This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new ac9be11 RANGER-2992: updated Ranger policy engine to support
super-user as a permission
ac9be11 is described below
commit ac9be113f48d5fe4de0a3cf5696b29370a601fe6
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Wed Sep 9 18:22:43 2020 -0700
RANGER-2992: updated Ranger policy engine to support super-user as a
permission
---
.../plugin/policyengine/RangerPolicyEngine.java | 7 +-
.../policyengine/RangerPolicyEngineImpl.java | 4 +-
.../plugin/policyengine/TestPolicyEngine.java | 7 +
.../test_policyengine_super_user_access.json | 161 +++++++++++++++++++++
4 files changed, 174 insertions(+), 5 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 100d1f1..4e41adc 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -30,9 +30,10 @@ import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerRoles;
public interface RangerPolicyEngine {
- String GROUP_PUBLIC = "public";
- String ANY_ACCESS = "_any";
- String ADMIN_ACCESS = "_admin";
+ String GROUP_PUBLIC = "public";
+ String ANY_ACCESS = "_any";
+ String ADMIN_ACCESS = "_admin";
+ String SUPER_USER_ACCESS = "_super_user";
String AUDIT_ALL = "audit-all";
String AUDIT_NONE = "audit-none";
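Review bot: The new `SUPER_USER_ACCESS` constant carries no documentation, and unlike `_any`/`_admin` its meaning is not obvious from the name: judging by the engine change in this commit it is a pseudo access-type whose answer is derived solely from super-user/super-group membership and is never evaluated against policies. Suggest a Javadoc line above it, e.g. `/** Pseudo access-type: allowed only for configured super-users/super-groups; never granted by a policy. */`, so plugin authors do not try to grant it via policy items. The interface continues outside the hunk.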
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 25c8d22..b66d5a1 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -515,8 +515,8 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
final boolean isSuperUser =
isSuperUser(request.getUser(), request.getUserGroups());
// for superusers, set access as allowed
- if (isSuperUser) {
- ret.setIsAllowed(true);
+ if (isSuperUser || StringUtils.equals(request.getAccessType(),
RangerPolicyEngine.SUPER_USER_ACCESS)) {
+ ret.setIsAllowed(isSuperUser);
ret.setIsAccessDetermined(true);
ret.setPolicyId(-1);
ret.setPolicyPriority(Integer.MAX_VALUE);
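Review bot: The comment `// for superusers, set access as allowed` on the line before the changed condition is now inaccurate: the branch is also taken for a non-super-user requesting `_super_user`, who gets `isAllowed=false` with `isAccessDetermined=true`, `policyId=-1` and `Integer.MAX_VALUE` priority, so no policy can ever grant that access type. That is presumably the intent (a privilege that cannot be delegated through policies), but it should be stated where the short-circuit happens, e.g. `// super-users are always allowed; the _super_user pseudo access-type is answered from super-user/group membership only and is never evaluated against policies`. The enclosing method continues outside the hunk.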
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index cc16655..63fccd0 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -423,6 +423,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(resourceFiles);
}
+ @Test
+ public void testPolicyEngine_superUserAccess() {
+ String[] resourceFiles =
{"/policyengine/test_policyengine_super_user_access.json"};
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
private void runTestsFromResourceFiles(String[] resourceNames) {
for(String resourceName : resourceNames) {
InputStream inStream =
this.getClass().getResourceAsStream(resourceName);
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_super_user_access.json
b/agents-common/src/test/resources/policyengine/test_policyengine_super_user_access.json
new file mode 100644
index 0000000..cb5ca16
--- /dev/null
+++
b/agents-common/src/test/resources/policyengine/test_policyengine_super_user_access.json
@@ -0,0 +1,161 @@
+{
+ "serviceName":"hivedev",
+
+ "serviceDef": {
+ "id":3,
+ "name": "hive",
+ "implClass": "org.apache.ranger.services.hive.RangerServiceHive",
+ "label": "Hive Server2",
+ "description": "Hive Server2",
+ "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
+
+ "resources": [
+ {"itemId": 1, "name": "database", "type": "string", "level": 10,
"parent": "", "mandatory": true, "lookupSupported": true, "recursiveSupported":
false, "excludesSupported": true, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"",
"validationMessage": "", "uiHint":"", "label": "Hive Database", "description":
"Hive Database", "isValidLeaf": true},
+ {"itemId": 2, "name": "table", "type": "string", "level": 20, "parent":
"database", "mandatory": true, "lookupSupported": true, "recursiveSupported":
false, "excludesSupported": true, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"",
"validationMessage": "", "uiHint":"", "label": "Hive Table", "description":
"Hive Table", "isValidLeaf": true},
+ {"itemId": 3, "name": "udf", "type": "string", "level": 20, "parent":
"database", "mandatory": true, "lookupSupported": true, "recursiveSupported":
false, "excludesSupported": true, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"",
"validationMessage": "", "uiHint":"", "label": "Hive UDF", "description": "Hive
UDF", "isValidLeaf": true},
+ {"itemId": 4, "name": "column", "type": "string", "level": 30, "parent":
"table", "mandatory": true, "lookupSupported": true, "recursiveSupported":
false, "excludesSupported": true, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"",
"validationMessage": "", "uiHint":"", "label": "Hive Column", "description":
"Hive Column", "isValidLeaf": true},
+ {"itemId": 5, "name": "url", "type": "string", "level": 10, "parent":
"", "mandatory": true, "lookupSupported": false, "recursiveSupported": true,
"excludesSupported": false, "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
"matcherOptions": { "wildCard":true, "ignoreCase":false },
"validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "URL",
"description": "URL", "isValidLeaf": true}
+ ],
+
+ "accessTypes": [
+ {"itemId": 1, "name": "select", "label": "select"},
+ {"itemId": 2, "name": "update", "label": "update"},
+ {"itemId": 3, "name": "create", "label": "Create"},
+ {"itemId": 4, "name": "drop", "label": "Drop"},
+ {"itemId": 5, "name": "alter", "label": "Alter"},
+ {"itemId": 6, "name": "index", "label": "Index"},
+ {"itemId": 7, "name": "lock", "label": "Lock"},
+ {"itemId": 8, "name": "all", "label": "All",
+ "impliedGrants": ["select", "update", "create", "drop", "alter",
"index", "lock", "read", "write"]},
+ {"itemId": 9, "name": "read", "label": "Read"},
+ {"itemId": 10, "name": "write", "label": "Write"}
+ ],
+
+ "configs": [
+ {"itemId": 1, "name": "username", "type": "string", "mandatory": true,
"validationRegEx":"", "validationMessage": "", "uiHint":"", "label":
"Username"},
+ {"itemId": 2, "name": "password", "type": "password", "mandatory": true,
"validationRegEx":"", "validationMessage": "", "uiHint":"", "label":
"Password"},
+ {"itemId": 3, "name": "jdbc.driverClassName", "type": "string",
"mandatory": true, "validationRegEx":"", "validationMessage": "", "uiHint":"",
"defaultValue": "org.apache.hive.jdbc.HiveDriver"},
+ {"itemId": 4, "name": "jdbc.url", "type": "string", "mandatory": true,
"defaultValue": "", "validationRegEx":"", "validationMessage": "", "uiHint":""},
+ {"itemId": 5, "name": "commonNameForCertificate", "type": "string",
"mandatory": false, "validationRegEx":"", "validationMessage": "", "uiHint":"",
"label": "Common Name for Certificate"}
+ ],
+
+ "enums": [
+ ],
+
+ "contextEnrichers": [
+ ],
+
+ "policyConditions": [
+ ]
+ },
+
+ "serviceConfig": {
+ "ranger.plugin.super.users": "svc-cfg-su1, svc-cfg-su2",
+ "ranger.plugin.super.groups": "svc-cfg-sg1, svc-cfg-sg2"
+ },
+
+ "policies":[
+ {"id":1,"name":"database=db-*,table=*,column=* -
audit-all-access","isEnabled":true,"isAuditEnabled":true,
+
"resources":{"database":{"values":["db-*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+ "policyItems":[
+ ],
+ "denyPolicyItems":[
+
{"accesses":[{"type":"create","isAllowed":true}],"users":["hive1","hive2"],"groups":["hadoop","hive"],"delegateAdmin":false}
+ ]
+ }
+ ],
+
+ "superUsers": [ "su1", "su2" ],
+ "superGroups": [ "sg1", "sg2" ],
+
+ "tests":[
+ {"name":"ALLOW '_super_user' for su1",
+ "request":{
+ "resource":{"elements":{"database":"db-1"}},
+
"accessType":"_super_user","user":"su1","userGroups":[""],"requestData":"_super_user
for su1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW '_super_user' for su2",
+ "request":{
+ "resource":{"elements":{"database":"db-2"}},
+
"accessType":"_super_user","user":"su2","userGroups":[""],"requestData":"_super_user
for su2"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW '_super_user' for svc-cfg-su1",
+ "request":{
+ "resource":{"elements":{"database":"db-1"}},
+
"accessType":"_super_user","user":"svc-cfg-su1","userGroups":[""],"requestData":"_super_user
for svc-cfg-su1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW '_super_user' for svc-cfg-su2",
+ "request":{
+ "resource":{"elements":{"database":"db-2"}},
+
"accessType":"_super_user","user":"svc-cfg-su2","userGroups":[""],"requestData":"_super_user
for svc-cfg-su2"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW '_super_user' for user1 (in sg1)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+
"accessType":"_super_user","user":"user1","userGroups":["sg1"],"requestData":"_super_user
for user1 (in sg1)"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW '_super_user;' for user2 (in sg2)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+
"accessType":"_super_user","user":"user2","userGroups":["sg2"],"requestData":"_super_user
for user2 (in sg2)"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW '_super_user' for user1 (in svc-cfg-sg1)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+
"accessType":"_super_user","user":"user1","userGroups":["svc-cfg-sg1"],"requestData":"_super_user
for user1 (in svc-cfg-sg1)"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW '_super_user' for user2 (in svc-cfg-sg2)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+
"accessType":"_super_user","user":"user2","userGroups":["svc-cfg-sg2"],"requestData":"_super_user
for user2 (in svc-cfg-sg2)"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW '_super_user' for su1; no audit",
+ "request":{
+ "resource":{"elements":{"database":"testdb"}},
+
"accessType":"_super_user","user":"su1","userGroups":[""],"requestData":"_super_user
for su1"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":-1}
+ }
+ ,
+ {"name":"DENY '_super_user' for user3",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-3"}},
+
"accessType":"_super_user","user":"user3","userGroups":["users"],"requestData":"_super_user
for user3"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY '_super_user' for user3; no audit",
+ "request":{
+ "resource":{"elements":{"database":"testdb"}},
+
"accessType":"_super_user","user":"user3","userGroups":["users"],"requestData":"_super_user
for user3"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ]
+}
+
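Review bot: The test set never checks the property that matters most for `_super_user`: that a policy grant cannot confer it. The only policy in the file carries an empty `policyItems` list and a single `create` deny item, so a regression that let the engine fall through to policy evaluation for `_super_user` would still pass every case here. Suggest adding an allow `policyItems` entry granting `all` on `database=db-*` to `user3` and keeping the `DENY '_super_user' for user3` expectation, which pins that membership, not policy, decides this access type. Separately, the test name `ALLOW '_super_user;' for user2 (in sg2)` has a stray semicolon inside the quotes that will show up confusingly in failure output.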