+ ],
+ "accessTypes":[
+ {"name":"select","label":"Select"},
+ {"name":"update","label":"Update"},
+ {"name":"create","label":"Create"},
+ {"name":"drop","label":"Drop"},
+ {"name":"alter","label":"Alter"},
+ {"name":"index","label":"Index"},
+ {"name":"lock","label":"Lock"},
+ {"name":"all","label":"All"}
+ ],
+ "contextEnrichers":
+ [
+ {
+ "itemId": 1,
+ "name" : "TagEnricher",
+ "enricher" :
"org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+ "enricherOptions" : {
+ "tagRetrieverClassName":
"org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever",
+ "tagRefresherPollingInterval": 60000
+ }
+ }
+ ],
+ "policyConditions":
+ [
+ {
+ "itemId":1,
+ "name":"accessed-after-expiry",
+ "evaluator":
"org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+ "evaluatorOptions" : {
"scriptTemplate":"ctx.isAccessedAfter('expiry_date');" },
+ "uiHint": "{ \"singleValue\":true }",
+ "label":"Accessed after expiry_date (yes/no)?",
+ "description": "Accessed after expiry_date? (yes/no)"
+ },
+ {
+ "itemId":2,
+ "name":"expression",
+ "evaluator":
"org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript",
"ui.isMultiline":"true"},
+ "label":"Enter boolean expression",
+ "description": "Boolean expression"
+ },
+ {
+ "itemId":3,
+ "name":"tags",
+ "evaluator":
"org.apache.ranger.plugin.conditionevaluator.RangerTagsAllPresentConditionEvaluator",
+ "label":"All tags present?",
+ "description": "All tags present condition"
+ }
+ ]
+
+ },
+
+ "tagDefinitions": {
+ "1":{"name":"PII"},
+
"2":{"name":"EXPIRES_ON","attributeDefs":[{"name":"expiry_date","type":"date"}]},
+ "3":{"name":"FINANCE"},
+ "4":{"name":"PCI"},
+ "5":{"name":"HIPPA"}
+ },
+
+ "tags": {
+ "1":{"type":"PII"},
+ "2":{"type":"EXPIRES_ON","attributes":{"expiry_date":"2015/12/31"}},
+ "3":{"type":"FINANCE"},
+ "4":{"type":"EXPIRES_ON","attributes":{"expiry_date":"2025/12/31"}},
+ "5":{"type":"PCI"},
+ "6":{"type":"HIPPA"}
+ },
+
+ "serviceResources": [
+
{"id":1,"serviceName":"cl1_hive","resourceElements":{"database":{"values":["hr"]},"table":{"values":["employee"]},"column":{"values":["ssn"]}}},
+
{"id":2,"serviceName":"cl1_hive","resourceElements":{"database":{"values":["finance"]}}},
+
{"id":3,"serviceName":"cl1_hive","resourceElements":{"database":{"values":["finance"]},"table":{"values":["tax_2010"]}}},
+
{"id":4,"serviceName":"cl1_hive","resourceElements":{"database":{"values":["finance"]},"table":{"values":["tax_2010"]},"column":{"values":["ssn"]}}},
+
{"id":5,"serviceName":"cl1_hive","resourceElements":{"url":{"values":["someurl"]}}},
+
{"id":6,"serviceName":"cl1_hive","resourceElements":{"database":{"values":["def?n"]}}}
+ ],
+
+ "resourceToTagIds": {
+ "1":[1],
+ "2":[3],
+ "3":[2],
+ "4":[1, 4],
+ "5":[1],
+ "6":[5]
+ },
+
+ "tests":[
+ {"name":"multitag-policy-for-financeDB",
+ "resource":{"elements":{"database":"finance"}},
+ "accessType": "read",
+ "conditions": [
+ {
+ "type": "tags",
+ "values": [
+ "PCI",
+ "HIPPA"
+ ]
+ }
+ ],
+ "result":[{"type":"EXPIRES_ON"}, {"type":"FINANCE"}, {"type":"PII"},
{"type":"EXPIRES_ON"},{"type":"PCI"}, {"type":"HIPPA"}]
+ }
+ ]
+}
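Review bot: The `tests` array holds a single case, and nothing in it covers a resource that carries only some of the tags named in the condition, which is the case an all-tags-present evaluator must reject. In this fixture `finance` (service resource 2) maps only to tag id 3 (`FINANCE`), yet the condition values are `PCI` and `HIPPA` and `result` lists all six tags, so it is unclear what outcome the case asserts; how the harness consumes `result` is not visible here. I would add a second case whose resource has `PCI` but not `HIPPA` with an expected outcome of no match, plus one with an empty `values` list to pin down whether an empty condition matches. `"accessType": "read"` is also not among the `accessTypes` declared above (`select`, `update`, …); `"accessType": "select"` would keep the fixture self-consistent. Separately, the `evaluator` entry for itemId 3 names the class by string, so any service definition still carrying `RangerMultipleTagsConditionEvaluator` would need updating after this rename.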