This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 5100d60 RANGER-2507:Support for policy to implicitly deny all
accesses not explicitly allowed by it
5100d60 is described below
commit 5100d60ce72333c220eddf3b1d9cb3556de23efd
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Tue Jul 16 22:24:30 2019 -0700
RANGER-2507:Support for policy to implicitly deny all accesses not
explicitly allowed by it
---
.../ranger/plugin/errors/ValidationErrorCode.java | 1 +
.../apache/ranger/plugin/model/RangerPolicy.java | 22 ++++++-
.../model/validation/RangerPolicyValidator.java | 11 ++++
.../RangerAbstractPolicyEvaluator.java | 2 +-
.../RangerDefaultPolicyEvaluator.java | 20 ++++++-
.../RangerOptimizedPolicyEvaluator.java | 26 +++++---
.../policyevaluator/RangerPolicyEvaluator.java | 69 +++++++++++++++++++++-
.../policyengine/test_aclprovider_default.json | 29 +++++++++
.../policyengine/test_policyengine_hdfs.json | 61 +++++++++++++++++++
9 files changed, 227 insertions(+), 14 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index aa87c81..34f41f1 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -99,6 +99,7 @@ public enum ValidationErrorCode {
POLICY_VALIDATION_ERR_UPDATE_ZONE_NAME_NOT_ALLOWED(3032, "Update of Zone
name from={0} to={1} in policy is not supported"),
POLICY_VALIDATION_ERR_NONEXISTANT_ZONE_NAME(3033, "Non-existent Zone
name={0} in policy create"),
POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE(3048, "Service name =
{0} is not associated to Zone name = {1}"),
+ POLICY_VALIDATION_ERR_UNSUPPORTED_POLICY_ITEM_TYPE(3049, "Deny or
deny-exceptions are not supported if policy has isDenyAllElse flag set to
true"),
// SECURITY_ZONE Validations
SECURITY_ZONE_VALIDATION_ERR_UNSUPPORTED_ACTION(3034, "Internal error:
unsupported action[{0}]; isValid() is only supported for DELETE"),
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index c228da5..31156f7 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -87,6 +87,7 @@ public class RangerPolicy extends RangerBaseModelObject
implements java.io.Seria
private List<RangerValiditySchedule> validitySchedules;
private List<String> policyLabels;
private String zoneName;
+ private Boolean isDenyAllElse;
public RangerPolicy() {
this(null, null, null, null, null, null, null, null, null,
null, null);
@@ -100,6 +101,10 @@ public class RangerPolicy extends RangerBaseModelObject
implements java.io.Seria
this(service, name, policyType, policyPriority, description,
resources, policyItems, resourceSignature, options, validitySchedules,
policyLables, zoneName, null);
}
+ public RangerPolicy(String service, String name, Integer policyType,
Integer policyPriority, String description, Map<String, RangerPolicyResource>
resources, List<RangerPolicyItem> policyItems, String resourceSignature,
Map<String, Object> options, List<RangerValiditySchedule> validitySchedules,
List<String> policyLables, String zoneName, List<RangerPolicyItemCondition>
conditions) {
+ this(service, name, policyType, policyPriority, description,
resources, policyItems, resourceSignature, options, validitySchedules,
policyLables, zoneName, conditions, null);
+ }
+
/**
* @param service
* @param name
@@ -109,7 +114,7 @@ public class RangerPolicy extends RangerBaseModelObject
implements java.io.Seria
* @param policyItems
* @param resourceSignature TODO
*/
- public RangerPolicy(String service, String name, Integer policyType,
Integer policyPriority, String description, Map<String, RangerPolicyResource>
resources, List<RangerPolicyItem> policyItems, String resourceSignature,
Map<String, Object> options, List<RangerValiditySchedule> validitySchedules,
List<String> policyLables, String zoneName, List<RangerPolicyItemCondition>
conditions) {
+ public RangerPolicy(String service, String name, Integer policyType,
Integer policyPriority, String description, Map<String, RangerPolicyResource>
resources, List<RangerPolicyItem> policyItems, String resourceSignature,
Map<String, Object> options, List<RangerValiditySchedule> validitySchedules,
List<String> policyLables, String zoneName, List<RangerPolicyItemCondition>
conditions, Boolean isDenyAllElse) {
super();
setService(service);
@@ -131,6 +136,7 @@ public class RangerPolicy extends RangerBaseModelObject
implements java.io.Seria
setPolicyLabels(policyLables);
setZoneName(zoneName);
setConditions(conditions);
+ setIsDenyAllElse(isDenyAllElse);
}
@@ -159,6 +165,7 @@ public class RangerPolicy extends RangerBaseModelObject
implements java.io.Seria
setPolicyLabels(other.getPolicyLabels());
setZoneName(other.getZoneName());
setConditions(other.getConditions());
+ setIsDenyAllElse(other.getIsDenyAllElse());
}
/**
@@ -509,6 +516,14 @@ public class RangerPolicy extends RangerBaseModelObject
implements java.io.Seria
this.conditions = conditions;
}
+ public Boolean getIsDenyAllElse() {
+ return isDenyAllElse;
+ }
+
+ public void setIsDenyAllElse(Boolean isDenyAllElse) {
+ this.isDenyAllElse = isDenyAllElse == null ? Boolean.FALSE :
isDenyAllElse;
+ }
+
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
@@ -641,7 +656,10 @@ public class RangerPolicy extends RangerBaseModelObject
implements java.io.Seria
}
}
sb.append(", zoneName=").append(zoneName);
- sb.append("}");
+
+ sb.append(", isDenyAllElse={").append(isDenyAllElse).append("}
");
+
+ sb.append("}");
sb.append("}");
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 412d9e1..a854107 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -353,6 +353,17 @@ public class RangerPolicyValidator extends RangerValidator
{
.build());
valid = false;
} else {
+ if
(Boolean.TRUE.equals(policy.getIsDenyAllElse())) {
+ if
(CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()) ||
CollectionUtils.isNotEmpty(policy.getDenyExceptions())) {
+ ValidationErrorCode
error = ValidationErrorCode.POLICY_VALIDATION_ERR_UNSUPPORTED_POLICY_ITEM_TYPE;
+ failures.add(new
ValidationFailureDetailsBuilder()
+
.field("policy items")
+
.becauseOf(error.getMessage())
+
.errorCode(error.getErrorCode())
+
.build());
+ valid = false;
+ }
+ }
valid =
isValidPolicyItems(policy.getPolicyItems(), failures, serviceDef) && valid;
valid =
isValidPolicyItems(policy.getDenyPolicyItems(), failures, serviceDef) && valid;
valid =
isValidPolicyItems(policy.getAllowExceptions(), failures, serviceDef) && valid;
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index bc459e3..4d6962f 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -97,7 +97,7 @@ public abstract class RangerAbstractPolicyEvaluator
implements RangerPolicyEvalu
}
public boolean hasDeny() {
- return policy != null &&
CollectionUtils.isNotEmpty(policy.getDenyPolicyItems());
+ return policy != null && (policy.getIsDenyAllElse() ||
CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()));
}
@Override
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index a0283c4..ecd6cb7 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -552,8 +552,23 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
ret.processPolicyItem(policyItem,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS, false);
}
}
+ final boolean isDenyAllElse =
Boolean.TRUE.equals(getPolicy().getIsDenyAllElse());
- ret.finalizeAcls();
+ final Set<String> allAccessTypeNames;
+
+ if (isDenyAllElse) {
+ allAccessTypeNames = new HashSet<>();
+ RangerServiceDef serviceDef = getServiceDef();
+ for (RangerAccessTypeDef accessTypeDef
:serviceDef.getAccessTypes()) {
+ if
(!StringUtils.equalsIgnoreCase(accessTypeDef.getName(), "all")) {
+
allAccessTypeNames.add(accessTypeDef.getName());
+ }
+ }
+ } else {
+ allAccessTypeNames = Collections.EMPTY_SET;
+ }
+
+ ret.finalizeAcls(isDenyAllElse, allAccessTypeNames);
}
RangerPerfTracer.logAlways(perf);
@@ -614,6 +629,8 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
if (matchedPolicyItem != null) {
matchedPolicyItem.updateAccessResult(this,
result, matchType);
+ } else if (getPolicy().getIsDenyAllElse() &&
(getPolicy().getPolicyType() == null || getPolicy().getPolicyType() ==
RangerPolicy.POLICY_TYPE_ACCESS)) {
+ updateAccessResult(result,
RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else
policy");
}
}
@@ -1250,4 +1267,5 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
return rangerConditionEvaluators;
}
+
}
\ No newline at end of file
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index 7eb15d8..00c0d42 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -94,10 +94,14 @@ public class RangerOptimizedPolicyEvaluator extends
RangerDefaultPolicyEvaluator
}
}
- for (String group : groups) {
- if (RangerPolicyEngine.GROUP_PUBLIC.equalsIgnoreCase(group)) {
- hasPublicGroup = true;
- break;
+ if (policy.getIsDenyAllElse()) {
+ hasPublicGroup = true;
+ } else {
+ for (String group : groups) {
+ if (RangerPolicyEngine.GROUP_PUBLIC.equalsIgnoreCase(group)) {
+ hasPublicGroup = true;
+ break;
+ }
}
}
@@ -332,11 +336,15 @@ public class RangerOptimizedPolicyEvaluator extends
RangerDefaultPolicyEvaluator
}
boolean result = true;
- List<RangerServiceDef.RangerAccessTypeDef> serviceAccessTypes =
getServiceDef().getAccessTypes();
- for (RangerServiceDef.RangerAccessTypeDef serviceAccessType :
serviceAccessTypes) {
- if(! accessPerms.contains(serviceAccessType.getName())) {
- result = false;
- break;
+ if (getPolicy().getIsDenyAllElse()) {
+ hasAllPerms = true;
+ } else {
+ List<RangerServiceDef.RangerAccessTypeDef> serviceAccessTypes =
getServiceDef().getAccessTypes();
+ for (RangerServiceDef.RangerAccessTypeDef serviceAccessType :
serviceAccessTypes) {
+ if (!accessPerms.contains(serviceAccessType.getName())) {
+ result = false;
+ break;
+ }
}
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 5174f4e..4512a5e 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -367,10 +367,11 @@ public interface RangerPolicyEvaluator extends
RangerPolicyResourceEvaluator {
}
}
- void finalizeAcls() {
+ void finalizeAcls(final boolean isDenyAllElse, final
Set<String> allAccessTypeNames) {
Map<String, AccessResult> publicGroupAccessInfo =
groupsAccessInfo.get(RangerPolicyEngine.GROUP_PUBLIC);
if (publicGroupAccessInfo != null) {
+
// For each accessType in public, retrieve
access
for (Map.Entry<String, AccessResult> entry :
publicGroupAccessInfo.entrySet()) {
final String accessType =
entry.getKey();
@@ -428,7 +429,73 @@ public interface RangerPolicyEvaluator extends
RangerPolicyResourceEvaluator {
}
}
}
+ }
+
+ if (isDenyAllElse) {
+ // Go through all usersAccessInfo and
groupsAccessInfo and mark ACCESS_UNDETERMINED to ACCESS_DENIED
+ for (Map.Entry<String, Map<String,
AccessResult>> mapEntry : usersAccessInfo.entrySet()) {
+ for (Map.Entry<String, AccessResult>
accessEntry : mapEntry.getValue().entrySet()) {
+ AccessResult result =
accessEntry.getValue();
+ if (result.getResult() ==
ACCESS_UNDETERMINED) {
+
result.setResult(ACCESS_DENIED);
+ }
+ }
+ }
+ for (Map.Entry<String, Map<String,
AccessResult>> mapEntry : groupsAccessInfo.entrySet()) {
+ for (Map.Entry<String, AccessResult>
accessEntry : mapEntry.getValue().entrySet()) {
+ AccessResult result =
accessEntry.getValue();
+ if (result.getResult() ==
ACCESS_UNDETERMINED) {
+
result.setResult(ACCESS_DENIED);
+ }
+ }
+ }
+
+ // Mark all unseen accessTypeNames are having
no permission
+ for (Map.Entry<String, Map<String,
AccessResult>> mapEntry : usersAccessInfo.entrySet()) {
+ for (String accessTypeName :
allAccessTypeNames) {
+ if
(!mapEntry.getValue().keySet().contains(accessTypeName)) {
+
mapEntry.getValue().put(accessTypeName, new AccessResult(ACCESS_DENIED, true));
+ }
+ }
+ }
+
+ for (Map.Entry<String, Map<String,
AccessResult>> mapEntry : groupsAccessInfo.entrySet()) {
+ for (String accessTypeName :
allAccessTypeNames) {
+ if
(!mapEntry.getValue().keySet().contains(accessTypeName)) {
+
mapEntry.getValue().put(accessTypeName, new AccessResult(ACCESS_DENIED, true));
+ }
+ }
+ }
+
+ publicGroupAccessInfo =
groupsAccessInfo.computeIfAbsent(RangerPolicyEngine.GROUP_PUBLIC, k -> new
HashMap<>());
+
+ Set<String> accessTypeNamesInPublicGroup =
publicGroupAccessInfo.keySet();
+
+ for (String accessTypeName :
allAccessTypeNames) {
+ if
(!accessTypeNamesInPublicGroup.contains(accessTypeName)) {
+ boolean isDenyAccess = true;
+ for (Map.Entry<String,
Map<String, AccessResult>> mapEntry : usersAccessInfo.entrySet()) {
+ AccessResult result =
mapEntry.getValue().get(accessTypeName);
+ if (result == null ||
result.getResult() != ACCESS_DENIED) {
+ isDenyAccess =
false;
+ break;
+ }
+ }
+ if (isDenyAccess) {
+ for (Map.Entry<String,
Map<String, AccessResult>> mapEntry : groupsAccessInfo.entrySet()) {
+ if
(!StringUtils.equals(mapEntry.getKey(), RangerPolicyEngine.GROUP_PUBLIC)) {
+
AccessResult result = mapEntry.getValue().get(accessTypeName);
+ if
(result == null || result.getResult() != ACCESS_DENIED) {
+
isDenyAccess = false;
+
break;
+ }
+ }
+ }
+ }
+
publicGroupAccessInfo.put(accessTypeName, new AccessResult(isDenyAccess ?
ACCESS_DENIED : ACCESS_CONDITIONAL, true));
+ }
+ }
}
}
diff --git
a/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
index 7c7004a..37f4f3c 100644
---
a/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
+++
b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
@@ -375,6 +375,25 @@
"users": ["adam", "eve"], "roles": ["eden"]
}
]
+ },
+ {
+ "id": 20, "name": "db=denyAllElse; table=table-1;
column=column-1", "isEnabled": true, "isAuditEnabled": true,
+ "resources": {
+ "database": { "values": [ "denyAllElse" ] },
+ "table": { "values": [ "table-1" ] },
+ "column": { "values": [ "column-1" ] }
+ },
+ "isDenyAllElse": true,
+ "policyItems": [
+ { "accesses": [ { "type": "select", "isAllowed": true }, {
"type": "update", "isAllowed": true }, { "type": "create", "isAllowed": true },
{ "type": "drop", "isAllowed": true }, { "type": "alter", "isAllowed": true },
{ "type": "index", "isAllowed": true }],
+ "users": [ "user1", "user3" ]
+ }
+ ],
+ "allowExceptions": [
+ { "accesses": [ { "type": "update", "isAllowed": true } ],
+ "users": ["user1", "user2"]
+ }
+ ]
}
],
"tagPolicies": {
@@ -538,6 +557,16 @@
},
"tests": [
+ {
+ "name": "denyAllElse-test",
+ "resource": {"elements":{"database":"denyAllElse", "table":"table-1",
"column": "column-1" }},
+ "userPermissions":
+ {"user1": {"select": {"result": 1, "isFinal": true}, "update":
{"result": -1, "isFinal": true},"create": {"result": 1, "isFinal":
true},"drop": {"result": 1, "isFinal": true},"alter": {"result": 1, "isFinal":
true},"index": {"result": 1, "isFinal": true},"lock": {"result": -1, "isFinal":
true}},
+ "user2": {"select": {"result": -1, "isFinal": true}, "update":
{"result": -1, "isFinal": true},"create": {"result": -1, "isFinal":
true},"drop": {"result": -1, "isFinal": true},"alter": {"result": -1,
"isFinal": true},"index": {"result": -1, "isFinal": true},"lock": {"result":
-1, "isFinal": true}},
+ "user3": {"select": {"result": 1, "isFinal": true}, "update":
{"result": 1, "isFinal": true},"create": {"result": 1, "isFinal": true},"drop":
{"result": 1, "isFinal": true},"alter": {"result": 1, "isFinal": true},"index":
{"result": 1, "isFinal": true},"lock": {"result": -1, "isFinal": true}}},
+ "groupPermissions": {"public": {"select": {"result": 2, "isFinal":
true}, "update": {"result": 2, "isFinal": true},"create": {"result": 2,
"isFinal": true},"drop": {"result": 2, "isFinal": true},"alter": {"result": 2,
"isFinal": true},"index": {"result": 2, "isFinal": true},"lock": {"result": -1,
"isFinal": true}}},
+ "rolePermissions": {}
+ },
{
"name": "all-deny-test",
"resource": {"elements":{"database":"hr", "udf":"udf" }},
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index 3833ba1..976cd25 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -37,6 +37,40 @@
},
"policies":[
+ {"id":10,"name":"allow-read-to-user1,user3
/test/restricted/","isEnabled":true,"isAuditEnabled":true,
+ "isDenyAllElse": true,
+ "resources":{"path":{"values":["/test/restricted/"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":["user1",
"user2", "user3"],"groups":[],"delegateAdmin":false}
+ ],
+ "allowExceptions":[
+
{"accesses":[{"type":"read","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":20,"name":"allow-read-to-user2
/test/restricted/","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/test/restricted/"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true},
{"type":"write","isAllowed":true}],"users":["user2", "non-user1", "non-user2",
"non-user3"],"groups":["public"],"delegateAdmin":false}],
+ "denyPolicyItems":[
+
{"accesses":[{"type":"read","isAllowed":true}],"users":["non-user4"],"groups":[],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":30,"name":"deny-read-to-user3
/test/restricted/","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/test/restricted/"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":["non-user5",
"non-user6", "non-user7",
"non-user8"],"groups":["public"],"delegateAdmin":false,
+ "conditions":[{
+ "type":"ScriptConditionEvaluator",
+ "values":["var country_code =
ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result =
!!country_code;"]
+ }]}],
+
+ "denyPolicyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":["user3",
"non-user9"],"groups":[],"delegateAdmin":false}
+ ]
+ }
+ ,
{"id":1,"name":"audit-all-access under
/finance/restricted/","isEnabled":true,"isAuditEnabled":true,
"resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}},
"policyItems":[
@@ -70,6 +104,33 @@
],
"tests":[
+ {"name":"DENY 'read /test/restricted/sales.db' for u=user2",
+ "request":{
+ "resource":{"elements":{"path":"/test/restricted/sales.db"}},
+ "accessType":"read","user":"user2","userGroups":[],"requestData":"read
/test/restricted/sales.db",
+ "remoteIPAddress":"255.255.255.255"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":10}
+ }
+ ,
+ {"name":"ALLOW 'read /test/restricted/sales.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/test/restricted/sales.db"}},
+ "accessType":"read","user":"user1","userGroups":[],"requestData":"read
/test/restricted/sales.db",
+ "remoteIPAddress":"255.255.255.255"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":10}
+ }
+ ,
+ {"name":"DENY 'read /test/restricted/sales.db' for u=user3",
+ "request":{
+ "resource":{"elements":{"path":"/test/restricted/sales.db"}},
+ "accessType":"read","user":"user3","userGroups":[],"requestData":"read
/test/restricted/sales.db",
+ "remoteIPAddress":"255.255.255.255"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":30}
+ }
+ ,
{"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; valid
clientIPAddress",
"request":{
"resource":{"elements":{"path":"/finance/restricted/sales.db"}},