Repository: incubator-ranger Updated Branches: refs/heads/stack 7d00538b3 -> 7a87f4d6c
RANGER-203: Policyengine updated to support the notion of "any" access Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7a87f4d6 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7a87f4d6 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7a87f4d6 Branch: refs/heads/stack Commit: 7a87f4d6c28149f4e306ddbf04c506e2a33405c7 Parents: 7d00538 Author: Madhan Neethiraj <[email protected]> Authored: Thu Jan 8 13:05:59 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Jan 8 13:05:59 2015 -0800 ---------------------------------------------------------------------- .../ranger/plugin/model/RangerService.java | 1 - .../plugin/policyengine/RangerAccessResult.java | 14 +- .../plugin/policyengine/RangerPolicyEngine.java | 2 +- .../policyengine/RangerPolicyEngineImpl.java | 118 ++++++------ .../RangerDefaultPolicyEvaluator.java | 192 ++++++++++++------- .../policyengine/test_policyengine_01.json | 68 +++---- 6 files changed, 216 insertions(+), 179 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java index 2f8d5e5..ea2182a 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java 
@@ -26,7 +26,6 @@ import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlRootElement; -import org.apache.ranger.plugin.manager.CustomizedMapDeserializer; import org.codehaus.jackson.annotate.JsonAutoDetect; import org.codehaus.jackson.annotate.JsonIgnoreProperties; import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index 57094a4..a5a1ef3 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java @@ -58,19 +58,7 @@ public class RangerAccessResult { * @return the accessTypeResult */ public ResultDetail getAccessTypeResult(String accessType) { - if(accessTypeResults == null) { - accessTypeResults = new HashMap<String, ResultDetail>(); - } - - ResultDetail ret = accessTypeResults.get(accessType); - - if(ret == null) { - ret = new ResultDetail(); - - accessTypeResults.put(accessType, ret); - } - - return ret; + return accessTypeResults == null ? null : accessTypeResults.get(accessType); } /** http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- 
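Review bot: `getAccessTypeResult` in RangerAccessResult.java now returns `null` when no entry exists for the access type, but the Javadoc above it still says only `@return the accessTypeResult`. The rewritten loop in RangerDefaultPolicyEvaluator in this same commit calls `accessResult.isAllowed()` on the returned value without a null check, so it depends on the engine having pre-populated an entry for every requested access type. I would state the contract, `@return the result for accessType, or null if none has been set`, and have callers on the authorization path treat `null` as "not allowed" instead of dereferencing it.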
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index 0f70b09..f5f10e8 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -28,7 +28,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef; public interface RangerPolicyEngine { public static final String GROUP_PUBLIC = "public"; - public static final String ACCESS_ANY = "any"; + public static final String ANY_ACCESS = "any"; public static final long UNKNOWN_POLICY = -1; void setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy> policies); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 4b26c27..c3b3098 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
@@ -67,12 +67,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { List<RangerPolicyEvaluator> evaluators = new ArrayList<RangerPolicyEvaluator>(); for(RangerPolicy policy : policies) { - if(policy.getIsEnabled()) { - RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef); - - if(evaluator != null) { - evaluators.add(evaluator); - } + if(! policy.getIsEnabled()) { + continue; + } + + RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef); + + if(evaluator != null) { + evaluators.add(evaluator); } } @@ -246,53 +248,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } - - /* - public void init(String svcName) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.init(" + svcName + ")"); - } - - ServiceManager svcMgr = new ServiceManager(); - ServiceDefManager sdMgr = new ServiceDefManager(); - - RangerServiceDef serviceDef = null; - List<RangerPolicy> policies = null; - - RangerService service = svcMgr.getByName(svcName); - - if(service == null) { - String msg = svcName + ": service not found"; - - LOG.error(msg); - - throw new Exception(msg); - } else { - serviceDef = sdMgr.getByName(service.getType()); - - if(serviceDef == null) { - String msg = service.getType() + ": service-def not found"; - - LOG.error(msg); - - throw new Exception(msg); - } - - policies = svcMgr.getPolicies(service.getId()); - - if(LOG.isDebugEnabled()) { - LOG.debug("RangerPolicyEngineImpl.init(): found " + (policyEvaluators == null ? 0 : policyEvaluators.size()) + " policies in service '" + svcName + "'"); - } - } - - setPolicies(serviceDef, policies); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.init(" + svcName + ")"); - } - } - */ - public String getResourceName(RangerResource resource) { String ret = null; 
@@ -350,11 +305,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { if(request != null) { if(CollectionUtils.isEmpty(request.getAccessTypes())) { - ret.setAccessTypeResult(RangerPolicyEngine.ACCESS_ANY, new RangerAccessResult.ResultDetail()); - } else { - for(String accessType : request.getAccessTypes()) { - ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail()); - } + request.getAccessTypes().add(ANY_ACCESS); + } + + for(String accessType : request.getAccessTypes()) { + ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail()); } List<RangerPolicyEvaluator> evaluators = policyEvaluators; 
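Review bot: `request.getAccessTypes().add(ANY_ACCESS)` runs exactly when `CollectionUtils.isEmpty(request.getAccessTypes())` is true, which includes a `null` collection, so a request that carries no access-type collection throws a NullPointerException here instead of being evaluated as "any". The call also writes into the caller's request object: an unmodifiable empty collection would throw UnsupportedOperationException, and a request that is reused or logged afterwards keeps an "any" entry the caller never asked for. The evaluator in this commit iterates `request.getAccessTypes()` itself, so the defaulting has to happen somewhere both sides see, presumably in the request implementation, which is not visible here. At minimum I would guard the null case and add a comment such as `// NOTE: modifies the request - empty accessTypes is normalised to ANY_ACCESS`. The enclosing method starts and ends outside the hunk.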
@@ -421,4 +376,51 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return sb; } + + + /* + public void init(String svcName) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.init(" + svcName + ")"); + } + + ServiceManager svcMgr = new ServiceManager(); + ServiceDefManager sdMgr = new ServiceDefManager(); + + RangerServiceDef serviceDef = null; + List<RangerPolicy> policies = null; + + RangerService service = svcMgr.getByName(svcName); + + if(service == null) { + String msg = svcName + ": service not found"; + + LOG.error(msg); + + throw new Exception(msg); + } else { + serviceDef = sdMgr.getByName(service.getType()); + + if(serviceDef == null) { + String msg = service.getType() + ": service-def not found"; + + LOG.error(msg); + + throw new Exception(msg); + } + + policies = svcMgr.getPolicies(service.getId()); + + if(LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.init(): found " + (policyEvaluators == null ? 0 : policyEvaluators.size()) + " policies in service '" + svcName + "'"); + } + } + + setPolicies(serviceDef, policies); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.init(" + svcName + ")"); + } + } + */ } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index ee2503f..a09a958 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
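Review bot: The commented-out `init(String svcName)` is moved to the end of the class rather than deleted, and it no longer matches the code around it: it calls `setPolicies(serviceDef, policies)`, while the interface hunk in this commit shows `setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy> policies)`. Dead code inside the policy engine makes it harder to see which initialisation path is actually live. I would drop the block and rely on version history.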
@@ -19,10 +19,10 @@ package org.apache.ranger.plugin.policyevaluator; -import java.util.ArrayList; import java.util.Collection; import java.util.Collections; -import java.util.List; +import java.util.HashMap; +import java.util.Map; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; @@ -45,7 +45,7 @@ import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator { private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class); - private List<RangerResourceMatcher> matchers = null; + private Map<String, RangerResourceMatcher> matchers = null; @Override public void init(RangerPolicy policy, RangerServiceDef serviceDef) { @@ -55,7 +55,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator super.init(policy, serviceDef); - this.matchers = new ArrayList<RangerResourceMatcher>(); + this.matchers = new HashMap<String, RangerResourceMatcher>(); if(policy != null && policy.getResources() != null && serviceDef != null) { for(RangerResourceDef resourceDef : serviceDef.getResources()) { @@ -65,7 +65,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource); if(matcher != null) { - matchers.add(matcher); + matchers.put(resourceName, matcher); } else { LOG.error("failed to find matcher for resource " + resourceName); } 
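Review bot: In `init`, a resource whose matcher cannot be created is only logged (`LOG.error("failed to find matcher for resource " + resourceName)`) and then left out of the new `matchers` map. The rewritten `matchResource` and the new `matchResourceHead` in this commit read a missing map entry as "the policy has no matcher for this resource" and accept an empty request value for it (`matcher == null || matcher.isMatch(resourceValue)`), so a matcher that failed to load could make the policy apply more widely than it was written. I would record the failure so that the evaluator matches nothing, for example a boolean set in this `else` branch and checked before the loops in both match methods, and say so in a comment at the branch. The lines that look up `policyResource` sit between the hunks and are not visible, so confirm whether this branch is reachable for a resource the policy actually names.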
@@ -86,83 +86,72 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator RangerPolicy policy = getPolicy(); if(policy != null && request != null && result != null) { - if(matchResource(request.getResource())) { - for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - - // if no access is requested, grant if ***any*** access is available - if(CollectionUtils.isEmpty(request.getAccessTypes())) { - RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(RangerPolicyEngine.ACCESS_ANY); + boolean isResourceMatch = matchResource(request.getResource()); + boolean isResourceHeadMatch = isResourceMatch || matchResourceHead(request.getResource()); - if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { - accessResult.setIsAudited(true); - } - - if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { - continue; - } + for(RangerPolicyItem policyItem : policy.getPolicyItems()) { + boolean isUserGroupMatch = matchUserGroup(policyItem, request.getUser(), request.getUserGroups()); + boolean isCustomConditionsMatch = matchCustomConditions(policyItem, request); - if(! matchCustomConditions(policyItem, request)) { - continue; - } + if(! isCustomConditionsMatch) { + continue; + } - if(CollectionUtils.isEmpty(policyItem.getAccesses())) { - continue; - } + for(String accessType : request.getAccessTypes()) { + RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType); - for(RangerPolicyItemAccess access : policyItem.getAccesses()) { - if(!accessResult.isAllowed() && access.getIsAllowed()) { - accessResult.setIsAllowed(true); - accessResult.setPolicyId(policy.getId()); + // are we done with this accessType? + if(accessResult.isAllowed() && accessResult.isAudited()) { + continue; + } - break; - } - } - } else { - if(! 
matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) { - continue; - } + boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS); - if(! matchCustomConditions(policyItem, request)) { + // partial match is only for "any" access + if(!isResourceMatch) { + if(!isResourceHeadMatch || !isAnyAccess) { continue; } + } - for(String accessType : request.getAccessTypes()) { - RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType); - - if(CollectionUtils.isEmpty(policyItem.getAccesses())) { - if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { - accessResult.setIsAudited(true); - } + if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { + accessResult.setIsAudited(true); + } - continue; - } - - RangerPolicyItemAccess access = getAccess(policyItem, accessType); - - if(access == null) { - continue; - } + if(!isUserGroupMatch) { + continue; + } + if(CollectionUtils.isEmpty(policyItem.getAccesses())) { + continue; + } - if(accessResult.isAllowed() && accessResult.isAudited()) { - continue; - } - - if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { - accessResult.setIsAudited(true); - } - + if(isAnyAccess) { + for(RangerPolicyItemAccess access : policyItem.getAccesses()) { if(!accessResult.isAllowed() && access.getIsAllowed()) { accessResult.setIsAllowed(true); accessResult.setPolicyId(policy.getId()); } + + break; + } + } else { + RangerPolicyItemAccess access = getAccess(policyItem, accessType); + + if(access == null) { + continue; } - } - if(result.isAllAllowedAndAudited()) { - break; + if(!accessResult.isAllowed() && access.getIsAllowed()) { + accessResult.setIsAllowed(true); + accessResult.setPolicyId(policy.getId()); + } } } + + if(result.isAllAllowedAndAudited()) { + break; + } } } 
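Review bot: In the `isAnyAccess` branch the `break` now sits after the closing brace of `if(!accessResult.isAllowed() && access.getIsAllowed())`, so the loop over `policyItem.getAccesses()` stops after its first element whether or not that element is allowed. A policy item whose first access entry has `isAllowed` false and a later one true would therefore not grant "any"; the removed code had the `break` inside the `if`. Moving it back inside the block, `accessResult.setPolicyId(policy.getId()); break;`, restores that behaviour. Separately, `result.getAccessTypeResult(accessType)` can return `null` after this commit and `request.getAccessTypes()` is iterated without a null check, so both need a guard or a comment naming the engine as the only supported caller. The method begins before the hunk.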
@@ -178,18 +167,24 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator boolean ret = false; - if(matchers != null && !matchers.isEmpty()) { - ret = true; + RangerServiceDef serviceDef = getServiceDef(); - for(RangerResourceMatcher matcher : matchers) { - String resourceName = matcher.getResourceDef().getName(); - String resourceValue = resource.getValue(resourceName); + if(serviceDef != null && serviceDef.getResources() != null) { + for(RangerResourceDef resourceDef : serviceDef.getResources()) { + String resourceName = resourceDef.getName(); + String resourceValue = resource == null ? null : resource.getValue(resourceName); + RangerResourceMatcher matcher = matchers == null ? null : matchers.get(resourceName); - ret = matcher.isMatch(resourceValue); + // when no value exists for a resourceName, consider it a match only if (policy doesn't have a matcher OR matcher allows no-value resource) + if(StringUtils.isEmpty(resourceValue)) { + ret = matcher == null || matcher.isMatch(resourceValue); + } else { + ret = matcher != null && matcher.isMatch(resourceValue); + } - if(! ret) { - break; - } + if(! ret) { + break; + } } } 
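Review bot: `matchResource` now accepts a `null` resource by treating every value as empty (`resource == null ? null : resource.getValue(resourceName)`), and an empty value counts as a match whenever the policy has no matcher for that resource or the matcher accepts an empty value. The hunk does not say whether a request with no resource at all should ever match a policy. If it should not, widening the guard to `if(resource != null && serviceDef != null && serviceDef.getResources() != null) {` makes that explicit and leaves `ret` false. The per-resource block (the comment plus the `StringUtils.isEmpty` if/else) is repeated verbatim in `matchResourceHead` later in this commit, so a small private helper would keep the two in step. The method's opening lines are outside the hunk.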
@@ -200,6 +195,59 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } + protected boolean matchResourceHead(RangerResource resource) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultPolicyEvaluator.matchResourceHead(" + resource + ")"); + } + + boolean ret = false; + + RangerServiceDef serviceDef = getServiceDef(); + + if(serviceDef != null && serviceDef.getResources() != null) { + int numMatched = 0; + int numUnmatched = 0; + + for(RangerResourceDef resourceDef : serviceDef.getResources()) { + String resourceName = resourceDef.getName(); + String resourceValue = resource == null ? null : resource.getValue(resourceName); + RangerResourceMatcher matcher = matchers == null ? null : matchers.get(resourceName); + + if(numUnmatched > 0) { // no further values are expected in the resource + if(! StringUtils.isEmpty(resourceValue)) { + break; + } + + numUnmatched++; + continue; + } else { + boolean isMatch = false; + + // when no value exists for a resourceName, consider it a match only if (policy doesn't have a matcher OR matcher allows no-value resource) + if(StringUtils.isEmpty(resourceValue)) { + isMatch = matcher == null || matcher.isMatch(resourceValue); + } else { + isMatch = matcher != null && matcher.isMatch(resourceValue); + } + + if(isMatch) { + numMatched++; + } else { + numUnmatched++; + } + } + } + + ret = (numMatched > 0) && serviceDef.getResources().size() == (numMatched + numUnmatched); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultPolicyEvaluator.matchResourceHead(" + resource + "): " + ret); + } + + return ret; + } + protected boolean matchUserGroup(RangerPolicyItem policyItem, String user, Collection<String> groups) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.matchUserGroup(" + policyItem + ", " + user + ", " + groups + ")"); 
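Review bot: `matchResourceHead` counts a level as unmatched without checking that its value is empty: in the `else` branch `numUnmatched++` runs for any non-matching value, and the "no further values are expected" test applies only to the levels after it. Reading the loop with a constructed example, a request for database `default` and table `table1` against a policy on table `testtable` would match the database, count `table1` as unmatched, see an empty column and return true, which `isAccessAllowed` then accepts for "any" access. If a head match is meant to cover only requests that stop short of the policy's depth, the first unmatched level should have to be empty too, e.g. `} else if(StringUtils.isEmpty(resourceValue)) { numUnmatched++; } else { break; }`. The visible test hunks contain no "any" request on a non-matching table, so this path looks unexercised. A Javadoc comment stating the intended rule and its reliance on the order of `serviceDef.getResources()` would help as well.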
@@ -314,7 +362,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator sb.append("matchers={"); if(matchers != null) { - for(RangerResourceMatcher matcher : matchers) { + for(RangerResourceMatcher matcher : matchers.values()) { sb.append("{").append(matcher).append("} "); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/test/resources/policyengine/test_policyengine_01.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json index ef45c84..d4dcc55 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json @@ -23,8 +23,8 @@ }, "policies":[ - {"id":1,"name":"audit-all-select","isEnabled":true,"isAuditEnabled":true, - "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}}, + {"id":1,"name":"db=default: audit-all-access","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["default"]},"table":{"values":["*"]},"column":{"values":["*"]}}, "policyItems":[ {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} ] 
@@ -41,23 +41,23 @@ ], "tests":[ - {"name":"'use default;' as user1 ==> DENIED", + {"name":"ALLOW 'use default;' for user1", "request":{ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'use default;' as user2 ==> DENIED", + {"name":"ALLOW 'use default;' for user2", "request":{ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'use default;' as user3 ==> DENIED", + {"name":"DENY 'use default;' to user3", "request":{ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default" 
@@ -65,23 +65,23 @@ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'use default;' as user3, group1 ==> DENIED", + {"name":"ALLOW 'use default;' to group1", "request":{ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'use default;' as user3, group2 ==> DENIED", + {"name":"ALLOW 'use default;' to group2", "request":{ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'use default;' as user3, group3 ==> DENIED", + {"name":"DENY 'use default;' to user3/group3", "request":{ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user3","userGroups":["users", "group3"],"requestData":"use default" 
@@ -89,15 +89,15 @@ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'use finance;' as user3, group3 ==> DENIED", + {"name":"DENY 'use finance;' to user3/group3", "request":{ "resource":{"elements":{"database":"finance"}}, "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance" }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":false,"policyId":-1}}} } , - {"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED", + {"name":"ALLOW 'select col1 from default.testtable;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" @@ -105,7 +105,7 @@ "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'select col1 from default.testtable;' as user2 ==> ALLOWED", + {"name":"ALLOW 'select col1 from default.testtable;' to user2", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" @@ -113,7 +113,7 @@ "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'select col1 from default.testtable;' as user3 ==> DENIED", + {"name":"DENY 'select col1 from default.testtable;' to user3", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" 
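Review bot: The renamed case `DENY 'use finance;' to user3/group3` does not describe its own request, which is sent as `"user":"user1","userGroups":["users"]`; `DENY 'use finance;' to user1` would match the data. Its expected result also changes to `"isAudited":false`, so with policy 1 narrowed to `default` a denied request on a database that no policy names is recorded as not audited. If that is intended it deserves a case whose name says so. I would also add an "any" request (`"accessTypes":[]`) on `default` with a table that no policy allows, since the new head-match path has no negative test in the visible hunks.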
@@ -121,7 +121,7 @@ "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'select col1 from default.testtable;' as user3, group1 ==> ALLOWED", + {"name":"ALLOW 'select col1 from default.testtable;' to group1", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" @@ -129,7 +129,7 @@ "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'select col1 from default.testtable;' as user3, group2 ==> ALLOWED", + {"name":"ALLOW 'select col1 from default.testtable;' to group2", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" @@ -137,7 +137,7 @@ "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'select col1 from default.testtable;' as user3, group3 ==> DENIED", + {"name":"DENY 'select col1 from default.testtable;' to user3/group3", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" @@ -145,7 +145,7 @@ "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'select col1 from default.table1;' as user1 ==> DENIED", + {"name":"DENY 'select col1 from default.table1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" 
@@ -153,7 +153,7 @@ "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'create table default.testtable1;' as user1 ==> DENIED", + {"name":"DENY 'create table default.testtable1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" @@ -161,7 +161,7 @@ "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'create table default.testtable1;' as user1, group1 ==> DENIED", + {"name":"DENY 'create table default.testtable1;' to user1/group1", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["create"],"user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1" @@ -169,7 +169,7 @@ "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'create table default.testtable1;' as admin ==> ALLOWED", + {"name":"ALLOW 'create table default.testtable1;' to admin", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["create"],"user":"admin","userGroups":["users"],"requestData":"create table default.testtable1" @@ -177,7 +177,7 @@ "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'create table default.testtable1;' as user1, admin ==> ALLOWED", + {"name":"ALLOW 'create table default.testtable1;' to user1/admin", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" 
@@ -185,7 +185,7 @@ "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'drop table default.testtable1;' as user1 ==> DENIED", + {"name":"DENY 'drop table default.testtable1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" @@ -193,7 +193,7 @@ "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'drop table default.testtable1;' as user1, group1 ==> DENIED", + {"name":"DENY 'drop table default.testtable1;' to user1/group1", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["drop"],"user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1" @@ -201,7 +201,7 @@ "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'drop table default.testtable1;' as admin ==> ALLOWED", + {"name":"ALLOW 'drop table default.testtable1;' to admin", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["drop"],"user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1" @@ -209,7 +209,7 @@ "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'drop table default.testtable1;' as user1, admin ==> ALLOWED", + {"name":"ALLOW 'drop table default.testtable1;' to user1/admin", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" 
@@ -217,7 +217,7 @@ "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}} } , - {"name":"'create table default.table1;' as user1 ==> DENIED", + {"name":"DENY 'create table default.table1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" @@ -225,7 +225,7 @@ "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'create table default.table1;' as user1, admin ==> DENIED", + {"name":"DENY 'create table default.table1;' to user1/admin", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" @@ -233,7 +233,7 @@ "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'drop table default.table1;' as user1 ==> DENIED", + {"name":"DENY 'drop table default.table1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" @@ -241,7 +241,7 @@ "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'drop table default.table1;' as user1, admin ==> DENIED", + {"name":"DENY 'drop table default.table1;' to user1/admin", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" 
@@ -249,7 +249,7 @@ "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} } , - {"name":"'select col1 from default.table1;' as user3 ==> DENIED", + {"name":"DENY 'select col1 from default.table1;' to user3", "request":{ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1"
