Repository: incubator-ranger Updated Branches: refs/heads/stack 7a87f4d6c -> 82400d2b6
RANGER-203: policy model updated to support "impliedAccessGrants". HBase will leverege this feature to implicity allow read/write/create accesses when the user/group has "admin" access. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/82400d2b Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/82400d2b Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/82400d2b Branch: refs/heads/stack Commit: 82400d2b60563bd143b3e795b636d8d401fc10a9 Parents: 7a87f4d Author: Madhan Neethiraj <[email protected]> Authored: Thu Jan 8 16:55:19 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Jan 8 16:55:19 2015 -0800 ---------------------------------------------------------------------- .../ranger/plugin/model/RangerServiceDef.java | 47 ++-- .../RangerDefaultPolicyEvaluator.java | 79 ++++++ .../service-defs/ranger-servicedef-hbase.json | 2 +- .../plugin/policyengine/TestPolicyEngine.java | 13 +- .../policyengine/test_policyengine_01.json | 261 ------------------- .../policyengine/test_policyengine_hbase.json | 159 +++++++++++ .../policyengine/test_policyengine_hive.json | 261 +++++++++++++++++++ 7 files changed, 540 insertions(+), 282 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/82400d2b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java ----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
index 0be4a8b..53bab5c 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
@@ -1023,21 +1023,21 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
 public static class RangerAccessTypeDef implements java.io.Serializable {
 private static final long serialVersionUID = 1L;
- private String name = null;
- private String label = null;
- private String rbKeyLabel = null;
- private Collection<String> impliedAccessTypes = null;
+ private String name = null;
+ private String label = null;
+ private String rbKeyLabel = null;
+ private Collection<String> impliedAccessGrants = null;
 public RangerAccessTypeDef() {
 this(null, null, null, null);
 }
- public RangerAccessTypeDef(String name, String label, String rbKeyLabel, Collection<String> impliedAccessTypes) {
+ public RangerAccessTypeDef(String name, String label, String rbKeyLabel, Collection<String> impliedAccessGrants) {
 setName(name);
 setLabel(label);
 setRbKeyLabel(rbKeyLabel);
- setImpliedAccessTypes(impliedAccessTypes);
+ setImpliedAccessGrants(impliedAccessGrants);
 }
 /**
@@ -1083,29 +1083,29 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
 }
 /**
- * @return the impliedAccessTypes
+ * @return the impliedAccessGrants
 */
- public Collection<String> getImpliedAccessTypes() {
- return impliedAccessTypes;
+ public Collection<String> getImpliedAccessGrants() {
+ return impliedAccessGrants;
 }
 /**
- * @param impliedAccessTypes the impliedAccessTypes to set
+ * @param impliedAccessGrants the impliedAccessGrants to set
 */
- public void setImpliedAccessTypes(Collection<String> impliedAccessTypes) {
- if(this.impliedAccessTypes == null) {
- this.impliedAccessTypes = new ArrayList<String>();
+ public void setImpliedAccessGrants(Collection<String> impliedAccessGrants) {
+ if(this.impliedAccessGrants == null) {
+ this.impliedAccessGrants = new ArrayList<String>();
 }
- if(this.impliedAccessTypes == impliedAccessTypes) {
+ if(this.impliedAccessGrants == impliedAccessGrants) {
 return;
 }
- this.impliedAccessTypes.clear();
+ this.impliedAccessGrants.clear();
- if(impliedAccessTypes != null) {
- for(String impliedAccessType : impliedAccessTypes) {
- this.impliedAccessTypes.add(impliedAccessType);
+ if(impliedAccessGrants != null) {
+ for(String impliedAccessGrant : impliedAccessGrants) {
+ this.impliedAccessGrants.add(impliedAccessGrant);
 }
 }
 }
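Review bot: The Javadoc on the renamed getImpliedAccessGrants() and setImpliedAccessGrants() still only restates the field name, so nothing on RangerAccessTypeDef tells a reader what the collection means or who consumes it. Suggest on the getter `/** @return names of the access types implicitly granted whenever this access type is granted (e.g. admin implying read/write/create); consumed by RangerDefaultPolicyEvaluator when a policy is initialised */`, and on the setter a line stating that the passed collection is copied element by element, not retained. Separately, the getter hands out the internal ArrayList itself, so a caller can alter the implied grants of a shared service def after construction; this predates the rename, but since the evaluator now derives permissions from it, a `Collections.unmodifiableCollection(impliedAccessGrants)` wrapper, or at least a doc line saying the returned collection must not be modified, would be worth adding.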
@@ -1124,6 +1124,17 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
 sb.append("name={").append(name).append("} ");
 sb.append("label={").append(label).append("} ");
 sb.append("rbKeyLabel={").append(rbKeyLabel).append("} ");
+
+ sb.append("impliedAccessGrants={");
+ if(impliedAccessGrants != null) {
+ for(String impliedAccessGrant : impliedAccessGrants) {
+ if(impliedAccessGrant != null) {
+ sb.append(impliedAccessGrant).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("}");
 return sb;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/82400d2b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index a09a958..eaf343d 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -22,6 +22,7 @@ package org.apache.ranger.plugin.policyevaluator;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import org.apache.commons.collections.CollectionUtils;
@@ -33,6 +34,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -53,6 +55,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
 }
+ preprocessPolicy(policy, serviceDef);
+ super.init(policy, serviceDef);
 this.matchers = new HashMap<String, RangerResourceMatcher>();
@@ -372,4 +376,79 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 return sb;
 }
+
+ private void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) {
+ if(policy == null || CollectionUtils.isEmpty(policy.getPolicyItems()) || serviceDef == null) {
+ return;
+ }
+
+ Map<String, Collection<String>> impliedAccessGrants = getImpliedAccessGrants(serviceDef);
+
+ if(impliedAccessGrants == null || impliedAccessGrants.isEmpty()) {
+ return;
+ }
+
+ for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
+ if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
+ continue;
+ }
+
+ for(Map.Entry<String, Collection<String>> e : impliedAccessGrants.entrySet()) {
+ String accessType = e.getKey();
+ Collection<String> impliedGrants = e.getValue();
+
+ RangerPolicyItemAccess access = getAccess(policyItem, accessType);
+
+ if(access == null) {
+ continue;
+ }
+
+ for(String impliedGrant : impliedGrants) {
+ RangerPolicyItemAccess impliedAccess = getAccess(policyItem, impliedGrant);
+
+ if(impliedAccess == null) {
+ impliedAccess = new RangerPolicyItemAccess(impliedGrant, access.getIsAllowed(), access.getIsAudited());
+
+ policyItem.getAccesses().add(impliedAccess);
+ } else {
+ if(! impliedAccess.getIsAllowed()) {
+ impliedAccess.setIsAllowed(access.getIsAllowed());
+ }
+
+ if(!
impliedAccess.getIsAudited()) {
+ impliedAccess.setIsAudited(access.getIsAudited());
+ }
+ }
+ }
+ }
+ }
+ }
+
+ private Map<String, Collection<String>> getImpliedAccessGrants(RangerServiceDef serviceDef) {
+ Map<String, Collection<String>> ret = null;
+
+ if(serviceDef != null && !CollectionUtils.isEmpty(serviceDef.getAccessTypes())) {
+ for(RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
+ if(!CollectionUtils.isEmpty(accessTypeDef.getImpliedAccessGrants())) {
+ if(ret == null) {
+ ret = new HashMap<String, Collection<String>>();
+ }
+
+ Collection<String> impliedAccessGrants = ret.get(accessTypeDef.getName());
+
+ if(impliedAccessGrants == null) {
+ impliedAccessGrants = new HashSet<String>();
+
+ ret.put(accessTypeDef.getName(), impliedAccessGrants);
+ }
+
+ for(String impliedAccessGrant : accessTypeDef.getImpliedAccessGrants()) {
+ impliedAccessGrants.add(impliedAccessGrant);
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/82400d2b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
index 00d7d70..6569b4e 100644
--- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
+++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
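Review bot: preprocessPolicy resolves implied grants in a single pass over a HashMap, so an implication chain (access type A implying B, where B itself carries impliedAccessGrants) is expanded only if the map happens to yield A before B; the accesses a policy item ends up with would then depend on HashMap iteration order, which an authorization expansion must not do. Either iterate until a pass changes nothing, as sketched below, or document on getImpliedAccessGrants that only direct implications are honoured and reject chains when the service def is loaded. Note also that `policyItem.getAccesses().add(impliedAccess)` writes the synthesized accesses into the RangerPolicy handed to init() (the call added in the `@@ -53,6 +55,8 @@` hunk), so every other holder of that object sees them; if that is intended, say so in a comment on preprocessPolicy, otherwise expand a copy. If getIsAllowed()/getIsAudited() return boxed Booleans, `if(! impliedAccess.getIsAllowed())` throws NullPointerException on a null value; I cannot tell from the hunk which it is.

```java
private void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) {
    // … unchanged: null/empty guards and impliedAccessGrants = getImpliedAccessGrants(serviceDef) …

    for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
        if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
            continue;
        }

        // Repeat until a pass changes nothing, so an implication chain (A implies B, B implies C)
        // is fully expanded whatever order the HashMap yields the access types in.
        boolean changed;
        do {
            changed = false;

            for(Map.Entry<String, Collection<String>> e : impliedAccessGrants.entrySet()) {
                // … unchanged: accessType / impliedGrants / access lookup; continue when access == null …

                for(String impliedGrant : impliedGrants) {
                    RangerPolicyItemAccess impliedAccess = getAccess(policyItem, impliedGrant);

                    if(impliedAccess == null) {
                        impliedAccess = new RangerPolicyItemAccess(impliedGrant, access.getIsAllowed(), access.getIsAudited());

                        policyItem.getAccesses().add(impliedAccess);
                        changed = true;
                    } else {
                        if(! impliedAccess.getIsAllowed() && access.getIsAllowed()) {
                            impliedAccess.setIsAllowed(true);
                            changed = true;
                        }

                        if(! impliedAccess.getIsAudited() && access.getIsAudited()) {
                            impliedAccess.setIsAudited(true);
                            changed = true;
                        }
                    }
                }
            }
        } while(changed);
    }
}
```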
@@ -42,7 +42,7 @@
 {"name":"read","label":"Read"},
 {"name":"write","label":"Write"},
 {"name":"create","label":"Create"},
- {"name":"admin","label":"Admin","impliedAccessTypes":["read","write","create"]}
+ {"name":"admin","label":"Admin","impliedAccessGrants":["read","write","create"]}
 ],
 "policyConditions": [
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/82400d2b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 2447709..553a0d7 100644
--- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -61,8 +61,17 @@ public class TestPolicyEngine {
 }
 @Test
- public void testPolicyEngine_01() {
- String filename = "/policyengine/test_policyengine_01.json";
+ public void testPolicyEngine_hive() {
+ String filename = "/policyengine/test_policyengine_hive.json";
+ InputStream inStream = this.getClass().getResourceAsStream(filename);
+ InputStreamReader reader = new InputStreamReader(inStream);
+
+ runTests(reader, filename);
+ }
+
+ @Test
+ public void testPolicyEngine_hbase() {
+ String filename = "/policyengine/test_policyengine_hbase.json";
 InputStream inStream = this.getClass().getResourceAsStream(filename);
 InputStreamReader reader = new InputStreamReader(inStream);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/82400d2b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
----------------------------------------------------------------------
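Review bot: testPolicyEngine_hive duplicates the resource-loading lines that testPolicyEngine_hbase also carries, and in both the InputStreamReader is built without a charset and the stream is never closed; a null from getResourceAsStream (fixture missing or misnamed) surfaces as a NullPointerException inside the InputStreamReader constructor rather than a clear test failure. Move the loading into an overload that takes only the filename, asserts the resource was found (JUnit's assertNotNull, which needs its static import), and opens the reader with `StandardCharsets.UTF_8` inside try-with-resources, so each test becomes a one-line call. The body of testPolicyEngine_hbase continues outside the hunk.

```java
@Test
public void testPolicyEngine_hive() throws Exception {
    runTests("/policyengine/test_policyengine_hive.json");
}

// … unchanged: testPolicyEngine_hbase, reduced to the same one-line call …

/** Loads the named test resource and hands it to runTests(reader, filename). */
private void runTests(String filename) throws Exception {
    InputStream inStream = this.getClass().getResourceAsStream(filename);
    assertNotNull("test resource not found: " + filename, inStream);

    try (InputStreamReader reader = new InputStreamReader(inStream, StandardCharsets.UTF_8)) {
        runTests(reader, filename);
    }
}
```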
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
deleted file mode 100644
index d4dcc55..0000000
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
+++ /dev/null
@@ -1,261 +0,0 @@ -{ - "serviceName":"hivedev", - - "serviceDef":{ - "name":"hive", - "id":3, - "resources":[ - {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Database","description":"Hive Database"}, - {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Table","description":"Hive Table"}, - {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive UDF","description":"Hive UDF"}, - {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"} - ], - "accessTypes":[ - {"name":"select","label":"Select"}, - {"name":"update","label":"Update"}, - {"name":"create","label":"Create"}, - {"name":"drop","label":"Drop"}, - {"name":"alter","label":"Alter"}, - {"name":"index","label":"Index"}, - {"name":"lock","label":"Lock"}, - {"name":"all","label":"All"} - ] - }, - - "policies":[ - {"id":1,"name":"db=default: audit-all-access","isEnabled":true,"isAuditEnabled":true, - "resources":{"database":{"values":["default"]},"table":{"values":["*"]},"column":{"values":["*"]}}, - "policyItems":[ - {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} - ] - } - , - {"id":2,"name":"db=default; table=test*; column=*","isEnabled":true,"isAuditEnabled":true, - "resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}}, - 
"policyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false} - , - {"accesses":[{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["admin"],"groups":["admin"],"delegateAdmin":true} - ] - } - ], - - "tests":[ - {"name":"ALLOW 'use default;' for user1", - "request":{ - "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default" - }, - "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"ALLOW 'use default;' for user2", - "request":{ - "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default" - }, - "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"DENY 'use default;' to user3", - "request":{ - "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default" - }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"ALLOW 'use default;' to group1", - "request":{ - "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use default" - }, - "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"ALLOW 'use default;' to group2", - "request":{ - "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use default" - }, - "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"DENY 'use default;' to user3/group3", - "request":{ - "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user3","userGroups":["users", 
"group3"],"requestData":"use default" - }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'use finance;' to user3/group3", - "request":{ - "resource":{"elements":{"database":"finance"}}, - "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance" - }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":false,"policyId":-1}}} - } - , - {"name":"ALLOW 'select col1 from default.testtable;' to user1", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" - }, - "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"ALLOW 'select col1 from default.testtable;' to user2", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" - }, - "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"DENY 'select col1 from default.testtable;' to user3", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" - }, - "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"ALLOW 'select col1 from default.testtable;' to group1", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" - }, - 
"result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"ALLOW 'select col1 from default.testtable;' to group2", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" - }, - "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"DENY 'select col1 from default.testtable;' to user3/group3", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" - }, - "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'select col1 from default.table1;' to user1", - "request":{ - "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, - "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" - }, - "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'create table default.testtable1;' to user1", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" - }, - "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'create table default.testtable1;' to user1/group1", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1" - }, - 
"result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"ALLOW 'create table default.testtable1;' to admin", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["create"],"user":"admin","userGroups":["users"],"requestData":"create table default.testtable1" - }, - "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"ALLOW 'create table default.testtable1;' to user1/admin", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" - }, - "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"DENY 'drop table default.testtable1;' to user1", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" - }, - "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'drop table default.testtable1;' to user1/group1", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1" - }, - "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"ALLOW 'drop table default.testtable1;' to admin", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["drop"],"user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1" - }, - "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"ALLOW 'drop table default.testtable1;' to 
user1/admin", - "request":{ - "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" - }, - "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}} - } - , - {"name":"DENY 'create table default.table1;' to user1", - "request":{ - "resource":{"elements":{"database":"default","table":"table1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" - }, - "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'create table default.table1;' to user1/admin", - "request":{ - "resource":{"elements":{"database":"default","table":"table1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" - }, - "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'drop table default.table1;' to user1", - "request":{ - "resource":{"elements":{"database":"default","table":"table1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" - }, - "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'drop table default.table1;' to user1/admin", - "request":{ - "resource":{"elements":{"database":"default","table":"table1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" - }, - "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} - } - , - {"name":"DENY 'select col1 from default.table1;' to user3", - "request":{ - "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, - 
"accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1"
- },
- "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
- }
- ]
-}
-
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/82400d2b/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json
new file mode 100644
index 0000000..48c684d
--- /dev/null
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json
@@ -0,0 +1,159 @@ +{ + "serviceName":"hbasedev", + + "serviceDef":{ + "name":"hbase", + "id":2, + "resources":[ + {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Table","description":"HBase Table"}, + {"name":"column-family","level":2,"table":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column-Family","description":"HBase Column-Family"}, + {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column","description":"HBase Column"} + ], + "accessTypes":[ + {"name":"read","label":"Read"}, + {"name":"write","label":"Write"}, + {"name":"create","label":"Create"}, + {"name":"admin","label":"Admin","impliedAccessGrants":["read","write","create"]} + ] + }, + + "policies":[ + {"id":1,"name":"table=finance; column-family=restricted*: audit-all-access","isEnabled":true,"isAuditEnabled":true, + "resources":{"table":{"values":["finance"]},"column-family":{"values":["restricted*"]}}, + "policyItems":[ + {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":2,"name":"table=finance; column-family=restricted*","isEnabled":true,"isAuditEnabled":true, + "resources":{"table":{"values":["finance"]},"column-family":{"values":["restricted*"]}}, + "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false} + , + {"accesses":[{"type":"admin","isAllowed":true}],"users":[],"groups":["finance-admin"],"delegateAdmin":true} + ] + } + , + {"id":3,"name":"table=*; 
column-family=<excluding>restricted*","isEnabled":true,"isAuditEnabled":false, + "resources":{"table":{"values":["*"]},"column-family":{"values":["restricted*"],"isExcludes":true}}, + "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + ], + + "tests":[ + {"name":"ALLOW 'scan finance restricted-cf;' for finance", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["read"],"user":"user1","userGroups":["users","finance"],"requestData":"scan finance restricted-cf" + }, + "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'put finance restricted-cf;' for finance", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["write"],"user":"user1","userGroups":["users","finance"],"requestData":"put finance restricted-cf" + }, + "result":{"accessTypeResults":{"write":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"DENY 'create finance restricted-cf;' for finance", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["create"],"user":"user1","userGroups":["users","finance"],"requestData":"create finance restricted-cf" + }, + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'grant finance restricted-cf;' for finance", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["admin"],"user":"user1","userGroups":["users","finance"],"requestData":"grant finance restricted-cf" + }, + "result":{"accessTypeResults":{"admin":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'scan finance restricted-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + 
"accessTypes":["read"],"user":"user1","userGroups":["users"],"requestData":"scan finance restricted-cf" + }, + "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'put finance restricted-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["write"],"user":"user1","userGroups":["users"],"requestData":"put finance restricted-cf" + }, + "result":{"accessTypeResults":{"write":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'create finance restricted-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create finance restricted-cf" + }, + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'grant finance restricted-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["admin"],"user":"user1","userGroups":["users"],"requestData":"grant finance restricted-cf" + }, + "result":{"accessTypeResults":{"admin":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"ALLOW 'scan finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["read"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"scan finance restricted-cf" + }, + "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'put finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["write"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"put finance restricted-cf" + }, + 
"result":{"accessTypeResults":{"write":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'create finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["create"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"create finance restricted-cf" + }, + "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'grant finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessTypes":["admin"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"grant finance restricted-cf" + }, + "result":{"accessTypeResults":{"admin":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'scan finance regular-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, + "accessTypes":["read"],"user":"user1","userGroups":["users"],"requestData":"scan finance regular-cf" + }, + "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":3}}} + } + , + {"name":"DENY 'put finance regular-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, + "accessTypes":["write"],"user":"user1","userGroups":["users"],"requestData":"put finance regular-cf" + }, + "result":{"accessTypeResults":{"write":{"isAllowed":false,"isAudited":false,"policyId":-1}}} + } + ] +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/82400d2b/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json ---------------------------------------------------------------------- 
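Review bot: In the serviceDef resources of the new hbase fixture, the column-family entry uses `"table":"database"` where its siblings use `parent` (`"parent":""` on table, `"parent":"column-family"` on column), so the hierarchy link for column-family is missing and "database" is not an HBase resource at all. The line should read `{"name":"column-family","level":2,"parent":"table","mandatory":true, …}` to mirror ranger-servicedef-hbase.json. Whether the engine consults `parent` on the path these tests exercise I cannot tell from the hunk, but a fixture whose resource tree differs from the shipped service def will mask exactly the kind of hierarchy bug these tests are meant to catch.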
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json
new file mode 100644
index 0000000..d4dcc55
--- /dev/null
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -0,0 +1,261 @@ +{ + "serviceName":"hivedev", + + "serviceDef":{ + "name":"hive", + "id":3, + "resources":[ + {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Database","description":"Hive Database"}, + {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Table","description":"Hive Table"}, + {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive UDF","description":"Hive UDF"}, + {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"} + ], + "accessTypes":[ + {"name":"select","label":"Select"}, + {"name":"update","label":"Update"}, + {"name":"create","label":"Create"}, + {"name":"drop","label":"Drop"}, + {"name":"alter","label":"Alter"}, + {"name":"index","label":"Index"}, + {"name":"lock","label":"Lock"}, + {"name":"all","label":"All"} + ] + }, + + "policies":[ + {"id":1,"name":"db=default: audit-all-access","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["default"]},"table":{"values":["*"]},"column":{"values":["*"]}}, + "policyItems":[ + {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":2,"name":"db=default; table=test*; column=*","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}}, + 
"policyItems":[ + {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false} + , + {"accesses":[{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["admin"],"groups":["admin"],"delegateAdmin":true} + ] + } + ], + + "tests":[ + {"name":"ALLOW 'use default;' for user1", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default" + }, + "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'use default;' for user2", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default" + }, + "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"DENY 'use default;' to user3", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default" + }, + "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"ALLOW 'use default;' to group1", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use default" + }, + "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'use default;' to group2", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use default" + }, + "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"DENY 'use default;' to user3/group3", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessTypes":[],"user":"user3","userGroups":["users", 
"group3"],"requestData":"use default" + }, + "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'use finance;' to user3/group3", + "request":{ + "resource":{"elements":{"database":"finance"}}, + "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance" + }, + "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":false,"policyId":-1}}} + } + , + {"name":"ALLOW 'select col1 from default.testtable;' to user1", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'select col1 from default.testtable;' to user2", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"DENY 'select col1 from default.testtable;' to user3", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"ALLOW 'select col1 from default.testtable;' to group1", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessTypes":["select"],"user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" + }, + 
"result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'select col1 from default.testtable;' to group2", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessTypes":["select"],"user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" + }, + "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"DENY 'select col1 from default.testtable;' to user3/group3", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessTypes":["select"],"user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" + }, + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'select col1 from default.table1;' to user1", + "request":{ + "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, + "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" + }, + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'create table default.testtable1;' to user1", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" + }, + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'create table default.testtable1;' to user1/group1", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessTypes":["create"],"user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1" + }, + 
"result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"ALLOW 'create table default.testtable1;' to admin", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessTypes":["create"],"user":"admin","userGroups":["users"],"requestData":"create table default.testtable1" + }, + "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'create table default.testtable1;' to user1/admin", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" + }, + "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"DENY 'drop table default.testtable1;' to user1", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" + }, + "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'drop table default.testtable1;' to user1/group1", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessTypes":["drop"],"user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1" + }, + "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"ALLOW 'drop table default.testtable1;' to admin", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessTypes":["drop"],"user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1" + }, + "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"ALLOW 'drop table default.testtable1;' to 
user1/admin", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable1"}}, + "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" + }, + "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}} + } + , + {"name":"DENY 'create table default.table1;' to user1", + "request":{ + "resource":{"elements":{"database":"default","table":"table1"}}, + "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" + }, + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'create table default.table1;' to user1/admin", + "request":{ + "resource":{"elements":{"database":"default","table":"table1"}}, + "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" + }, + "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'drop table default.table1;' to user1", + "request":{ + "resource":{"elements":{"database":"default","table":"table1"}}, + "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" + }, + "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'drop table default.table1;' to user1/admin", + "request":{ + "resource":{"elements":{"database":"default","table":"table1"}}, + "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" + }, + "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + , + {"name":"DENY 'select col1 from default.table1;' to user3", + "request":{ + "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, + 
"accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1" + }, + "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + } + ] +} +
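Review bot: Several test names and requestData strings in this fixture do not match the request they describe: the case named `"DENY 'use finance;' to user3/group3"` actually sends `"user":"user1","userGroups":["users"]`, and the four `default.table1` create/drop cases carry `"requestData":"create table default.testtable1"` / `"drop table default.testtable1"` while their resource element is `"table":"table1"`. If requestData is only echoed into the audit record, as it appears to be here, the tests still pass, but a failure in any of these cases would be reported under a misleading name and the fixture no longer documents which authorization boundary each case covers. Rename the first to `"DENY 'use finance;' to user1"` (or change its request to user3 in group3 to match the title), and set the table1 cases to `"requestData":"create table default.table1"` / `"requestData":"drop table default.table1"`.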
