Repository: incubator-ranger Updated Branches: refs/heads/stack 82400d2b6 -> ee9ecde98
RANGER-203: added tests for HDFS access requests. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ee9ecde9 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ee9ecde9 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ee9ecde9 Branch: refs/heads/stack Commit: ee9ecde98fc38be97ea100cd5227b945e7ed0f57 Parents: 82400d2 Author: Madhan Neethiraj <[email protected]> Authored: Fri Jan 9 09:59:36 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Fri Jan 9 09:59:36 2015 -0800
----------------------------------------------------------------------
 .../RangerPathResourceMatcher.java | 12 +-
 .../service-defs/ranger-servicedef-hdfs.json | 4 +-
 .../plugin/policyengine/TestPolicyEngine.java | 30 ++--
 .../policyengine/test_policyengine_hdfs.json | 140 +++++++++++++++++++
 4 files changed, 173 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 79f68c0..2cf3a68 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -62,9 +62,17 @@ public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
 for(String policyValue : policyValues) {
 if(policyIsRecursive) {
- ret = optWildCard ? isRecursiveWildCardMatch(resource, policyValue) : StringUtils.startsWith(resource, policyValue);
+ ret = StringUtils.startsWith(resource, policyValue);
+
+ if(! ret && optWildCard) {
+ ret = isRecursiveWildCardMatch(resource, policyValue) ;
+ }
 } else {
- ret = optWildCard ? FilenameUtils.wildcardMatch(resource, policyValue) : StringUtils.equals(resource, policyValue);
+ ret = StringUtils.equals(resource, policyValue);
+
+ if(! ret && optWildCard) {
+ ret = FilenameUtils.wildcardMatch(resource, policyValue);
+ }
 }
 if(ret) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
index b2431c7..907b6d3 100644
--- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
+++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
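Review bot: In the recursive branch, `ret = StringUtils.startsWith(resource, policyValue);` is a raw string-prefix test, so a policy value without a trailing slash such as `/finance/restricted` (exactly how policy 3 in the new test_policyengine_hdfs.json is written) also matches `/finance/restricted-archive/x.db`, extending the policy to sibling directories that merely share the prefix. Restricting the prefix match to a path-separator boundary keeps it to the intended subtree: `ret = StringUtils.startsWith(resource, policyValue) && (policyValue.endsWith("/") || resource.length() == policyValue.length() || resource.charAt(policyValue.length()) == '/');`. Whether the case-folding implied by the service definition's `ignoreCase=true` option is applied to `resource` and `policyValue` before this loop is not visible here; if it is not, `StringUtils.startsWithIgnoreCase` would be needed on this line when that option is set, and `isRecursiveWildCardMatch` (also outside the hunk) may need the same boundary treatment. The enclosing method begins and ends outside the hunk.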
@@ -34,13 +34,13 @@
 [
 {"name":"username","type":"string","mandatory":true,"label":"Username"},
 {"name":"password","type":"password","mandatory":true,"label":"Password"},
- {"name":"hadoop.security.authorization","type":"bool","mandatory":true,"defaultValue":"false"},
+ {"name":"hadoop.security.authorization","type":"bool","subType":"TrueFalse","mandatory":true,"defaultValue":"false"},
 {"name":"hadoop.security.authentication","type":"enum","subType":"authnType","mandatory":true,"defaultValue":"simple"},
 {"name":"hadoop.security.auth_to_local","type":"string","mandatory":false},
 {"name":"dfs.datanode.kerberos.principal","type":"string","mandatory":false},
 {"name":"dfs.namenode.kerberos.principal","type":"string","mandatory":false},
 {"name":"dfs.secondary.namenode.kerberos.principal","type":"string","mandatory":false},
- {"name":"hadoop.rpc.protection","type":"rpcProtection","mandatory":false,"defaultValue":"authentication"},
+ {"name":"hadoop.rpc.protection","type":"enum","subType":"rpcProtection","mandatory":false,"defaultValue":"authentication"},
 {"name":"certificate.cn","type":"string","mandatory":false,"label":"Common Name for Certificate"}
 ],
 "resources":
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 553a0d7..811c873 100644
--- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -61,24 +61,36 @@ public class TestPolicyEngine {
 }
 @Test
+ public void testPolicyEngine_hdfs() {
+ String[] hdfsTestResourceFiles = { "/policyengine/test_policyengine_hdfs.json" };
+
+ runTestsFromResourceFiles(hdfsTestResourceFiles);
+ }
+
+ @Test
 public void testPolicyEngine_hive() {
- String filename = "/policyengine/test_policyengine_hive.json";
- InputStream inStream = this.getClass().getResourceAsStream(filename);
- InputStreamReader reader = new InputStreamReader(inStream);
+ String[] hiveTestResourceFiles = { "/policyengine/test_policyengine_hive.json" };
- runTests(reader, filename);
+ runTestsFromResourceFiles(hiveTestResourceFiles);
 }
 @Test
 public void testPolicyEngine_hbase() {
- String filename = "/policyengine/test_policyengine_hbase.json";
- InputStream inStream = this.getClass().getResourceAsStream(filename);
- InputStreamReader reader = new InputStreamReader(inStream);
+ String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase.json" };
- runTests(reader, filename);
+ runTestsFromResourceFiles(hbaseTestResourceFiles);
+ }
+
+ private void runTestsFromResourceFiles(String[] resourceNames) {
+ for(String resourceName : resourceNames) {
+ InputStream inStream = this.getClass().getResourceAsStream(resourceName);
+ InputStreamReader reader = new InputStreamReader(inStream);
+
+ runTests(reader, resourceName);
+ }
 }
- public void runTests(InputStreamReader reader, String testName) {
+ private void runTests(InputStreamReader reader, String testName) {
 try {
 PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
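Review bot: The new `runTestsFromResourceFiles` hands the result of `getResourceAsStream(resourceName)` straight to `new InputStreamReader(inStream)`, so a missing or misnamed resource fails as a NullPointerException that never names the file, and the reader is never closed once `runTests` returns; it is also opened with the platform default charset rather than an explicit UTF-8 for the JSON. An `assertNotNull` on the stream, try-with-resources around the reader and `StandardCharsets.UTF_8` cover all three (Java 7+; `assertNotNull` and `fail` come from `org.junit.Assert` and may need a static import). The removed per-test bodies had the same gap, so this is a missed opportunity rather than a regression. `runTests` continues past the end of the hunk.
```java
private void runTestsFromResourceFiles(String[] resourceNames) {
	for(String resourceName : resourceNames) {
		InputStream inStream = this.getClass().getResourceAsStream(resourceName);

		// a missing resource would otherwise surface as a bare NPE inside InputStreamReader
		assertNotNull("test resource not found: " + resourceName, inStream);

		try(InputStreamReader reader = new InputStreamReader(inStream, StandardCharsets.UTF_8)) {
			runTests(reader, resourceName);
		} catch(IOException excp) {
			fail("failed to read test resource " + resourceName + ": " + excp);
		}
	}
}
```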
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
new file mode 100644
index 0000000..b9afd8b
--- /dev/null
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -0,0 +1,140 @@
+{
+ "serviceName":"hdfsdev",
+
+ "serviceDef":{
+ "name":"hdfs",
+ "id":1,
+ "resources":[
+ {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Resource Path","description":"HDFS file or directory path"}
+ ],
+ "accessTypes":[
+ {"name":"read","label":"Read"},
+ {"name":"write","label":"Write"},
+ {"name":"execute","label":"Execute"}
+ ]
+ },
+
+ "policies":[
+ {"id":1,"name":"audit-all-access under /finance/restricted/","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false,
+ "resources":{"path":{"values":["/public/"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":3,"name":"allow-read-to-finance under /finance/restricted","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/finance/restricted"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false}
+ ]
+ }
+ ],
+
+ "tests":[
+ {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":3}}}
+ }
+ ,
+ {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":3}}}
+ }
+ ,
+ {"name":"DENY 'read /operations/visitors.db' for g=finance",
+ "request":{
+ "resource":{"elements":{"path":"/operations/visitors.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ }
+ ,
+ {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance",
+ "request":{
+ "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+ }
+ ,
+
+ {"name":"DENY 'read /finance/restricted/sales.db' for g=hr",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ }
+ ,
+ {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ }
+ ,
+ {"name":"DENY 'read /operations/visitors.db' for g=hr",
+ "request":{
+ "resource":{"elements":{"path":"/operations/visitors.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ }
+ ,
+ {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr",
+ "request":{
+ "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+ }
+ ,
+
+ {"name":"DENY 'read /finance/restricted/sales.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ }
+ ,
+ {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ }
+ ,
+ {"name":"DENY 'read /operations/visitors.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/operations/visitors.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /operations/visitors.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ }
+ ,
+ {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+ }
+ ]
+}
+
