This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new e9b724b  RANGER-3156: RangerResouceTrie.add() and 
RangerResourceTrie.delete() do not work correctly for the resources containing 
wildcards
e9b724b is described below

commit e9b724b05e395587c0fcd67ce576fe3a0bc54b80
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Sat Jan 23 13:28:42 2021 -0800

    RANGER-3156: RangerResouceTrie.add() and RangerResourceTrie.delete() do not 
work correctly for the resources containing wildcards
---
 .../plugin/policyengine/RangerResourceTrie.java    |  46 +-
 .../ranger/plugin/service/RangerBasePlugin.java    |   5 +-
 .../ranger/plugin/util/RangerPolicyDeltaUtil.java  |   7 +-
 .../policyengine/TestPolicyEngineForDeltas.java    | 570 ++++++++++++++++++
 .../test_policyengine_hdfs_incremental_delete.json | 635 +++++++++++++++++++++
 .../main/resources/META-INF/jpa_named_queries.xml  |   4 +-
 6 files changed, 1244 insertions(+), 23 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 6d784c2..7149135 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -258,6 +258,11 @@ public class RangerResourceTrie<T extends 
RangerPolicyResourceEvaluator> {
     public void wrapUpUpdate() {
         if (root != null) {
             root.wrapUpUpdate();
+            if (TRACE_LOG.isTraceEnabled()) {
+                StringBuilder sb = new StringBuilder();
+                root.toString("", sb);
+                TRACE_LOG.trace("Trie Dump from 
RangerResourceTrie.wrapUpUpdate(name=" + resourceDef.getName() + "):\n{" + 
sb.toString() + "}");
+            }
         }
     }
 
@@ -988,13 +993,14 @@ public class RangerResourceTrie<T extends 
RangerPolicyResourceEvaluator> {
         }
 
         void addWildcardEvaluator(U evaluator) {
+            undoSetup();
+
             if (wildcardEvaluators == null) {
                 wildcardEvaluators = new HashSet<>();
             }
 
             if (!wildcardEvaluators.contains(evaluator)) {
                 wildcardEvaluators.add(evaluator);
-                undoSetup();
             }
         }
 
@@ -1008,20 +1014,13 @@ public class RangerResourceTrie<T extends 
RangerPolicyResourceEvaluator> {
             }
         }
 
-        boolean removeWildcardEvaluator(U evaluator) {
-            if (CollectionUtils.isNotEmpty(wildcardEvaluators) && 
wildcardEvaluators.contains(evaluator)) {
-                undoSetup();
-
-                if (CollectionUtils.isNotEmpty(wildcardEvaluators)) {
-                    wildcardEvaluators.remove(evaluator);
+        void removeWildcardEvaluator(U evaluator) {
+            if (CollectionUtils.isNotEmpty(wildcardEvaluators)) {
+                wildcardEvaluators.remove(evaluator);
 
-                    if (CollectionUtils.isEmpty(wildcardEvaluators)) {
-                        wildcardEvaluators = null;
-                    }
+                if (CollectionUtils.isEmpty(wildcardEvaluators)) {
+                    wildcardEvaluators = null;
                 }
-                return true;
-            } else {
-                return false;
             }
         }
 
@@ -1066,6 +1065,15 @@ public class RangerResourceTrie<T extends 
RangerPolicyResourceEvaluator> {
             }
         }
 
+        void removeSelfFromTrie() {
+            if (evaluators == null && wildcardEvaluators == null && 
children.size() == 0) {
+                TrieNode<U> parent = getParent();
+                if (parent != null) {
+                    parent.children.remove(str.charAt(0));
+                }
+            }
+        }
+
         void wrapUpUpdate() {
             if (isOptimizedForRetrieval) {
                 RangerPerfTracer postSetupPerf = null;
@@ -1155,13 +1163,13 @@ public class RangerResourceTrie<T extends 
RangerPolicyResourceEvaluator> {
         }
 
         private void removeEvaluatorFromSubtree(U evaluator) {
-            if (removeWildcardEvaluator(evaluator)) {
-                for (Map.Entry<Character, TrieNode<U>> entry : 
children.entrySet()) {
-                    entry.getValue().removeEvaluatorFromSubtree(evaluator);
-                }
+            if (CollectionUtils.isNotEmpty(wildcardEvaluators) && 
wildcardEvaluators.contains(evaluator)) {
+                undoSetup();
+                removeWildcardEvaluator(evaluator);
+            } else {
+                removeEvaluator(evaluator);
             }
-
-            removeEvaluator(evaluator);
+            removeSelfFromTrie();
         }
 
         void toString(StringBuilder sb) {
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index e1f09b8..fda57f9 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -212,7 +212,7 @@ public class RangerBasePlugin {
                                Boolean hasPolicyDeltas = 
RangerPolicyDeltaUtil.hasPolicyDeltas(policies);
 
                                if (hasPolicyDeltas == null) {
-                                       LOG.warn("Downloaded policies are 
internally inconsistent!! [" + policies + "]. Please check server-side code! 
Keeping old policy-engine!");
+                                       LOG.warn("Downloaded policies do not 
require policy change !! [" + policies + "]. Keeping old policy-engine!");
                                        isNewEngineNeeded = false;
                                } else {
                                        if 
(hasPolicyDeltas.equals(Boolean.TRUE)) {
@@ -230,6 +230,9 @@ public class RangerBasePlugin {
                                                }
                                        } else {
                                                usePolicyDeltas = false;
+                                               if (policies.getPolicies() == 
null) {
+                                                       
policies.setPolicies(new ArrayList<>());
+                                               }
                                        }
                                }
                        }
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index 0269461..62b60a1 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -183,8 +183,13 @@ public class RangerPolicyDeltaUtil {
             boolean isPolicyDeltasExist = 
CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) || 
isPolicyDeltasExistInSecurityZones;
 
             if (isPoliciesExist && isPolicyDeltasExist) {
-                LOG.warn("ServicePolicies contain both policies and 
policy-deltas!!");
+                LOG.warn("ServicePolicies contain both policies and 
policy-deltas!! Cannot build policy-engine from these servicePolicies. Please 
check server-side code!");
+                LOG.warn("Downloaded ServicePolicies are [" + servicePolicies 
+ "]");
                 ret = null;
+            } else if (!isPoliciesExist && !isPolicyDeltasExist) {
+                LOG.warn("ServicePolicies do not contain any policies or 
policy-deltas!! There are no material changes in the policies. There may be 
service changes!");
+                LOG.warn("Downloaded ServicePolicies are [" + servicePolicies 
+ "]");
+                ret = false;
             } else {
                 ret = isPolicyDeltasExist;
             }
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
new file mode 100644
index 0000000..c4187cc
--- /dev/null
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
@@ -0,0 +1,570 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonDeserializationContext;
+import com.google.gson.JsonDeserializer;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonParseException;
+import com.google.gson.reflect.TypeToken;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.audit.provider.AuditHandler;
+import org.apache.ranger.audit.provider.AuditProviderFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicyDelta;
+import org.apache.ranger.plugin.model.RangerRole;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import 
org.apache.ranger.plugin.policyengine.TestPolicyEngineForDeltas.PolicyEngineTestCase.TestData;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
+import org.apache.ranger.plugin.util.RangerRequestedResources;
+import org.apache.ranger.plugin.util.RangerRoles;
+import org.apache.ranger.plugin.util.ServicePolicies;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.lang.reflect.Type;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+
+import static org.junit.Assert.*;
+
+public class TestPolicyEngineForDeltas {
+       static RangerPluginContext pluginContext;
+       static Gson gsonBuilder;
+
+       @BeforeClass
+       public static void setUpBeforeClass() throws Exception {
+               pluginContext = new RangerPluginContext(new 
RangerPluginConfig("hive", null, "hive", "cl1", "on-prem", null));
+
+               gsonBuilder = new 
GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSSZ")
+                               .setPrettyPrinting()
+                               .registerTypeAdapter(RangerAccessRequest.class, 
new RangerAccessRequestDeserializer())
+                               
.registerTypeAdapter(RangerAccessResource.class, new 
RangerResourceDeserializer())
+                               .create();
+
+               // For setting up auditProvider
+               Properties auditProperties = new Properties();
+
+               String AUDIT_PROPERTIES_FILE = "xasecure-audit.properties";
+
+               File propFile = new File(AUDIT_PROPERTIES_FILE);
+
+               if (propFile.exists()) {
+                       System.out.println("Loading Audit properties file" + 
AUDIT_PROPERTIES_FILE);
+
+                       auditProperties.load(new FileInputStream(propFile));
+               } else {
+                       System.out.println("Audit properties file missing: " + 
AUDIT_PROPERTIES_FILE);
+
+                       
auditProperties.setProperty("xasecure.audit.jpa.javax.persistence.jdbc.url", 
"jdbc:mysql://node-1:3306/xasecure_audit");
+                       
auditProperties.setProperty("xasecure.audit.jpa.javax.persistence.jdbc.user", 
"xalogger");
+                       
auditProperties.setProperty("xasecure.audit.jpa.javax.persistence.jdbc.password",
 "xalogger");
+                       
auditProperties.setProperty("xasecure.audit.jpa.javax.persistence.jdbc.driver", 
"com.mysql.jdbc.Driver");
+
+                       
auditProperties.setProperty("xasecure.audit.is.enabled", "false"); // Set this 
to true to enable audit logging
+                       
auditProperties.setProperty("xasecure.audit.log4j.is.enabled", "false");
+                       
auditProperties.setProperty("xasecure.audit.log4j.is.async", "false");
+                       
auditProperties.setProperty("xasecure.audit.log4j.async.max.queue.size", 
"100000");
+                       
auditProperties.setProperty("xasecure.audit.log4j.async.max.flush.interval.ms", 
"30000");
+                       
auditProperties.setProperty("xasecure.audit.db.is.enabled", "false");
+                       
auditProperties.setProperty("xasecure.audit.db.is.async", "false");
+                       
auditProperties.setProperty("xasecure.audit.db.async.max.queue.size", "100000");
+                       
auditProperties.setProperty("xasecure.audit.db.async.max.flush.interval.ms", 
"30000");
+                       
auditProperties.setProperty("xasecure.audit.db.batch.size", "100");
+               }
+
+               AuditProviderFactory factory = 
AuditProviderFactory.getInstance();
+               factory.init(auditProperties, "hdfs"); // second parameter does 
not matter for v2
+
+               AuditHandler provider = factory.getAuditProvider();
+
+               System.out.println("provider=" + provider.toString());
+
+               File file = File.createTempFile("ranger-admin-test-site", 
".xml");
+               file.deleteOnExit();
+
+               FileOutputStream outStream = new FileOutputStream(file);
+               OutputStreamWriter writer = new OutputStreamWriter(outStream);
+
+               /*
+               // For setting up TestTagProvider
+
+               writer.write("<configuration>\n" +
+                               "        <property>\n" +
+                               "                
<name>ranger.plugin.tag.policy.rest.url</name>\n" +
+                               "                
<value>http://os-def:6080</value>\n" +
+                               "        </property>\n" +
+                               "        <property>\n" +
+                               "                
<name>ranger.externalurl</name>\n" +
+                               "                
<value>http://os-def:6080</value>\n" +
+                               "        </property>\n" +
+                               "</configuration>\n");
+                               */
+
+               writer.write("<configuration>\n" +
+                               /*
+                               // For setting up TestTagProvider
+                               "        <property>\n" +
+                               "                
<name>ranger.plugin.tag.policy.rest.url</name>\n" +
+                               "                
<value>http://os-def:6080</value>\n" +
+                               "        </property>\n" +
+                               "        <property>\n" +
+                               "                
<name>ranger.externalurl</name>\n" +
+                               "                
<value>http://os-def:6080</value>\n" +
+                               "        </property>\n" +
+                               */
+                               // For setting up x-forwarded-for for Hive
+                               "        <property>\n" +
+                               "                
<name>ranger.plugin.hive.use.x-forwarded-for.ipaddress</name>\n" +
+                               "                <value>true</value>\n" +
+                               "        </property>\n" +
+                               "        <property>\n" +
+                               "                
<name>ranger.plugin.hive.trusted.proxy.ipaddresses</name>\n" +
+                               "                <value>255.255.255.255; 
128.101.101.101;128.101.101.99</value>\n" +
+                               "        </property>\n" +
+                               "        <property>\n" +
+                               "                
<name>ranger.plugin.tag.attr.additional.date.formats</name>\n" +
+                               "                
<value>abcd||xyz||yyyy/MM/dd'T'HH:mm:ss.SSS'Z'</value>\n" +
+                               "        </property>\n" +
+                               "        <property>\n" +
+                               "                
<name>ranger.policyengine.trie.builder.thread.count</name>\n" +
+                               "                <value>3</value>\n" +
+                               "        </property>\n" +
+                "</configuration>\n");
+               writer.close();
+
+               pluginContext.getConfig().addResource(new 
org.apache.hadoop.fs.Path(file.toURI()));
+       }
+
+       @AfterClass
+       public static void tearDownAfterClass() {
+       }
+
+       @Test
+       public void testPolicyEngine_hdfs_incremental_delete() {
+               String[] hdfsTestResourceFiles = 
{"/policyengine/test_policyengine_hdfs_incremental_delete.json"};
+
+               runTestsFromResourceFiles(hdfsTestResourceFiles);
+       }
+
+       private void runTestsFromResourceFiles(String[] resourceNames) {
+               for(String resourceName : resourceNames) {
+                       InputStream inStream = 
this.getClass().getResourceAsStream(resourceName);
+                       InputStreamReader reader   = new 
InputStreamReader(inStream);
+
+                       runTests(reader, resourceName);
+               }
+       }
+
+       private void runTests(InputStreamReader reader, String testName) {
+               PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, 
PolicyEngineTestCase.class);
+
+               assertTrue("invalid input: " + testName, testCase != null && 
testCase.serviceDef != null && testCase.policies != null && testCase.testsInfo 
!= null && testCase.testsInfo.tests != null);
+
+               ServicePolicies servicePolicies = new ServicePolicies();
+               servicePolicies.setPolicyVersion(100L);
+               servicePolicies.setServiceName(testCase.serviceName);
+               servicePolicies.setServiceDef(testCase.serviceDef);
+               servicePolicies.setPolicies(testCase.policies);
+               servicePolicies.setSecurityZones(testCase.securityZones);
+               servicePolicies.setServiceConfig(testCase.serviceConfig);
+
+               if (StringUtils.isNotBlank(testCase.auditMode)) {
+                       servicePolicies.setAuditMode(testCase.auditMode);
+               }
+
+               if (null != testCase.tagPolicyInfo) {
+                       ServicePolicies.TagPolicies tagPolicies = new 
ServicePolicies.TagPolicies();
+                       
tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
+                       
tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
+                       
tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
+                       
tagPolicies.setServiceConfig(testCase.tagPolicyInfo.serviceConfig);
+
+                       if (StringUtils.isNotBlank(testCase.auditMode)) {
+                               tagPolicies.setAuditMode(testCase.auditMode);
+                       }
+                       servicePolicies.setTagPolicies(tagPolicies);
+               }
+
+               boolean useForwardedIPAddress = 
pluginContext.getConfig().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress",
 false);
+               String trustedProxyAddressString = 
pluginContext.getConfig().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
+               String[] trustedProxyAddresses = 
StringUtils.split(trustedProxyAddressString, ';');
+               if (trustedProxyAddresses != null) {
+                       for (int i = 0; i < trustedProxyAddresses.length; i++) {
+                               trustedProxyAddresses[i] = 
trustedProxyAddresses[i].trim();
+                       }
+               }
+
+               RangerRoles roles = new RangerRoles();
+               roles.setServiceName(testCase.serviceName);
+               roles.setRoleVersion(-1L);
+               Set<RangerRole> rolesSet = new HashSet<>();
+
+               Map<String, Set<String>> userRoleMapping = testCase.userRoles;
+               Map<String, Set<String>> groupRoleMapping = testCase.groupRoles;
+               Map<String, Set<String>> roleRoleMapping = testCase.roleRoles;
+               if (userRoleMapping != null) {
+                       for (Map.Entry<String, Set<String>> userRole : 
userRoleMapping.entrySet()) {
+                               String user = userRole.getKey();
+                               Set<String> userRoles = userRole.getValue();
+                               RangerRole.RoleMember userRoleMember = new 
RangerRole.RoleMember(user, true);
+                               List<RangerRole.RoleMember> userRoleMembers = 
Arrays.asList(userRoleMember);
+                               for (String usrRole : userRoles) {
+                                       RangerRole rangerUserRole = new 
RangerRole(usrRole, usrRole, null, userRoleMembers, null);
+                                       rolesSet.add(rangerUserRole);
+                               }
+                       }
+               }
+
+               if (groupRoleMapping != null) {
+                       for (Map.Entry<String, Set<String>> groupRole : 
groupRoleMapping.entrySet()) {
+                               String group = groupRole.getKey();
+                               Set<String> groupRoles = groupRole.getValue();
+                               RangerRole.RoleMember groupRoleMember = new 
RangerRole.RoleMember(group, true);
+                               List<RangerRole.RoleMember> groupRoleMembers = 
Arrays.asList(groupRoleMember);
+                               for (String grpRole : groupRoles) {
+                                       RangerRole rangerGroupRole = new 
RangerRole(grpRole, grpRole, null, null, groupRoleMembers);
+                                       rolesSet.add(rangerGroupRole);
+                               }
+                       }
+               }
+
+               if (roleRoleMapping != null) {
+                       for (Map.Entry<String, Set<String>> roleRole : 
roleRoleMapping.entrySet()) {
+                               String role = roleRole.getKey();
+                               Set<String> roleRoles = roleRole.getValue();
+                               RangerRole.RoleMember roleRoleMember = new 
RangerRole.RoleMember(role, true);
+                               List<RangerRole.RoleMember> roleRoleMembers = 
Arrays.asList(roleRoleMember);
+                               for (String rleRole : roleRoles) {
+                                       RangerRole rangerRoleRole = new 
RangerRole(rleRole, rleRole, null, null, null, roleRoleMembers);
+                                       rolesSet.add(rangerRoleRole);
+                               }
+                       }
+               }
+
+               roles.setRangerRoles(rolesSet);
+
+        RangerPolicyEngineOptions policyEngineOptions = 
pluginContext.getConfig().getPolicyEngineOptions();
+
+        policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
+
+        setPluginConfig(pluginContext.getConfig(), ".super.users", 
testCase.superUsers);
+        setPluginConfig(pluginContext.getConfig(), ".super.groups", 
testCase.superGroups);
+        setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", 
testCase.auditExcludedUsers);
+        setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", 
testCase.auditExcludedGroups);
+        setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", 
testCase.auditExcludedRoles);
+
+        // so that setSuperUsersAndGroups(), 
setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
+        new RangerBasePlugin(pluginContext.getConfig());
+
+        RangerPolicyEngineImpl policyEngine = new 
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
+
+        policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
+        policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
+
+        policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = 
false;
+
+               RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new 
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
+
+               
policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
+               
policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
+
+               PolicyEngineTestCase.TestsInfo testsInfo = testCase.testsInfo;
+               do {
+                       runTestCaseTests(policyEngine, 
policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, 
testsInfo.tests);
+                       if (testsInfo.updatedPolicies != null && 
CollectionUtils.isNotEmpty(testsInfo.updatedPolicies.policyDeltas)) {
+                               
servicePolicies.setPolicyDeltas(testsInfo.updatedPolicies.policyDeltas);
+                               servicePolicies.setPolicies(null);
+                               if 
(MapUtils.isNotEmpty(testsInfo.updatedPolicies.securityZones)) {
+                                       
servicePolicies.setSecurityZones(testsInfo.updatedPolicies.securityZones);
+                               }
+                               policyEngine = (RangerPolicyEngineImpl) 
RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
+                               policyEngineForEvaluatingWithACLs = 
(RangerPolicyEngineImpl) 
RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, 
servicePolicies);
+                               if (policyEngine != null && 
policyEngineForEvaluatingWithACLs != null) {
+                                       testsInfo = testsInfo.updatedTestsInfo;
+                               } else {
+                                       testsInfo = null;
+                               }
+                       } else {
+                               testsInfo = null;
+                       }
+
+               } while (testsInfo != null && testsInfo.tests != null);
+
+       }
+
+    private void runTestCaseTests(RangerPolicyEngine policyEngine, 
RangerPolicyEngine policyEngineForEvaluatingWithACLs, RangerServiceDef 
serviceDef, String testName, List<TestData> tests) {
+        RangerAccessRequest request;
+
+        for(TestData test : tests) {
+                       request = test.request;
+
+                       if 
(request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) ||
+                                       
request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES))
 {
+                               // Create a new AccessRequest
+                               RangerAccessRequestImpl newRequest =
+                                               new 
RangerAccessRequestImpl(request.getResource(), request.getAccessType(),
+                                                               
request.getUser(), request.getUserGroups(), null);
+
+                               
newRequest.setClientType(request.getClientType());
+                               
newRequest.setAccessTime(request.getAccessTime());
+                               newRequest.setAction(request.getAction());
+                               
newRequest.setRemoteIPAddress(request.getRemoteIPAddress());
+                               
newRequest.setForwardedAddresses(request.getForwardedAddresses());
+                               
newRequest.setRequestData(request.getRequestData());
+                               newRequest.setSessionId(request.getSessionId());
+
+                               Map<String, Object> context = 
request.getContext();
+                               String tagsJsonString = (String) 
context.get(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
+                               
context.remove(RangerAccessRequestUtil.KEY_CONTEXT_TAGS);
+
+                               if(!StringUtils.isEmpty(tagsJsonString)) {
+                                       try {
+                                               Type setType = new 
TypeToken<Set<RangerTagForEval>>() {
+                                               }.getType();
+                                               Set<RangerTagForEval> tags = 
gsonBuilder.fromJson(tagsJsonString, setType);
+
+                                               
context.put(RangerAccessRequestUtil.KEY_CONTEXT_TAGS, tags);
+                                       } catch (Exception e) {
+                                               
System.err.println("TestPolicyEngineForDeltas.runTests(): error parsing TAGS 
JSON string in file " + testName + ", tagsJsonString=" +
+                                                               tagsJsonString 
+ ", exception=" + e);
+                                       }
+                               } else if 
(request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES))
 {
+                                       String resourcesJsonString = (String) 
context.get(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
+                                       
context.remove(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES);
+                                       if 
(!StringUtils.isEmpty(resourcesJsonString)) {
+                                               try {
+                                                       /*
+                                                       Reader stringReader = 
new StringReader(resourcesJsonString);
+                                                       
RangerRequestedResources resources = gsonBuilder.fromJson(stringReader, 
RangerRequestedResources.class);
+                                                       */
+
+                                                       Type myType = new 
TypeToken<RangerRequestedResources>() {
+                                                       }.getType();
+                                                       
RangerRequestedResources resources = gsonBuilder.fromJson(resourcesJsonString, 
myType);
+
+                                                       
context.put(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES, resources);
+                                               } catch (Exception e) {
+                                                       
System.err.println("TestPolicyEngineForDeltas.runTests(): error parsing 
REQUESTED_RESOURCES string in file " + testName + ", resourcesJsonString=" +
+                                                                       
resourcesJsonString + ", exception=" + e);
+                                               }
+                                       }
+                               }
+                               newRequest.setContext(context);
+
+                               // accessResource.ServiceDef is set here, so 
that we can skip call to policyEngine.preProcess() which
+                               // sets the serviceDef in the resource AND 
calls enrichers. We dont want enrichers to be called when
+                               // context already contains tags -- This may 
change when we want enrichers to enrich request in the
+                               // presence of tags!!!
+
+                               // Safe cast
+                               RangerAccessResourceImpl accessResource = 
(RangerAccessResourceImpl) request.getResource();
+                               accessResource.setServiceDef(serviceDef);
+
+                               request = newRequest;
+
+                       }
+
+                       RangerAccessResultProcessor auditHandler = new 
RangerDefaultAuditHandler();
+
+                       if(test.result != null) {
+                RangerAccessResult expected = test.result;
+                RangerAccessResult result;
+
+                               result   = 
policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, 
auditHandler);
+
+                               policyEngine.evaluateAuditPolicies(result);
+
+                               assertNotNull("result was null! - " + 
test.name, result);
+                               assertEquals("isAllowed mismatched! - " + 
test.name, expected.getIsAllowed(), result.getIsAllowed());
+                               assertEquals("policy-id mismatched! - " + 
test.name, expected.getPolicyId(), result.getPolicyId());
+                               assertEquals("isAudited mismatched! - " + 
test.name, expected.getIsAudited(), result.getIsAudited() && 
result.getIsAuditedDetermined());
+
+                               result   = 
policyEngineForEvaluatingWithACLs.evaluatePolicies(request, 
RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
+
+                               policyEngine.evaluateAuditPolicies(result);
+
+                assertNotNull("result was null! - " + test.name, result);
+                assertEquals("isAllowed mismatched! - " + test.name, 
expected.getIsAllowed(), result.getIsAllowed());
+                assertEquals("isAudited mismatched! - " + test.name, 
expected.getIsAudited(), result.getIsAudited());
+                       }
+
+                       if(test.dataMaskResult != null) {
+                               RangerAccessResult expected = 
test.dataMaskResult;
+                               RangerAccessResult result;
+
+                result   = policyEngine.evaluatePolicies(request, 
RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
+
+                policyEngine.evaluateAuditPolicies(result);
+
+                assertNotNull("result was null! - " + test.name, result);
+                assertEquals("maskType mismatched! - " + test.name, 
expected.getMaskType(), result.getMaskType());
+                assertEquals("maskCondition mismatched! - " + test.name, 
expected.getMaskCondition(), result.getMaskCondition());
+                assertEquals("maskedValue mismatched! - " + test.name, 
expected.getMaskedValue(), result.getMaskedValue());
+                assertEquals("policyId mismatched! - " + test.name, 
expected.getPolicyId(), result.getPolicyId());
+
+                result = 
policyEngineForEvaluatingWithACLs.evaluatePolicies(request, 
RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
+
+                policyEngine.evaluateAuditPolicies(result);
+
+                               assertNotNull("result was null! - " + 
test.name, result);
+                               assertEquals("maskType mismatched! - " + 
test.name, expected.getMaskType(), result.getMaskType());
+                               assertEquals("maskCondition mismatched! - " + 
test.name, expected.getMaskCondition(), result.getMaskCondition());
+                               assertEquals("maskedValue mismatched! - " + 
test.name, expected.getMaskedValue(), result.getMaskedValue());
+                               assertEquals("policyId mismatched! - " + 
test.name, expected.getPolicyId(), result.getPolicyId());
+
+                       }
+
+                       if(test.rowFilterResult != null) {
+                               RangerAccessResult expected = 
test.rowFilterResult;
+                               RangerAccessResult result;
+
+                result   = policyEngine.evaluatePolicies(request, 
RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
+
+                policyEngine.evaluateAuditPolicies(result);
+
+                assertNotNull("result was null! - " + test.name, result);
+                assertEquals("filterExpr mismatched! - " + test.name, 
expected.getFilterExpr(), result.getFilterExpr());
+                assertEquals("policyId mismatched! - " + test.name, 
expected.getPolicyId(), result.getPolicyId());
+
+                               result = 
policyEngineForEvaluatingWithACLs.evaluatePolicies(request, 
RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
+
+                               policyEngine.evaluateAuditPolicies(result);
+
+                               assertNotNull("result was null! - " + 
test.name, result);
+                               assertEquals("filterExpr mismatched! - " + 
test.name, expected.getFilterExpr(), result.getFilterExpr());
+                               assertEquals("policyId mismatched! - " + 
test.name, expected.getPolicyId(), result.getPolicyId());
+
+                       }
+
+                       if(test.resourceAccessInfo != null) {
+
+                               RangerResourceAccessInfo expected = new 
RangerResourceAccessInfo(test.resourceAccessInfo);
+                               RangerResourceAccessInfo result   = 
policyEngine.getResourceAccessInfo(test.request);
+
+                               assertNotNull("result was null! - " + 
test.name, result);
+                               assertEquals("allowedUsers mismatched! - " + 
test.name, expected.getAllowedUsers(), result.getAllowedUsers());
+                               assertEquals("allowedGroups mismatched! - " + 
test.name, expected.getAllowedGroups(), result.getAllowedGroups());
+                               assertEquals("deniedUsers mismatched! - " + 
test.name, expected.getDeniedUsers(), result.getDeniedUsers());
+                               assertEquals("deniedGroups mismatched! - " + 
test.name, expected.getDeniedGroups(), result.getDeniedGroups());
+                       }
+               }
+
+       }
+
+       private void setPluginConfig(RangerPluginConfig conf, String suffix, 
Set<String> value) {
+               conf.set(conf.getPropertyPrefix() + suffix, 
CollectionUtils.isNotEmpty(value) ? StringUtils.join(value, ',') : "");
+       }
+
+       static class PolicyEngineTestCase {
+               public String             serviceName;
+               public RangerServiceDef   serviceDef;
+               public List<RangerPolicy> policies;
+               public TagPolicyInfo      tagPolicyInfo;
+               public Map<String, ServicePolicies.SecurityZoneInfo> 
securityZones;
+               public Map<String, Set<String>> userRoles;
+               public Map<String, Set<String>> groupRoles;
+               public Map<String, Set<String>> roleRoles;
+               public String             auditMode;
+               public TestsInfo          testsInfo;
+               //public List<TestData>     tests;
+               public Map<String, String> serviceConfig;
+               //public UpdatedPolicies    updatedPolicies;
+               //public List<TestData>     updatedTests;
+               public Set<String>        superUsers;
+               public Set<String>        superGroups;
+               public Set<String>        auditExcludedUsers;
+               public Set<String>        auditExcludedGroups;
+               public Set<String>        auditExcludedRoles;
+
+               static class TestsInfo {
+                       public List<TestData>     tests;
+                       public UpdatedPolicies    updatedPolicies;
+                       public TestsInfo          updatedTestsInfo;
+
+               }
+               static class TestData {
+                       public String              name;
+                       public RangerAccessRequest request;
+                       public RangerAccessResult  result;
+                       public RangerAccessResult  dataMaskResult;
+                       public RangerAccessResult rowFilterResult;
+                       public RangerResourceAccessInfo resourceAccessInfo;
+               }
+
+               static class TagPolicyInfo {
+                       public String   serviceName;
+                       public RangerServiceDef serviceDef;
+                       public Map<String, String> serviceConfig;
+                       public List<RangerPolicy> tagPolicies;
+               }
+       }
+
+       static class UpdatedPolicies {
+               public Map<String, ServicePolicies.SecurityZoneInfo> 
securityZones;
+               public List<RangerPolicyDelta>                       
policyDeltas;
+       }
+
+    static class RangerAccessRequestDeserializer implements 
JsonDeserializer<RangerAccessRequest> {
+               @Override
+               public RangerAccessRequest deserialize(JsonElement jsonObj, 
Type type,
+                               JsonDeserializationContext context) throws 
JsonParseException {
+                       RangerAccessRequestImpl ret = 
gsonBuilder.fromJson(jsonObj, RangerAccessRequestImpl.class);
+
+                       ret.setAccessType(ret.getAccessType()); // to force 
computation of isAccessTypeAny and isAccessTypeDelegatedAdmin
+                       if (ret.getAccessTime() == null) {
+                               ret.setAccessTime(new Date());
+                       }
+
+                       return ret;
+               }
+       }
+       
+       static class RangerResourceDeserializer implements 
JsonDeserializer<RangerAccessResource> {
+               @Override
+               public RangerAccessResource deserialize(JsonElement jsonObj, 
Type type,
+                               JsonDeserializationContext context) throws 
JsonParseException {
+                       return gsonBuilder.fromJson(jsonObj, 
RangerAccessResourceImpl.class);
+               }
+       }
+
+}
+
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_incremental_delete.json
 
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_incremental_delete.json
new file mode 100644
index 0000000..c74af3e
--- /dev/null
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_incremental_delete.json
@@ -0,0 +1,635 @@
+{
+  "serviceName":"hdfsdev",
+
+  "serviceDef":{
+    "name":"hdfs",
+    "id":1,
+    "resources":[
+      
{"name":"path","type":"path","level":10,"mandatory":true,"lookupSupported":true,"recursiveSupported":
 
true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true,
 "ignoreCase":false},"label":"Resource Path","description":"HDFS file or 
directory path"}
+    ],
+    "accessTypes":[
+      {"itemId": 1, "name":"read","label":"Read"},
+      {"itemId": 2, "name":"write","label":"Write"},
+      {"itemId": 3, "name":"execute","label":"Execute"}
+    ],
+    "contextEnrichers": [],
+    "policyConditions": []
+  },
+
+  "policies":[
+    {"id":1,"name":"policy_for_audits","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/*"],"isRecursive":true}},
+      "policyItems":[]
+    }
+  ,
+    
{"id":10,"name":"user1_/test?_notrecursive","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"path":{"values":["/test?"],"isRecursive":false}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ],
+
+  "testsInfo" : {
+    "tests":[
+      {"name":"ALLOW test_01A_wildcard_true_recursive_false",
+        "request":{
+          "resource":{"elements":{"path":"/test1"}},
+          
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1"
+        },
+        "result":{"isAudited":true,"isAllowed":true,"policyId":10}
+      }
+      ,
+      {"name":"DENY test_01B_wildcard_true_recursive_false",
+        "request":{
+          "resource":{"elements":{"path":"/test1/test11"}},
+          
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/test11"
+        },
+        "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+      }
+      ,
+      {"name":"DENY test_01C_wildcard_true_recursive_false",
+        "request":{
+          "resource":{"elements":{"path":"/test12"}},
+          
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test12"
+        },
+        "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+      }
+    ],
+    "updatedPolicies": {
+      "policyDeltas": [
+        {"changeType": 2,
+          "policy": {
+            "id": 10,
+            "version": 1,
+            "policyType": 0,
+            "serviceType": "hdfs"
+          }
+        }
+      ,
+        {"changeType": 0,
+          "policy": {"serviceType": "hdfs", "policyType": 0, "version": 1,
+            
"id":20,"name":"user1_/test?","isEnabled":true,"isAuditEnabled":true,
+            "resources":{"path":{"values":["/test?"],"isRecursive":true}},
+            "policyItems":[
+              {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+            ]
+          }
+        }
+      ]
+    },
+    "updatedTestsInfo" : {
+      "tests": [
+        {"name":"ALLOW test_02A_wildcard_true_recursive_true",
+          "request":{
+            "resource":{"elements":{"path":"/test1/test11"}},
+            
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/test11"
+          },
+          "result":{"isAudited":true,"isAllowed":true,"policyId":20}
+        }
+      ],
+      "updatedPolicies": {
+        "policyDeltas": [
+          {"changeType": 2,
+            "policy": {
+              "id": 20,
+              "version": 1,
+              "policyType": 0,
+              "serviceType": "hdfs"
+            }
+          }
+        ,
+          {"changeType": 0,
+            "policy": {"serviceType": "hdfs", "policyType": 0, "version": 1,
+              
"id":30,"name":"user1_/test?a?_notrecursive","isEnabled":true,"isAuditEnabled":true,
+              "resources":{"path":{"values":["/test?a?"],"isRecursive":false}},
+              "policyItems":[
+                {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+              ]
+            }
+          }
+        ]
+      },
+      "updatedTestsInfo" : {
+        "tests": [
+          {"name":"ALLOW test_03A_wildcard_true_recursive_false",
+            "request":{
+              "resource":{"elements":{"path":"/test1a1"}},
+              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1a1"
+            },
+            "result":{"isAudited":true,"isAllowed":true,"policyId":30}
+          }
+          ,
+          {"name":"DENY test_03B_wildcard_true_recursive_false",
+            "request":{
+              "resource":{"elements":{"path":"/test2A2"}},
+              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test2A2"
+            },
+            "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+          }
+        ,
+          {"name":"DENY test_03C_wildcard_true_recursive_false",
+            "request":{
+              "resource":{"elements":{"path":"/test1a12"}},
+              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1a12"
+            },
+            "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+          }
+        ,
+          {"name":"DENY test_03D_wildcard_true_recursive_false",
+            "request":{
+              "resource":{"elements":{"path":"/test12a1"}},
+              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test12a1"
+            },
+            "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+          }
+        ,
+          {"name":"DENY test_03E_wildcard_true_recursive_false",
+            "request":{
+              "resource":{"elements":{"path":"/test12a12"}},
+              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test12a12"
+            },
+            "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+          }
+        ,
+          {"name":"DENY test_03F_wildcard_true_recursive_false",
+            "request":{
+              "resource":{"elements":{"path":"/test1a"}},
+              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1a"
+            },
+            "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+          }
+        ],
+        "updatedPolicies": {
+          "policyDeltas": [
+            {"changeType": 2,
+              "policy": {
+                "id": 30,
+                "version": 1,
+                "policyType": 0,
+                "serviceType": "hdfs"
+              }
+            }
+          ,
+            {"changeType": 0,
+              "policy": {"serviceType": "hdfs", "policyType": 0, "version": 1,
+                
"id":40,"name":"user1_/test?a?_recursive","isEnabled":true,"isAuditEnabled":true,
+                
"resources":{"path":{"values":["/test?a?"],"isRecursive":true}},
+                "policyItems":[
+                  {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                ]
+              }
+            }
+          ]
+        },
+        "updatedTestsInfo" : {
+          "tests": [
+            {"name":"ALLOW test_04A_wildcard_true_recursive_true",
+              "request":{
+                "resource":{"elements":{"path":"/test1a1/test11a1"}},
+                
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1a1/test11a1"
+              },
+              "result":{"isAudited":true,"isAllowed":true,"policyId":40}
+            }
+          ]
+          ,
+          "updatedPolicies": {
+            "policyDeltas": [
+              {"changeType": 2,
+                "policy": {
+                  "id": 40,
+                  "version": 1,
+                  "policyType": 0,
+                  "serviceType": "hdfs"
+                }
+              }
+            ,
+              {"changeType": 0,
+                "policy": {"serviceType": "hdfs", "policyType": 0, "version": 
1,
+                  
"id":50,"name":"user1_/test??_notrecursive","isEnabled":true,"isAuditEnabled":true,
+                  
"resources":{"path":{"values":["/test??"],"isRecursive":false}},
+                  "policyItems":[
+                    {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                  ]
+                }
+              }
+            ]
+          },
+          "updatedTestsInfo" : {
+            "tests": [
+              {"name":"ALLOW test_05A_wildcard_true_recursive_false",
+                "request":{
+                  "resource":{"elements":{"path":"/test12"}},
+                  
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test12"
+                },
+                "result":{"isAudited":true,"isAllowed":true,"policyId":50}
+              },
+              {"name":"ALLOW test_05B_wildcard_true_recursive_false",
+                "request":{
+                  "resource":{"elements":{"path":"/test1"}},
+                  
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1"
+                },
+                "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+              },
+              {"name":"ALLOW test_05C_wildcard_true_recursive_false",
+                "request":{
+                  "resource":{"elements":{"path":"/test1a1"}},
+                  
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1a1"
+                },
+                "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+              }
+            ],
+            "updatedPolicies": {
+              "policyDeltas": [
+                {"changeType": 2,
+                  "policy": {
+                    "id": 50,
+                    "version": 1,
+                    "policyType": 0,
+                    "serviceType": "hdfs"
+                  }
+                }
+              ,
+                {"changeType": 0,
+                  "policy": {"serviceType": "hdfs", "policyType": 0, 
"version": 1,
+                    
"id":60,"name":"user1_/test???_notrecursive","isEnabled":true,"isAuditEnabled":true,
+                    
"resources":{"path":{"values":["/test???"],"isRecursive":false}},
+                    "policyItems":[
+                      {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                    ]
+                  }
+                }
+              ]
+            },
+            "updatedTestsInfo" : {
+              "tests": [
+                {"name":"DENY test_06A_wildcard_true_recursive_false",
+                  "request":{
+                    "resource":{"elements":{"path":"/test12"}},
+                    
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test12"
+                  },
+                  "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+                },
+                {"name":"ALLOW test_06B_wildcard_true_recursive_false",
+                  "request":{
+                    "resource":{"elements":{"path":"/test1/1"}},
+                    
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/1"
+                  },
+                  "result":{"isAudited":true,"isAllowed":true,"policyId":60}
+                },
+                {"name":"ALLOW test_06C_wildcard_true_recursive_false",
+                  "request":{
+                    "resource":{"elements":{"path":"/test123"}},
+                    
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test123"
+                  },
+                  "result":{"isAudited":true,"isAllowed":true,"policyId":60}
+                }
+              ],
+              "updatedPolicies": {
+                "policyDeltas": [
+                  {"changeType": 2,
+                    "policy": {
+                      "id": 60,
+                      "version": 1,
+                      "policyType": 0,
+                      "serviceType": "hdfs"
+                    }
+                  }
+                ,
+                  {"changeType": 0,
+                    "policy": {"serviceType": "hdfs", "policyType": 0, 
"version": 1,
+                      
"id":70,"name":"user1_/test1/?_notrecursive","isEnabled":true,"isAuditEnabled":true,
+                      
"resources":{"path":{"values":["/test1/?"],"isRecursive":false}},
+                      "policyItems":[
+                        {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                      ]
+                    }
+                  }
+                ]
+              },
+              "updatedTestsInfo" : {
+                "tests": [
+                  {"name":"DENY test_07A_wildcard_true_recursive_false",
+                    "request":{
+                      "resource":{"elements":{"path":"/test1"}},
+                      
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1"
+                    },
+                    "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+                  },
+                  {"name":"DENY test_07B_wildcard_true_recursive_false",
+                    "request":{
+                      "resource":{"elements":{"path":"/test1/test11"}},
+                      
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/test11"
+                    },
+                    "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+                  },
+                  {"name":"ALLOW test_07C_wildcard_true_recursive_false",
+                    "request":{
+                      "resource":{"elements":{"path":"/test1/a"}},
+                      
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/a"
+                    },
+                    "result":{"isAudited":true,"isAllowed":true,"policyId":70}
+                  }
+                ],
+                "updatedPolicies": {
+                  "policyDeltas": [
+                    {"changeType": 2,
+                      "policy": {
+                        "id": 70,
+                        "version": 1,
+                        "policyType": 0,
+                        "serviceType": "hdfs"
+                      }
+                    }
+                  ,
+                    {"changeType": 0,
+                      "policy": {"serviceType": "hdfs", "policyType": 0, 
"version": 1,
+                        
"id":80,"name":"user1_/test*_/test_notrecursive","isEnabled":true,"isAuditEnabled":true,
+                        "resources":{"path":{"values":["/test*", 
"/test"],"isRecursive":false}},
+                        "policyItems":[
+                          {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                        ]
+                      }
+                    }
+                  ]
+                },
+                "updatedTestsInfo" : {
+                  "tests": [
+                    {"name":"ALLOW test_08A_wildcard_true_recursive_false",
+                      "request":{
+                        "resource":{"elements":{"path":"/test12"}},
+                        
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test12"
+                      },
+                      
"result":{"isAudited":true,"isAllowed":true,"policyId":80}
+                    }
+                  ,
+                    {"name":"ALLOW test_08B_wildcard_true_recursive_false",
+                      "request":{
+                        "resource":{"elements":{"path":"/test1/1"}},
+                        
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/1"
+                      },
+                      
"result":{"isAudited":true,"isAllowed":true,"policyId":80}
+                    }
+                  ,
+                    {"name":"ALLOW test_08C_wildcard_true_recursive_false",
+                      "request":{
+                        "resource":{"elements":{"path":"/test1/1/2"}},
+                        
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/1/2"
+                      },
+                      
"result":{"isAudited":true,"isAllowed":true,"policyId":80}
+                    }
+                  ,
+                    {"name":"ALLOW test_08D_wildcard_true_recursive_false",
+                      "request":{
+                        "resource":{"elements":{"path":"/test1/1/2/a.txt"}},
+                        
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/1/2/a.txt"
+                      },
+                      
"result":{"isAudited":true,"isAllowed":true,"policyId":80}
+                    }
+                  ],
+                  "updatedPolicies": {
+                    "policyDeltas": [
+                      {"changeType": 2,
+                        "policy": {
+                          "id": 80,
+                          "version": 1,
+                          "policyType": 0,
+                          "serviceType": "hdfs"
+                        }
+                      }
+                    ,
+                      {"changeType": 0,
+                        "policy": { "serviceType": "hdfs", "policyType": 0, 
"version": 1,
+                          
"id":90,"name":"user1_/test*1*_notrecursive","isEnabled":true,"isAuditEnabled":true,
+                          
"resources":{"path":{"values":["/test*1*"],"isRecursive":false}},
+                          "policyItems":[
+                            {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                          ]
+                        }
+                      }
+                    ]
+                  },
+                  "updatedTestsInfo" : {
+                    "tests": [
+                      {"name":"ALLOW test_09A_wildcard_true_recursive_false ",
+                        "request":{
+                          "resource":{"elements":{"path":"/test1"}},
+                          
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1"
+                        },
+                        
"result":{"isAudited":true,"isAllowed":true,"policyId":90}
+                      },
+                      {"name":"ALLOW test_09B_wildcard_true_recursive_false ",
+                        "request":{
+                          "resource":{"elements":{"path":"/test1/1"}},
+                          
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/1"
+                        },
+                        
"result":{"isAudited":true,"isAllowed":true,"policyId":90}
+                      },
+                      {"name":"ALLOW test_09C_wildcard_true_recursive_false ",
+                        "request":{
+                          "resource":{"elements":{"path":"/test1/1/2"}},
+                          
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/1/2"
+                        },
+                        
"result":{"isAudited":true,"isAllowed":true,"policyId":90}
+                      }
+                    ],
+                    "updatedPolicies": {
+                      "policyDeltas": [
+                        {"changeType": 2,
+                          "policy": {
+                            "id": 90,
+                            "version": 1,
+                            "policyType": 0,
+                            "serviceType": "hdfs"
+                          }
+                        }
+                      ,
+                        {"changeType": 0,
+                          "policy": { "serviceType": "hdfs", "policyType": 0, 
"version": 1,
+                            
"id":100,"name":"user1_/test*1*2_notrecursive","isEnabled":true,"isAuditEnabled":true,
+                            
"resources":{"path":{"values":["/test*1*2"],"isRecursive":false}},
+                            "policyItems":[
+                              {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                            ]
+                          }
+                        }
+                      ]
+                    },
+                    "updatedTestsInfo" : {
+                      "tests": [
+                        {"name":"ALLOW test_10A_wildcard_true_recursive_false 
",
+                          "request":{
+                            "resource":{"elements":{"path":"/test12"}},
+                            
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test12"
+                          },
+                          
"result":{"isAudited":true,"isAllowed":true,"policyId":100}
+                        },
+                        {"name":"DENY test_10B_wildcard_true_recursive_false ",
+                          "request":{
+                            "resource":{"elements":{"path":"/test123"}},
+                            
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test123"
+                          },
+                          
"result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+                        },
+                        {"name":"ALLOW test_10C_wildcard_true_recursive_false 
",
+                          "request":{
+                            "resource":{"elements":{"path":"/test12a12"}},
+                            
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/testa12"
+                          },
+                          
"result":{"isAudited":true,"isAllowed":true,"policyId":100}
+                        },
+                        {"name":"ALLOW test_10D_wildcard_true_recursive_false 
",
+                          "request":{
+                            "resource":{"elements":{"path":"/test2/1/2"}},
+                            
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test2/1/2"
+                          },
+                          
"result":{"isAudited":true,"isAllowed":true,"policyId":100}
+                        }
+                      ],
+                      "updatedPolicies": {
+                        "policyDeltas": [
+                          {"changeType": 2,
+                            "policy": {
+                              "id": 100,
+                              "version": 1,
+                              "policyType": 0,
+                              "serviceType": "hdfs"
+                            }
+                          }
+                        ,
+                          {"changeType": 0,
+                            "policy": { "serviceType": "hdfs", "policyType": 
0, "version": 1,
+                              
"id":110,"name":"user1_/test1/b*y.txt_/test2_notrecursive","isEnabled":true,"isAuditEnabled":true,
+                              "resources":{"path":{"values":["/test1/b*y.txt", 
"/test2"],"isRecursive":false}},
+                              "policyItems":[
+                                {"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                              ]
+                            }
+                          }
+                        ]
+                      },
+                      "updatedTestsInfo" : {
+                        "tests": [
+                          {"name":"ALLOW 
test_11A_wildcard_true_recursive_false ",
+                            "request":{
+                              
"resource":{"elements":{"path":"/test1/boy.txt"}},
+                              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/boy.txt"
+                            },
+                            
"result":{"isAudited":true,"isAllowed":true,"policyId":110}
+                          },
+                          {"name":"ALLOW 
test_11B_wildcard_true_recursive_false ",
+                            "request":{
+                              
"resource":{"elements":{"path":"/test1/b1/a2/any.txt"}},
+                              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/b1/a1/any.txt"
+                            },
+                            
"result":{"isAudited":true,"isAllowed":true,"policyId":110}
+                          },
+                          {"name":"ALLOW 
test_11C_wildcard_true_recursive_false ",
+                            "request":{
+                              "resource":{"elements":{"path":"/test1/by.txt"}},
+                              
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/by.txt"
+                            },
+                            
"result":{"isAudited":true,"isAllowed":true,"policyId":110}
+                          }
+                        ],
+                        "updatedPolicies": {
+                          "policyDeltas": [
+                            {"changeType": 2,
+                              "policy": {
+                                "id": 110,
+                                "version": 1,
+                                "policyType": 0,
+                                "serviceType": "hdfs"
+                              }
+                            }
+                          ,
+                            {"changeType": 0,
+                              "policy": { "serviceType": "hdfs", "policyType": 
0, "version": 1,
+                                
"id":120,"name":"user1_/test1/*/a.txt_/test2_notrecursive","isEnabled":true,"isAuditEnabled":true,
+                                
"resources":{"path":{"values":["/test1/*/a.txt", 
"/test2"],"isRecursive":false}},
+                                "policyItems":[
+                                  
{"accesses":[{"type":"read","isAllowed":true}, 
{"type":"write","isAllowed":true}, 
{"type":"execute","isAllowed":true}],"users":["hrt_21"],"groups":[],"delegateAdmin":false}
+                                ]
+                              }
+                            }
+                          ]
+                        },
+                        "updatedTestsInfo" : {
+                          "tests": [
+                            {"name":"ALLOW 
test_12A_wildcard_true_recursive_false_target_dir ",
+                              "request":{
+                                "resource":{"elements":{"path":"/test2"}},
+                                
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test2"
+                              },
+                              
"result":{"isAudited":true,"isAllowed":true,"policyId":120}
+                            },
+                            {"name":"DENY 
test_12A_wildcard_true_recursive_false ",
+                              "request":{
+                                
"resource":{"elements":{"path":"/test1/a.txt"}},
+                                
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/a.txt"
+                              },
+                              
"result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+                            },
+                            {"name":"ALLOW 
test_12B_wildcard_true_recursive_false ",
+                              "request":{
+                                
"resource":{"elements":{"path":"/test1/1/2/a.txt"}},
+                                
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/1/2/a.txt"
+                              },
+                              
"result":{"isAudited":true,"isAllowed":true,"policyId":120}
+                            },
+                            {"name":"DENY 
test_12C_wildcard_true_recursive_false ",
+                              "request":{
+                                
"resource":{"elements":{"path":"/test1/1/2/ba.txt"}},
+                                
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test1/1/2/ba.txt"
+                              },
+                              
"result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+                            }
+                          ],
+                          "updatedPolicies": {
+                            "policyDeltas": [
+                              {"changeType": 2,
+                                "policy": {
+                                  "id": 120,
+                                  "version": 1,
+                                  "policyType": 0,
+                                  "serviceType": "hdfs"
+                                }
+                              }
+                            ]
+                          },
+                          "updatedTestsInfo" : {
+                            "tests": [
+                              {"name":"DENY 
test_13_wildcard_true_recursive_false ",
+                                "request":{
+                                  "resource":{"elements":{"path":"/test2"}},
+                                  
"accessType":"write","user":"hrt_21","userGroups":[],"requestData":"write 
/test2"
+                                },
+                                
"result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+                              }
+                            ],
+                            "updatedPolicies": {
+                              "policyDeltas": [
+                                {"changeType": 2,
+                                  "policy": {
+                                    "id": 1,
+                                    "version": 1,
+                                    "policyType": 0,
+                                    "serviceType": "hdfs"
+                                  }
+                                }
+                              ]
+                            }
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml 
b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index f6951f6..d026dec 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -1555,7 +1555,7 @@
     <named-query name="XXPolicyChangeLog.findSinceVersion">
         <query>
             select obj.id, obj.changeType, obj.policyVersion, obj.serviceType, 
obj.policyType, obj.policyId, obj.zoneName from
-            XXPolicyChangeLog obj where obj.serviceId = :serviceId and 
obj.policyVersion >= :version order by
+            XXPolicyChangeLog obj where obj.serviceId = :serviceId and 
obj.serviceType != 'tag' and obj.policyVersion >= :version order by
             obj.policyVersion
         </query>
     </named-query>
@@ -1563,7 +1563,7 @@
     <named-query name="XXPolicyChangeLog.findGreaterThan">
         <query>
             select obj.id, obj.changeType, obj.policyVersion, obj.serviceType, 
obj.policyType, obj.policyId, obj.zoneName from
-            XXPolicyChangeLog obj where obj.serviceId = :serviceId and obj.id 
> :id order by obj.id
+            XXPolicyChangeLog obj where obj.serviceId = :serviceId and 
obj.serviceType = 'tag' and obj.id > :id order by obj.id
         </query>
     </named-query>
 

Reply via email to