Repository: incubator-ranger Updated Branches: refs/heads/stack 615e2c52e -> 7c4ff133b
RANGER-203: RangerAccessResult updated with addition of isAudited flag (moved from accessTypeResults). Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7c4ff133 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7c4ff133 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7c4ff133 Branch: refs/heads/stack Commit: 7c4ff133b6329c711ce2be093814f09a32d45f4f Parents: 615e2c5 Author: Madhan Neethiraj <[email protected]> Authored: Sun Jan 25 00:41:03 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Sun Jan 25 00:41:03 2015 -0800 ---------------------------------------------------------------------- .../plugin/audit/RangerDefaultAuditHandler.java | 6 +- .../plugin/policyengine/RangerAccessResult.java | 91 ++++++++++---------- .../policyengine/RangerPolicyEngineImpl.java | 2 +- .../RangerDefaultPolicyEvaluator.java | 14 +-- .../plugin/policyengine/TestPolicyEngine.java | 1 + .../policyengine/test_policyengine_hbase.json | 28 +++--- .../policyengine/test_policyengine_hdfs.json | 26 +++--- .../policyengine/test_policyengine_hive.json | 54 ++++++------ 8 files changed, 110 insertions(+), 112 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7c4ff133/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java index 82732e7..9c6f7cd 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 
@@ -85,7 +85,7 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { RangerAccessRequest request = result != null ? result.getAccessRequest() : null; - if(request != null && result != null) { + if(request != null && result != null && result.getIsAudited()) { RangerServiceDef serviceDef = result.getServiceDef(); int serviceType = (serviceDef != null && serviceDef.getId() != null) ? serviceDef.getId().intValue() : -1; String serviceName = result.getServiceName(); @@ -97,10 +97,6 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler { String accessType = e.getKey(); ResultDetail accessResult = e.getValue(); - if(! accessResult.isAudited()) { - continue; - } - AuthzAuditEvent event = createAuthzAuditEvent(); event.setRepositoryName(serviceName); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7c4ff133/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java index 934864e..5f07402 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 
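Review bot: The new `result.getIsAudited()` test in the outer `if` of the first hunk (-85,7 +85,7) makes auditing all-or-nothing for the request, and nothing in the code says so. With the per-access-type skip removed in the second hunk, a request whose flag is false writes no event at all, denied access types included. The updated fixtures show such denials (for example the DENY case for `/operations/visitors.db` in test_policyengine_hdfs.json), and their old `"isAudited":false` lines suggest this was already the behaviour. I would add above the `if`: `// isAudited is request-wide: no event is written unless an audit-enabled policy matched the resource, even for denied access types`. The `result != null` operand is also redundant, since `request` can only be non-null when `result` is; the method body starts and ends outside the hunk.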
@@ -32,16 +32,19 @@ public class RangerAccessResult { private String serviceName = null; private RangerServiceDef serviceDef = null; private RangerAccessRequest request = null; + + private boolean isAudited = false; private Map<String, ResultDetail> accessTypeResults = null; public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request) { - this(serviceName, serviceDef, request, null); + this(serviceName, serviceDef, request, false, null); } - public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request, Map<String, ResultDetail> accessTypeResults) { + public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request, boolean isAudited, Map<String, ResultDetail> accessTypeResults) { this.serviceName = serviceName; this.serviceDef = serviceDef; this.request = request; + this.isAudited = isAudited; setAccessTypeResults(accessTypeResults); } @@ -68,6 +71,20 @@ public class RangerAccessResult { } /** + * @return the isAudited + */ + public boolean getIsAudited() { + return isAudited; + } + + /** + * @param isAudited the isAudited to set + */ + public void setIsAudited(boolean isAudited) { + this.isAudited = isAudited; + } + + /** * @return the accessTypeResults */ public Map<String, ResultDetail> getAccessTypeResults() { @@ -79,6 +96,15 @@ public class RangerAccessResult { */ public void setAccessTypeResults(Map<String, ResultDetail> accessTypeResults) { this.accessTypeResults = accessTypeResults == null ? new HashMap<String, ResultDetail>() : accessTypeResults; + + // ensure that accessTypeResults has all the accessTypes in the request + if(request != null && request.getAccessTypes() != null) { + for(String accessType : request.getAccessTypes()) { + if(! this.accessTypeResults.containsKey(accessType)) { + this.accessTypeResults.put(accessType, new ResultDetail()); + } + } + } } /** 
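Review bot: The Javadoc on the new accessor pair in the second hunk (-68,6 +71,20) only repeats the field name, so a reader cannot tell what the flag means or who sets it. From the rest of this commit it is set by RangerDefaultPolicyEvaluator when an audit-enabled policy matches, and read by RangerDefaultAuditHandler to decide whether any event is written. I would document that on the getter, e.g. `@return true if an audit-enabled policy matched this request; the audit handler writes no events when false`. The name `getIsAudited()` also differs from the `isAllowed()` style used on `ResultDetail`; whether a serializer depends on either name is not visible here.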
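Review bot: `setAccessTypeResults` (third hunk, -79,6 +96,15) keeps the caller's map by reference and then `put`s the missing access types into it, so the caller's map is modified and an unmodifiable map would throw. Copying first avoids both: `this.accessTypeResults = accessTypeResults == null ? new HashMap<String, ResultDetail>() : new HashMap<String, ResultDetail>(accessTypeResults);`, assuming no caller relies on sharing the map, which is not visible here. The backfill also depends on `request` being assigned before the setter runs, which the constructor in the first hunk does; a one-line comment there would protect that ordering. The existing comment could also state that a backfilled `new ResultDetail()` starts denied (its constructor calls `setIsAllowed(false)`), so access types that no policy decides stay denied.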
@@ -101,47 +127,36 @@ public class RangerAccessResult { accessTypeResults.put(accessType, result); } - public boolean isAllAllowedAndAudited() { - boolean ret = true; - - if(accessTypeResults != null) { - for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) { - ResultDetail result = e.getValue(); - - ret = result.isAllowed && result.isAudited; - - if(! ret) { - break; - } - } - } - - return ret; - } - /** * @return the overall result */ public Result getResult() { Result ret = Result.ALLOWED; - if(accessTypeResults != null) { - int numAllowed = 0; + if(accessTypeResults != null && !accessTypeResults.isEmpty()) { + boolean anyAllowed = false; + boolean anyNotAllowed = false; for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) { ResultDetail result = e.getValue(); - + if(result.isAllowed) { - numAllowed++; + anyAllowed = true; + } else { + anyNotAllowed = true; + } + + if(anyAllowed && anyNotAllowed) { + break; } } - if(numAllowed == accessTypeResults.size()) { - ret = Result.ALLOWED; - } else if(numAllowed == 0) { + if(anyAllowed && anyNotAllowed) { + ret = Result.PARTIALLY_ALLOWED; + } else if(anyNotAllowed) { ret = Result.DENIED; } else { - ret = Result.PARTIALLY_ALLOWED; + ret = Result.ALLOWED; } } @@ -160,6 +175,7 @@ public class RangerAccessResult { public StringBuilder toString(StringBuilder sb) { sb.append("RangerAccessResult={"); + sb.append("isAudited={").append(isAudited).append("} "); sb.append("accessTypeResults={"); if(accessTypeResults != null) { for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) { @@ -175,13 +191,11 @@ public class RangerAccessResult { public static class ResultDetail { private boolean isAllowed; - private boolean isAudited; private long policyId; private String reason; public ResultDetail() { setIsAllowed(false); - setIsAudited(false); setPolicyId(RangerPolicyEngine.UNKNOWN_POLICY); setReason(null); } 
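Review bot: `getResult()` in the first hunk (-101,47 +127,36) still answers `Result.ALLOWED` when `accessTypeResults` is null or empty, because `ret` is initialised to ALLOWED and the new `!accessTypeResults.isEmpty()` guard skips the whole body. For an authorization result the safer default is deny: `Result ret = Result.DENIED;` leaves the non-empty path unchanged, since every branch there assigns `ret`. The short-circuit checks this commit adds in RangerPolicyEngineImpl (-188,7 +188,7) and RangerDefaultPolicyEvaluator (-153,7 +157,7), `getIsAudited() && getResult() == RangerAccessResult.Result.ALLOWED`, depend on this value, so an audited result with no entries would stop evaluation early. The old counting code behaved the same way for an empty map, and whether an empty map can reach these callers is not visible here (the hive fixtures send `"accessTypes":[]` and expect an `any` entry that is filled in outside this diff), so confirm no caller relies on empty meaning allowed before changing the default.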
@@ -201,20 +215,6 @@ public class RangerAccessResult { } /** - * @return the isAudited - */ - public boolean isAudited() { - return isAudited; - } - - /** - * @param isAudited the isAudited to set - */ - public void setIsAudited(boolean isAudited) { - this.isAudited = isAudited; - } - - /** * @return the policyId */ public long getPolicyId() { @@ -253,7 +253,6 @@ public class RangerAccessResult { if(! ret) { ret = this.isAllowed == other.isAllowed && - this.isAudited == other.isAudited && this.policyId == other.policyId && StringUtils.equals(this.reason, other.reason); } @@ -267,7 +266,6 @@ public class RangerAccessResult { int ret = 7; ret = 31 * ret + (isAllowed ? 1 : 0); - ret = 31 * ret + (isAudited ? 1 : 0); ret = 31 * ret + (int)policyId; ret = 31 * ret + (reason == null ? 0 : reason.hashCode()); @@ -285,7 +283,6 @@ public class RangerAccessResult { public StringBuilder toString(StringBuilder sb) { sb.append("isAllowed={").append(isAllowed).append("} "); - sb.append("isAudited={").append(isAudited).append("} "); sb.append("policyId={").append(policyId).append("} "); sb.append("reason={").append(reason).append("} "); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7c4ff133/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index ee05351..3bb98ca 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
@@ -188,7 +188,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { for(RangerPolicyEvaluator evaluator : evaluators) { evaluator.evaluate(request, ret); - if(ret.isAllAllowedAndAudited()) { + if(ret.getIsAudited() && ret.getResult() == RangerAccessResult.Result.ALLOWED) { break; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7c4ff133/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 8a66ae6..0160347 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -93,6 +93,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator boolean isResourceMatch = matchResource(request.getResource()); boolean isResourceHeadMatch = isResourceMatch || matchResourceHead(request.getResource()); + if(isResourceMatch && policy.getIsAuditEnabled()) { + result.setIsAudited(true); + } + for(RangerPolicyItem policyItem : policy.getPolicyItems()) { boolean isUserGroupMatch = matchUserGroup(policyItem, request.getUser(), request.getUserGroups()); boolean isCustomConditionsMatch = matchCustomConditions(policyItem, request); @@ -105,7 +109,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType); // are we done with this accessType? - if(accessResult.isAllowed() && accessResult.isAudited()) { + if(accessResult.isAllowed()) { continue; } 
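Review bot: In RangerDefaultPolicyEvaluator the request-wide audit flag is now set in two places under different visible conditions: before the policy-item loop on `isResourceMatch && policy.getIsAuditEnabled()` (-93,6 +93,10), and again inside the access-type loop on `policy.getIsAuditEnabled()` alone (-118,8 +122,8). If the second assignment sits inside a full resource-match branch it is redundant and can be dropped; if it can be reached on a head match only, the two sites disagree about when a request is audited. The enclosing branches lie outside both hunks, so this cannot be decided from here. I would keep a single assignment and add a comment such as `// audit is decided per request, before user/group matching: any audit-enabled policy that matches the resource turns it on`, which also records why denied requests carry `isAudited` true in the fixtures.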
@@ -118,8 +122,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } - if(!accessResult.isAudited() && policy.getIsAuditEnabled()) { - accessResult.setIsAudited(true); + if(policy.getIsAuditEnabled()) { + result.setIsAudited(true); } if(!isUserGroupMatch) { @@ -141,7 +145,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } else { RangerPolicyItemAccess access = getAccess(policyItem, accessType); - + if(access == null) { continue; } @@ -153,7 +157,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } - if(result.isAllAllowedAndAudited()) { + if(result.getIsAudited() && result.getResult() == RangerAccessResult.Result.ALLOWED) { break; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7c4ff133/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index 28f108e..5462b7e 100644 --- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -103,6 +103,7 @@ public class TestPolicyEngine { RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null); assertNotNull(test.name, result); + assertEquals(test.name, expected.getIsAudited(), result.getIsAudited()); assertEquals(test.name, expected.getAccessTypeResults(), result.getAccessTypeResults()); } } catch(Throwable excp) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7c4ff133/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json ---------------------------------------------------------------------- 
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json index f563c28..270f687 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json @@ -48,7 +48,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["read"],"user":"user1","userGroups":["users","finance"],"requestData":"scan finance restricted-cf" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'put finance restricted-cf;' for finance", @@ -56,7 +56,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["write"],"user":"user1","userGroups":["users","finance"],"requestData":"put finance restricted-cf" }, - "result":{"accessTypeResults":{"write":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"write":{"isAllowed":true,"policyId":2}}} } , {"name":"DENY 'create finance restricted-cf;' for finance", @@ -64,7 +64,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["create"],"user":"user1","userGroups":["users","finance"],"requestData":"create finance restricted-cf" }, - "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'grant finance restricted-cf;' for finance", 
@@ -72,7 +72,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["admin"],"user":"user1","userGroups":["users","finance"],"requestData":"grant finance restricted-cf" }, - "result":{"accessTypeResults":{"admin":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"admin":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'scan finance restricted-cf;' for user1", @@ -80,7 +80,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["read"],"user":"user1","userGroups":["users"],"requestData":"scan finance restricted-cf" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'put finance restricted-cf;' for user1", @@ -88,7 +88,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["write"],"user":"user1","userGroups":["users"],"requestData":"put finance restricted-cf" }, - "result":{"accessTypeResults":{"write":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"write":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'create finance restricted-cf;' for user1", @@ -96,7 +96,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create finance restricted-cf" }, - "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'grant finance restricted-cf;' for user1", 
@@ -104,7 +104,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["admin"],"user":"user1","userGroups":["users"],"requestData":"grant finance restricted-cf" }, - "result":{"accessTypeResults":{"admin":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"admin":{"isAllowed":false,"policyId":-1}}} } , {"name":"ALLOW 'scan finance restricted-cf;' for finance-admin", @@ -112,7 +112,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["read"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"scan finance restricted-cf" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'put finance restricted-cf;' for finance-admin", @@ -120,7 +120,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["write"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"put finance restricted-cf" }, - "result":{"accessTypeResults":{"write":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"write":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'create finance restricted-cf;' for finance-admin", @@ -128,7 +128,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["create"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"create finance restricted-cf" }, - "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'grant finance restricted-cf;' for finance-admin", 
@@ -136,7 +136,7 @@ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, "accessTypes":["admin"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"grant finance restricted-cf" }, - "result":{"accessTypeResults":{"admin":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"admin":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'scan finance regular-cf;' for user1", @@ -144,7 +144,7 @@ "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, "accessTypes":["read"],"user":"user1","userGroups":["users"],"requestData":"scan finance regular-cf" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":3}}} + "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":true,"policyId":3}}} } , {"name":"DENY 'put finance regular-cf;' for user1", @@ -152,7 +152,7 @@ "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, "accessTypes":["write"],"user":"user1","userGroups":["users"],"requestData":"put finance regular-cf" }, - "result":{"accessTypeResults":{"write":{"isAllowed":false,"isAudited":false,"policyId":-1}}} + "result":{"isAudited":false,"accessTypeResults":{"write":{"isAllowed":false,"policyId":-1}}} } ] } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7c4ff133/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json index 9579ace..0ede13d 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json 
@@ -43,7 +43,7 @@ "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":3}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":true,"policyId":3}}} } , {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance", @@ -51,7 +51,7 @@ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":3}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":true,"policyId":3}}} } , {"name":"DENY 'read /operations/visitors.db' for g=finance", @@ -59,7 +59,7 @@ "resource":{"elements":{"path":"/operations/visitors.db"}}, "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}} + "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} } , {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance", @@ -67,7 +67,7 @@ "resource":{"elements":{"path":"/public/technology/blogs.db"}}, "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}} + "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} } , 
@@ -76,7 +76,7 @@ "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} } , {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr", @@ -84,7 +84,7 @@ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'read /operations/visitors.db' for g=hr", @@ -92,7 +92,7 @@ "resource":{"elements":{"path":"/operations/visitors.db"}}, "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}} + "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} } , {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr", @@ -100,7 +100,7 @@ "resource":{"elements":{"path":"/public/technology/blogs.db"}}, "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}} + "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} } , 
@@ -109,7 +109,7 @@ "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1", @@ -117,7 +117,7 @@ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'read /operations/visitors.db' for u=user1", @@ -125,7 +125,7 @@ "resource":{"elements":{"path":"/operations/visitors.db"}}, "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /operations/visitors.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}} + "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} } , {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1", @@ -133,7 +133,7 @@ "resource":{"elements":{"path":"/public/technology/blogs.db"}}, "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}} + "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'read /public/technology' for u=user1", 
@@ -141,7 +141,7 @@ "resource":{"elements":{"path":"/public/technology/blogs.db"}}, "accessTypes":["read","execute"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" }, - "result":{"accessTypeResults":{"execute":{"isAllowed":true,"isAudited":false,"policyId":2},"read":{"isAllowed":true,"isAudited":false,"policyId":2}}} + "result":{"isAudited":false,"accessTypeResults":{"execute":{"isAllowed":true,"policyId":2},"read":{"isAllowed":true,"policyId":2}}} } ] } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7c4ff133/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json index d4dcc55..6c277d1 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json @@ -46,7 +46,7 @@ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"any":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'use default;' for user2", @@ -54,7 +54,7 @@ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"any":{"isAllowed":true,"policyId":2}}} } , {"name":"DENY 'use default;' to user3", 
@@ -62,7 +62,7 @@ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"any":{"isAllowed":false,"policyId":-1}}} } , {"name":"ALLOW 'use default;' to group1", @@ -70,7 +70,7 @@ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"any":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'use default;' to group2", @@ -78,7 +78,7 @@ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"any":{"isAllowed":true,"policyId":2}}} } , {"name":"DENY 'use default;' to user3/group3", @@ -86,7 +86,7 @@ "resource":{"elements":{"database":"default"}}, "accessTypes":[],"user":"user3","userGroups":["users", "group3"],"requestData":"use default" }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"any":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'use finance;' to user3/group3", @@ -94,7 +94,7 @@ "resource":{"elements":{"database":"finance"}}, "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance" }, - "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":false,"policyId":-1}}} + "result":{"isAudited":false,"accessTypeResults":{"any":{"isAllowed":false,"policyId":-1}}} } , {"name":"ALLOW 'select col1 from default.testtable;' to user1", 
@@ -102,7 +102,7 @@ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'select col1 from default.testtable;' to user2", @@ -110,7 +110,7 @@ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":true,"policyId":2}}} } , {"name":"DENY 'select col1 from default.testtable;' to user3", @@ -118,7 +118,7 @@ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":false,"policyId":-1}}} } , {"name":"ALLOW 'select col1 from default.testtable;' to group1", @@ -126,7 +126,7 @@ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" }, - "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":true,"policyId":2}}} } , {"name":"ALLOW 'select col1 from default.testtable;' to group2", 
@@ -134,7 +134,7 @@ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" }, - "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":true,"policyId":2}}} } , {"name":"DENY 'select col1 from default.testtable;' to user3/group3", @@ -142,7 +142,7 @@ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, "accessTypes":["select"],"user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" }, - "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'select col1 from default.table1;' to user1", @@ -150,7 +150,7 @@ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" }, - "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'create table default.testtable1;' to user1", @@ -158,7 +158,7 @@ "resource":{"elements":{"database":"default","table":"testtable1"}}, "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" }, - "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} } , {"name":"DENY 'create table default.testtable1;' to user1/group1", 
@@ -166,7 +166,7 @@
 "resource":{"elements":{"database":"default","table":"testtable1"}},
 "accessTypes":["create"],"user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1"
 },
- "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}}
 }
 ,
 {"name":"ALLOW 'create table default.testtable1;' to admin",
@@ -174,7 +174,7 @@
 "resource":{"elements":{"database":"default","table":"testtable1"}},
 "accessTypes":["create"],"user":"admin","userGroups":["users"],"requestData":"create table default.testtable1"
 },
- "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":true,"policyId":2}}}
 }
 ,
 {"name":"ALLOW 'create table default.testtable1;' to user1/admin",
@@ -182,7 +182,7 @@
 "resource":{"elements":{"database":"default","table":"testtable1"}},
 "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
 },
- "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":true,"policyId":2}}}
 }
 ,
 {"name":"DENY 'drop table default.testtable1;' to user1",
@@ -190,7 +190,7 @@
 "resource":{"elements":{"database":"default","table":"testtable1"}},
 "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
 },
- "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":false,"policyId":-1}}}
 }
 ,
 {"name":"DENY 'drop table default.testtable1;' to user1/group1",
@@ -198,7 +198,7 @@
 "resource":{"elements":{"database":"default","table":"testtable1"}},
 "accessTypes":["drop"],"user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1"
 },
- "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":false,"policyId":-1}}}
 }
 ,
 {"name":"ALLOW 'drop table default.testtable1;' to admin",
@@ -206,7 +206,7 @@
 "resource":{"elements":{"database":"default","table":"testtable1"}},
 "accessTypes":["drop"],"user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1"
 },
- "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":true,"policyId":2}}}
 }
 ,
 {"name":"ALLOW 'drop table default.testtable1;' to user1/admin",
@@ -214,7 +214,7 @@
 "resource":{"elements":{"database":"default","table":"testtable1"}},
 "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
 },
- "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":true,"policyId":2}}}
 }
 ,
 {"name":"DENY 'create table default.table1;' to user1",
@@ -222,7 +222,7 @@
 "resource":{"elements":{"database":"default","table":"table1"}},
 "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
 },
- "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}}
 }
 ,
 {"name":"DENY 'create table default.table1;' to user1/admin",
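Review bot: The `requestData` of the case checked in hunk -222 does not match its resource: the resource is `"table":"table1"`, but the text reads `create table default.testtable1`. The same mismatch sits in the context lines of hunks -230, -238 and -246 (the latter two with `drop table default.testtable1`). If the evaluator ignores `requestData` the expected results do not change, but the string presumably ends up in audit records, so I would make these `"requestData":"create table default.table1"` and `"requestData":"drop table default.table1"` to keep the fixture self-consistent. The test objects begin one line above each hunk, so their `name` lines are only visible as the trailing context of the preceding hunk.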
@@ -230,7 +230,7 @@
 "resource":{"elements":{"database":"default","table":"table1"}},
 "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
 },
- "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}}
 }
 ,
 {"name":"DENY 'drop table default.table1;' to user1",
@@ -238,7 +238,7 @@
 "resource":{"elements":{"database":"default","table":"table1"}},
 "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
 },
- "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":false,"policyId":-1}}}
 }
 ,
 {"name":"DENY 'drop table default.table1;' to user1/admin",
@@ -246,7 +246,7 @@
 "resource":{"elements":{"database":"default","table":"table1"}},
 "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
 },
- "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":false,"policyId":-1}}}
 }
 ,
 {"name":"DENY 'select col1 from default.table1;' to user3",
@@ -254,7 +254,7 @@
 "resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
 "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1"
 },
- "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":false,"policyId":-1}}}
 }
 ]
 }
