This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new daeda7a RANGER-785: updated Ranger plugin to support the notion of
super-users and super-groups
daeda7a is described below
commit daeda7ab8aefcfdbe5869ff7c5852fe1ee351635
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Tue Mar 31 18:43:38 2020 -0700
RANGER-785: updated Ranger plugin to support the notion of super-users and
super-groups
---
.../plugin/policyengine/RangerPolicyEngine.java | 10 +-
.../policyengine/RangerPolicyEngineImpl.java | 70 +++++++-
.../ranger/plugin/service/RangerBasePlugin.java | 17 +-
.../plugin/policyengine/TestPolicyEngine.java | 16 +-
.../test_policyengine_super_user_groups.json | 182 +++++++++++++++++++++
5 files changed, 281 insertions(+), 14 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 4602903..c673169 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -38,9 +38,11 @@ public interface RangerPolicyEngine {
String AUDIT_NONE = "audit-none";
String AUDIT_DEFAULT = "audit-default";
- String PLUGIN_AUDIT_EXCLUDE_USERS = "ranger.plugin.audit.exclude.users";
+ String PLUGIN_AUDIT_EXCLUDE_USERS =
"ranger.plugin.audit.exclude.users";
String PLUGIN_AUDIT_EXCLUDE_GROUPS =
"ranger.plugin.audit.exclude.groups";
- String PLUGIN_AUDIT_EXCLUDE_ROLES = "ranger.plugin.audit.exclude.roles";
+ String PLUGIN_AUDIT_EXCLUDE_ROLES =
"ranger.plugin.audit.exclude.roles";
+ String PLUGIN_SUPER_USERS = "ranger.plugin.super.users";
+ String PLUGIN_SUPER_GROUPS = "ranger.plugin.super.groups";
String USER_CURRENT = "{" + RangerAccessRequestUtil.KEY_USER + "}";
String RESOURCE_OWNER = "{OWNER}";
@@ -49,6 +51,10 @@ public interface RangerPolicyEngine {
void setTrustedProxyAddresses(String[] trustedProxyAddresses);
+ void setSuperUsersAndGroups(Set<String> users, Set<String> groups);
+
+ boolean isSuperUser(String userName, Set<String> userGroups);
+
RangerServiceDef getServiceDef();
long getPolicyVersion();
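Review bot: The two new interface methods carry no Javadoc, and because a true result from `isSuperUser` short-circuits policy evaluation in the implementation (access allowed, policyId -1), the contract needs to be stated on the interface rather than inferred from `RangerPolicyEngineImpl`. Above `setSuperUsersAndGroups` I would add `/** Replaces the super-user and super-group sets; null means none. Members bypass resource and tag policy evaluation, so changes take effect on subsequent requests. */`, and above `isSuperUser` `/** True when userName is a super user or userGroups intersects the super groups, from either the caller-supplied sets or the service config keys PLUGIN_SUPER_USERS/PLUGIN_SUPER_GROUPS. */`. Whether a null `userGroups` is accepted should be stated here once the implementation decides it.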
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index fefa465..c68e22d 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -24,6 +24,7 @@ import org.apache.commons.collections.ListUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -39,6 +40,7 @@ import org.apache.ranger.plugin.util.ServicePolicies;
import java.util.ArrayList;
import java.util.Collection;
+import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
@@ -57,6 +59,11 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
private final PolicyEngine policyEngine;
private final RangerAccessRequestProcessor requestProcessor;
+ private final Set<String> svcCfgSuperUsers;
+ private final Set<String> svcCfgSuperGroups;
+ private Set<String> superUsers;
+ private Set<String> superGroups;
+ private boolean isEmptySupers = true;
static public RangerPolicyEngine getPolicyEngine(final
RangerPolicyEngineImpl other, final ServicePolicies servicePolicies) {
@@ -66,7 +73,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
PolicyEngine policyEngine =
other.policyEngine.cloneWithDelta(servicePolicies);
if (policyEngine != null) {
- ret = new RangerPolicyEngineImpl(policyEngine);
+ ret = new RangerPolicyEngineImpl(policyEngine,
other);
}
}
@@ -74,11 +81,29 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
public RangerPolicyEngineImpl(ServicePolicies servicePolicies,
RangerPluginContext pluginContext, RangerRoles roles) {
+ this(servicePolicies, pluginContext, roles, null, null);
+ }
+
+ public RangerPolicyEngineImpl(ServicePolicies servicePolicies,
RangerPluginContext pluginContext, RangerRoles roles, Set<String> superUsers,
Set<String> superGroups) {
policyEngine = new PolicyEngine(servicePolicies, pluginContext,
roles);
policyEngine.getPluginContext().getAuthContext().setRoles(roles);
requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
+
+ Map<String, String> svcConfig =
servicePolicies.getServiceConfig();
+ String cfgSuperUsers = null;
+ String cfgSuperGroups = null;
+
+ if (svcConfig != null) {
+ cfgSuperUsers =
svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_USERS);
+ cfgSuperGroups =
svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_GROUPS);
+ }
+
+ svcCfgSuperUsers = StringUtils.isNotBlank(cfgSuperUsers) ?
StringUtil.toSet(cfgSuperUsers) : Collections.emptySet();
+ svcCfgSuperGroups = StringUtils.isNotBlank(cfgSuperGroups) ?
StringUtil.toSet(cfgSuperGroups) : Collections.emptySet();
+
+ setSuperUsersAndGroups(superUsers, superGroups);
}
@Override
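Review bot: The new public constructor ends by calling `setSuperUsersAndGroups`, a public non-final method on a non-final class, so a subclass override would run before the subclass's own fields are initialized; routing both the constructor and the interface method through a private helper such as `private void assignSupers(Set<String> users, Set<String> groups)` avoids that. The sets parsed from `ranger.plugin.super.users` / `ranger.plugin.super.groups` in the service config grant a full policy bypass, which deserves a comment at the `svcCfgSuperUsers = ...` line, e.g. `// service-config supers bypass policy evaluation exactly like caller-supplied supers; treat these keys as a privilege grant`. `StringUtil.toSet` is not visible here, so whether it trims entries (the new fixture uses `"svc-cfg-su1, svc-cfg-su2"` with a space after the comma) is something I cannot confirm from this hunk.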
@@ -472,6 +497,21 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
@Override
+ public void setSuperUsersAndGroups(Set<String> users, Set<String>
groups) {
+ this.superUsers = users == null ? Collections.emptySet() :
users;
+ this.superGroups = groups == null ? Collections.emptySet() :
groups;
+ this.isEmptySupers = CollectionUtils.isEmpty(superUsers) &&
CollectionUtils.isEmpty(svcCfgSuperUsers) &&
+ CollectionUtils.isEmpty(superGroups) &&
CollectionUtils.isEmpty(svcCfgSuperGroups);
+ }
+
+ @Override
+ public boolean isSuperUser(String userName, Set<String> userGroups) {
+ return !isEmptySupers && (superUsers.contains(userName) ||
svcCfgSuperUsers.contains(userName) ||
+
CollectionUtils.containsAny(superGroups, userGroups) ||
+
CollectionUtils.containsAny(svcCfgSuperGroups, userGroups));
+ }
+
+ @Override
public RangerServiceDef getServiceDef() {
return policyEngine.getServiceDef();
}
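Review bot: `superUsers`, `superGroups` and `isEmptySupers` are plain non-volatile fields written here in three separate assignments and read by `isSuperUser`; if this setter runs on a thread other than the one evaluating requests (the plugin invokes it from `RangerBasePlugin.setSuperUsersAndGroups`), an evaluating thread may keep observing a stale `superGroups` after a group was revoked, with no bound on how long. Holding the three in one immutable holder stored in a single volatile field, or at least marking all three volatile, gives revocation a happens-before edge. The caller's sets are also retained by reference and iterated by `CollectionUtils.containsAny`, so a caller mutating its set afterwards changes authorization without going through this method and can throw `ConcurrentModificationException`; snapshot them with `this.superUsers = users == null ? Collections.emptySet() : Collections.unmodifiableSet(new HashSet<>(users));` and the same for groups. `containsAny` with a null `userGroups` throws NPE as soon as any super set is non-empty, so if `request.getUserGroups()` can be null the group checks need a `userGroups != null &&` guard.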
@@ -533,9 +573,13 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
}
- private RangerPolicyEngineImpl(final PolicyEngine policyEngine) {
- this.policyEngine = policyEngine;
- this.requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
+ private RangerPolicyEngineImpl(final PolicyEngine policyEngine,
RangerPolicyEngineImpl other) {
+ this.policyEngine = policyEngine;
+ this.requestProcessor = new
RangerDefaultRequestProcessor(policyEngine);
+ this.svcCfgSuperUsers = new HashSet<>(other.svcCfgSuperUsers);
+ this.svcCfgSuperGroups = new HashSet<>(other.svcCfgSuperGroups);
+ this.superUsers = new HashSet<>(other.superUsers);
+ this.superGroups = new HashSet<>(other.superGroups);
}
private RangerAccessResult
zoneAwareAccessEvaluationWithNoAudit(RangerAccessRequest request, int
policyType) {
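Review bot: The private copy constructor copies the four sets from `other` but never copies `isEmptySupers`, which keeps its field initializer `true`; an engine built through `getPolicyEngine(other, servicePolicies)` (the policy-delta path) therefore answers `isSuperUser` with false for everyone until `setSuperUsersAndGroups` is called again on the new instance. Add `this.isEmptySupers = other.isEmptySupers;` after the last copy, or better derive the flag from the copied sets so the two cannot drift. The new test fixture only exercises a freshly constructed engine, so this path is untested.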
@@ -578,8 +622,18 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
LOG.debug("==>
RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" +
policyType + ", zoneName=" + zoneName + ")");
}
- Date accessTime = request.getAccessTime() != null
? request.getAccessTime() : new Date();
- RangerAccessResult ret =
policyEngine.createAccessResult(request, policyType);
+ final Date accessTime = request.getAccessTime()
!= null ? request.getAccessTime() : new Date();
+ final RangerAccessResult ret =
policyEngine.createAccessResult(request, policyType);
+ final boolean isSuperUser =
isSuperUser(request.getUser(), request.getUserGroups());
+
+ // for superusers, set access as allowed
+ if (isSuperUser) {
+ ret.setIsAllowed(true);
+ ret.setIsAccessDetermined(true);
+ ret.setPolicyId(-1);
+ ret.setPolicyPriority(Integer.MAX_VALUE);
+ ret.setReason("superuser");
+ }
evaluateTagPolicies(request, policyType, zoneName,
tagPolicyRepository, ret);
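Review bot: The comment `// for superusers, set access as allowed` understates what follows: tag and resource policies are still evaluated afterwards, and the next hunk skips the `setIsAccessDetermined(false)` reset only for superusers, so for them the rest of the method runs solely to settle audit flags. I would replace it with `// superusers: allow up front (policyId -1, reason "superuser"); the policy evaluation below still runs so audit settings are resolved, but must not reverse this decision`, which also documents why the guard in the next hunk exists. If `evaluatePoliciesNoAudit` is also reached for data-mask and row-filter policy types, whether a superuser should receive an "allowed, determined" result there without any masker or filter evaluated is something I cannot confirm from this hunk; a comment stating the intended behaviour for those types would help. The method starts and ends outside the hunk.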
@@ -601,7 +655,9 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
boolean findAuditByResource =
!ret.getIsAuditedDetermined();
boolean foundInCache = findAuditByResource &&
policyRepository.setAuditEnabledFromCache(request, ret);
- ret.setIsAccessDetermined(false); // discard result by
tag-policies, to evaluate resource policies for possible override
+ if (!isSuperUser) {
+ ret.setIsAccessDetermined(false); // discard
result by tag-policies, to evaluate resource policies for possible override
+ }
List<RangerPolicyEvaluator> evaluators =
policyRepository.getLikelyMatchPolicyEvaluators(request.getResource(),
policyType);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 32fbb06..b5e18ba 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -67,6 +67,8 @@ public class RangerBasePlugin {
private RangerAuthContext currentAuthContext;
private RangerAccessResultProcessor resultProcessor;
private RangerRoles roles;
+ private Set<String> superUsers =
Collections.emptySet();
+ private Set<String> superGroups =
Collections.emptySet();
public RangerBasePlugin(String serviceType, String appId) {
@@ -128,6 +130,17 @@ public class RangerBasePlugin {
pluginContext.notifyAuthContextChanged();
}
+ public void setSuperUsersAndGroups(Set<String> users, Set<String>
groups) {
+ this.superUsers = users == null ? Collections.emptySet() :
users;
+ this.superGroups = groups == null ? Collections.emptySet() :
groups;
+
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if (policyEngine != null) {
+ policyEngine.setSuperUsersAndGroups(this.superUsers,
this.superGroups);
+ }
+ }
+
public RangerServiceDef getServiceDef() {
RangerPolicyEngine policyEngine = this.policyEngine;
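Review bot: `setSuperUsersAndGroups` keeps the caller's `users` and `groups` sets by reference and later hands the same instances to every `RangerPolicyEngineImpl` it builds, so a caller that mutates its set after the call silently changes authorization, and concurrent mutation during evaluation can throw from `containsAny`. Snapshot them instead: `this.superUsers = users == null ? Collections.emptySet() : Collections.unmodifiableSet(new HashSet<>(users));` and likewise for groups (`HashSet` would need to be in scope; only `Collections` is visible in this file's hunks). A short Javadoc stating that members bypass policy evaluation and that null clears the set would make the privilege implications explicit to plugin authors.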
@@ -217,7 +230,7 @@ public class RangerBasePlugin {
LOG.debug("Creating engine from
policies");
}
- newPolicyEngine = new
RangerPolicyEngineImpl(policies, pluginContext, roles);
+ newPolicyEngine = new
RangerPolicyEngineImpl(policies, pluginContext, roles, superUsers, superGroups);
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("policy-deltas are
not null");
@@ -246,7 +259,7 @@ public class RangerBasePlugin {
LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies + "]");
}
- newPolicyEngine = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
+ newPolicyEngine = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles, superUsers,
superGroups);
}
} else {
if (LOG.isDebugEnabled()) {
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 4265b06..8811f2a 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -401,6 +401,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(conditionsTestResourceFiles);
}
+ @Test
+ public void testPolicyEngine_superUserGroups() {
+ String[] resourceFiles =
{"/policyengine/test_policyengine_super_user_groups.json"};
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
private void runTestsFromResourceFiles(String[] resourceNames) {
for(String resourceName : resourceNames) {
InputStream inStream =
this.getClass().getResourceAsStream(resourceName);
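Review bot: The new test only drives a freshly constructed engine, so neither the delta-refresh path (`getPolicyEngine(other, servicePolicies)`, which goes through the private copy constructor) nor a later `setSuperUsersAndGroups(null, null)` revocation is covered, and those are the paths where super status is most likely to drift. Adding an `updatedPolicies`/`updatedTests` section to the fixture and a test asserting that a removed super user or group is denied afterwards would pin that behaviour. `runTestsFromResourceFiles` continues outside the hunk.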
@@ -421,6 +428,7 @@ public class TestPolicyEngine {
servicePolicies.setServiceDef(testCase.serviceDef);
servicePolicies.setPolicies(testCase.policies);
servicePolicies.setSecurityZones(testCase.securityZones);
+ servicePolicies.setServiceConfig(testCase.serviceConfig);
if (StringUtils.isNotBlank(testCase.auditMode)) {
servicePolicies.setAuditMode(testCase.auditMode);
@@ -486,14 +494,14 @@ public class TestPolicyEngine {
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
- RangerPolicyEngineImpl policyEngine = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
+ RangerPolicyEngineImpl policyEngine = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles,
testCase.superUsers, testCase.superGroups);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary =
false;
- RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
+ RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles,
testCase.superUsers, testCase.superGroups);
policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
@@ -666,9 +674,11 @@ public class TestPolicyEngine {
public Map<String, Set<String>> groupRoles;
public String auditMode;
public List<TestData> tests;
-
+ public Map<String, String> serviceConfig;
public UpdatedPolicies updatedPolicies;
public List<TestData> updatedTests;
+ public Set<String> superUsers;
+ public Set<String> superGroups;
class TestData {
public String name;
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_super_user_groups.json
b/agents-common/src/test/resources/policyengine/test_policyengine_super_user_groups.json
new file mode 100644
index 0000000..c16d5f4
--- /dev/null
+++
b/agents-common/src/test/resources/policyengine/test_policyengine_super_user_groups.json
@@ -0,0 +1,182 @@
+{
+ "serviceName":"hivedev",
+
+ "original-serviceDef":{
+ "name":"hive",
+ "id":3,
+ "resources":[
+
{"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
+
{"name":"url","level":1,"mandatory":true,"lookupSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"URL","description":"URL"},
+
{"name":"hiveservice","level":1,"mandatory":true,"lookupSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"HiveService","description":"HiveService"},
+
{"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
+
{"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
+
{"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
+ ],
+ "accessTypes":[
+ {"name":"select","label":"Select"},
+ {"name":"update","label":"Update"},
+ {"name":"create","label":"Create"},
+ {"name":"drop","label":"Drop"},
+ {"name":"alter","label":"Alter"},
+ {"name":"index","label":"Index"},
+ {"name":"lock","label":"Lock"},
+ {"name":"read","label":"Read"},
+ {"name":"write","label":"Write"},
+ {"name":"repladmin","label":"ReplAdmin"},
+ {"name":"serviceadmin","label":"ServiceAdmin"},
+ {"name":"all","label":"All",
+ "impliedGrants": ["select", "update", "create", "drop", "alter",
"index", "lock", "read", "write", "repladmin", "serviceadmin"]
+ }
+ ]
+ },
+
+ "serviceDef": {
+ "id":3,
+ "name": "hive",
+ "implClass": "org.apache.ranger.services.hive.RangerServiceHive",
+ "label": "Hive Server2",
+ "description": "Hive Server2",
+ "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
+
+ "resources": [
+ {"itemId": 1, "name": "database", "type": "string", "level": 10,
"parent": "", "mandatory": true, "lookupSupported": true, "recursiveSupported":
false, "excludesSupported": true, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"",
"validationMessage": "", "uiHint":"", "label": "Hive Database", "description":
"Hive Database", "isValidLeaf": true},
+ {"itemId": 2, "name": "table", "type": "string", "level": 20, "parent":
"database", "mandatory": true, "lookupSupported": true, "recursiveSupported":
false, "excludesSupported": true, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"",
"validationMessage": "", "uiHint":"", "label": "Hive Table", "description":
"Hive Table", "isValidLeaf": true},
+ {"itemId": 3, "name": "udf", "type": "string", "level": 20, "parent":
"database", "mandatory": true, "lookupSupported": true, "recursiveSupported":
false, "excludesSupported": true, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"",
"validationMessage": "", "uiHint":"", "label": "Hive UDF", "description": "Hive
UDF", "isValidLeaf": true},
+ {"itemId": 4, "name": "column", "type": "string", "level": 30, "parent":
"table", "mandatory": true, "lookupSupported": true, "recursiveSupported":
false, "excludesSupported": true, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"",
"validationMessage": "", "uiHint":"", "label": "Hive Column", "description":
"Hive Column", "isValidLeaf": true},
+ {"itemId": 5, "name": "url", "type": "string", "level": 10, "parent":
"", "mandatory": true, "lookupSupported": false, "recursiveSupported": true,
"excludesSupported": false, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":false },
"validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "URL",
"description": "URL", "isValidLeaf": true}
+ ],
+
+ "accessTypes": [
+ {"itemId": 1, "name": "select", "label": "select"},
+ {"itemId": 2, "name": "update", "label": "update"},
+ {"itemId": 3, "name": "create", "label": "Create"},
+ {"itemId": 4, "name": "drop", "label": "Drop"},
+ {"itemId": 5, "name": "alter", "label": "Alter"},
+ {"itemId": 6, "name": "index", "label": "Index"},
+ {"itemId": 7, "name": "lock", "label": "Lock"},
+ {"itemId": 8, "name": "all", "label": "All",
+ "impliedGrants": ["select", "update", "create", "drop", "alter",
"index", "lock", "read", "write"]},
+ {"itemId": 9, "name": "read", "label": "Read"},
+ {"itemId": 10, "name": "write", "label": "Write"}
+ ],
+
+ "configs": [
+ {"itemId": 1, "name": "username", "type": "string", "mandatory": true,
"validationRegEx":"", "validationMessage": "", "uiHint":"", "label":
"Username"},
+ {"itemId": 2, "name": "password", "type": "password", "mandatory": true,
"validationRegEx":"", "validationMessage": "", "uiHint":"", "label":
"Password"},
+ {"itemId": 3, "name": "jdbc.driverClassName", "type": "string",
"mandatory": true, "validationRegEx":"", "validationMessage": "", "uiHint":"",
"defaultValue": "org.apache.hive.jdbc.HiveDriver"},
+ {"itemId": 4, "name": "jdbc.url", "type": "string", "mandatory": true,
"defaultValue": "", "validationRegEx":"", "validationMessage": "", "uiHint":""},
+ {"itemId": 5, "name": "commonNameForCertificate", "type": "string",
"mandatory": false, "validationRegEx":"", "validationMessage": "", "uiHint":"",
"label": "Common Name for Certificate"}
+ ],
+
+ "enums": [
+ ],
+
+ "contextEnrichers": [
+ ],
+
+ "policyConditions": [
+ ]
+ },
+
+ "serviceConfig": {
+ "ranger.plugin.super.users": "svc-cfg-su1, svc-cfg-su2",
+ "ranger.plugin.super.groups": "svc-cfg-sg1, svc-cfg-sg2"
+ },
+
+ "policies":[
+ {"id":1,"name":"database=db-*,table=*,column=* -
audit-all-access","isEnabled":true,"isAuditEnabled":true,
+
"resources":{"database":{"values":["db-*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+ "policyItems":[
+ ],
+ "denyPolicyItems":[
+
{"accesses":[{"type":"create","isAllowed":true}],"users":["hive1","hive2"],"groups":["hadoop","hive"],"delegateAdmin":false}
+ ]
+ }
+ ],
+
+ "superUsers": [ "su1", "su2" ],
+ "superGroups": [ "sg1", "sg2" ],
+
+ "tests":[
+ {"name":"ALLOW 'create db-1;' for su1",
+ "request":{
+ "resource":{"elements":{"database":"db-1"}},
+
"accessType":"create","user":"su1","userGroups":[""],"requestData":"create db-1
for su1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create db-2;' for su2",
+ "request":{
+ "resource":{"elements":{"database":"db-2"}},
+
"accessType":"create","user":"su2","userGroups":[""],"requestData":"create db-2
for su2"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create db-1;' for svc-cfg-su1",
+ "request":{
+ "resource":{"elements":{"database":"db-1"}},
+
"accessType":"create","user":"svc-cfg-su1","userGroups":[""],"requestData":"create
db-1 for svc-cfg-su1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create db-2;' for svc-cfg-su2",
+ "request":{
+ "resource":{"elements":{"database":"db-2"}},
+
"accessType":"create","user":"svc-cfg-su2","userGroups":[""],"requestData":"create
db-2 for svc-cfg-su2"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create db-1.tbl-1;' for user1 (in sg1)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+
"accessType":"create","user":"user1","userGroups":["sg1"],"requestData":"create
db-1.tbl-1;' for user1 (in sg1)"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create db-1.tbl-2;' for user2 (in sg2)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+
"accessType":"create","user":"user2","userGroups":["sg2"],"requestData":"create
db-1.tbl-2;' for user2 (in sg2)"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create db-1.tbl-1;' for user1 (in svc-cfg-sg1)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+
"accessType":"create","user":"user1","userGroups":["svc-cfg-sg1"],"requestData":"create
db-1.tbl-1;' for user1 (in svc-cfg-sg1)"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create db-1.tbl-2;' for user2 (in svc-cfg-sg2)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+
"accessType":"create","user":"user2","userGroups":["svc-cfg-sg2"],"requestData":"create
db-1.tbl-2;' for user2 (in svc-cfg-sg2)"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'create db-1.tbl-3;' for user3",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-3"}},
+
"accessType":"create","user":"user3","userGroups":["users"],"requestData":"create
db-1.tbl-3;' for user3"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create testdb;' for su1; no audit",
+ "request":{
+ "resource":{"elements":{"database":"testdb"}},
+
"accessType":"create","user":"su1","userGroups":[""],"requestData":"create db-1
for su1"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":-1}
+ }
+ ]
+}
+