This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new cbdd054d5 RANGER-4286: allow security-zone to exist without any
services/resources assigned
cbdd054d5 is described below
commit cbdd054d59a94de787c6d8f980859982d22f467a
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Thu Jun 8 22:32:56 2023 -0700
RANGER-4286: allow security-zone to exist without any services/resources
assigned
---
.../validation/RangerSecurityZoneValidator.java | 369 +++++++++------------
.../validation/RangerZoneResourceMatcher.java | 10 +-
.../plugin/store/SecurityZonePredicateUtil.java | 33 +-
.../apache/ranger/plugin/util/SearchFilter.java | 1 +
.../RangerSecurityZoneValidatorTest.java | 112 ++++++-
5 files changed, 292 insertions(+), 233 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
index cb4f37cc0..1a2b3160b 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
@@ -23,10 +23,11 @@ import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.errors.ValidationErrorCode;
-import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import
org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerResourceTrie;
@@ -37,6 +38,7 @@ import org.apache.ranger.plugin.store.SecurityZoneStore;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever;
import org.apache.ranger.plugin.util.SearchFilter;
+import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -48,6 +50,8 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import static org.apache.ranger.plugin.model.RangerPolicy.POLICY_TYPES;
+
public class RangerSecurityZoneValidator extends RangerValidator {
private static final Logger LOG =
LoggerFactory.getLogger(RangerSecurityZoneValidator.class);
@@ -55,28 +59,27 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
public RangerSecurityZoneValidator(ServiceStore store, SecurityZoneStore
securityZoneStore) {
super(store);
+
this.securityZoneStore = securityZoneStore;
}
public void validate(RangerSecurityZone securityZone, Action action)
throws Exception {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.validate(%s,
%s)", securityZone, action));
+ LOG.debug(String.format("==>
RangerSecurityZoneValidator.validate(%s, %s)", securityZone, action));
}
List<ValidationFailureDetails> failures = new ArrayList<>();
+ boolean valid = isValid(securityZone,
action, failures);
- boolean valid = isValid(securityZone, action, failures);
-
- String message;
try {
if (!valid) {
- message = serializeFailures(failures);
+ String message = serializeFailures(failures);
+
throw new Exception(message);
}
-
} finally {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<==
RangerPolicyValidator.validate(%s, %s)", securityZone, action));
+ LOG.debug(String.format("<==
RangerSecurityZoneValidator.validate(%s, %s)", securityZone, action));
}
}
}
@@ -84,7 +87,7 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
@Override
boolean isValid(String name, Action action, List<ValidationFailureDetails>
failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s,
%s)", name, action, failures));
+ LOG.debug(String.format("==>
RangerSecurityZoneValidator.isValid(%s, %s, %s)", name, action, failures));
}
boolean ret = true;
@@ -94,24 +97,20 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
failures.add(new
ValidationFailureDetailsBuilder().isAnInternalError().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
ret = false;
- } else {
- if (StringUtils.isEmpty(name)) {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
+ } else if (StringUtils.isEmpty(name)) {
+ ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
- failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone name was
null/missing").field("name").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("name")).build());
- ret = false;
- } else {
- if (getSecurityZone(name) == null) {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
+ failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone name was
null/missing").field("name").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("name")).build());
+ ret = false;
+ } else if (getSecurityZone(name) == null) {
+ ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
- failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone does not
exist").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(name)).build());
- ret = false;
- }
- }
+ failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone does not
exist").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(name)).build());
+ ret = false;
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s,
%s) : %s", name, action, failures, ret));
+ LOG.debug(String.format("<==
RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", name, action, failures,
ret));
}
return ret;
@@ -120,7 +119,7 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
@Override
boolean isValid(Long id, Action action, List<ValidationFailureDetails>
failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s,
%s)", id, action, failures));
+ LOG.debug(String.format("==>
RangerSecurityZoneValidator.isValid(%s, %s, %s)", id, action, failures));
}
boolean ret = true;
@@ -136,32 +135,31 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone id was
null/missing").field("id").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("id")).build());
ret = false;
} else if (getSecurityZone(id) == null) {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
+ ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
- failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone id does not
exist").field("id").errorCode(error.getErrorCode()).becauseOf(error.getMessage(id)).build());
- ret = false;
+ failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone id does not
exist").field("id").errorCode(error.getErrorCode()).becauseOf(error.getMessage(id)).build());
+ ret = false;
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s,
%s) : %s", id, action, failures, ret));
+ LOG.debug(String.format("<==
RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", id, action, failures,
ret));
}
return ret;
}
- boolean isValid(RangerSecurityZone securityZone, Action action,
List<ValidationFailureDetails> failures) {
+ private boolean isValid(RangerSecurityZone securityZone, Action action,
List<ValidationFailureDetails> failures) {
if(LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s,
%s)", securityZone, action, failures));
+ LOG.debug(String.format("==>
RangerSecurityZoneValidator.isValid(%s, %s, %s)", securityZone, action,
failures));
}
if (!(action == Action.CREATE || action == Action.UPDATE)) {
- throw new IllegalArgumentException("isValid(RangerPolicy, ...) is
only supported for create/update");
+ throw new IllegalArgumentException("isValid(RangerSecurityZone,
...) is only supported for create/update");
}
- boolean ret = true;
-
- RangerSecurityZone existingZone;
+ boolean ret = true;
final String zoneName = securityZone.getName();
+
if (StringUtils.isEmpty(StringUtils.trim(zoneName))) {
ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
@@ -169,9 +167,13 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
ret = false;
}
+ RangerSecurityZone existingZone;
+
if (action == Action.CREATE) {
securityZone.setId(-1L);
+
existingZone = getSecurityZone(zoneName);
+
if (existingZone != null) {
ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_NAME_CONFLICT;
@@ -179,7 +181,8 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
ret = false;
}
} else {
- Long zoneId = securityZone.getId();
+ Long zoneId = securityZone.getId();
+
existingZone = getSecurityZone(zoneId);
if (existingZone == null) {
@@ -191,12 +194,10 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
existingZone = getSecurityZone(zoneName);
if (existingZone != null) {
- if (!StringUtils.equals(existingZone.getName(), zoneName))
{
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_NAME_CONFLICT;
+ ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_NAME_CONFLICT;
- failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone
name").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(existingZone.getId())).build());
- ret = false;
- }
+ failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone
name").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(existingZone.getId())).build());
+ ret = false;
}
}
}
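Review bot: Dropping the inner `!StringUtils.equals(existingZone.getName(), zoneName)` test changes behaviour rather than just simplifying: existingZone has just been fetched by zoneName, so that test was always false and the name-conflict failure under it was unreachable, whereas now it fires whenever a zone with that name exists. Whether that is correct depends on the condition that leads into this block, which starts before the hunk — if it is not restricted to the case where the submitted name differs from the stored zone's name, an UPDATE that keeps its own name would be rejected as a conflict with itself. Worth a test for the unchanged-name update path in RangerSecurityZoneValidatorTest, and a mention in the commit message since it is not implied by the title.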
@@ -206,7 +207,7 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
ret = ret && validateAgainstAllSecurityZones(securityZone, action,
failures);
if(LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s,
%s) : %s", securityZone, action, failures, ret));
+ LOG.debug(String.format("<==
RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", securityZone, action,
failures, ret));
}
return ret;
@@ -214,25 +215,11 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
private boolean validateWithinSecurityZone(RangerSecurityZone
securityZone, Action action, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==>
RangerPolicyValidator.validateWithinSecurityZone(%s, %s, %s)", securityZone,
action, failures));
+ LOG.debug(String.format("==>
RangerSecurityZoneValidator.validateWithinSecurityZone(%s, %s, %s)",
securityZone, action, failures));
}
boolean ret = true;
- // Validate each service for existence, not being tag-service and each
resource-spec for validity
- if (MapUtils.isNotEmpty(securityZone.getServices())) {
- for (Map.Entry<String,
RangerSecurityZone.RangerSecurityZoneService> serviceSpecification :
securityZone.getServices().entrySet()) {
- String serviceName
= serviceSpecification.getKey();
- RangerSecurityZone.RangerSecurityZoneService
securityZoneService = serviceSpecification.getValue();
-
- ret = ret && validateSecurityZoneService(serviceName,
securityZoneService, failures);
- }
- } else {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_SERVICES;
-
- failures.add(new
ValidationFailureDetailsBuilder().becauseOf("security zone
services").isMissing().field("services").errorCode(error.getErrorCode()).becauseOf(error.getMessage(securityZone.getName())).build());
- ret = false;
- }
// admin users, user-groups and roles collections can't be empty
if (CollectionUtils.isEmpty(securityZone.getAdminUsers()) &&
CollectionUtils.isEmpty(securityZone.getAdminUserGroups()) &&
CollectionUtils.isEmpty(securityZone.getAdminRoles())) {
ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_USER_AND_GROUPS_AND_ROLES;
@@ -248,90 +235,83 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
ret = false;
}
- if (securityZone.getServices() != null) {
- for (Map.Entry<String, RangerSecurityZoneService>
serviceResourceMapEntry : securityZone.getServices()
- .entrySet()) {
- if
(serviceResourceMapEntry.getValue().getResources() != null) {
- for (Map<String, List<String>> resource
: serviceResourceMapEntry.getValue().getResources()) {
- if (resource != null) {
- for (Map.Entry<String,
List<String>> entry : resource.entrySet()) {
- if
(CollectionUtils.isEmpty(entry.getValue())) {
-
ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_RESOURCES;
-
failures.add(new ValidationFailureDetailsBuilder().field("security zone
resources")
-
.subField("resources").isMissing()
-
.becauseOf(error.getMessage(serviceResourceMapEntry.getKey()))
-
.errorCode(error.getErrorCode()).build());
- ret =
false;
- }
- }
- }
- }
- }
- }
- }
+ // Validate each service for existence, not being tag-service and each
resource-spec for validity
+ if (MapUtils.isNotEmpty(securityZone.getServices())) {
+ for (Map.Entry<String, RangerSecurityZoneService> entry :
securityZone.getServices().entrySet()) {
+ String serviceName = entry.getKey();
+ RangerSecurityZoneService securityZoneService =
entry.getValue();
+
+ ret = validateSecurityZoneService(serviceName,
securityZoneService, failures) && ret;
+ }
+ }
+
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<==
RangerPolicyValidator.validateWithinSecurityZone(%s, %s, %s) : %s",
securityZone, action, failures, ret));
+ LOG.debug(String.format("<==
RangerSecurityZoneValidator.validateWithinSecurityZone(%s, %s, %s) : %s",
securityZone, action, failures, ret));
}
+
return ret;
}
private boolean validateAgainstAllSecurityZones(RangerSecurityZone
securityZone, Action action, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==>
RangerPolicyValidator.validateAgainstAllSecurityZones(%s, %s, %s)",
securityZone, action, failures));
+ LOG.debug(String.format("==>
RangerSecurityZoneValidator.validateAgainstAllSecurityZones(%s, %s, %s)",
securityZone, action, failures));
}
- boolean ret = true;
-
+ boolean ret = true;
final String zoneName;
if (securityZone.getId() != -1L) {
RangerSecurityZone existingZone =
getSecurityZone(securityZone.getId());
+
zoneName = existingZone.getName();
} else {
zoneName = securityZone.getName();
}
- for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService>
entry: securityZone.getServices().entrySet()) {
- String serviceName =
entry.getKey();
- RangerSecurityZone.RangerSecurityZoneService serviceResources =
entry.getValue();
+ for (Map.Entry<String, RangerSecurityZoneService> entry:
securityZone.getServices().entrySet()) {
+ String serviceName = entry.getKey();
+ RangerSecurityZoneService securityZoneService = entry.getValue();
- if (CollectionUtils.isNotEmpty(serviceResources.getResources())) {
- SearchFilter filter = new SearchFilter();
- List<RangerSecurityZone> zones = null;
+ if (CollectionUtils.isEmpty(securityZoneService.getResources())) {
+ continue;
+ }
- filter.setParam(SearchFilter.SERVICE_NAME, serviceName);
- filter.setParam(SearchFilter.ZONE_NAME, zoneName);
+ SearchFilter filter = new SearchFilter();
+ List<RangerSecurityZone> zones = null;
- try {
- zones = securityZoneStore.getSecurityZones(filter);
- } catch (Exception excp) {
- LOG.error("Failed to get Security-Zones", excp);
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
+ filter.setParam(SearchFilter.SERVICE_NAME, serviceName);
+ filter.setParam(SearchFilter.NOT_ZONE_NAME, zoneName);
- failures.add(new
ValidationFailureDetailsBuilder().becauseOf(error.getMessage(excp.getMessage())).errorCode(error.getErrorCode()).build());
- ret = false;
- }
+ try {
+ zones = securityZoneStore.getSecurityZones(filter);
+ } catch (Exception excp) {
+ LOG.error("Failed to get Security-Zones", excp);
+ ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
+
+ failures.add(new
ValidationFailureDetailsBuilder().becauseOf(error.getMessage(excp.getMessage())).errorCode(error.getErrorCode()).build());
+ ret = false;
+ }
- if (CollectionUtils.isNotEmpty(zones)) {
- RangerService service = getService(serviceName);
- RangerServiceDef serviceDef = service != null ?
getServiceDef(service.getType()) : null;
+ if (CollectionUtils.isEmpty(zones)) {
+ continue;
+ }
- if (serviceDef == null) {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
+ RangerService service = getService(serviceName);
+ RangerServiceDef serviceDef = service != null ?
getServiceDef(service.getType()) : null;
- failures.add(new
ValidationFailureDetailsBuilder().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
- ret = false;
+ if (serviceDef == null) {
+ ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
- } else {
- zones.add(securityZone);
- ret = ret && validateZoneServiceInAllZones(zones,
serviceName, serviceDef, failures);
- }
- }
+ failures.add(new
ValidationFailureDetailsBuilder().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
+ ret = false;
+ } else {
+ zones.add(securityZone);
+ ret = ret && validateZoneServiceInAllZones(zones, serviceName,
serviceDef, failures);
}
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<==
RangerPolicyValidator.validateAgainstAllSecurityZones(%s, %s, %s) : %s",
securityZone, action, failures, ret));
+ LOG.debug(String.format("<==
RangerSecurityZoneValidator.validateAgainstAllSecurityZones(%s, %s, %s) : %s",
securityZone, action, failures, ret));
}
return ret;
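Review bot: The loop over `securityZone.getServices().entrySet()` at the top of validateAgainstAllSecurityZones is still unguarded, although this commit makes services optional — validateWithinSecurityZone now iterates only under `MapUtils.isNotEmpty(securityZone.getServices())` and validateZoneServiceInAllZones null-checks `zone.getServices()`. If getServices() can return null for a zone created without services, this loop throws NullPointerException before the debug exit log runs and before any failure is recorded. Guarding it the same way, `if (MapUtils.isNotEmpty(securityZone.getServices())) { for (...) { ... } }`, keeps the three methods consistent; if the model guarantees a non-null map, a one-line comment saying so at this loop would save the next reader the same question.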
@@ -339,7 +319,7 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
private boolean validateZoneServiceInAllZones(List<RangerSecurityZone>
zones, String serviceName, RangerServiceDef serviceDef,
List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==>
RangerPolicyValidator.validateZoneServiceInAllZones(%s, %s, %s, %s)", zones,
serviceName, serviceDef, failures));
+ LOG.debug(String.format("==>
RangerSecurityZoneValidator.validateZoneServiceInAllZones(%s, %s, %s, %s)",
zones, serviceName, serviceDef, failures));
}
boolean ret = true;
@@ -351,22 +331,26 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
// add this to list-of-evaluators
Map<String, List<RangerZoneResourceMatcher>> matchersForResourceDef =
new HashMap<>();
+ RangerServiceDefHelper serviceDefHelper =
new RangerServiceDefHelper(serviceDef);
for (RangerSecurityZone zone : zones) {
- List<HashMap<String, List<String>>> resources =
zone.getServices().get(serviceName).getResources();
+ Map<String, RangerSecurityZoneService> zoneServices =
zone.getServices();
+ RangerSecurityZoneService zoneService = zoneServices
!= null ? zoneServices.get(serviceName) : null;
+ List<HashMap<String, List<String>>> resources = zoneService
!= null ? zoneService.getResources() : null;
+
+ if (CollectionUtils.isEmpty(resources)) {
+ continue;
+ }
for (Map<String, List<String>> resource : resources) {
- Map<String, RangerPolicy.RangerPolicyResource> policyResources
= new HashMap<>();
+ Map<String, RangerPolicyResource> policyResources = new
HashMap<>();
for (Map.Entry<String, List<String>> entry :
resource.entrySet()) {
String resourceDefName = entry.getKey();
List<String> resourceValues = entry.getValue();
- RangerPolicy.RangerPolicyResource policyResource = new
RangerPolicy.RangerPolicyResource();
+ RangerPolicyResource policyResource = new
RangerPolicyResource(resourceValues, false,
EmbeddedServiceDefsUtil.isRecursiveEnabled(serviceDef, resourceDefName));
- policyResource.setIsExcludes(false);
-
policyResource.setIsRecursive(EmbeddedServiceDefsUtil.isRecursiveEnabled(serviceDef,
resourceDefName));
- policyResource.setValues(resourceValues);
policyResources.put(resourceDefName, policyResource);
if (matchersForResourceDef.get(resourceDefName) == null) {
@@ -374,7 +358,7 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
}
}
- RangerZoneResourceMatcher matcher = new
RangerZoneResourceMatcher(zone.getName(), policyResources, serviceDef);
+ RangerZoneResourceMatcher matcher = new
RangerZoneResourceMatcher(zone.getName(), policyResources, serviceDefHelper);
for (String resourceDefName : resource.keySet()) {
matchersForResourceDef.get(resourceDefName).add(matcher);
@@ -385,21 +369,13 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
// Build a map of trie with list-of-evaluators with one entry
corresponds to one resource-def if it exists in the list-of-resources
Map<String, RangerResourceTrie<RangerZoneResourceMatcher>> trieMap =
new HashMap<>();
- List<RangerServiceDef.RangerResourceDef> resourceDefs =
serviceDef.getResources();
for (Map.Entry<String, List<RangerZoneResourceMatcher>> entry :
matchersForResourceDef.entrySet()) {
- String resourceDefName =
entry.getKey();
- List<RangerZoneResourceMatcher> matchers =
entry.getValue();
- RangerServiceDef.RangerResourceDef resourceDef = null;
-
- for (RangerServiceDef.RangerResourceDef element : resourceDefs) {
- if (StringUtils.equals(element.getName(), resourceDefName)) {
- resourceDef = element;
- break;
- }
- }
+ String resourceDefName = entry.getKey();
+ List<RangerZoneResourceMatcher> matchers = entry.getValue();
+ RangerResourceDef resourceDef =
ServiceDefUtil.getResourceDef(serviceDef, resourceDefName);
- trieMap.put(entry.getKey(), new RangerResourceTrie<>(resourceDef,
matchers));
+ trieMap.put(resourceDefName, new RangerResourceTrie<>(resourceDef,
matchers));
}
// For each zone, get list-of-resources corresponding to serviceName
@@ -413,7 +389,6 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
List<HashMap<String, List<String>>> resources =
zone.getServices().get(serviceName).getResources();
for (Map<String, List<String>> resource : resources) {
-
Collection<RangerZoneResourceMatcher> smallestList =
RangerResourceEvaluatorsRetriever.getEvaluators(trieMap, resource);
if (LOG.isDebugEnabled()) {
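Review bot: The second per-zone loop here still evaluates `zone.getServices().get(serviceName).getResources()` without the null/empty guard that the first loop in validateZoneServiceInAllZones gained in this commit. A zone the first loop skipped with `continue` (no entry for serviceName, or an empty resource list — now permitted since the missing-resources failure in validateSecurityZoneService was removed) reaches this `for` with a null list and throws NullPointerException. Mirror the guard: look the service up with `zone.getServices() != null ? zone.getServices().get(serviceName) : null` and then `if (zoneService == null || CollectionUtils.isEmpty(zoneService.getResources())) { continue; }`. The enclosing method starts and ends outside this hunk.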
@@ -464,20 +439,18 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<==
RangerPolicyValidator.validateZoneServiceInAllZones(%s, %s, %s, %s) : %s",
zones, serviceName, serviceDef, failures, ret));
+ LOG.debug(String.format("<==
RangerSecurityZoneValidator.validateZoneServiceInAllZones(%s, %s, %s, %s) :
%s", zones, serviceName, serviceDef, failures, ret));
}
return ret;
}
- private boolean validateSecurityZoneService(String serviceName,
RangerSecurityZone.RangerSecurityZoneService securityZoneService,
List<ValidationFailureDetails> failures) {
+ private boolean validateSecurityZoneService(String serviceName,
RangerSecurityZoneService securityZoneService, List<ValidationFailureDetails>
failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==>
RangerPolicyValidator.validateSecurityZoneService(%s, %s, %s)", serviceName,
securityZoneService, failures));
+ LOG.debug(String.format("==>
RangerSecurityZoneValidator.validateSecurityZoneService(%s, %s, %s)",
serviceName, securityZoneService, failures));
}
- boolean ret = true;
-
- // Verify service with serviceName exists - get the service-type
- RangerService service = getService(serviceName);
+ boolean ret = true;
+ RangerService service = getService(serviceName); // Verify service
with serviceName exists
if (service == null) {
ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_SERVICE_NAME;
@@ -489,68 +462,54 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
if (serviceDef == null) {
ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_SERVICE_TYPE;
+
failures.add(new
ValidationFailureDetailsBuilder().field("security zone resource
service-type").becauseOf(error.getMessage(service.getType())).errorCode(error.getErrorCode()).build());
ret = false;
} else {
- String serviceType = serviceDef.getName();
-
- if (StringUtils.equals(serviceType,
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
- if
(CollectionUtils.isNotEmpty(securityZoneService.getResources())) {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_UNEXPECTED_RESOURCES;
- failures.add(new
ValidationFailureDetailsBuilder().field("security zone
resources").becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
- ret = false;
- }
- } else {
- if
(CollectionUtils.isEmpty(securityZoneService.getResources())) {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_RESOURCES;
- failures.add(new
ValidationFailureDetailsBuilder().field("security zone
resources").isMissing().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
- ret = false;
- } else {
- // For each resource-spec, verify that it forms valid
hierarchy for some policy-type
- for (Map<String, List<String>> resource :
securityZoneService.getResources()) {
- Set<String> resourceDefNames = resource.keySet();
- RangerServiceDefHelper serviceDefHelper = new
RangerServiceDefHelper(serviceDef);
- boolean isValidHierarchy = false;
-
- for (int policyType : RangerPolicy.POLICY_TYPES) {
- Set<List<RangerServiceDef.RangerResourceDef>>
resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType,
resourceDefNames);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Size of resourceHierarchies for
resourceDefNames:[" + resourceDefNames + ", policyType=" + policyType + "] = "
+ resourceHierarchies.size());
- }
-
- for (List<RangerServiceDef.RangerResourceDef>
resourceHierarchy : resourceHierarchies) {
-
- if
(RangerDefaultPolicyResourceMatcher.isHierarchyValidForResources(resourceHierarchy,
resource)) {
- isValidHierarchy = true;
- break;
- } else {
- LOG.info("gaps found in resource,
skipping hierarchy:[" + resourceHierarchies + "]");
- }
- }
+ if
(CollectionUtils.isNotEmpty(securityZoneService.getResources())) {
+ // For each resource-spec, verify that it forms valid
hierarchy for some policy-type
+ for (Map<String, List<String>> resource :
securityZoneService.getResources()) {
+ Set<String> resourceDefNames =
resource.keySet();
+ RangerServiceDefHelper serviceDefHelper = new
RangerServiceDefHelper(serviceDef);
+ boolean isValidHierarchy = false;
+
+ for (int policyType : POLICY_TYPES) {
+ Set<List<RangerResourceDef>> resourceHierarchies =
serviceDefHelper.getResourceHierarchies(policyType, resourceDefNames);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Size of resourceHierarchies for
resourceDefNames:[" + resourceDefNames + ", policyType=" + policyType + "] = "
+ resourceHierarchies.size());
}
- if (!isValidHierarchy) {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_RESOURCE_HIERARCHY;
-
- failures.add(new
ValidationFailureDetailsBuilder().field("security zone resource
hierarchy").becauseOf(error.getMessage(serviceName,
resourceDefNames)).errorCode(error.getErrorCode()).build());
- ret = false;
+ for (List<RangerResourceDef> resourceHierarchy :
resourceHierarchies) {
+ if
(RangerDefaultPolicyResourceMatcher.isHierarchyValidForResources(resourceHierarchy,
resource)) {
+ isValidHierarchy = true;
+ break;
+ } else {
+ LOG.info("gaps found in resource, skipping
hierarchy:[" + resourceHierarchies + "]");
+ }
}
+ }
- /*
- * Ignore this check. It should be possible to have
all wildcard resource in a zone if zone-admin so desires
- *
- boolean isValidResourceSpec =
isAnyNonWildcardResource(resource, failures);
-
- if (!isValidResourceSpec) {
- ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ALL_WILDCARD_RESOURCE_VALUES;
+ if (!isValidHierarchy) {
+ ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_RESOURCE_HIERARCHY;
- failures.add(new
ValidationFailureDetailsBuilder().field("security zone resource
values").becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
+ failures.add(new
ValidationFailureDetailsBuilder().field("security zone resource
hierarchy").becauseOf(error.getMessage(serviceName,
resourceDefNames)).errorCode(error.getErrorCode()).build());
ret = false;
-
LOG.warn("RangerPolicyValidator.validateSecurityZoneService() : All wildcard
resource-values specified for service :[" + serviceName + "]");
}
- */
+ for (Map.Entry<String, List<String>> resourceEntry :
resource.entrySet()) {
+ String resourceName =
resourceEntry.getKey();
+ List<String> resourceValues =
resourceEntry.getValue();
+
+ if (CollectionUtils.isEmpty(resourceValues)) {
+ ValidationErrorCode error =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_RESOURCES;
+
+ failures.add(new
ValidationFailureDetailsBuilder().field("security zone resources")
+ .subField("resources").isMissing()
+
.becauseOf(error.getMessage(resourceName))
+
.errorCode(error.getErrorCode()).build());
+ ret = false;
+ }
}
}
}
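Review bot: The new body of validateSecurityZoneService no longer special-cases tag services: the old branch that rejected resources on a service whose type is `EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME` with SECURITY_ZONE_VALIDATION_ERR_UNEXPECTED_RESOURCES is gone, and any service with a non-empty resource list is now only hierarchy-checked. That is wider than the commit title describes; if it is intentional, the message and the test file should say so, otherwise keep a guard such as `if (StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME) && CollectionUtils.isNotEmpty(securityZoneService.getResources()))` ahead of the hierarchy loop. Separately, `new RangerServiceDefHelper(serviceDef)` is constructed inside the per-resource loop; hoisting it above the loop, as this commit already does in validateZoneServiceInAllZones, avoids rebuilding the helper for every resource-spec. The enclosing method starts and ends outside this hunk.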
@@ -558,41 +517,9 @@ public class RangerSecurityZoneValidator extends
RangerValidator {
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<==
RangerPolicyValidator.validateSecurityZoneService(%s, %s, %s) : %s",
serviceName, securityZoneService, failures, ret));
- }
-
- return ret;
- }
-
- /*
- private boolean isAnyNonWildcardResource(Map<String, List<String>>
resource, List<ValidationFailureDetails> failures) {
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==>
RangerPolicyValidator.isAnyNonWildcardResource(%s, %s)", resource, failures));
+ LOG.debug(String.format("<==
RangerSecurityZoneValidator.validateSecurityZoneService(%s, %s, %s) : %s",
serviceName, securityZoneService, failures, ret));
}
- boolean ret = false;
-
- for (Map.Entry<String, List<String>> resourceDefValue :
resource.entrySet()) {
- boolean wildCardResourceFound = false;
- List<String> resourceValues = resourceDefValue.getValue();
-
- for (String resourceValue : resourceValues) {
- if (StringUtils.equals(resourceValue,
RangerDefaultResourceMatcher.WILDCARD_ASTERISK)) {
- wildCardResourceFound = true;
- break;
- }
- }
-
- if (!wildCardResourceFound) {
- ret = true;
- break;
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<==
RangerPolicyValidator.isAnyNonWildcardResource(%s, %s) : %s", resource,
failures, ret));
- }
return ret;
}
- */
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
index e079b7c46..bf4247660 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
@@ -42,11 +42,13 @@ public class RangerZoneResourceMatcher implements
RangerResourceEvaluator {
private RangerServiceDef.RangerResourceDef
leafResourceDef;
public RangerZoneResourceMatcher(final String securityZoneName, final
Map<String, RangerPolicy.RangerPolicyResource> policyResource, final
RangerServiceDef serviceDef) {
+ this(securityZoneName, policyResource, new
RangerServiceDefHelper(serviceDef));
+ }
- RangerServiceDefHelper serviceDefHelper = new
RangerServiceDefHelper(serviceDef);
- final Collection<String> resourceKeys =
policyResource.keySet();
-
- RangerDefaultPolicyResourceMatcher matcher = new
RangerDefaultPolicyResourceMatcher();
+ public RangerZoneResourceMatcher(final String securityZoneName, final
Map<String, RangerPolicy.RangerPolicyResource> policyResource, final
RangerServiceDefHelper serviceDefHelper) {
+ final RangerServiceDef serviceDef =
serviceDefHelper.getServiceDef();
+ final Collection<String> resourceKeys =
policyResource.keySet();
+ final RangerDefaultPolicyResourceMatcher matcher = new
RangerDefaultPolicyResourceMatcher();
matcher.setServiceDef(serviceDef);
matcher.setServiceDefHelper(serviceDefHelper);
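Review bot: The new three-argument constructor dereferences `serviceDefHelper` on its first statement (`serviceDefHelper.getServiceDef()`), so a null helper surfaces as a bare NullPointerException deep in the matcher rather than at the call boundary; a guard such as `Objects.requireNonNull(serviceDefHelper, "serviceDefHelper")` (needs `java.util.Objects`) before that line gives a named failure. Since callers now hand in a pre-built helper, the constructor also deserves a Javadoc stating that the helper must have been built from the service-def the `policyResource` keys refer to, because the matcher is configured from both on the following two lines and nothing here checks they agree. The delegating two-argument constructor preserves the old behaviour, which is fine. The constructor body continues beyond the end of the hunk.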
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java
b/agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java
index f2c381925..df5fc7956 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java
@@ -38,7 +38,8 @@ public class SecurityZonePredicateUtil extends
AbstractPredicateUtil {
addPredicateForServiceName(filter.getParam(SearchFilter.SERVICE_NAME),
predicates);
addPredicateForMatchingZoneId(filter.getParam(SearchFilter.ZONE_ID),
predicates);
-
addPredicateForNonMatchingZoneName(filter.getParam(SearchFilter.ZONE_NAME),
predicates);
+
addPredicateForMatchingZoneName(filter.getParam(SearchFilter.ZONE_NAME),
predicates);
+
addPredicateForNonMatchingZoneName(filter.getParam(SearchFilter.NOT_ZONE_NAME),
predicates);
}
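Review bot: The meaning of `SearchFilter.ZONE_NAME` is inverted here from "every zone except this name" to "only this zone", and the exclusion semantic moves to the new `NOT_ZONE_NAME` parameter; any caller outside this commit that still passes `ZONE_NAME` to find the *other* zones for resource-overlap checks would now get back only its own zone and the conflict check would silently pass. I cannot see all callers from this diff, so it is worth a grep, and a comment on these two lines would prevent the same mistake later, e.g. `// ZONE_NAME selects the named zone; use NOT_ZONE_NAME to exclude it (changed in RANGER-4286)`. The test fixture in this commit was updated to `NOT_ZONE_NAME`, which suggests the validator was too, but that hunk is not visible here.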
private Predicate addPredicateForServiceName(final String serviceName,
List<Predicate> predicates) {
@@ -105,6 +106,36 @@ public class SecurityZonePredicateUtil extends
AbstractPredicateUtil {
return ret;
}
+ private Predicate addPredicateForMatchingZoneName(final String zoneName,
List<Predicate> predicates) {
+
+ Predicate ret = new Predicate() {
+ @Override
+ public boolean evaluate(Object object) {
+ if(object == null) {
+ return false;
+ }
+
+ boolean ret = false;
+
+ if(object instanceof RangerSecurityZone) {
+ RangerSecurityZone securityZone = (RangerSecurityZone)
object;
+
+ if (StringUtils.equals(zoneName, securityZone.getName())) {
+ ret = true;
+ }
+ }
+
+ return ret;
+ }
+ };
+
+ if(predicates != null) {
+ predicates.add(ret);
+ }
+
+ return ret;
+ }
+
private Predicate addPredicateForNonMatchingZoneName(final String
zoneName, List<Predicate> predicates) {
Predicate ret = new Predicate() {
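Review bot: `addPredicateForMatchingZoneName` registers its predicate unconditionally, so when the filter carries no `zoneName` (for example the fixture in this commit that sets only `SERVICE_NAME` and `NOT_ZONE_NAME`) the predicate evaluates `StringUtils.equals(null, securityZone.getName())`, which is false for every named zone, and the whole result set is filtered out. Unless the base `addPredicates` path skips null parameters before reaching this method (not visible here), the method should return early: `if (StringUtils.isEmpty(zoneName)) { return null; }` before building the predicate, mirroring how the other parameter predicates in this class are expected to behave. The existing `addPredicateForNonMatchingZoneName` body is cut off at the end of the hunk, so I cannot confirm whether it guards the empty case inside `evaluate` instead.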
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
index 4653dc31a..61f879894 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
@@ -59,6 +59,7 @@ public class SearchFilter {
public static final String POLICY_LABEL_ID = "policyLabelId";
// search, sort
public static final String ZONE_ID = "zoneId"; //
search, sort
public static final String ZONE_NAME = "zoneName"; //
search, sort
+ public static final String NOT_ZONE_NAME = "notZoneName"; //
search
public static final String ROLE_ID = "roleId"; //
search, sort
public static final String ROLE_NAME = "roleName"; //
search, sort
public static final String GROUP_NAME = "groupName"; //
search, sort
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
index dcc970c47..ef95c69aa 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
@@ -19,11 +19,17 @@
package org.apache.ranger.plugin.model.validation;
import static org.mockito.Mockito.mock;
+
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.ranger.plugin.errors.ValidationErrorCode;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -34,6 +40,7 @@ import
org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef;
import
org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.store.SecurityZoneStore;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.SearchFilter;
@@ -108,7 +115,7 @@ public class RangerSecurityZoneValidatorTest {
try{
rangerSecurityZoneValidator.validate(suppliedSecurityZone,
RangerValidator.Action.DELETE);
}catch(IllegalArgumentException ex){
- Assert.assertEquals(ex.getMessage(),
"isValid(RangerPolicy, ...) is only supported for create/update");
+ Assert.assertEquals(ex.getMessage(),
"isValid(RangerSecurityZone, ...) is only supported for create/update");
}
}
@@ -161,9 +168,11 @@ public class RangerSecurityZoneValidatorTest {
rangerSecurityZoneValidator.validate(suppliedSecurityZone,
RangerValidator.Action.CREATE);
} catch (Exception ex) {
- Assert.assertEquals(
- ex.getMessage(),
- "(0) Validation failure: error
code[3044], reason[No services specified for security-zone:[MyZone]],
field[services], subfield[null], type[missing] (1) Validation failure: error
code[3038], reason[users, user-groups and roles collections for the security
zone were null/empty], field[security zone admin users/user-groups/roles],
subfield[null], type[missing] (2) Validation failure: error code[3038],
reason[users, user-groups and roles collections for the security zone were
null/empty [...]
+ String failureMessage = ex.getMessage();
+ ValidationErrorCode expectedError =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_USER_AND_GROUPS_AND_ROLES;
+ boolean hasExpectedError =
StringUtils.contains(failureMessage, expectedError.getErrorCode() + "");
+
+ Assert.assertTrue("validation failure message didn't
include expected error code " + expectedError.getErrorCode() + ". Failure
message: " + failureMessage, hasExpectedError);
}
}
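Review bot: The replacement assertion checks only that the bare digits of `expectedError.getErrorCode()` appear somewhere in the message, so a code such as 3038 would also be satisfied by a different code that happens to contain those digits or by a number inside a reason text; matching the formatted token, `"error code[" + expectedError.getErrorCode() + "]"`, pins the actual failure. More importantly, the old expected message showed that this zone used to fail with code 3044 for having no services, which is exactly the check RANGER-4286 removes, yet nothing now asserts that code is absent; an `Assert.assertFalse(StringUtils.contains(failureMessage, "error code[3044]"))` (or the corresponding `ValidationErrorCode` constant) would make the test actually cover the commit's intent. The enclosing test method starts before the hunk.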
@@ -357,8 +366,83 @@ public class RangerSecurityZoneValidatorTest {
Assert.assertFalse(isValid);
}
-
-
+ @Test
+ public void testValidatePathResourceInMultipleSecurityZones() throws
Exception {
+ List<HashMap<String, List<String>>> zone1Resources = new
ArrayList<>();
+ List<HashMap<String, List<String>>> zone2Resources = new
ArrayList<>();
+
+ zone1Resources.add(new HashMap<String, List<String>>() {{
put("hdfs", Arrays.asList("/zone1")); }});
+ zone2Resources.add(new HashMap<String, List<String>>() {{
put("hdfs", Arrays.asList("/zone1/a")); }});
+
+ RangerServiceDef svcDef = rangerServiceDef();
+ RangerService svc = getRangerService();
+ RangerSecurityZoneService zone1HdfsSvc = new
RangerSecurityZoneService(zone1Resources);
+ RangerSecurityZoneService zone2HdfsSvc = new
RangerSecurityZoneService(zone2Resources);
+
+ RangerSecurityZone zone1 = new RangerSecurityZone("zone1",
Collections.singletonMap(svc.getName(), zone1HdfsSvc), null,
Arrays.asList("admin"), null, Arrays.asList("auditor"), null, "Zone 1");
+ RangerSecurityZone zone2 = new RangerSecurityZone("zone2",
Collections.singletonMap(svc.getName(), zone2HdfsSvc), null,
Arrays.asList("admin"), null, Arrays.asList("auditor"), null, "Zone 1");
+
+ zone1.setId(1L);
+ zone2.setId(2L);
+
+ List<RangerSecurityZone> zones = new
ArrayList<RangerSecurityZone>() {{ add(zone1); }};
+
+
Mockito.when(_store.getServiceByName(svc.getName())).thenReturn(svc);
+
Mockito.when(_store.getServiceDefByName(svc.getType())).thenReturn(svcDef);
+ Mockito.when(_store.getSecurityZone(2L)).thenReturn(zone2);
+
Mockito.when(_securityZoneStore.getSecurityZones(Mockito.any())).thenReturn(zones);
+
+ try {
+ rangerSecurityZoneValidator.validate(zone2,
RangerValidator.Action.UPDATE);
+
+ Assert.assertFalse("security-zone update should have
failed in validation", true);
+ } catch (Exception excp) {
+ String failureMessage =
excp.getMessage();
+ ValidationErrorCode expectedError =
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_RESOURCE_CONFLICT;
+ boolean hasExpectedError =
StringUtils.contains(failureMessage, expectedError.getErrorCode() + "");
+
+ Assert.assertTrue("validation failure message didn't
include expected error code " + expectedError.getErrorCode() + ". Failure
message: " + failureMessage, hasExpectedError);
+ }
+ }
+
+ @Test
+ public void testValidateHiveResourceInMultipleSecurityZones() throws
Exception {
+ List<HashMap<String, List<String>>> zone1Resources = new
ArrayList<>();
+ List<HashMap<String, List<String>>> zone2Resources = new
ArrayList<>();
+
+ zone1Resources.add(new HashMap<String, List<String>>() {{
put("database", Arrays.asList("db1")); }});
+ zone2Resources.add(new HashMap<String, List<String>>() {{
put("database", Arrays.asList("db1")); put("table", Arrays.asList("tbl1")); }});
+
+ RangerServiceDef svcDef = getHiveServiceDef();
+ RangerService svc = getHiveService();
+ RangerSecurityZoneService zone1HiveSvc = new
RangerSecurityZoneService(zone1Resources);
+ RangerSecurityZoneService zone2HiveSvc = new
RangerSecurityZoneService(zone2Resources);
+
+ RangerSecurityZone zone1 = new RangerSecurityZone("zone1",
Collections.singletonMap(svc.getName(), zone1HiveSvc), null,
Arrays.asList("admin"), null, Arrays.asList("auditor"), null, "Zone 1");
+ RangerSecurityZone zone2 = new RangerSecurityZone("zone2",
Collections.singletonMap(svc.getName(), zone2HiveSvc), null,
Arrays.asList("admin"), null, Arrays.asList("auditor"), null, "Zone 1");
+
+ zone1.setId(1L);
+ zone2.setId(2L);
+
+ List<RangerSecurityZone> zones = new
ArrayList<RangerSecurityZone>() {{ add(zone1); }};
+
+
Mockito.when(_store.getServiceByName(svc.getName())).thenReturn(svc);
+
Mockito.when(_store.getServiceDefByName(svc.getType())).thenReturn(svcDef);
+ Mockito.when(_store.getSecurityZone(2L)).thenReturn(zone2);
+
Mockito.when(_securityZoneStore.getSecurityZones(Mockito.any())).thenReturn(zones);
+
+ try {
+ rangerSecurityZoneValidator.validate(zone2,
RangerValidator.Action.UPDATE);
+
+ Assert.assertFalse("security-zone update should have
failed in validation", true);
+ } catch (Exception excp) {
+ String failureMessage = excp.getMessage();
+ boolean hasResourceConflictError =
StringUtils.contains(failureMessage,
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_RESOURCE_CONFLICT.getErrorCode()
+ "");
+
+ Assert.assertTrue("validation failure message didn't
include expected error code " +
ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_RESOURCE_CONFLICT.getErrorCode()
+ ". Failure message: " + excp.getMessage(), hasResourceConflictError);
+ }
+ }
+
private RangerService getRangerService() {
Map<String, String> configs = new HashMap<String, String>();
configs.put("username", "servicemgr");
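Review bot: Both new tests signal "validation should have failed" with `Assert.assertFalse("security-zone update should have failed in validation", true)`, which reads as a contradiction; the idiomatic form is `Assert.fail("security-zone update should have failed in validation");`, which also cannot be confused with a real predicate check (it still escapes the `catch (Exception)` below because `AssertionError` is an `Error`). The tests cover only the negative path for overlapping resources; given the commit's purpose, a companion test that validates a zone with an empty `services` map on CREATE and asserts it passes would guard the new behaviour, unless one exists elsewhere in the file. Minor: `zone2` is created with description `"Zone 1"` in both tests, a copy-paste slip that is harmless but confusing when messages are printed.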
@@ -393,6 +477,8 @@ public class RangerSecurityZoneValidatorTest {
RangerResourceDef rangerResourceDef = new RangerResourceDef();
rangerResourceDef.setName("hdfs");
+ rangerResourceDef.setRecursiveSupported(true);
+
rangerResourceDef.setMatcher("org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher");
List<RangerServiceConfigDef> configs = new
ArrayList<RangerServiceConfigDef>();
List<RangerResourceDef> resources = new
ArrayList<RangerResourceDef>();
@@ -421,6 +507,18 @@ public class RangerSecurityZoneValidatorTest {
return rangerServiceDef;
}
+ private RangerService getHiveService() {
+ RangerService ret = new
RangerService(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME, "hiveSvc",
"Test Hive Service", null, new HashMap<>());
+
+ ret.setId(1L);
+
+ return ret;
+ }
+
+ private RangerServiceDef getHiveServiceDef() throws Exception {
+ return
EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME);
+ }
+
private RangerSecurityZone getRangerSecurityZone(){
List<String> resourceList = new ArrayList<String>();
resourceList.add("/path/myfolder");
@@ -466,7 +564,7 @@ public class RangerSecurityZoneValidatorTest {
SearchFilter filter = new SearchFilter();
filter.setParam(SearchFilter.SERVICE_NAME, "hdfsSvc");
- filter.setParam(SearchFilter.ZONE_NAME, "MyZone");
+ filter.setParam(SearchFilter.NOT_ZONE_NAME, "MyZone");
return filter;
}
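Review bot: Switching this fixture from `ZONE_NAME` to `NOT_ZONE_NAME` is correct given the new predicate semantics, but in the tests visible in this commit `_securityZoneStore.getSecurityZones` is stubbed with `Mockito.any()`, so the filter's contents are never evaluated and a regression in `SecurityZonePredicateUtil` would go unnoticed. If this helper feeds a `Mockito.when(...)` that matches on the filter, consider using an argument captor or an `ArgumentMatcher` that checks `filter.getParam(SearchFilter.NOT_ZONE_NAME)` equals `"MyZone"`, so the validator is shown to exclude the zone being validated. The helper method's signature lies before the hunk.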