Repository: incubator-ranger Updated Branches: refs/heads/stack 63923bf6d -> 3106b1122
RANGER-203: add more policy engine tests; fixes. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3106b112 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3106b112 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3106b112 Branch: refs/heads/stack Commit: 3106b1122b816c0cc458f0ff14957fc6f1b541da Parents: 63923bf Author: Madhan Neethiraj <[email protected]> Authored: Sun Jan 4 22:28:01 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Sun Jan 4 22:28:01 2015 -0800 ---------------------------------------------------------------------- .../plugin/policyengine/RangerAccessResult.java | 35 +++ .../RangerDefaultPolicyEvaluator.java | 20 +- .../plugin/policyengine/TestPolicyEngine.java | 26 ++- .../policyengine/test_policyengine_01.json | 211 ++++++++++++++++++- 4 files changed, 261 insertions(+), 31 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3106b112/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index 6fbfe82..8fa766f 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java @@ -19,6 +19,9 @@ package org.apache.ranger.plugin.policyengine; +import org.apache.commons.lang.ObjectUtils; +import org.apache.commons.lang.StringUtils; + public class RangerAccessResult { public enum Result { ALLOWED, DENIED }; 
@@ -117,6 +120,38 @@ public class RangerAccessResult { } @Override + public boolean equals(Object obj) { + boolean ret = false; + + if(obj != null && (obj instanceof RangerAccessResult)) { + RangerAccessResult other = (RangerAccessResult)obj; + + ret = (this == other); + + if(! ret) { + ret = this.isAudited == other.isAudited && + this.policyId == other.policyId && + StringUtils.equals(this.reason, other.reason) && + ObjectUtils.equals(this.result, other.result); + } + } + + return ret; + } + + @Override + public int hashCode() { + int ret = 7; + + ret = 31 * ret + (isAudited ? 1 : 0); + ret = 31 * ret + (int)policyId; + ret = 31 * ret + (reason == null ? 0 : reason.hashCode()); + ret = 31 * ret + (result == null ? 0 : result.hashCode()); + + return ret; + } + + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3106b112/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 3ef5d08..2d0f300 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
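Review bot: The new `equals` and `hashCode` cover only `isAudited`, `policyId`, `reason` and `result`, while the evaluator changed in this same commit calls `result.setFinal(true)`, so the class appears to carry a final flag that equality ignores. If that omission is deliberate (the JSON fixtures list no such field), say so in a Javadoc line on `equals`, for example `/** Compares result, isAudited, policyId and reason; the final flag is evaluation state and is not compared. */`. The cast in `(int)policyId` suggests a `long` whose high bits are dropped from the hash; `(int)(policyId ^ (policyId >>> 32))` keeps them. The `obj != null &&` test is redundant before `instanceof`. The class body continues outside the hunk.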
@@ -91,24 +91,24 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator for(RangerPolicyItem policyItem : policy.getPolicyItems()) { RangerPolicyItemAccess access = getAccess(policyItem, request.getAccessType()); - if(access != null && (access.getIsAllowed() || policy.getIsAuditEnabled())) { + if(access != null) { + if(! result.isAudited() && policy.getIsAuditEnabled()) { + result.setAudited(true); + } + if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { if(matchCustomConditions(policyItem, request)) { if(result.getResult() != Result.ALLOWED && access.getIsAllowed()) { result.setResult(Result.ALLOWED); result.setPolicyId(policy.getId()); } - - if(! result.isAudited() && policy.getIsAuditEnabled()) { - result.setAudited(true); - } - - if(result.getResult() == Result.ALLOWED && result.isAudited()) { - result.setFinal(true); - break; - } } } + + if(result.getResult() == Result.ALLOWED && result.isAudited()) { + result.setFinal(true); + break; + } } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3106b112/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index 3c2c688..b7d156a 100644 --- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 
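Review bot: The audit flag is now set only inside `if(access != null)`, so a request whose access type no policy item lists leaves `isAudited` false even when the policy has auditing enabled, and that denied attempt would not be marked for audit. `policy.getIsAuditEnabled()` does not depend on the item, so the check can sit once ahead of the `for` loop: `if(! result.isAudited() && policy.getIsAuditEnabled()) { result.setAudited(true); }`. The condition guarding the loop (presumably the resource match) starts outside the hunk, so confirm the hoisted check stays inside it. None of the fixture cases added in this commit uses an access type other than select, create or drop, so this path is not pinned by a test.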
@@ -10,7 +10,7 @@ import java.util.List; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTests.TestData; +import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData; import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; @@ -53,19 +53,17 @@ public class TestPolicyEngine { public void runTests(InputStreamReader reader, String testName) { try { - PolicyEngineTests tests = gsonBuilder.fromJson(reader, PolicyEngineTests.class); + PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class); - assertTrue("invalid input: " + testName, tests != null && tests.serviceDef != null && tests.policies != null && tests.tests != null); + assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null); - policyEngine.setPolicies(tests.serviceDef, tests.policies); + policyEngine.setPolicies(testCase.serviceDef, testCase.policies); - for(TestData td : tests.tests) { - RangerAccessResult expected = td.result; - RangerAccessResult result = policyEngine.isAccessAllowed(td.request); + for(TestData test : testCase.tests) { + RangerAccessResult expected = test.result; + RangerAccessResult result = policyEngine.isAccessAllowed(test.request); - assertEquals(result.getResult(), expected.getResult()); - assertEquals(result.isAudited(), expected.isAudited()); - assertEquals(result.getPolicyId(), expected.getPolicyId()); + assertEquals(test.name, expected, result); } } catch(Throwable excp) { excp.printStackTrace(); 
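Review bot: `assertEquals(test.name, expected, result)` reports a mismatch by throwing `AssertionError`, which the enclosing `catch(Throwable excp)` also catches. The hunk shows only `excp.printStackTrace();` in that handler, and the line that follows it lies outside the hunk. If nothing there fails the test, a wrong allow/deny or audit decision is printed and the run still passes. Either drop the catch so the error propagates, or end the handler with `org.junit.Assert.fail(testName + ": " + excp);`.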
@@ -73,10 +71,10 @@ public class TestPolicyEngine { } - static class PolicyEngineTests { - public RangerServiceDef serviceDef; - public List<RangerPolicy> policies; - public List<TestData> tests; + static class PolicyEngineTestCase { + public RangerServiceDef serviceDef; + public List<RangerPolicy> policies; + public List<TestData> tests; class TestData { public String name; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3106b112/plugin-common/src/test/resources/policyengine/test_policyengine_01.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json index e952d84..7388bbd 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json @@ -8,8 +8,8 @@ {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"} ], "accessTypes":[ - {"name":"select","label":"select"}, - {"name":"update","label":"update"}, + {"name":"select","label":"Select"}, + {"name":"update","label":"Update"}, {"name":"create","label":"Create"}, {"name":"drop","label":"Drop"}, {"name":"alter","label":"Alter"}, 
@@ -31,31 +31,228 @@ "resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}}, "policyItems":[ {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false} + , + {"accesses":[{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["admin"],"groups":["admin"],"delegateAdmin":true} ] } ], "tests":[ - {"request":{ + {"name":"'use default;' as user1 ==> ALLOWED", + "request":{ "resource":{"elements":{"database":"default"}}, "accessType":"select","user":"user1","userGroups":["users"],"requestData":"use default" }, "result":{"result":"ALLOWED","isAudited":true,"policyId":2} } , - {"request":{ - "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" + {"name":"'use default;' as user2 ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"select","user":"user2","userGroups":["users"],"requestData":"use default" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'use default;' as user3 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"select","user":"user3","userGroups":["users"],"requestData":"use default" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + {"name":"'use default;' as user3, group1 ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"select","user":"user3","userGroups":["users", "group1"],"requestData":"use default" }, "result":{"result":"ALLOWED","isAudited":true,"policyId":2} } , - {"request":{ + {"name":"'use default;' as user3, group2 ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"select","user":"user3","userGroups":["users", "group2"],"requestData":"use 
default" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'use default;' as user3, group3 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"select","user":"user3","userGroups":["users", "group3"],"requestData":"use default" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + {"name":"'use finance;' as user3, group3 ==> DENIED", + "request":{ "resource":{"elements":{"database":"finance"}}, "accessType":"select","user":"user1","userGroups":["users"],"requestData":"use finance" }, "result":{"result":"DENIED","isAudited":true,"policyId":-1} } + , + {"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'select col1 from default.testtable;' as user2 ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'select col1 from default.testtable;' as user3 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + {"name":"'select col1 from default.testtable;' as user3, group1 ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + 
"accessType":"select","user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'select col1 from default.testtable;' as user3, group2 ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'select col1 from default.testtable;' as user3, group3 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + {"name":"'select col1 from default.table1;' as user1 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, + "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + {"name":"'create table default.testtable1;' as user1 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + {"name":"'create table default.testtable1;' as user1, group1 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessType":"create","user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + 
{"name":"'create table default.testtable1;' as admin ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessType":"create","user":"admin","userGroups":["users"],"requestData":"create table default.testtable1" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'create table default.testtable1;' as user1, admin ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'drop table default.testtable1;' as user1 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + {"name":"'drop table default.testtable1;' as user1, group1 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessType":"drop","user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } + , + {"name":"'drop table default.testtable1;' as admin ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessType":"drop","user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1" + }, + "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'drop table default.testtable1;' as user1, admin ==> ALLOWED", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" + }, + 
"result":{"result":"ALLOWED","isAudited":true,"policyId":2} + } + , + {"name":"'create table default.table1;' as user1 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"table1"}}, + "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" + }, + "result":{"result":"DENIED","isAudited":false,"policyId":-1} + } + , + {"name":"'create table default.table1;' as user1, admin ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"table1"}}, + "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" + }, + "result":{"result":"DENIED","isAudited":false,"policyId":-1} + } + , + {"name":"'drop table default.table1;' as user1 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"table1"}}, + "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" + }, + "result":{"result":"DENIED","isAudited":false,"policyId":-1} + } + , + {"name":"'drop table default.table1;' as user1, admin ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"table1"}}, + "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" + }, + "result":{"result":"DENIED","isAudited":false,"policyId":-1} + } + , + {"name":"'select col1 from default.table1;' as user3 ==> DENIED", + "request":{ + "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, + "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1" + }, + "result":{"result":"DENIED","isAudited":true,"policyId":-1} + } ] }
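Review bot: Several added cases carry a name that does not match the request they send. The case named `'use finance;' as user3, group3 ==> DENIED` sends `"user":"user1"` with `"userGroups":["users"]`, so the user3/group3 path against the finance database is not exercised; rename it to `as user1` or change the request. The four `default.table1` create/drop cases set `"requestData"` to `... default.testtable1` while the resource element is `table1`. As far as this hunk shows the resource element decides the outcome, but now that the test name is the assertion message, the mismatch makes a failure report misleading.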
