This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 5100d60  RANGER-2507:Support for policy to implicitly deny all 
accesses not explicitly allowed by it
5100d60 is described below

commit 5100d60ce72333c220eddf3b1d9cb3556de23efd
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Tue Jul 16 22:24:30 2019 -0700

    RANGER-2507:Support for policy to implicitly deny all accesses not 
explicitly allowed by it
---
 .../ranger/plugin/errors/ValidationErrorCode.java  |  1 +
 .../apache/ranger/plugin/model/RangerPolicy.java   | 22 ++++++-
 .../model/validation/RangerPolicyValidator.java    | 11 ++++
 .../RangerAbstractPolicyEvaluator.java             |  2 +-
 .../RangerDefaultPolicyEvaluator.java              | 20 ++++++-
 .../RangerOptimizedPolicyEvaluator.java            | 26 +++++---
 .../policyevaluator/RangerPolicyEvaluator.java     | 69 +++++++++++++++++++++-
 .../policyengine/test_aclprovider_default.json     | 29 +++++++++
 .../policyengine/test_policyengine_hdfs.json       | 61 +++++++++++++++++++
 9 files changed, 227 insertions(+), 14 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index aa87c81..34f41f1 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -99,6 +99,7 @@ public enum ValidationErrorCode {
     POLICY_VALIDATION_ERR_UPDATE_ZONE_NAME_NOT_ALLOWED(3032, "Update of Zone 
name from={0} to={1} in policy is not supported"),
     POLICY_VALIDATION_ERR_NONEXISTANT_ZONE_NAME(3033, "Non-existent Zone 
name={0} in policy create"),
     POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE(3048, "Service name = 
{0} is not associated to Zone name = {1}"),
+    POLICY_VALIDATION_ERR_UNSUPPORTED_POLICY_ITEM_TYPE(3049, "Deny or 
deny-exceptions are not supported if policy has isDenyAllElse flag set to 
true"),
 
     // SECURITY_ZONE Validations
     SECURITY_ZONE_VALIDATION_ERR_UNSUPPORTED_ACTION(3034, "Internal error: 
unsupported action[{0}]; isValid() is only supported for DELETE"),
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index c228da5..31156f7 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -87,6 +87,7 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
        private List<RangerValiditySchedule>      validitySchedules;
        private List<String>                      policyLabels;
        private String                            zoneName;
+       private Boolean                           isDenyAllElse;
 
        public RangerPolicy() {
                this(null, null, null, null, null, null, null, null, null, 
null, null);
@@ -100,6 +101,10 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
                this(service, name, policyType, policyPriority, description, 
resources, policyItems, resourceSignature, options, validitySchedules, 
policyLables, zoneName, null);
        }
 
+       public RangerPolicy(String service, String name, Integer policyType, 
Integer policyPriority, String description, Map<String, RangerPolicyResource> 
resources, List<RangerPolicyItem> policyItems, String resourceSignature, 
Map<String, Object> options, List<RangerValiditySchedule> validitySchedules, 
List<String> policyLables, String zoneName, List<RangerPolicyItemCondition> 
conditions) {
+               this(service, name, policyType, policyPriority, description, 
resources, policyItems, resourceSignature, options, validitySchedules, 
policyLables, zoneName, conditions, null);
+       }
+
        /**
         * @param service
         * @param name
@@ -109,7 +114,7 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
         * @param policyItems
         * @param resourceSignature TODO
         */
-       public RangerPolicy(String service, String name, Integer policyType, 
Integer policyPriority, String description, Map<String, RangerPolicyResource> 
resources, List<RangerPolicyItem> policyItems, String resourceSignature, 
Map<String, Object> options, List<RangerValiditySchedule> validitySchedules, 
List<String> policyLables, String zoneName, List<RangerPolicyItemCondition> 
conditions) {
+       public RangerPolicy(String service, String name, Integer policyType, 
Integer policyPriority, String description, Map<String, RangerPolicyResource> 
resources, List<RangerPolicyItem> policyItems, String resourceSignature, 
Map<String, Object> options, List<RangerValiditySchedule> validitySchedules, 
List<String> policyLables, String zoneName, List<RangerPolicyItemCondition> 
conditions, Boolean isDenyAllElse) {
                super();
 
                setService(service);
@@ -131,6 +136,7 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
                setPolicyLabels(policyLables);
                setZoneName(zoneName);
                setConditions(conditions);
+               setIsDenyAllElse(isDenyAllElse);
 
        }
 
@@ -159,6 +165,7 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
                setPolicyLabels(other.getPolicyLabels());
                setZoneName(other.getZoneName());
                setConditions(other.getConditions());
+               setIsDenyAllElse(other.getIsDenyAllElse());
        }
 
        /**
@@ -509,6 +516,14 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
                this.conditions = conditions;
        }
 
+       public Boolean getIsDenyAllElse() {
+               return isDenyAllElse;
+       }
+
+       public void setIsDenyAllElse(Boolean isDenyAllElse) {
+               this.isDenyAllElse = isDenyAllElse == null ? Boolean.FALSE : 
isDenyAllElse;
+       }
+
        @Override
        public String toString( ) {
                StringBuilder sb = new StringBuilder();
@@ -641,7 +656,10 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
             }
         }
         sb.append(", zoneName=").append(zoneName);
-        sb.append("}");
+
+               sb.append(", isDenyAllElse={").append(isDenyAllElse).append("} 
");
+
+               sb.append("}");
 
                sb.append("}");
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 412d9e1..a854107 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -353,6 +353,17 @@ public class RangerPolicyValidator extends RangerValidator 
{
                                                .build());
                                        valid = false;
                                } else {
+                                       if 
(Boolean.TRUE.equals(policy.getIsDenyAllElse())) {
+                                               if 
(CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()) || 
CollectionUtils.isNotEmpty(policy.getDenyExceptions())) {
+                                                       ValidationErrorCode 
error = ValidationErrorCode.POLICY_VALIDATION_ERR_UNSUPPORTED_POLICY_ITEM_TYPE;
+                                                       failures.add(new 
ValidationFailureDetailsBuilder()
+                                                                       
.field("policy items")
+                                                                       
.becauseOf(error.getMessage())
+                                                                       
.errorCode(error.getErrorCode())
+                                                                       
.build());
+                                                       valid = false;
+                                               }
+                                       }
                                        valid = 
isValidPolicyItems(policy.getPolicyItems(), failures, serviceDef) && valid;
                                        valid = 
isValidPolicyItems(policy.getDenyPolicyItems(), failures, serviceDef) && valid;
                                        valid = 
isValidPolicyItems(policy.getAllowExceptions(), failures, serviceDef) && valid;
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index bc459e3..4d6962f 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -97,7 +97,7 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
        }
 
        public boolean hasDeny() {
-               return policy != null && 
CollectionUtils.isNotEmpty(policy.getDenyPolicyItems());
+               return policy != null && (policy.getIsDenyAllElse() || 
CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()));
        }
 
        @Override
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index a0283c4..ecd6cb7 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -552,8 +552,23 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                                        ret.processPolicyItem(policyItem, 
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS, false);
                                }
                        }
+                       final boolean isDenyAllElse = 
Boolean.TRUE.equals(getPolicy().getIsDenyAllElse());
 
-                       ret.finalizeAcls();
+                       final Set<String> allAccessTypeNames;
+
+                       if (isDenyAllElse) {
+                               allAccessTypeNames = new HashSet<>();
+                               RangerServiceDef serviceDef = getServiceDef();
+                               for (RangerAccessTypeDef accessTypeDef 
:serviceDef.getAccessTypes()) {
+                                       if 
(!StringUtils.equalsIgnoreCase(accessTypeDef.getName(), "all")) {
+                                               
allAccessTypeNames.add(accessTypeDef.getName());
+                                       }
+                               }
+                       } else {
+                               allAccessTypeNames = Collections.EMPTY_SET;
+                       }
+
+                       ret.finalizeAcls(isDenyAllElse, allAccessTypeNames);
                }
 
                RangerPerfTracer.logAlways(perf);
@@ -614,6 +629,8 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
                        if (matchedPolicyItem != null) {
                                matchedPolicyItem.updateAccessResult(this, 
result, matchType);
+                       } else if (getPolicy().getIsDenyAllElse() && 
(getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == 
RangerPolicy.POLICY_TYPE_ACCESS)) {
+                               updateAccessResult(result, 
RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else 
policy");
                        }
                }
 
@@ -1250,4 +1267,5 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
                return rangerConditionEvaluators;
        }
+
 }
\ No newline at end of file
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index 7eb15d8..00c0d42 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -94,10 +94,14 @@ public class RangerOptimizedPolicyEvaluator extends 
RangerDefaultPolicyEvaluator
             }
         }
 
-        for (String group : groups) {
-            if (RangerPolicyEngine.GROUP_PUBLIC.equalsIgnoreCase(group)) {
-                hasPublicGroup = true;
-                break;
+        if (policy.getIsDenyAllElse()) {
+            hasPublicGroup = true;
+        } else {
+            for (String group : groups) {
+                if (RangerPolicyEngine.GROUP_PUBLIC.equalsIgnoreCase(group)) {
+                    hasPublicGroup = true;
+                    break;
+                }
             }
         }
 
@@ -332,11 +336,15 @@ public class RangerOptimizedPolicyEvaluator extends 
RangerDefaultPolicyEvaluator
         }
         boolean result = true;
 
-        List<RangerServiceDef.RangerAccessTypeDef> serviceAccessTypes = 
getServiceDef().getAccessTypes();
-        for (RangerServiceDef.RangerAccessTypeDef serviceAccessType : 
serviceAccessTypes) {
-            if(! accessPerms.contains(serviceAccessType.getName())) {
-                result = false;
-                break;
+        if (getPolicy().getIsDenyAllElse()) {
+            hasAllPerms = true;
+        } else {
+            List<RangerServiceDef.RangerAccessTypeDef> serviceAccessTypes = 
getServiceDef().getAccessTypes();
+            for (RangerServiceDef.RangerAccessTypeDef serviceAccessType : 
serviceAccessTypes) {
+                if (!accessPerms.contains(serviceAccessType.getName())) {
+                    result = false;
+                    break;
+                }
             }
         }
 
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 5174f4e..4512a5e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -367,10 +367,11 @@ public interface RangerPolicyEvaluator extends 
RangerPolicyResourceEvaluator {
                        }
                }
 
-               void finalizeAcls() {
+               void finalizeAcls(final boolean isDenyAllElse, final 
Set<String> allAccessTypeNames) {
                        Map<String, AccessResult>  publicGroupAccessInfo = 
groupsAccessInfo.get(RangerPolicyEngine.GROUP_PUBLIC);
 
                        if (publicGroupAccessInfo != null) {
+
                                // For each accessType in public, retrieve 
access
                                for (Map.Entry<String, AccessResult> entry : 
publicGroupAccessInfo.entrySet()) {
                                        final String       accessType   = 
entry.getKey();
@@ -428,7 +429,73 @@ public interface RangerPolicyEvaluator extends 
RangerPolicyResourceEvaluator {
                                                }
                                        }
                                }
+                       }
+
+                       if (isDenyAllElse) {
+                               // Go through all usersAccessInfo and 
groupsAccessInfo and mark ACCESS_UNDETERMINED to ACCESS_DENIED
+                               for (Map.Entry<String, Map<String, 
AccessResult>> mapEntry : usersAccessInfo.entrySet()) {
+                                       for (Map.Entry<String, AccessResult> 
accessEntry : mapEntry.getValue().entrySet()) {
+                                               AccessResult result = 
accessEntry.getValue();
+                                               if (result.getResult() == 
ACCESS_UNDETERMINED) {
+                                                       
result.setResult(ACCESS_DENIED);
+                                               }
+                                       }
+                               }
 
+                               for (Map.Entry<String, Map<String, 
AccessResult>> mapEntry : groupsAccessInfo.entrySet()) {
+                                       for (Map.Entry<String, AccessResult> 
accessEntry : mapEntry.getValue().entrySet()) {
+                                               AccessResult result = 
accessEntry.getValue();
+                                               if (result.getResult() == 
ACCESS_UNDETERMINED) {
+                                                       
result.setResult(ACCESS_DENIED);
+                                               }
+                                       }
+                               }
+
+                               // Mark all unseen accessTypeNames are having 
no permission
+                               for (Map.Entry<String, Map<String, 
AccessResult>> mapEntry : usersAccessInfo.entrySet()) {
+                                       for (String accessTypeName : 
allAccessTypeNames) {
+                                               if 
(!mapEntry.getValue().keySet().contains(accessTypeName)) {
+                                                       
mapEntry.getValue().put(accessTypeName, new AccessResult(ACCESS_DENIED, true));
+                                               }
+                                       }
+                               }
+
+                               for (Map.Entry<String, Map<String, 
AccessResult>> mapEntry : groupsAccessInfo.entrySet()) {
+                                       for (String accessTypeName : 
allAccessTypeNames) {
+                                               if 
(!mapEntry.getValue().keySet().contains(accessTypeName)) {
+                                                       
mapEntry.getValue().put(accessTypeName, new AccessResult(ACCESS_DENIED, true));
+                                               }
+                                       }
+                               }
+
+                               publicGroupAccessInfo = 
groupsAccessInfo.computeIfAbsent(RangerPolicyEngine.GROUP_PUBLIC, k -> new 
HashMap<>());
+
+                               Set<String> accessTypeNamesInPublicGroup = 
publicGroupAccessInfo.keySet();
+
+                               for (String accessTypeName : 
allAccessTypeNames) {
+                                       if 
(!accessTypeNamesInPublicGroup.contains(accessTypeName)) {
+                                               boolean isDenyAccess = true;
+                                               for (Map.Entry<String, 
Map<String, AccessResult>> mapEntry : usersAccessInfo.entrySet()) {
+                                                       AccessResult result = 
mapEntry.getValue().get(accessTypeName);
+                                                       if (result == null || 
result.getResult() != ACCESS_DENIED) {
+                                                               isDenyAccess = 
false;
+                                                               break;
+                                                       }
+                                               }
+                                               if (isDenyAccess) {
+                                                       for (Map.Entry<String, 
Map<String, AccessResult>> mapEntry : groupsAccessInfo.entrySet()) {
+                                                               if 
(!StringUtils.equals(mapEntry.getKey(), RangerPolicyEngine.GROUP_PUBLIC)) {
+                                                                       
AccessResult result = mapEntry.getValue().get(accessTypeName);
+                                                                       if 
(result == null || result.getResult() != ACCESS_DENIED) {
+                                                                               
isDenyAccess = false;
+                                                                               
break;
+                                                                       }
+                                                               }
+                                                       }
+                                               }
+                                               
publicGroupAccessInfo.put(accessTypeName, new AccessResult(isDenyAccess ? 
ACCESS_DENIED : ACCESS_CONDITIONAL, true));
+                                       }
+                               }
                        }
                }
 
diff --git 
a/agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
index 7c7004a..37f4f3c 100644
--- 
a/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
+++ 
b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
@@ -375,6 +375,25 @@
                 "users": ["adam", "eve"], "roles": ["eden"]
               }
             ]
+          },
+          {
+            "id": 20, "name": "db=denyAllElse; table=table-1; 
column=column-1", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "denyAllElse" ] },
+              "table": { "values": [ "table-1" ] },
+              "column": { "values": [ "column-1" ] }
+            },
+            "isDenyAllElse": true,
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { 
"type": "update", "isAllowed": true }, { "type": "create", "isAllowed": true }, 
{ "type": "drop", "isAllowed": true }, { "type": "alter", "isAllowed": true }, 
{ "type": "index", "isAllowed": true }],
+                "users": [ "user1", "user3" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": ["user1", "user2"]
+              }
+            ]
           }
         ],
         "tagPolicies": {
@@ -538,6 +557,16 @@
       },
 
       "tests": [
+      {
+        "name": "denyAllElse-test",
+        "resource": {"elements":{"database":"denyAllElse", "table":"table-1", 
"column": "column-1" }},
+        "userPermissions":
+          {"user1": {"select": {"result": 1, "isFinal": true}, "update": 
{"result": -1, "isFinal": true},"create": {"result": 1, "isFinal": 
true},"drop": {"result": 1, "isFinal": true},"alter": {"result": 1, "isFinal": 
true},"index": {"result": 1, "isFinal": true},"lock": {"result": -1, "isFinal": 
true}},
+            "user2": {"select": {"result": -1, "isFinal": true}, "update": 
{"result": -1, "isFinal": true},"create": {"result": -1, "isFinal": 
true},"drop": {"result": -1, "isFinal": true},"alter": {"result": -1, 
"isFinal": true},"index": {"result": -1, "isFinal": true},"lock": {"result": 
-1, "isFinal": true}},
+            "user3": {"select": {"result": 1, "isFinal": true}, "update": 
{"result": 1, "isFinal": true},"create": {"result": 1, "isFinal": true},"drop": 
{"result": 1, "isFinal": true},"alter": {"result": 1, "isFinal": true},"index": 
{"result": 1, "isFinal": true},"lock": {"result": -1, "isFinal": true}}},
+        "groupPermissions": {"public": {"select": {"result": 2, "isFinal": 
true}, "update": {"result": 2, "isFinal": true},"create": {"result": 2, 
"isFinal": true},"drop": {"result": 2, "isFinal": true},"alter": {"result": 2, 
"isFinal": true},"index": {"result": 2, "isFinal": true},"lock": {"result": -1, 
"isFinal": true}}},
+        "rolePermissions": {}
+      },
         {
           "name": "all-deny-test",
           "resource": {"elements":{"database":"hr", "udf":"udf" }},
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index 3833ba1..976cd25 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -37,6 +37,40 @@
   },
 
   "policies":[
+    {"id":10,"name":"allow-read-to-user1,user3 
/test/restricted/","isEnabled":true,"isAuditEnabled":true,
+      "isDenyAllElse": true,
+      "resources":{"path":{"values":["/test/restricted/"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":["user1", 
"user2", "user3"],"groups":[],"delegateAdmin":false}
+      ],
+      "allowExceptions":[
+        
{"accesses":[{"type":"read","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ,
+    {"id":20,"name":"allow-read-to-user2 
/test/restricted/","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/test/restricted/"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}],"users":["user2", "non-user1", "non-user2", 
"non-user3"],"groups":["public"],"delegateAdmin":false}],
+      "denyPolicyItems":[
+        
{"accesses":[{"type":"read","isAllowed":true}],"users":["non-user4"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ,
+    {"id":30,"name":"deny-read-to-user3 
/test/restricted/","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/test/restricted/"],"isRecursive":true}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":["non-user5", 
"non-user6", "non-user7", 
"non-user8"],"groups":["public"],"delegateAdmin":false,
+        "conditions":[{
+          "type":"ScriptConditionEvaluator",
+          "values":["var country_code = 
ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result = 
!!country_code;"]
+        }]}],
+
+      "denyPolicyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":["user3", 
"non-user9"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ,
     {"id":1,"name":"audit-all-access under 
/finance/restricted/","isEnabled":true,"isAuditEnabled":true,
      
"resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}},
      "policyItems":[
@@ -70,6 +104,33 @@
   ],
 
   "tests":[
+    {"name":"DENY 'read /test/restricted/sales.db' for u=user2",
+      "request":{
+        "resource":{"elements":{"path":"/test/restricted/sales.db"}},
+        "accessType":"read","user":"user2","userGroups":[],"requestData":"read 
/test/restricted/sales.db",
+        "remoteIPAddress":"255.255.255.255"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":10}
+    }
+  ,
+    {"name":"ALLOW 'read /test/restricted/sales.db' for u=user1",
+      "request":{
+        "resource":{"elements":{"path":"/test/restricted/sales.db"}},
+        "accessType":"read","user":"user1","userGroups":[],"requestData":"read 
/test/restricted/sales.db",
+        "remoteIPAddress":"255.255.255.255"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":10}
+    }
+  ,
+    {"name":"DENY 'read /test/restricted/sales.db' for u=user3",
+      "request":{
+        "resource":{"elements":{"path":"/test/restricted/sales.db"}},
+        "accessType":"read","user":"user3","userGroups":[],"requestData":"read 
/test/restricted/sales.db",
+        "remoteIPAddress":"255.255.255.255"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":30}
+    }
+  ,
     {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; valid 
clientIPAddress",
      "request":{
       "resource":{"elements":{"path":"/finance/restricted/sales.db"}},

Reply via email to