Repository: incubator-ranger Updated Branches: refs/heads/stack 3106b1122 -> 29747dcd6
RANGER-203: AccessRequest updated to support multiple accessTypes (like [read, execute]). Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/29747dcd Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/29747dcd Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/29747dcd Branch: refs/heads/stack Commit: 29747dcd6eedb117ccfcdb18835a2d6eda3ddeff Parents: 3106b11 Author: Madhan Neethiraj <[email protected]> Authored: Mon Jan 5 13:58:58 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Jan 5 13:58:58 2015 -0800 ---------------------------------------------------------------------- .../policyengine/RangerAccessRequest.java | 6 +- .../policyengine/RangerAccessRequestImpl.java | 34 ++- .../plugin/policyengine/RangerAccessResult.java | 275 +++++++++++++------ .../plugin/policyengine/RangerPolicyEngine.java | 4 - .../policyengine/RangerPolicyEngineImpl.java | 40 +-- .../RangerDefaultPolicyEvaluator.java | 33 ++- .../policyengine/test_policyengine_01.json | 108 ++++---- 7 files changed, 316 insertions(+), 184 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java index 5082947..fc4d954 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 
@@ -19,18 +19,18 @@ package org.apache.ranger.plugin.policyengine; -import java.util.Collection; import java.util.Date; import java.util.Map; +import java.util.Set; public interface RangerAccessRequest { RangerResource getResource(); - String getAccessType(); + Set<String> getAccessTypes(); String getUser(); - Collection<String> getUserGroups(); + Set<String> getUserGroups(); Date getAccessTime(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java index 8e215da..f428c6a 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java @@ -1,20 +1,17 @@ package org.apache.ranger.plugin.policyengine; -import java.util.Collection; import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.Map; - -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import java.util.Set; public class RangerAccessRequestImpl implements RangerAccessRequest { private RangerResource resource = null; - private String accessType = null; + private Set<String> accessTypes = null; private String user = null; - private Collection<String> userGroups = null; + private Set<String> userGroups = null; private Date accessTime = null; private String clientIPAddress = null; private String clientType = null; 
@@ -28,9 +25,9 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { this(null, null, null, null); } - public RangerAccessRequestImpl(RangerResource resource, String accessType, String user, Collection<String> userGroups) { + public RangerAccessRequestImpl(RangerResource resource, Set<String> accessTypes, String user, Set<String> userGroups) { setResource(resource); - setAccessType(accessType); + setAccessTypes(accessTypes); setUser(user); setUserGroups(userGroups); @@ -50,8 +47,8 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { } @Override - public String getAccessType() { - return accessType; + public Set<String> getAccessTypes() { + return accessTypes; } @Override @@ -60,7 +57,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { } @Override - public Collection<String> getUserGroups() { + public Set<String> getUserGroups() { return userGroups; } @@ -104,15 +101,15 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { this.resource = resource; } - public void setAccessType(String accessType) { - this.accessType = accessType; + public void setAccessTypes(Set<String> accessTypes) { + this.accessTypes = (accessTypes == null) ? new HashSet<String>() : accessTypes; } public void setUser(String user) { this.user = user; } - public void setUserGroups(Collection<String> userGroups) { + public void setUserGroups(Set<String> userGroups) { this.userGroups = (userGroups == null) ? new HashSet<String>() : userGroups; } 
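Review bot: setAccessTypes() and setUserGroups() store the caller's Set by reference, and the getters hand the same instance back, so the inputs to an authorization decision can change after the request is built. In this commit the engine seeds one ResultDetail per access type and the evaluator later looks each type up again; a set that gains an element in between makes that lookup return null. Copy on the way in, `this.accessTypes = (accessTypes == null) ? new HashSet<String>() : new HashSet<String>(accessTypes);` (same for userGroups), and consider returning `Collections.unmodifiableSet(...)` from the getters.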
@@ -157,7 +154,14 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { sb.append("RangerAccessRequestImpl={"); sb.append("resource={").append(resource).append("} "); - sb.append("accessType={").append(accessType).append("} "); + + sb.append("accessTypes={"); + if(accessTypes != null) { + for(String accessType : accessTypes) { + sb.append(accessType).append(" "); + } + } + sb.append("user={").append(user).append("} "); sb.append("userGroups={"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index 8fa766f..5d7db60 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 
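Review bot: The new `accessTypes={` block is never closed: after the loop the code goes straight to `sb.append("user={")`, so the output has unbalanced braces and the access types run into the user field in log lines. Add `sb.append("} ");` after the `if(accessTypes != null)` block, as RangerAccessResult.toString() in this commit does for accessTypeResults. The toString(StringBuilder) body starts and ends outside this hunk.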
@@ -19,104 +19,108 @@ package org.apache.ranger.plugin.policyengine; +import java.util.HashMap; +import java.util.Map; + import org.apache.commons.lang.ObjectUtils; import org.apache.commons.lang.StringUtils; public class RangerAccessResult { - public enum Result { ALLOWED, DENIED }; - - private Result result = null; - private boolean isAudited = false; - private boolean isFinal = false; - private long policyId = -1; - private String reason = null; + public enum Result { ALLOWED, DENIED, PARTIALLY_ALLOWED }; + private Map<String, ResultDetail> accessTypeResults = null; public RangerAccessResult() { - this(Result.DENIED, false, false, -1, null); + this(null); } - public RangerAccessResult(Result result, boolean isAudited, boolean isFinal) { - this(result, isAudited, isFinal, -1, null); - } - - public RangerAccessResult(Result result, boolean isAudited, boolean isFinal, long policyId, String reason) { - this.result = result; - this.isAudited = isAudited; - this.isFinal = isFinal; - this.policyId = policyId; - this.reason = reason; + public RangerAccessResult(Map<String, ResultDetail> accessTypeResults) { + setAccessTypeResults(accessTypeResults); } /** - * @return the result + * @return the accessTypeResults */ - public Result getResult() { - return result; + public Map<String, ResultDetail> getAccessTypeResults() { + return accessTypeResults; } /** * @param result the result to set */ - public void setResult(Result result) { - this.result = result; - } - - /** - * @return the isAudited - */ - public boolean isAudited() { - return isAudited; + public void setAccessTypeResults(Map<String, ResultDetail> accessTypeResults) { + this.accessTypeResults = accessTypeResults == null ? 
new HashMap<String, ResultDetail>() : accessTypeResults; } /** - * @param isAudited the isAudited to set + * @param accessType the accessType + * @return the accessTypeResult */ - public void setAudited(boolean isAudited) { - this.isAudited = isAudited; + public ResultDetail getAccessTypeResult(String accessType) { + return accessTypeResults == null ? null : accessTypeResults.get(accessType); } /** - * @return the isFinal + * @param accessType the accessType + * @param result the result to set */ - public boolean isFinal() { - return isFinal; - } + public void setAccessTypeResult(String accessType, ResultDetail result) { + if(accessTypeResults == null) { + accessTypeResults = new HashMap<String, ResultDetail>(); + } - /** - * @param isFinal the isFinal to set - */ - public void setFinal(boolean isFinal) { - this.isFinal = isFinal; + accessTypeResults.put(accessType, result); } - /** - * @return the policyId - */ - public long getPolicyId() { - return policyId; - } + public boolean isAllAllowedAndAudited() { + boolean ret = true; + + if(accessTypeResults != null) { + for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) { + ResultDetail result = e.getValue(); + + ret = result.isAllowed && result.isAudited; + + if(! 
ret) { + break; + } + } + } - /** - * @param policyId the policyId to set - */ - public void setPolicyId(long policyId) { - this.policyId = policyId; + return ret; } /** - * @return the reason + * @return the overall result */ - public String getReason() { - return reason; - } + public Result getResult() { + Result ret = Result.ALLOWED; + + if(accessTypeResults != null) { + int numAllowed = 0; + int numDenied = 0; + + for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) { + ResultDetail result = e.getValue(); + + if(result.isAllowed) { + numAllowed++; + } else { + numDenied++; + } + } + + if(numAllowed == accessTypeResults.size()) { + ret = Result.ALLOWED; + } else if(numDenied == accessTypeResults.size()) { + ret = Result.DENIED; + } else { + ret = Result.PARTIALLY_ALLOWED; + } + } - /** - * @param reason the reason to set - */ - public void setReason(String reason) { - this.reason = reason; + return ret; } @Override @@ -126,14 +130,8 @@ public class RangerAccessResult { if(obj != null && (obj instanceof RangerAccessResult)) { RangerAccessResult other = (RangerAccessResult)obj; - ret = (this == other); - - if(! ret) { - ret = this.isAudited == other.isAudited && - this.policyId == other.policyId && - StringUtils.equals(this.reason, other.reason) && - ObjectUtils.equals(this.result, other.result); - } + ret = (this == other) || + ObjectUtils.equals(accessTypeResults, other.accessTypeResults); } return ret; @@ -143,10 +141,7 @@ public class RangerAccessResult { public int hashCode() { int ret = 7; - ret = 31 * ret + (isAudited ? 1 : 0); - ret = 31 * ret + (int)policyId; - ret = 31 * ret + (reason == null ? 0 : reason.hashCode()); - ret = 31 * ret + (result == null ? 0 : result.hashCode()); + ret = 31 * ret + (accessTypeResults == null ? 0 : accessTypeResults.hashCode()); // TODO: review return ret; } 
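Review bot: getResult() fails open: `ret` starts as `Result.ALLOWED`, and for an empty map `numAllowed == accessTypeResults.size()` is `0 == 0`, so a result with no per-type entries reports ALLOWED where the removed default constructor reported DENIED. RangerPolicyEngineImpl.isAccessAllowed() (hunk -87,11) seeds entries only when the request, its access types and the evaluator list are all non-null, so a null request, an empty accessTypes set or an engine with no policies loaded appears to return such an empty result. Start from deny and require at least one entry: `Result ret = Result.DENIED;` and `if(accessTypeResults != null && !accessTypeResults.isEmpty()) {`. isAllAllowedAndAudited() is vacuously true for an empty map in the same way, and it dereferences `e.getValue()` without a null check although setAccessTypeResult() accepts a null value.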
@@ -163,14 +158,136 @@ public class RangerAccessResult { public StringBuilder toString(StringBuilder sb) { sb.append("RangerAccessResult={"); - sb.append("result={").append(result).append("} "); - sb.append("isAudited={").append(isAudited).append("} "); - sb.append("isFinal={").append(isFinal).append("} "); - sb.append("policyId={").append(policyId).append("} "); - sb.append("reason={").append(reason).append("} "); + sb.append("accessTypeResults={"); + if(accessTypeResults != null) { + for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) { + sb.append(e.getKey()).append("={").append(e.getValue()).append("} "); + } + } + sb.append("} "); sb.append("}"); return sb; } + + public static class ResultDetail { + private boolean isAllowed; + private boolean isAudited; + private long policyId; + private String reason; + + public ResultDetail() { + setIsAllowed(false); + setIsAudited(false); + setPolicyId(-1); + setReason(null); + } + + /** + * @return the isAllowed + */ + public boolean isAllowed() { + return isAllowed; + } + + /** + * @param isAllowed the isAllowed to set + */ + public void setIsAllowed(boolean isAllowed) { + this.isAllowed = isAllowed; + } + + /** + * @return the isAudited + */ + public boolean isAudited() { + return isAudited; + } + + /** + * @param isAudited the isAudited to set + */ + public void setIsAudited(boolean isAudited) { + this.isAudited = isAudited; + } + + /** + * @return the policyId + */ + public long getPolicyId() { + return policyId; + } + + /** + * @param policyId the policyId to set + */ + public void setPolicyId(long policyId) { + this.policyId = policyId; + } + + /** + * @return the reason + */ + public String getReason() { + return reason; + } + + /** + * @param reason the reason to set + */ + public void setReason(String reason) { + this.reason = reason; + } + + @Override + public boolean equals(Object obj) { + boolean ret = false; + + if(obj != null && (obj instanceof ResultDetail)) { + ResultDetail other = 
(ResultDetail)obj; + + ret = (this == other); + + if(! ret) { + ret = this.isAllowed == other.isAllowed && + this.isAudited == other.isAudited && + this.policyId == other.policyId && + StringUtils.equals(this.reason, other.reason); + } + } + + return ret; + } + + @Override + public int hashCode() { + int ret = 7; + + ret = 31 * ret + (isAllowed ? 1 : 0); + ret = 31 * ret + (isAudited ? 1 : 0); + ret = 31 * ret + (int)policyId; + ret = 31 * ret + (reason == null ? 0 : reason.hashCode()); + + return ret; + } + + @Override + public String toString( ) { + StringBuilder sb = new StringBuilder(); + + toString(sb); + + return sb.toString(); + } + + public StringBuilder toString(StringBuilder sb) { + sb.append("isAllowed={").append(isAllowed).append("} "); + sb.append("isAudited={").append(isAudited).append("} "); + sb.append("policyId={").append(policyId).append("} "); + sb.append("reason={").append(reason).append("} "); + + return sb; + } + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 271e190..fd48ca1 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 
@@ -30,8 +30,4 @@ public interface RangerPolicyEngine { RangerAccessResult isAccessAllowed(RangerAccessRequest request); List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests); - - void auditAccess(RangerAccessResult result); - - void auditAccess(List<RangerAccessResult> results); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index e63effd..1f4b2a2 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -29,7 +29,6 @@ import org.apache.ranger.plugin.manager.ServiceManager; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result; import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; @@ -60,10 +59,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { List<RangerPolicyEvaluator> evaluators = new ArrayList<RangerPolicyEvaluator>(); for(RangerPolicy policy : policies) { - RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef); - - if(evaluator != null) { - evaluators.add(evaluator); + if(policy.getIsEnabled()) { + RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef); + + if(evaluator != null) { + evaluators.add(evaluator); + } } } 
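Review bot: `policy.getIsEnabled()` in this loop is now the only place a disabled policy is filtered out, because the same commit removes that check from RangerDefaultPolicyEvaluator.evaluate(); an evaluator created by any other path would apply a disabled policy's grants. Either keep a guard in evaluate() or document the invariant here, e.g. `// disabled policies must never reach an evaluator; evaluate() does not re-check isEnabled`. The call also dereferences `policy` without the null check the evaluator used to have; if the list can hold null entries or getIsEnabled() returns a boxed Boolean (not visible here), `if(policy != null && Boolean.TRUE.equals(policy.getIsEnabled())) {` avoids an exception during policy load. The enclosing method starts and ends outside the hunk.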
@@ -87,11 +88,15 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { List<RangerPolicyEvaluator> evaluators = policyEvaluators; - if(request != null && evaluators != null) { + if(request != null && request.getAccessTypes() != null && evaluators != null) { + for(String accessType : request.getAccessTypes()) { + ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail()); + } + for(RangerPolicyEvaluator evaluator : evaluators) { evaluator.evaluate(request, ret); - - if(ret.isFinal()) { + + if(ret.isAllAllowedAndAudited()) { break; } } @@ -127,17 +132,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return ret; } - @Override - public void auditAccess(RangerAccessResult result) { - // TODO Auto-generated method stub - - } - - @Override - public void auditAccess(List<RangerAccessResult> results) { - // TODO Auto-generated method stub - - } public void init(String svcName) throws Exception { if(LOG.isDebugEnabled()) { @@ -184,12 +178,20 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } private RangerPolicyEvaluator getPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.getPolicyEvaluator(" + policy + "," + serviceDef + ")"); + } + RangerPolicyEvaluator ret = null; ret = new RangerDefaultPolicyEvaluator(); // TODO: configurable evaluator class? ret.init(policy, serviceDef); + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.getPolicyEvaluator(" + policy + "," + serviceDef + "): " + ret); + } + return ret; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- 
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 2d0f300..05fd334 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
@@ -86,30 +86,43 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator RangerPolicy policy = getPolicy(); - if(policy != null && policy.getIsEnabled() && request != null && result != null && !result.isFinal()) { + if(policy != null && request != null && result != null) { if(matchResource(request.getResource())) { for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - RangerPolicyItemAccess access = getAccess(policyItem, request.getAccessType()); + for(String accessType : request.getAccessTypes()) { + RangerPolicyItemAccess access = getAccess(policyItem, accessType); - if(access != null) { - if(! result.isAudited() && policy.getIsAuditEnabled()) { - result.setAudited(true); + if(access == null) { + continue; + } + + RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType); + + if(accessResult.isAllowed() && accessResult.isAudited()) { + continue; + } + + if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { + accessResult.setIsAudited(true); } if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { if(matchCustomConditions(policyItem, request)) { - if(result.getResult() != Result.ALLOWED && access.getIsAllowed()) { - result.setResult(Result.ALLOWED); - result.setPolicyId(policy.getId()); + if(!accessResult.isAllowed() && access.getIsAllowed()) { + accessResult.setIsAllowed(true); + accessResult.setPolicyId(policy.getId()); } } } - if(result.getResult() == Result.ALLOWED && result.isAudited()) { - result.setFinal(true); + if(result.isAllAllowedAndAudited()) { break; } } + + if(result.isAllAllowedAndAudited()) { + break; + } } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/test/resources/policyengine/test_policyengine_01.json ---------------------------------------------------------------------- 
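Review bot: `accessResult.isAllowed()` is called on the value of `result.getAccessTypeResult(accessType)` without a null check, and that getter returns null for any access type that was not seeded beforehand. In this commit only RangerPolicyEngineImpl.isAccessAllowed() seeds the entries, so calling evaluate() with a fresh RangerAccessResult throws instead of producing a decision. Seed the entry when it is missing: `if(accessResult == null) { accessResult = new RangerAccessResult.ResultDetail(); result.setAccessTypeResult(accessType, accessResult); }`. `request.getAccessTypes()` is also iterated unguarded, and the RangerAccessRequest interface does not promise a non-null set. The evaluate() body starts and ends outside the hunk.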
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json index 7388bbd..d9c224c 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json 
@@ -41,217 +41,217 @@ {"name":"'use default;' as user1 ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default"}}, - "accessType":"select","user":"user1","userGroups":["users"],"requestData":"use default" + "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use default" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'use default;' as user2 ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default"}}, - "accessType":"select","user":"user2","userGroups":["users"],"requestData":"use default" + "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"use default" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'use default;' as user3 ==> DENIED", "request":{ "resource":{"elements":{"database":"default"}}, - "accessType":"select","user":"user3","userGroups":["users"],"requestData":"use default" + "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"use default" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'use default;' as user3, group1 ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default"}}, - "accessType":"select","user":"user3","userGroups":["users", "group1"],"requestData":"use default" + "accessTypes":["select"],"user":"user3","userGroups":["users", "group1"],"requestData":"use default" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'use default;' as user3, group2 ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default"}}, - 
"accessType":"select","user":"user3","userGroups":["users", "group2"],"requestData":"use default" + "accessTypes":["select"],"user":"user3","userGroups":["users", "group2"],"requestData":"use default" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'use default;' as user3, group3 ==> DENIED", "request":{ "resource":{"elements":{"database":"default"}}, - "accessType":"select","user":"user3","userGroups":["users", "group3"],"requestData":"use default" + "accessTypes":["select"],"user":"user3","userGroups":["users", "group3"],"requestData":"use default" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'use finance;' as user3, group3 ==> DENIED", "request":{ "resource":{"elements":{"database":"finance"}}, - "accessType":"select","user":"user1","userGroups":["users"],"requestData":"use finance" + "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use finance" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" + "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'select col1 from default.testtable;' as user2 ==> ALLOWED", "request":{ 
"resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessType":"select","user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" + "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'select col1 from default.testtable;' as user3 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" + "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'select col1 from default.testtable;' as user3, group1 ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessType":"select","user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" + "accessTypes":["select"],"user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'select col1 from default.testtable;' as user3, group2 ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessType":"select","user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" + 
"accessTypes":["select"],"user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'select col1 from default.testtable;' as user3, group3 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessType":"select","user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" + "accessTypes":["select"],"user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'select col1 from default.table1;' as user1 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, - "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" + "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'create table default.testtable1;' as user1 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" + "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'create table default.testtable1;' as 
user1, group1 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessType":"create","user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1" + "accessTypes":["create"],"user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'create table default.testtable1;' as admin ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessType":"create","user":"admin","userGroups":["users"],"requestData":"create table default.testtable1" + "accessTypes":["create"],"user":"admin","userGroups":["users"],"requestData":"create table default.testtable1" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'create table default.testtable1;' as user1, admin ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" + "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'drop table default.testtable1;' as user1 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" + "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" }, - 
"result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'drop table default.testtable1;' as user1, group1 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessType":"drop","user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1" + "accessTypes":["drop"],"user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , {"name":"'drop table default.testtable1;' as admin ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessType":"drop","user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1" + "accessTypes":["drop"],"user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'drop table default.testtable1;' as user1, admin ==> ALLOWED", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" + "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" }, - "result":{"result":"ALLOWED","isAudited":true,"policyId":2} + "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , {"name":"'create table default.table1;' as user1 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, - "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table 
default.testtable1" + "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" }, - "result":{"result":"DENIED","isAudited":false,"policyId":-1} + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}} } , {"name":"'create table default.table1;' as user1, admin ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, - "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" + "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" }, - "result":{"result":"DENIED","isAudited":false,"policyId":-1} + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}} } , {"name":"'drop table default.table1;' as user1 ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, - "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" + "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" }, - "result":{"result":"DENIED","isAudited":false,"policyId":-1} + "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}} } , {"name":"'drop table default.table1;' as user1, admin ==> DENIED", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, - "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" + "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" }, - "result":{"result":"DENIED","isAudited":false,"policyId":-1} + "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}} } , {"name":"'select col1 from default.table1;' as user3 ==> DENIED", "request":{ 
"resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, - "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1" + "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1" }, - "result":{"result":"DENIED","isAudited":true,"policyId":-1} + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } ] }
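Review bot: Every case in this file still requests exactly one access type, so the multi-type path this commit adds is not covered: nothing produces more than one entry in `accessTypeResults`, a mixed allow/deny outcome, or an empty `accessTypes` list. Add at least one case with two types, e.g. `"accessTypes":["select","create"]` for a user who is granted only one of them, and one with `"accessTypes":[]`, taking the expected results from the policies defined earlier in the file. Separately, the case named `'use finance;' as user3, group3 ==> DENIED` sends `"user":"user1","userGroups":["users"]`, so its name and its request disagree.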
