Repository: incubator-ranger Updated Branches: refs/heads/stack c0abd84c5 -> 63923bf6d
RANGER-203: added JSON driven policy-engine unit tests. RangerResource updated for base/simple resource definition; complex resources would be added later when needed. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/63923bf6 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/63923bf6 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/63923bf6 Branch: refs/heads/stack Commit: 63923bf6d51dcb135fc2a1edfe06b2af702d8cb6 Parents: c0abd84 Author: Madhan Neethiraj <[email protected]> Authored: Sun Jan 4 14:16:47 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Sun Jan 4 14:16:47 2015 -0800 ---------------------------------------------------------------------- .../plugin/policyengine/RangerAccessResult.java | 51 +++++---- .../policyengine/RangerMutableResource.java | 2 - .../policyengine/RangerPolicyEngineImpl.java | 13 +-- .../plugin/policyengine/RangerResource.java | 6 -- .../plugin/policyengine/RangerResourceImpl.java | 42 +------- .../RangerDefaultPolicyEvaluator.java | 81 +++++++-------- .../policyevaluator/RangerPolicyEvaluator.java | 4 +- .../RangerAbstractResourceMatcher.java | 9 ++ .../RangerDefaultResourceMatcher.java | 8 +- .../service-defs/ranger-servicedef-hbase.json | 6 +- .../service-defs/ranger-servicedef-hdfs.json | 2 +- .../service-defs/ranger-servicedef-hive.json | 8 +- .../service-defs/ranger-servicedef-knox.json | 4 +- .../service-defs/ranger-servicedef-storm.json | 2 +- .../plugin/policyengine/TestPolicyEngine.java | 104 +++++++++++++++++++ .../policyengine/test_policyengine_01.json | 61 +++++++++++ 16 files changed, 267 insertions(+), 136 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 
---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index 1eadc05..6fbfe82 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 
@@ -21,39 +21,32 @@ package org.apache.ranger.plugin.policyengine; public class RangerAccessResult { - public enum Result { ALLOWED, DENIED, PARTIALLY_DENIED }; + public enum Result { ALLOWED, DENIED }; - private RangerAccessRequest request = null; - private Result result = null; - private boolean isAudited = false; - private long policyId = -1; - private String reason = null; + private Result result = null; + private boolean isAudited = false; + private boolean isFinal = false; + private long policyId = -1; + private String reason = null; - public RangerAccessResult(RangerAccessRequest request) { - this(request, Result.DENIED, false, -1, null); + public RangerAccessResult() { + this(Result.DENIED, false, false, -1, null); } - public RangerAccessResult(RangerAccessRequest request, Result result, boolean isAudited) { - this(request, result, isAudited, -1, null); + public RangerAccessResult(Result result, boolean isAudited, boolean isFinal) { + this(result, isAudited, isFinal, -1, null); } - public RangerAccessResult(RangerAccessRequest request, Result result, boolean isAudited, long policyId, String reason) { - this.request = request; + public RangerAccessResult(Result result, boolean isAudited, boolean isFinal, long policyId, String reason) { this.result = result; this.isAudited = isAudited; + this.isFinal = isFinal; this.policyId = policyId; this.reason = reason; } /** - * @return the request - */ - public RangerAccessRequest getRequest() { - return request; - } - - /** * @return the result */ public Result getResult() { 
@@ -68,20 +61,34 @@ public class RangerAccessResult { } /** - * @return the auditAccess + * @return the isAudited */ public boolean isAudited() { return isAudited; } /** - * @param auditAccess the auditAccess to set + * @param isAudited the isAudited to set */ public void setAudited(boolean isAudited) { this.isAudited = isAudited; } /** + * @return the isFinal + */ + public boolean isFinal() { + return isFinal; + } + + /** + * @param isFinal the isFinal to set + */ + public void setFinal(boolean isFinal) { + this.isFinal = isFinal; + } + + /** * @return the policyId */ public long getPolicyId() { @@ -121,9 +128,9 @@ public class RangerAccessResult { public StringBuilder toString(StringBuilder sb) { sb.append("RangerAccessResult={"); - sb.append("request={").append(request).append("} "); sb.append("result={").append(result).append("} "); sb.append("isAudited={").append(isAudited).append("} "); + sb.append("isFinal={").append(isFinal).append("} "); sb.append("policyId={").append(policyId).append("} "); sb.append("reason={").append(reason).append("} "); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java index da254c9..fb3c331 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java 
@@ -25,6 +25,4 @@ public interface RangerMutableResource extends RangerResource { void setOwnerUser(String ownerUser); void setElement(String type, String value); - - void setLeafElement(String type, Collection<String> value); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 33b2ec7..e63effd 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -83,27 +83,20 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")"); } - RangerAccessResult ret = null; + RangerAccessResult ret = new RangerAccessResult(); List<RangerPolicyEvaluator> evaluators = policyEvaluators; if(request != null && evaluators != null) { for(RangerPolicyEvaluator evaluator : evaluators) { - ret = evaluator.evaluate(request); + evaluator.evaluate(request, ret); - if(ret != null) { + if(ret.isFinal()) { break; } } } - if(ret == null) { - ret = new RangerAccessResult(request); - - ret.setResult(Result.DENIED); - ret.setAudited(Boolean.FALSE); - } - if(LOG.isDebugEnabled()) { LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java ---------------------------------------------------------------------- 
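Review bot: In RangerPolicyEngineImpl.isAccessAllowed, `ret` now starts as a default-constructed RangerAccessResult and is mutated in place by each evaluator until one marks it final, but that deny-by-default contract is only implied by the constructor defaults; add `// start from DENIED/unaudited; evaluators may only upgrade the result, the first evaluator that marks it final ends the loop` above `RangerAccessResult ret = new RangerAccessResult();`. With `ret.setResult(Result.DENIED)` gone, the `Result` import is probably unused now (the import block is outside this hunk). The method's signature lies above the hunk.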
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java index df5abcb..03ae5fc 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResource.java @@ -27,10 +27,4 @@ public interface RangerResource { public abstract boolean elementExists(String type); public abstract String getElementValue(String type); - - public abstract boolean isLeafElement(String type); - - public abstract String getLeafElementType(); - - public abstract Collection<String> getLeafElementValues(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java index 97a49b8..fc13cdf 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java @@ -19,7 +19,6 @@ package org.apache.ranger.plugin.policyengine; -import java.util.Collection; import java.util.HashMap; import java.util.Map; @@ -27,8 +26,6 @@ import java.util.Map; public class RangerResourceImpl implements RangerMutableResource { private String ownerUser = null; private Map<String, String> elements = null; - private String leafElementType = null; - private Collection<String> leafElementValues = null; public RangerResourceImpl() { 
@@ -41,13 +38,7 @@ public class RangerResourceImpl implements RangerMutableResource { @Override public boolean elementExists(String type) { - return ((elements != null && elements.containsKey(type)) || - (leafElementType != null && leafElementType.equals(type) && leafElementValues != null && !leafElementType.isEmpty())); - } - - @Override - public boolean isLeafElement(String type) { - return leafElementType != null && leafElementType.equals(type); + return elements != null && elements.containsKey(type); } @Override @@ -56,26 +47,12 @@ public class RangerResourceImpl implements RangerMutableResource { if(elements != null && elements.containsKey(type)) { ret = elements.get(type); - } else if(leafElementType != null && leafElementType.equals(type)) { - if(leafElementValues != null && !leafElementValues.isEmpty()) { - ret = leafElementValues.iterator().next(); - } } return ret; } @Override - public String getLeafElementType() { - return leafElementType; - } - - @Override - public Collection<String> getLeafElementValues() { - return leafElementValues; - } - - @Override public void setOwnerUser(String ownerUser) { this.ownerUser = ownerUser; } @@ -91,13 +68,6 @@ public class RangerResourceImpl implements RangerMutableResource { } @Override - public void setLeafElement(String type, Collection<String> value) { - // TODO: verify that elements doesn't have an entry for type - leafElementType = type; - leafElementValues = value; - } - - @Override public String toString( ) { StringBuilder sb = new StringBuilder(); 
@@ -119,16 +89,6 @@ public class RangerResourceImpl implements RangerMutableResource { } sb.append("} "); - sb.append("leafElementType={").append(leafElementType).append("} "); - - sb.append("leafElementValues={"); - if(leafElementValues != null) { - for(String s : leafElementValues) { - sb.append(s).append("; "); - } - } - sb.append("} "); - sb.append("}"); return sb; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 4911f40..3ef5d08 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -25,6 +25,7 @@ import java.util.Collections; import java.util.List; import java.util.Map; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; 
@@ -78,33 +79,35 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } @Override - public RangerAccessResult evaluate(RangerAccessRequest request) { + public void evaluate(RangerAccessRequest request, RangerAccessResult result) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ")"); + LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); } - RangerAccessResult ret = null; - RangerPolicy policy = getPolicy(); - - /* - * TODO: handle partial-deny cases, especially for plug-ins that can deal with - * allowing access to part of the requested resource - like HBase returning - * columns for which the user has access to - */ - if(request != null && policy != null && matchResource(request.getResource())) { - for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - RangerPolicyItemAccess access = getAccess(policyItem, request.getAccessType()); - - if(access != null && access.getIsAllowed()) { - if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { - if(matchCustomConditions(policyItem, request)) { - ret = new RangerAccessResult(request); - - ret.setPolicyId(policy.getId()); - ret.setResult(access.getIsAllowed() ? 
Result.ALLOWED : Result.DENIED); - ret.setAudited(access.getIsAudited()); - - break; + RangerPolicy policy = getPolicy(); + + if(policy != null && policy.getIsEnabled() && request != null && result != null && !result.isFinal()) { + if(matchResource(request.getResource())) { + for(RangerPolicyItem policyItem : policy.getPolicyItems()) { + RangerPolicyItemAccess access = getAccess(policyItem, request.getAccessType()); + + if(access != null && (access.getIsAllowed() || policy.getIsAuditEnabled())) { + if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { + if(matchCustomConditions(policyItem, request)) { + if(result.getResult() != Result.ALLOWED && access.getIsAllowed()) { + result.setResult(Result.ALLOWED); + result.setPolicyId(policy.getId()); + } + + if(! result.isAudited() && policy.getIsAuditEnabled()) { + result.setAudited(true); + } + + if(result.getResult() == Result.ALLOWED && result.isAudited()) { + result.setFinal(true); + break; + } + } } } } @@ -112,10 +115,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + "): " + ret); + LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")"); } - - return ret; } protected boolean matchResource(RangerResource resource) { 
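Review bot: The guard `policy.getIsEnabled()` and the later `access.getIsAllowed()` / `policy.getIsAuditEnabled()` are used as bare boolean conditions; if those model getters return a boxed `Boolean` (the model classes are not visible here), an unset field unboxes to a NullPointerException for every request reaching this policy, so null-check them or use `Boolean.TRUE.equals(policy.getIsEnabled())`. The accumulate-into-`result` contract also needs a Javadoc on `evaluate`: the result is shared across evaluators, a policy can only upgrade it (DENIED to ALLOWED, unaudited to audited), and `isFinal` is set once both are decided so the engine stops iterating. It is worth stating that an audit-only item (`isAllowed=false` with policy audit enabled) still has to pass matchUserGroup and matchCustomConditions before the request is marked audited, which the test fixture relies on. The tail of evaluate continues in the next hunk.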
@@ -129,15 +130,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator ret = true; for(ResourceDefMatcher matcher : matchers) { - String resourceType = matcher.getResourceType(); - - if(resource.isLeafElement(resourceType)) { - Collection<String> resourceValues = resource.getLeafElementValues(); - - ret = matcher.isMatch(resourceValues); - } else { - String resourceValue = resource.getElementValue(resourceType); + String resourceType = matcher.getResourceType(); + String resourceValue = resource.getElementValue(resourceType); + if(resourceValue != null) { ret = matcher.isMatch(resourceValue); } @@ -161,12 +157,15 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator boolean ret = false; - if(policyItem != null && user != null && policyItem.getUsers() != null) { - ret = policyItem.getUsers().contains(user); - } - - if(!ret && policyItem != null && groups != null && policyItem.getGroups() != null) { - ret = !Collections.disjoint(policyItem.getGroups(), groups); + if(policyItem != null) { + if(!ret && user != null && policyItem.getUsers() != null) { + ret = policyItem.getUsers().contains(user); + } + + if(!ret && groups != null && policyItem.getGroups() != null) { + ret = policyItem.getGroups().contains(GROUP_PUBLIC) || + !Collections.disjoint(policyItem.getGroups(), groups); + } } if(LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index 333275e..54efb15 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 
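Review bot: In matchResource, `ret = matcher.isMatch(resourceValue)` overwrites the outcome of the previous matcher, so unless an `if(!ret) break;` follows outside the hunk (the loop body runs past the hunk's end), a mismatch on `database` is masked by a later match on `table`; `ret = ret && matcher.isMatch(resourceValue);` is safe either way. Separately, an element absent from the request (`resourceValue == null`) leaves `ret` untouched, so a request naming only a database matches policies scoped to a specific table or column; the fixture depends on this (its first test expects policy 2, scoped to `test*`/`*`, to ALLOW a database-only request), so make it explicit with `// element not present in the request: treated as a match at this level`.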
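Review bot: The `GROUP_PUBLIC` check in matchUserGroup sits inside `groups != null`, so a request carrying no group list does not match a policy item granted to `public`, although the request's own groups are irrelevant to that decision; hoist it: `if(!ret && policyItem.getGroups() != null) { ret = policyItem.getGroups().contains(GROUP_PUBLIC) || (groups != null && !Collections.disjoint(policyItem.getGroups(), groups)); }`. The `!ret &&` on the users branch is redundant since `ret` is always false there. matchUserGroup's signature and return lie outside the hunk.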
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java @@ -25,11 +25,13 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; public interface RangerPolicyEvaluator { + public static final String GROUP_PUBLIC = "public"; + void init(RangerPolicy policy, RangerServiceDef serviceDef); RangerPolicy getPolicy(); RangerServiceDef getServiceDef(); - RangerAccessResult evaluate(RangerAccessRequest request); + void evaluate(RangerAccessRequest request, RangerAccessResult result); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java index 6ddebd1..500650c 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java @@ -130,6 +130,15 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat return ret; } + public String getWildCardPattern(String policyValue) { + if (policyValue != null) { + policyValue = policyValue.replaceAll("\\?", "\\.") + .replaceAll("\\*", ".*") ; + } + + return policyValue ; + } + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java ---------------------------------------------------------------------- 
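Review bot: `GROUP_PUBLIC` is introduced without documentation although it changes authorization semantics for every evaluator; add `/** Pseudo-group: a policy item granted to this group applies to every user, irrespective of the groups carried by the request. */`. `public static final` is redundant on an interface field, `String GROUP_PUBLIC = "public";` suffices. The new `evaluate(request, result)` signature should also carry a Javadoc stating that `result` is accumulated in place across evaluators, that implementations must not downgrade it, and that setting `isFinal` stops the engine.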
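Review bot: getWildCardPattern only translates `?` and `*` and escapes nothing else, so any other regex metacharacter in a policy value (`.`, `+`, `(`, `[`, `|`, `$`, `^`) is passed through as regex syntax; assuming isMatch compiles the returned string with java.util.regex (not visible here), a policy value such as the constructed `sales.2014` also matches `salesX2014`, silently widening the policy's scope, and an unbalanced `(` fails to compile. Quote the literal segments and translate only the two wildcards, as below; this needs `import java.util.regex.Pattern;` in the file's import block. A Javadoc should state that only `*` and `?` are wildcards and that the return value is a regular expression, not a glob.
```java
public String getWildCardPattern(String policyValue) {
    if (policyValue == null) {
        return null;
    }

    // only '*' and '?' are wildcards; every other character must match literally
    StringBuilder pattern = new StringBuilder();
    int literalStart = 0;

    for (int i = 0; i < policyValue.length(); i++) {
        char c = policyValue.charAt(i);

        if (c == '*' || c == '?') {
            if (i > literalStart) {
                pattern.append(Pattern.quote(policyValue.substring(literalStart, i)));
            }
            pattern.append(c == '*' ? ".*" : ".");
            literalStart = i + 1;
        }
    }

    if (literalStart < policyValue.length()) {
        pattern.append(Pattern.quote(policyValue.substring(literalStart)));
    }

    return pattern.toString();
}
```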
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java index 9aa882b..cf35131 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java @@ -53,11 +53,15 @@ public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher if(policyValue == null) { continue; } - + if(optIgnoreCase) { policyValue = policyValue.toLowerCase(); } - + + if(optWildCard) { + policyValue = getWildCardPattern(policyValue); + } + policyValues.add(policyValue); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json index 5f06235..3faaf3a 100644 --- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json +++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json 
@@ -33,9 +33,9 @@ ], "resources": [ - {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Table","description":"HBase Table"}, - {"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column-family","description":"HBase Column-family"}, - {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":false,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column","description":"HBase Column"} + {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Table","description":"HBase Table"}, + {"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column-family","description":"HBase Column-family"}, + {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column","description":"HBase Column"} ], "accessTypes": [ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json ---------------------------------------------------------------------- 
diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json index 193932e..ee461d2 100644 --- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json +++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json @@ -45,7 +45,7 @@ ], "resources": [ - {"name":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerPathResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Resource Path","description":"HDFS file or directory path"} + {"name":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Resource Path","description":"HDFS file or directory path"} ], "accessTypes": [ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/resources/service-defs/ranger-servicedef-hive.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hive.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hive.json index ca388ef..6029d2c 100644 --- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hive.json +++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hive.json 
@@ -21,10 +21,10 @@ ], "resources": [ - {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Database","description":"Hive Database"}, - {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Table","description":"Hive Table"}, - {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive UDF","description":"Hive UDF"}, - {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"} + {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Database","description":"Hive Database"}, + {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Table","description":"Hive Table"}, + {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive UDF","description":"Hive UDF"}, + 
{"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"} ], "accessTypes": [ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/resources/service-defs/ranger-servicedef-knox.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-knox.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-knox.json index a9afe42..2116d92 100644 --- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-knox.json +++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-knox.json 
@@ -20,8 +20,8 @@ ], "resources": [ - {"name":"topology","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Knox Topology","description":"Knox Topology"}, - {"name":"service","level":2,"parent":"topology","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Knox Service","description":"Knox Service"} + {"name":"topology","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Knox Topology","description":"Knox Topology"}, + {"name":"service","level":2,"parent":"topology","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Knox Service","description":"Knox Service"} ], "accessTypes": [ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/main/resources/service-defs/ranger-servicedef-storm.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-storm.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-storm.json index db69dbb..a753002 100644 --- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-storm.json +++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-storm.json 
@@ -20,7 +20,7 @@ ], "resources": [ - {"name":"topology","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.policyengine.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Storm Topology","description":"Storm Topology"} + {"name":"topology","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Storm Topology","description":"Storm Topology"} ], "accessTypes": [ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java new file mode 100644 index 0000000..3c2c688 --- /dev/null +++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 
@@ -0,0 +1,104 @@ +package org.apache.ranger.plugin.policyengine; + +import static org.junit.Assert.*; + +import java.io.InputStream; +import java.io.InputStreamReader; +import java.lang.reflect.Type; +import java.util.List; + + +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTests.TestData; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.google.gson.JsonDeserializationContext; +import com.google.gson.JsonDeserializer; +import com.google.gson.JsonElement; +import com.google.gson.JsonParseException; + + +public class TestPolicyEngine { + static RangerPolicyEngine policyEngine = null; + static Gson gsonBuilder = null; + + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + policyEngine = new RangerPolicyEngineImpl(); + gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") + .setPrettyPrinting() + .registerTypeAdapter(RangerAccessRequest.class, new RangerAccessRequestDeserializer()) + .registerTypeAdapter(RangerResource.class, new RangerResourceDeserializer()) + .create(); + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Test + public void testPolicyEngine_01() { + String filename = "/policyengine/test_policyengine_01.json"; + InputStream inStream = this.getClass().getResourceAsStream(filename); + InputStreamReader reader = new InputStreamReader(inStream); + + runTests(reader, filename); + } + + public void runTests(InputStreamReader reader, String testName) { + try { + PolicyEngineTests tests = gsonBuilder.fromJson(reader, PolicyEngineTests.class); + + assertTrue("invalid input: " + testName, tests != null && tests.serviceDef != null && tests.policies != null && tests.tests != null); + + policyEngine.setPolicies(tests.serviceDef, 
tests.policies); + + for(TestData td : tests.tests) { + RangerAccessResult expected = td.result; + RangerAccessResult result = policyEngine.isAccessAllowed(td.request); + + assertEquals(result.getResult(), expected.getResult()); + assertEquals(result.isAudited(), expected.isAudited()); + assertEquals(result.getPolicyId(), expected.getPolicyId()); + } + } catch(Throwable excp) { + excp.printStackTrace(); + } + + } + + static class PolicyEngineTests { + public RangerServiceDef serviceDef; + public List<RangerPolicy> policies; + public List<TestData> tests; + + class TestData { + public String name; + public RangerAccessRequest request; + public RangerAccessResult result; + } + } + + static class RangerAccessRequestDeserializer implements JsonDeserializer<RangerAccessRequest> { + @Override + public RangerAccessRequest deserialize(JsonElement jsonObj, Type type, + JsonDeserializationContext context) throws JsonParseException { + return gsonBuilder.fromJson(jsonObj, RangerAccessRequestImpl.class); + } + } + + static class RangerResourceDeserializer implements JsonDeserializer<RangerResource> { + @Override + public RangerResource deserialize(JsonElement jsonObj, Type type, + JsonDeserializationContext context) throws JsonParseException { + return gsonBuilder.fromJson(jsonObj, RangerResourceImpl.class); + } + } +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/63923bf6/plugin-common/src/test/resources/policyengine/test_policyengine_01.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json new file mode 100644 index 0000000..e952d84 --- /dev/null +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json 
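Review bot: runTests catches Throwable and only prints it, and AssertionError is a Throwable, so a failing assertEquals (or a JSON parse error, or a null resource stream) is swallowed and testPolicyEngine_01 passes regardless; change `excp.printStackTrace();` to `throw new AssertionError(testName + " failed: " + excp, excp);` or drop the try/catch and declare `throws Exception`. The assertEquals calls have expected and actual reversed (`assertEquals(expected.getResult(), result.getResult())`), which makes failure messages misleading. `InputStreamReader` is created without an explicit charset and never closed, and `getResourceAsStream` returning null would only surface as an NPE inside the swallowed block. `TestData` should be `static` so Gson does not have to synthesize an enclosing-instance reference for it.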
@@ -0,0 +1,61 @@
+{
+ "serviceDef":{
+ "name":"hive",
+ "resources":[
+ {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Database","description":"Hive Database"},
+ {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Table","description":"Hive Table"},
+ {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive UDF","description":"Hive UDF"},
+ {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"}
+ ],
+ "accessTypes":[
+ {"name":"select","label":"select"},
+ {"name":"update","label":"update"},
+ {"name":"create","label":"Create"},
+ {"name":"drop","label":"Drop"},
+ {"name":"alter","label":"Alter"},
+ {"name":"index","label":"Index"},
+ {"name":"lock","label":"Lock"},
+ {"name":"all","label":"All"}
+ ]
+ },
+
+ "policies":[
+ {"id":1,"name":"audit-all-select","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"select","isAllowed":false}],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":2,"name":"db=default; table=test*; column=*","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false}
+ ]
+ }
+ ],
+
+ "tests":[
+ {"request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"select","user":"user1","userGroups":["users"],"requestData":"use default"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"request":{
+ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
+ "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"request":{
+ "resource":{"elements":{"database":"finance"}},
+ "accessType":"select","user":"user1","userGroups":["users"],"requestData":"use finance"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ]
+}
+
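Review bot: none of the three cases sets the `name` field that `TestData` declares, so when one fails nothing identifies it beyond its position in the loop; give each case a `"name"`, e.g. `"name":"user1 select on database default, satisfied by table-scoped policy 2"`. The first case deserves that explicit name because it pins down a security-relevant rule: a request carrying only `database=default` is expected `ALLOWED` with `policyId:2`, although policy 2 grants select only on `table=test*` — if a parent-level request is meant to be satisfied by any policy on a child resource, the fixture should say so, and if not, the expectation should be `DENIED`. The cases never exercise a user or group the policy does not list, an access type other than `select`, the `udf` resource, or the `ignoreCase=true`/`wildCard=true` matcher options (`Default`, `TESTTABLE`), so the engine's deny path is covered only by the unmatched-database case and wildcard matching only by `testtable` against `test*`.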
