Repository: incubator-ranger Updated Branches: refs/heads/stack 67dbdc45a -> 1201f2e3f
RANGER-203: RangerAccessRequest updated to support a single accessType (instead of a list). This makes the API simple to interpret the result. If/when it becomes necessary to support more complex cases - like authorization of multiple accessTypes and/or resources in a single request, policy engine should be updated with an equally complex result. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1201f2e3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1201f2e3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1201f2e3 Branch: refs/heads/stack Commit: 1201f2e3f06693f5c8cc115835020a9dbf185c20 Parents: 67dbdc4 Author: Madhan Neethiraj <[email protected]> Authored: Wed Jan 28 20:44:25 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Wed Jan 28 20:44:25 2015 -0800 ---------------------------------------------------------------------- .../namenode/RangerFSPermissionChecker.java | 53 ++-- .../authorizer/RangerHiveAccessRequest.java | 4 +- .../hive/authorizer/RangerHiveAuditHandler.java | 15 +- .../hive/authorizer/RangerHiveAuthorizer.java | 9 +- .../plugin/audit/RangerDefaultAuditHandler.java | 66 ++--- .../policyengine/RangerAccessRequest.java | 2 +- .../policyengine/RangerAccessRequestImpl.java | 29 +-- .../plugin/policyengine/RangerAccessResult.java | 246 +++---------------- .../policyengine/RangerPolicyEngineImpl.java | 12 +- .../RangerDefaultPolicyEvaluator.java | 67 ++--- .../plugin/policyengine/TestPolicyEngine.java | 3 +- .../policyengine/test_policyengine_hbase.json | 56 ++--- .../policyengine/test_policyengine_hdfs.json | 60 +++-- .../policyengine/test_policyengine_hive.json | 108 ++++---- 14 files changed, 254 insertions(+), 476 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
index 4132706..d8f2556 100644
--- a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
+++ b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
@@ -51,6 +51,21 @@ import com.google.common.collect.Sets;
 public class RangerFSPermissionChecker {
 private static final Log LOG = LogFactory.getLog(RangerFSPermissionChecker.class);
+ private static Map<FsAction, Set<String>> access2ActionListMapper = null ;
+
+ static {
+ access2ActionListMapper = new HashMap<FsAction, Set<String>>();
+
+ access2ActionListMapper.put(FsAction.NONE, new HashSet<String>());
+ access2ActionListMapper.put(FsAction.ALL, Sets.newHashSet(READ_ACCCESS_TYPE, WRITE_ACCCESS_TYPE, EXECUTE_ACCCESS_TYPE));
+ access2ActionListMapper.put(FsAction.READ, Sets.newHashSet(READ_ACCCESS_TYPE));
+ access2ActionListMapper.put(FsAction.READ_WRITE, Sets.newHashSet(READ_ACCCESS_TYPE, WRITE_ACCCESS_TYPE));
+ access2ActionListMapper.put(FsAction.READ_EXECUTE, Sets.newHashSet(READ_ACCCESS_TYPE, EXECUTE_ACCCESS_TYPE));
+ access2ActionListMapper.put(FsAction.WRITE, Sets.newHashSet(WRITE_ACCCESS_TYPE));
+ access2ActionListMapper.put(FsAction.WRITE_EXECUTE, Sets.newHashSet(WRITE_ACCCESS_TYPE, EXECUTE_ACCCESS_TYPE));
+ access2ActionListMapper.put(FsAction.EXECUTE, Sets.newHashSet(EXECUTE_ACCCESS_TYPE));
+ }
+
 private static final boolean addHadoopAuth = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP, RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT) ;
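Review bot: The moved `access2ActionListMapper` is declared `private static Map<FsAction, Set<String>> access2ActionListMapper = null ;` and filled in a static block, and no other assignment is visible, so declaring it `private static final` (assigned once in the static block, optionally through `Collections.unmodifiableMap`) would let the compiler guarantee this authorization lookup table cannot be replaced or cleared at runtime. The `Set<String>` values are mutable `HashSet`s that are now handed to every permission check in the class instead of being private to the request type; the consumer only iterates them, so read-only views would be safe. The rest of the class and its imports are outside this hunk, so confirm `java.util.Collections` is imported before using it.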
@@ -104,11 +119,22 @@ public class RangerFSPermissionChecker {
 }
 if (rangerPlugin != null) {
- RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(aPathName, aPathOwnerName, access, user, groups);
+ Set<String> accessTypes = access2ActionListMapper.get(access);
+
+ boolean isAllowed = true;
+ for(String accessType : accessTypes) {
+ RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(aPathName, aPathOwnerName, access, accessType, user, groups);
+
+ RangerAccessResult result = rangerPlugin.isAccessAllowed(request, getCurrentAuditHandler());
- RangerAccessResult result = rangerPlugin.isAccessAllowed(request, getCurrentAuditHandler());
+ isAllowed = result.getIsAllowed();
+
+ if(!isAllowed) {
+ break;
+ }
+ }
- accessGranted = (result != null && result.getResult() == RangerAccessResult.Result.ALLOWED);
+ accessGranted = isAllowed;
 }
 }
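Review bot: `access2ActionListMapper.get(access)` is iterated without a null check, so a null `access` or any `FsAction` value that is not a key of the map throws a NullPointerException out of the permission check instead of yielding a decision; the removed line passed `access` through to the request and never dereferenced the lookup here. The loop also drops the `result != null` guard the removed `accessGranted` line had: `isAllowed = result.getIsAllowed();` now assumes `isAccessAllowed` never returns null. Because `isAllowed` starts as `true`, wrapping only the loop in `if(accessTypes != null)` would quietly grant access for an unmapped action, so the safer shape is `boolean isAllowed = accessTypes != null;` followed by `if(isAllowed) { for(String accessType : accessTypes) { ... isAllowed = result != null && result.getIsAllowed(); ... } }`. The enclosing method starts before this hunk, so whether `access` is validated earlier is not visible.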
@@ -196,24 +222,9 @@ class RangerHdfsResource implements RangerResource {
 }
 class RangerHdfsAccessRequest extends RangerAccessRequestImpl {
- private static Map<FsAction, Set<String>> access2ActionListMapper = null ;
-
- static {
- access2ActionListMapper = new HashMap<FsAction, Set<String>>();
-
- access2ActionListMapper.put(FsAction.NONE, new HashSet<String>());
- access2ActionListMapper.put(FsAction.ALL, Sets.newHashSet(READ_ACCCESS_TYPE, WRITE_ACCCESS_TYPE, EXECUTE_ACCCESS_TYPE));
- access2ActionListMapper.put(FsAction.READ, Sets.newHashSet(READ_ACCCESS_TYPE));
- access2ActionListMapper.put(FsAction.READ_WRITE, Sets.newHashSet(READ_ACCCESS_TYPE, WRITE_ACCCESS_TYPE));
- access2ActionListMapper.put(FsAction.READ_EXECUTE, Sets.newHashSet(READ_ACCCESS_TYPE, EXECUTE_ACCCESS_TYPE));
- access2ActionListMapper.put(FsAction.WRITE, Sets.newHashSet(WRITE_ACCCESS_TYPE));
- access2ActionListMapper.put(FsAction.WRITE_EXECUTE, Sets.newHashSet(WRITE_ACCCESS_TYPE, EXECUTE_ACCCESS_TYPE));
- access2ActionListMapper.put(FsAction.EXECUTE, Sets.newHashSet(EXECUTE_ACCCESS_TYPE));
- }
-
- public RangerHdfsAccessRequest(String path, String pathOwner, FsAction access, String user, Set<String> groups) {
+ public RangerHdfsAccessRequest(String path, String pathOwner, FsAction access, String accessType, String user, Set<String> groups) {
 super.setResource(new RangerHdfsResource(path, pathOwner));
- super.setAccessTypes(access2ActionListMapper.get(access));
+ super.setAccessType(accessType);
 super.setUser(user);
 super.setUserGroups(groups);
 super.setAccessTime(StringUtil.getUTCDate());
@@ -279,7 +290,7 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
 auditEvent.setResourcePath(pathToBeValidated);
 auditEvent.setResourceType(resourceType) ;
 auditEvent.setAccessType(request.getAction());
- auditEvent.setAccessResult((short)(result.getResult() == RangerAccessResult.Result.ALLOWED ? 1 : 0));
+ auditEvent.setAccessResult((short)(result.getIsAllowed() ? 1 : 0));
 auditEvent.setClientIP(request.getClientIPAddress());
 auditEvent.setEventTime(request.getAccessTime());
 auditEvent.setAclEnforcer(RangerModuleName);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index cb35eac..7617a6f 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -68,7 +68,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 }
 }
- public HiveAccessType getAccessType() {
+ public HiveAccessType getHiveAccessType() {
 return accessType;
 }
@@ -76,7 +76,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 RangerHiveAccessRequest ret = new RangerHiveAccessRequest();
 ret.setResource(getResource());
- ret.setAccessTypes(getAccessTypes());
+ ret.setAccessType(getAccessType());
 ret.setUser(getUser());
 ret.setUserGroups(getUserGroups());
 ret.setAccessTime(getAccessTime());
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index e24c094..ac8113b 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -30,7 +30,6 @@ import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
 public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 private static final String RangerModuleName = RangerConfiguration.getInstance().get(RangerHadoopConstants.AUDITLOG_RANGER_MODULE_ACL_NAME_PROP , RangerHadoopConstants.DEFAULT_RANGER_MODULE_ACL_NAME) ;
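Review bot: `copy()` now carries over only the base-class `String` access type via `ret.setAccessType(getAccessType());`; the Hive-specific `HiveAccessType` field behind `getHiveAccessType()` (the `accessType` returned in the previous hunk) is not copied in the lines visible here, and the method continues past the hunk, so please confirm it is assigned below, otherwise `getHiveAccessType()` on the copy is null and `RangerHiveAuditHandler`'s `request.getHiveAccessType().toString()` would throw. Keeping a private `accessType` field of type `HiveAccessType` in this subclass next to the base class's private `String accessType` is legal but easy to confuse now that both have getters; renaming the subclass field to `hiveAccessType` to match the new getter would make the distinction visible at every use site.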
@@ -52,15 +51,14 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 RangerHiveAccessRequest request = (RangerHiveAccessRequest)result.getAccessRequest();
 RangerHiveResource resource = (RangerHiveResource)request.getResource();
- boolean isAllowed = result.getResult() == Result.ALLOWED;
 auditEvent.setAclEnforcer(RangerModuleName);
 auditEvent.setSessionId(request.getSessionId());
 auditEvent.setResourceType("@" + StringUtil.toLower(resource.getObjectType().name())); // to be consistent with earlier release
- auditEvent.setAccessType(request.getAccessType().toString());
+ auditEvent.setAccessType(request.getHiveAccessType().toString());
 auditEvent.setAction(request.getAction());
 auditEvent.setUser(request.getUser());
- auditEvent.setAccessResult((short)(isAllowed ? 1 : 0));
+ auditEvent.setAccessResult((short)(result.getIsAllowed() ? 1 : 0));
 auditEvent.setPolicyId(result.getPolicyId());
 auditEvent.setClientIP(request.getClientIPAddress());
 auditEvent.setClientType(request.getClientType());
@@ -88,7 +86,6 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 RangerHiveAccessRequest request = (RangerHiveAccessRequest)result.getAccessRequest();
 RangerHiveResource resource = (RangerHiveResource)request.getResource();
- boolean isAllowed = result.getResult() == Result.ALLOWED;
 AuthzAuditEvent auditEvent = auditEvents.get(result.getPolicyId());
 if(auditEvent == null) {
@@ -98,10 +95,10 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 auditEvent.setAclEnforcer(RangerModuleName);
 auditEvent.setSessionId(request.getSessionId());
 auditEvent.setResourceType("@" + StringUtil.toLower(resource.getObjectType().name())); // to be consistent with earlier release
- auditEvent.setAccessType(request.getAccessType().toString());
+ auditEvent.setAccessType(request.getHiveAccessType().toString());
 auditEvent.setAction(request.getAction());
 auditEvent.setUser(request.getUser());
- auditEvent.setAccessResult((short)(isAllowed ? 1 : 0));
+ auditEvent.setAccessResult((short)(result.getIsAllowed() ? 1 : 0));
 auditEvent.setPolicyId(result.getPolicyId());
 auditEvent.setClientIP(request.getClientIPAddress());
 auditEvent.setClientType(request.getClientType());
@@ -110,13 +107,13 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 auditEvent.setRepositoryName(result.getServiceName()) ;
 auditEvent.setRequestData(request.getRequestData());
 auditEvent.setResourcePath(getResourceValueAsString(resource, result.getServiceDef()));
- } else if(isAllowed){
+ } else if(result.getIsAllowed()){
 auditEvent.setResourcePath(auditEvent.getResourcePath() + "," + resource.getColumn());
 } else {
 auditEvent.setResourcePath(getResourceValueAsString(resource, result.getServiceDef()));
 }
- if(!isAllowed) {
+ if(!result.getIsAllowed()) {
 auditEvent.setResourcePath(getResourceValueAsString(resource, result.getServiceDef()));
 break;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index df19603..b3d8055 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -53,7 +53,6 @@ import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import com.google.common.collect.Sets;
@@ -339,7 +338,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 for(RangerAccessResult colResult : colResults) {
 result = colResult;
- if(result.getResult() != Result.ALLOWED) {
+ if(!result.getIsAllowed()) {
 break;
 }
 }
@@ -348,11 +347,11 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 result = hivePlugin.isAccessAllowed(request, auditHandler);
 }
- if(result != null && result.getResult() != Result.ALLOWED) {
+ if(result != null && !result.getIsAllowed()) {
 String path = auditHandler.getResourceValueAsString(request.getResource(), result.getServiceDef());
 throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]",
- user, request.getAccessType().name(), path));
+ user, request.getHiveAccessType().name(), path));
 }
 }
 } finally {
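Review bot: `if(result != null && !result.getIsAllowed())` throws only when a result exists and is denied, so a null `result` falls through and the request proceeds as if permitted; if `isAccessAllowed` can return null (for example when nothing was evaluated), that is a fail-open path and the condition should be `if(result == null || !result.getIsAllowed())`, with the `result.getServiceDef()` call in the message guarded accordingly. The `@@ -339` loop leaves `result` pointing at the first denied column result or, when every column is allowed, at the last one, which is exactly what the check relies on; a one-line comment such as `// result: first denied column result, else the last column result` would make that coupling explicit. The enclosing method begins before the first hunk and its `finally` continues past the last one.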
@@ -674,7 +673,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 if(requests != null && resource != null) {
 for(RangerHiveAccessRequest request : requests) {
- if(request.getAccessType() == accessType && request.getResource().equals(resource)) {
+ if(request.getHiveAccessType() == accessType && request.getResource().equals(resource)) {
 ret = true;
 break;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
index afc03b2..feb6e98 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
@@ -22,7 +22,6 @@ package org.apache.ranger.plugin.audit;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
-import java.util.Map;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -33,7 +32,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerResource;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail;
 public class RangerDefaultAuditHandler implements RangerAuditHandler {
@@ -51,9 +49,9 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler {
 LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + result + ")");
 }
- Collection<AuthzAuditEvent> events = getAuthzEvents(result);
+ AuthzAuditEvent event = getAuthzEvents(result);
- logAuthzAudits(events);
+ logAuthzAudit(event);
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + result + ")");
@@ -76,12 +74,12 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler {
 }
- public Collection<AuthzAuditEvent> getAuthzEvents(RangerAccessResult result) {
+ public AuthzAuditEvent getAuthzEvents(RangerAccessResult result) {
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> RangerDefaultAuditHandler.getAuthzEvents(" + result + ")");
 }
- List<AuthzAuditEvent> ret = null;
+ AuthzAuditEvent ret = null;
 RangerAccessRequest request = result != null ? result.getAccessRequest() : null;
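Review bot: `getAuthzEvents` now returns a single `AuthzAuditEvent` but keeps its plural name, and `logAudit` passes the return value straight to `logAuthzAudit(event)` even though `ret` starts as `null` and is only assigned inside the request-dependent branch of the next hunk; unless `logAuthzAudit` tolerates null (its body is not in this diff), the no-request case now logs a null event where the removed collection path added nothing. A guard `if(event != null) { logAuthzAudit(event); }` in `logAudit` preserves the old behavior. Because the method is public and `RangerHiveAuditHandler` extends this class, renaming it to `getAuthzEvent` is an API change; at minimum a Javadoc line stating that it returns the single audit event for the result, or null when the result carries no request, would document the new contract.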
@@ -90,37 +88,25 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler {
 String resourceType = getResourceName(request.getResource(), serviceDef);
 String resourcePath = getResourceValueAsString(request.getResource(), serviceDef);
- // TODO: optimize the number of audit logs created
- for(Map.Entry<String, ResultDetail> e : result.getAccessTypeResults().entrySet()) {
- String accessType = e.getKey();
- ResultDetail accessResult = e.getValue();
-
- AuthzAuditEvent event = createAuthzAuditEvent();
-
- event.setRepositoryName(result.getServiceName());
- event.setRepositoryType(result.getServiceType());
- event.setResourceType(resourceType);
- event.setResourcePath(resourcePath);
- event.setRequestData(request.getRequestData());
- event.setEventTime(request.getAccessTime());
- event.setUser(request.getUser());
- event.setAccessType(request.getAction());
- event.setAccessResult((short)(accessResult.isAllowed() ? 1 : 0));
- event.setPolicyId(result.getPolicyId());
- event.setAclEnforcer("ranger-acl"); // TODO: review
- event.setAction(accessType);
- event.setClientIP(request.getClientIPAddress());
- event.setClientType(request.getClientType());
- event.setAgentHostname(null);
- event.setAgentId(null);
- event.setEventId(null);
-
- if(ret == null) {
- ret = new ArrayList<AuthzAuditEvent>();
- }
-
- ret.add(event);
- }
+ ret = createAuthzAuditEvent();
+
+ ret.setRepositoryName(result.getServiceName());
+ ret.setRepositoryType(result.getServiceType());
+ ret.setResourceType(resourceType);
+ ret.setResourcePath(resourcePath);
+ ret.setRequestData(request.getRequestData());
+ ret.setEventTime(request.getAccessTime());
+ ret.setUser(request.getUser());
+ ret.setAccessType(request.getAction());
+ ret.setAccessResult((short)(result.getIsAllowed() ? 
1 : 0));
+ ret.setPolicyId(result.getPolicyId());
+ ret.setAclEnforcer("ranger-acl"); // TODO: review
+ ret.setAction(request.getAccessType());
+ ret.setClientIP(request.getClientIPAddress());
+ ret.setClientType(request.getClientType());
+ ret.setAgentHostname(null);
+ ret.setAgentId(null);
+ ret.setEventId(null);
 }
 if(LOG.isDebugEnabled()) {
@@ -140,9 +126,9 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler {
 if(results != null) {
 // TODO: optimize the number of audit logs created
 for(RangerAccessResult result : results) {
- Collection<AuthzAuditEvent> events = getAuthzEvents(result);
+ AuthzAuditEvent event = getAuthzEvents(result);
- if(events == null) {
+ if(event == null) {
 continue;
 }
@@ -150,7 +136,7 @@ public class RangerDefaultAuditHandler implements RangerAuditHandler {
 ret = new ArrayList<AuthzAuditEvent>();
 }
- ret.addAll(events);
+ ret.add(event);
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index fc4d954..56a55ae 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -26,7 +26,7 @@ import java.util.Set;
 public interface RangerAccessRequest {
 RangerResource getResource();
- Set<String> getAccessTypes();
+ String getAccessType();
 String getUser();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
----------------------------------------------------------------------
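Review bot: The audit event is populated with `ret.setAccessType(request.getAction());` and `ret.setAction(request.getAccessType());`, so the event's accessType carries the caller's operation string and the event's action carries the policy access type; `RangerHdfsAuditHandler` in this same commit does the same (`auditEvent.setAccessType(request.getAction())`), so the cross-mapping appears deliberate for the existing audit schema, but nothing in the code says so. A comment on those two lines, e.g. `// audit schema: accessType = caller's operation (request.getAction()), action = policy access type`, would stop a future reader from "correcting" the swap and silently changing what the audit log records. The `getAuthzEvents` method begins in the previous hunk.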
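Review bot: `String getAccessType();` replaces the set-valued accessor, but the interface says nothing about what a null or empty value means, and `RangerDefaultPolicyEvaluator` in this same commit maps an empty access type to `RangerPolicyEngine.ANY_ACCESS`, which is the broader match (it also matches when only the resource head matches). A Javadoc on the method such as `Access type being requested, e.g. "read"; a null or empty value is evaluated as RangerPolicyEngine.ANY_ACCESS, so callers authorizing a specific operation must always set it` would surface that default to plugin authors at the interface rather than inside the evaluator. The same caveat applies to `RangerAccessRequestImpl.setAccessType`, which now stores the value unnormalized.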
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 083f861..fff8d4c 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -30,7 +30,7 @@ import org.apache.commons.lang.StringUtils;
 public class RangerAccessRequestImpl implements RangerAccessRequest {
 private RangerResource resource = null;
- private Set<String> accessTypes = null;
+ private String accessType = null;
 private String user = null;
 private Set<String> userGroups = null;
 private Date accessTime = null;
@@ -46,9 +46,9 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 this(null, null, null, null);
 }
- public RangerAccessRequestImpl(RangerResource resource, Set<String> accessTypes, String user, Set<String> userGroups) {
+ public RangerAccessRequestImpl(RangerResource resource, String accessType, String user, Set<String> userGroups) {
 setResource(resource);
- setAccessTypes(accessTypes);
+ setAccessType(accessType);
 setUser(user);
 setUserGroups(userGroups);
@@ -68,8 +68,8 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 }
 @Override
- public Set<String> getAccessTypes() {
- return accessTypes;
+ public String getAccessType() {
+ return accessType;
 }
 @Override
@@ -123,15 +123,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 }
 public void setAccessType(String accessType) {
- this.accessTypes = new HashSet<String>();
-
- if(! StringUtils.isEmpty(accessType)) {
- this.accessTypes.add(accessType);
- }
- }
-
- public void setAccessTypes(Set<String> accessTypes) {
- this.accessTypes = (accessTypes == null) ? new HashSet<String>() : accessTypes;
+ this.accessType = accessType;
 }
 public void setUser(String user) {
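Review bot: `setAccessType` now stores its argument as-is, so `StringUtils` (still imported per the `@@ -30` context line) and `HashSet` are no longer referenced by any line in these hunks; if nothing else in the file uses them, the unused imports should go with this change. The removed `setAccessTypes` normalized null to an empty collection, whereas the no-argument constructor's `this(null, null, null, null)` now leaves `accessType` null, so callers that relied on a non-null accessor result need checking against the evaluator, which treats an empty value as any-access. Only parts of the class are visible here.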
@@ -183,14 +175,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 sb.append("RangerAccessRequestImpl={");
 sb.append("resource={").append(resource).append("} ");
-
- sb.append("accessTypes={");
- if(accessTypes != null) {
- for(String accessType : accessTypes) {
- sb.append(accessType).append(" ");
- }
- }
-
+ sb.append("accessType={").append(accessType).append("} ");
 sb.append("user={").append(user).append("} ");
 sb.append("userGroups={");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index b64a441..20aadf6 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -19,37 +19,31 @@ package org.apache.ranger.plugin.policyengine; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -import org.apache.commons.collections.MapUtils; -import org.apache.commons.lang.StringUtils; import org.apache.ranger.plugin.model.RangerServiceDef; public class RangerAccessResult { - public enum Result { ALLOWED, DENIED, PARTIALLY_ALLOWED }; - private String serviceName = null; private RangerServiceDef serviceDef = null; private RangerAccessRequest request = null; - private boolean isAudited = false; - private Map<String, ResultDetail> accessTypeResults = null; + private boolean isAllowed = false; + private boolean isAudited = false; + private long policyId = -1; + private String reason = null; public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request) { - this(serviceName, serviceDef, request, false, null); + this(serviceName, serviceDef, request, false, false, -1, null); } - public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request, boolean isAudited, Map<String, ResultDetail> accessTypeResults) { + public RangerAccessResult(String serviceName, RangerServiceDef serviceDef, RangerAccessRequest request, boolean isAllowed, boolean isAudited, long policyId, String reason) { this.serviceName = serviceName; this.serviceDef = serviceDef; this.request = request; + this.isAllowed = isAllowed; this.isAudited = isAudited; - - setAccessTypeResults(accessTypeResults); + this.policyId = policyId; + this.reason = reason; } /** 
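Review bot: `policyId` defaults to the literal `-1` both in the field initializer `private long policyId = -1;` and in the delegating constructor `this(serviceName, serviceDef, request, false, false, -1, null);`, while the `ResultDetail` class this replaces initialized it with `RangerPolicyEngine.UNKNOWN_POLICY`; using the named constant in both places keeps the "no policy matched" sentinel defined once and lets `getPolicyId()` callers compare against it by name. The new seven-argument constructor has no Javadoc; a `@param` list noting that `isAllowed` starts as false and that `reason` may be null would help, since this is the result type every plugin inspects. No getter for `reason` appears in the hunks of this file, so if none exists elsewhere the value is reachable only through `toString()`.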
@@ -74,96 +68,45 @@ public class RangerAccessResult { } /** - * @return the isAudited - */ - public boolean getIsAudited() { - return isAudited; - } - - /** - * @param isAudited the isAudited to set + * @return the isAllowed */ - public void setIsAudited(boolean isAudited) { - this.isAudited = isAudited; + public boolean getIsAllowed() { + return isAllowed; } /** - * @return the accessTypeResults + * @param isAllowed the isAllowed to set */ - public Map<String, ResultDetail> getAccessTypeResults() { - return accessTypeResults; + public void setIsAllowed(boolean isAllowed) { + this.isAllowed = isAllowed; } /** - * @param result the result to set + * @return the isAudited */ - public void setAccessTypeResults(Map<String, ResultDetail> accessTypeResults) { - this.accessTypeResults = accessTypeResults == null ? new HashMap<String, ResultDetail>() : accessTypeResults; - - // ensure that accessTypeResults has all the accessTypes in the request - if(request != null && request.getAccessTypes() != null) { - for(String accessType : request.getAccessTypes()) { - if(! this.accessTypeResults.containsKey(accessType)) { - this.accessTypeResults.put(accessType, new ResultDetail()); - } - } - } + public boolean getIsAudited() { + return isAudited; } /** - * @param accessType the accessType - * @return the accessTypeResult + * @param isAudited the isAudited to set */ - public ResultDetail getAccessTypeResult(String accessType) { - return accessTypeResults == null ? 
null : accessTypeResults.get(accessType); + public void setIsAudited(boolean isAudited) { + this.isAudited = isAudited; } /** - * @param accessType the accessType - * @param result the result to set + * @return the policyId */ - public void setAccessTypeResult(String accessType, ResultDetail result) { - if(accessTypeResults == null) { - accessTypeResults = new HashMap<String, ResultDetail>(); - } - - accessTypeResults.put(accessType, result); + public long getPolicyId() { + return policyId; } /** - * @return the overall result + * @return the policyId */ - public Result getResult() { - Result ret = Result.ALLOWED; - - if(accessTypeResults != null && !accessTypeResults.isEmpty()) { - boolean anyAllowed = false; - boolean anyNotAllowed = false; - - for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) { - ResultDetail result = e.getValue(); - - if(result.isAllowed) { - anyAllowed = true; - } else { - anyNotAllowed = true; - } - - if(anyAllowed && anyNotAllowed) { - break; - } - } - - if(anyAllowed && anyNotAllowed) { - ret = Result.PARTIALLY_ALLOWED; - } else if(anyNotAllowed) { - ret = Result.DENIED; - } else { - ret = Result.ALLOWED; - } - } - - return ret; + public void setPolicyId(long policyId) { + this.policyId = policyId; } public int getServiceType() { @@ -176,30 +119,6 @@ public class RangerAccessResult { return ret; } - public long getPolicyId() { - long ret = -1; - - if(! MapUtils.isEmpty(accessTypeResults)) { - ResultDetail detail = accessTypeResults.values().iterator().next(); - - ret = detail.getPolicyId(); - } - - return ret; - } - - public Set<Long> getPolicyIds() { - Set<Long> ret = new HashSet<Long>(); - - if(! MapUtils.isEmpty(accessTypeResults)) { - for(ResultDetail detail : accessTypeResults.values()) { - ret.add(detail.getPolicyId()); - } - } - - return ret; - } - @Override public String toString( ) { StringBuilder sb = new StringBuilder(); 
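Review bot: The Javadoc on the new `setPolicyId(long policyId)` reads `@return the policyId`, copied from the getter above it; it should be `@param policyId the policyId to set`, matching the `setIsAllowed` and `setIsAudited` comments in the same hunk. The removed `getResult()` distinguished PARTIALLY_ALLOWED from DENIED; with a single boolean, the audit handlers and authorizers in this commit treat anything that is not `getIsAllowed()` as denied, which deserves one sentence in the class Javadoc so readers do not look for a partial-result equivalent.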
@@ -212,118 +131,13 @@ public class RangerAccessResult { public StringBuilder toString(StringBuilder sb) { sb.append("RangerAccessResult={"); + sb.append("isAllowed={").append(isAllowed).append("} "); sb.append("isAudited={").append(isAudited).append("} "); - sb.append("accessTypeResults={"); - if(accessTypeResults != null) { - for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) { - sb.append(e.getKey()).append("={").append(e.getValue()).append("} "); - } - } - sb.append("} "); + sb.append("policyId={").append(policyId).append("} "); + sb.append("reason={").append(reason).append("} "); sb.append("}"); return sb; } - - public static class ResultDetail { - private boolean isAllowed; - private long policyId; - private String reason; - - public ResultDetail() { - setIsAllowed(false); - setPolicyId(RangerPolicyEngine.UNKNOWN_POLICY); - setReason(null); - } - - /** - * @return the isAllowed - */ - public boolean isAllowed() { - return isAllowed; - } - - /** - * @param isAllowed the isAllowed to set - */ - public void setIsAllowed(boolean isAllowed) { - this.isAllowed = isAllowed; - } - - /** - * @return the policyId - */ - public long getPolicyId() { - return policyId; - } - - /** - * @param policyId the policyId to set - */ - public void setPolicyId(long policyId) { - this.policyId = policyId; - } - - /** - * @return the reason - */ - public String getReason() { - return reason; - } - - /** - * @param reason the reason to set - */ - public void setReason(String reason) { - this.reason = reason; - } - - @Override - public boolean equals(Object obj) { - boolean ret = false; - - if(obj != null && (obj instanceof ResultDetail)) { - ResultDetail other = (ResultDetail)obj; - - ret = (this == other); - - if(! ret) { - ret = this.isAllowed == other.isAllowed && - this.policyId == other.policyId && - StringUtils.equals(this.reason, other.reason); - } - } - - return ret; - } - - @Override - public int hashCode() { - int ret = 7; - - ret = 31 * ret + (isAllowed ? 
1 : 0);
- ret = 31 * ret + (int)policyId;
- ret = 31 * ret + (reason == null ? 0 : reason.hashCode());
-
- return ret;
- }
-
- @Override
- public String toString( ) {
- StringBuilder sb = new StringBuilder();
-
- toString(sb);
-
- return sb.toString();
- }
-
- public StringBuilder toString(StringBuilder sb) {
- sb.append("isAllowed={").append(isAllowed).append("} ");
- sb.append("policyId={").append(policyId).append("} ");
- sb.append("reason={").append(reason).append("} ");
-
- return sb;
- }
- }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index e18c63e..14d0c92 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -24,6 +24,7 @@ import java.util.Collection;
 import java.util.List;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.audit.RangerAuditHandler;
@@ -184,21 +185,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerAccessResult ret = createAccessResult(request); if(request != null) { - if(CollectionUtils.isEmpty(request.getAccessTypes())) { - request.getAccessTypes().add(ANY_ACCESS); - } - - for(String accessType : request.getAccessTypes()) { - ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail()); - } - List<RangerPolicyEvaluator> evaluators = policyEvaluators; if(evaluators != null) { for(RangerPolicyEvaluator evaluator : evaluators) { evaluator.evaluate(request, ret); - if(ret.getIsAudited() && ret.getResult() == RangerAccessResult.Result.ALLOWED) { + // stop once allowed=true && audited==true + if(ret.getIsAllowed() && ret.getIsAudited()) { break; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 7fea4b6..cc1ee1e 100644 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 
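Review bot: The engine no longer normalises a missing access type here (the removed `request.getAccessTypes().add(ANY_ACCESS)`); that defaulting now lives only in RangerDefaultPolicyEvaluator, so any other `RangerPolicyEvaluator` implementation receives the raw, possibly empty, `accessType` and must repeat the fallback itself. Either keep a single normalisation point in the engine or document the contract on the evaluator interface. The new early-exit comment should also say why both flags are required, since the reason is not obvious: `// keep evaluating after an allow until a matching policy also enables audit; the default evaluator only ever sets isAllowed to true, so once both are set no later policy can change the result`. That last clause holds for the visible default evaluator, which never calls `setIsAllowed(false)`; if a deny-capable evaluator is ever added this loop must revisit the break. The enclosing method starts and ends outside the hunk.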
@@ -92,74 +92,57 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if(policy != null && request != null && result != null) { boolean isResourceMatch = matchResource(request.getResource()); boolean isResourceHeadMatch = isResourceMatch || matchResourceHead(request.getResource()); + String accessType = request.getAccessType(); - if(isResourceMatch && policy.getIsAuditEnabled()) { - result.setIsAudited(true); + if(StringUtils.isEmpty(accessType)) { + accessType = RangerPolicyEngine.ANY_ACCESS; } - for(RangerPolicyItem policyItem : policy.getPolicyItems()) { - boolean isUserGroupMatch = matchUserGroup(policyItem, request.getUser(), request.getUserGroups()); - boolean isCustomConditionsMatch = matchCustomConditions(policyItem, request); + boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS); - if(! isCustomConditionsMatch) { - continue; + if(isResourceMatch || (isResourceHeadMatch && isAnyAccess)) { + if(policy.getIsAuditEnabled()) { + result.setIsAudited(true); } - for(String accessType : request.getAccessTypes()) { - RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType); - - // are we done with this accessType? - if(accessResult.isAllowed()) { - continue; + for(RangerPolicyItem policyItem : policy.getPolicyItems()) { + if(result.getIsAllowed()) { + break; } - boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS); - - // partial match is only for "any" access - if(!isResourceMatch) { - if(!isResourceHeadMatch || !isAnyAccess) { - continue; - } + if(CollectionUtils.isEmpty(policyItem.getAccesses())) { + continue; } - if(policy.getIsAuditEnabled()) { - result.setIsAudited(true); - } + boolean isUserGroupMatch = matchUserGroup(policyItem, request.getUser(), request.getUserGroups()); - if(!isUserGroupMatch) { + if(! 
isUserGroupMatch) { continue; } - if(CollectionUtils.isEmpty(policyItem.getAccesses())) { + boolean isCustomConditionsMatch = matchCustomConditions(policyItem, request); + + if(! isCustomConditionsMatch) { continue; } - + if(isAnyAccess) { for(RangerPolicyItemAccess access : policyItem.getAccesses()) { - if(!accessResult.isAllowed() && access.getIsAllowed()) { - accessResult.setIsAllowed(true); - accessResult.setPolicyId(policy.getId()); + if(access.getIsAllowed()) { + result.setIsAllowed(true); + result.setPolicyId(policy.getId()); + break; } - - break; } } else { RangerPolicyItemAccess access = getAccess(policyItem, accessType); - if(access == null) { - continue; - } - - if(!accessResult.isAllowed() && access.getIsAllowed()) { - accessResult.setIsAllowed(true); - accessResult.setPolicyId(policy.getId()); + if(access != null && access.getIsAllowed()) { + result.setIsAllowed(true); + result.setPolicyId(policy.getId()); } } } - - if(result.getIsAudited() && result.getResult() == RangerAccessResult.Result.ALLOWED) { - break; - } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index 5462b7e..f940c30 100644 --- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 
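Review bot: Defaulting an empty `request.getAccessType()` to `RangerPolicyEngine.ANY_ACCESS` makes a missing access type the most permissive case: it matches any allowed access in a policy item and, via `isResourceHeadMatch`, also resource-prefix matches, so a plugin that forgets to set the access type is granted rather than denied. The hive "use default" fixtures rely on this, so if it is intended it should be stated at the fallback, e.g. `// empty accessType means "any access" (hive USE db): matches any allowed access, including resource-prefix matches; callers must set a concrete accessType for every real operation`. Note also that `result.setIsAudited(true)` is now set for a head-match/any-access policy before any policy item is examined, whereas previously that case required the item's custom conditions to match first; a one-line comment would make that widening of audit explicit. The enclosing `evaluate` method starts before this hunk.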
@@ -103,8 +103,9 @@ public class TestPolicyEngine { RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null); assertNotNull(test.name, result); + assertEquals(test.name, expected.getIsAllowed(), result.getIsAllowed()); assertEquals(test.name, expected.getIsAudited(), result.getIsAudited()); - assertEquals(test.name, expected.getAccessTypeResults(), result.getAccessTypeResults()); + assertEquals(test.name, expected.getPolicyId(), result.getPolicyId()); } } catch(Throwable excp) { excp.printStackTrace(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json index 270f687..35768cb 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hbase.json 
@@ -46,113 +46,113 @@ {"name":"ALLOW 'scan finance restricted-cf;' for finance", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["read"],"user":"user1","userGroups":["users","finance"],"requestData":"scan finance restricted-cf" + "accessType":"read","user":"user1","userGroups":["users","finance"],"requestData":"scan finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'put finance restricted-cf;' for finance", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["write"],"user":"user1","userGroups":["users","finance"],"requestData":"put finance restricted-cf" + "accessType":"write","user":"user1","userGroups":["users","finance"],"requestData":"put finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"write":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"DENY 'create finance restricted-cf;' for finance", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","finance"],"requestData":"create finance restricted-cf" + "accessType":"create","user":"user1","userGroups":["users","finance"],"requestData":"create finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'grant finance restricted-cf;' for finance", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["admin"],"user":"user1","userGroups":["users","finance"],"requestData":"grant finance restricted-cf" + "accessType":"admin","user":"user1","userGroups":["users","finance"],"requestData":"grant 
finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"admin":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'scan finance restricted-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["read"],"user":"user1","userGroups":["users"],"requestData":"scan finance restricted-cf" + "accessType":"read","user":"user1","userGroups":["users"],"requestData":"scan finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'put finance restricted-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["write"],"user":"user1","userGroups":["users"],"requestData":"put finance restricted-cf" + "accessType":"write","user":"user1","userGroups":["users"],"requestData":"put finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"write":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'create finance restricted-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create finance restricted-cf" + "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'grant finance restricted-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["admin"],"user":"user1","userGroups":["users"],"requestData":"grant finance restricted-cf" 
+ "accessType":"admin","user":"user1","userGroups":["users"],"requestData":"grant finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"admin":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'scan finance restricted-cf;' for finance-admin", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["read"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"scan finance restricted-cf" + "accessType":"read","user":"user1","userGroups":["users","finance-admin"],"requestData":"scan finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'put finance restricted-cf;' for finance-admin", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["write"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"put finance restricted-cf" + "accessType":"write","user":"user1","userGroups":["users","finance-admin"],"requestData":"put finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"write":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'create finance restricted-cf;' for finance-admin", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"create finance restricted-cf" + "accessType":"create","user":"user1","userGroups":["users","finance-admin"],"requestData":"create finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'grant finance restricted-cf;' for 
finance-admin", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["admin"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"grant finance restricted-cf" + "accessType":"admin","user":"user1","userGroups":["users","finance-admin"],"requestData":"grant finance restricted-cf" }, - "result":{"isAudited":true,"accessTypeResults":{"admin":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'scan finance regular-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, - "accessTypes":["read"],"user":"user1","userGroups":["users"],"requestData":"scan finance regular-cf" + "accessType":"read","user":"user1","userGroups":["users"],"requestData":"scan finance regular-cf" }, - "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":true,"policyId":3}}} + "result":{"isAudited":false,"isAllowed":true,"policyId":3} } , {"name":"DENY 'put finance regular-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, - "accessTypes":["write"],"user":"user1","userGroups":["users"],"requestData":"put finance regular-cf" + "accessType":"write","user":"user1","userGroups":["users"],"requestData":"put finance regular-cf" }, - "result":{"isAudited":false,"accessTypeResults":{"write":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} } ] } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json index 0ede13d..943fe80 100644 
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json 
@@ -41,107 +41,115 @@ {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance", "request":{ "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db" + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":true,"policyId":3}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":3} } , {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance", "request":{ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db" + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":true,"policyId":3}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":3} } , {"name":"DENY 'read /operations/visitors.db' for g=finance", "request":{ "resource":{"elements":{"path":"/operations/visitors.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db" + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db" }, - "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance", "request":{ "resource":{"elements":{"path":"/public/technology/blogs.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db" + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db" }, - 
"result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":false,"isAllowed":true,"policyId":2} } , {"name":"DENY 'read /finance/restricted/sales.db' for g=hr", "request":{ "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db" + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr", "request":{ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db" + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'read /operations/visitors.db' for g=hr", "request":{ "resource":{"elements":{"path":"/operations/visitors.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db" + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db" }, - "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr", "request":{ "resource":{"elements":{"path":"/public/technology/blogs.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db" + 
"accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db" }, - "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":false,"isAllowed":true,"policyId":2} } , {"name":"DENY 'read /finance/restricted/sales.db' for u=user1", "request":{ "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db" + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1", "request":{ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db" + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db" }, - "result":{"isAudited":true,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'read /operations/visitors.db' for u=user1", "request":{ "resource":{"elements":{"path":"/operations/visitors.db"}}, - "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /operations/visitors.db" + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /operations/visitors.db" }, - "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1", "request":{ "resource":{"elements":{"path":"/public/technology/blogs.db"}}, - 
"accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" }, - "result":{"isAudited":false,"accessTypeResults":{"read":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":false,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'read /public/technology' for u=user1", "request":{ "resource":{"elements":{"path":"/public/technology/blogs.db"}}, - "accessTypes":["read","execute"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" }, - "result":{"isAudited":false,"accessTypeResults":{"execute":{"isAllowed":true,"policyId":2},"read":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'read /public/technology' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"execute","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} } ] } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1201f2e3/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json ---------------------------------------------------------------------- diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json index 3fa7cf4..2ac90ae 100644 --- a/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json +++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hive.json 
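Review bot: The two new cases at the end of the file both carry the name `"ALLOW 'read /public/technology' for u=user1"`, and the second one, which requests `"accessType":"execute"`, still says `"requestData":"read /public/technology/blogs.db"`. TestPolicyEngine uses `test.name` as the assertion message, so a failure in either case cannot be told apart. Rename the second to `"name":"ALLOW 'execute /public/technology/blogs.db' for u=user1"` and set its requestData to `"execute /public/technology/blogs.db"`; the first name could likewise mention `blogs.db`, since that is the path actually requested.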
@@ -44,217 +44,217 @@ {"name":"ALLOW 'use default;' for user1", "request":{ "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default" + "accessType":"","user":"user1","userGroups":["users"],"requestData":"use default" }, - "result":{"isAudited":true,"accessTypeResults":{"_any":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'use default;' for user2", "request":{ "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default" + "accessType":"","user":"user2","userGroups":["users"],"requestData":"use default" }, - "result":{"isAudited":true,"accessTypeResults":{"_any":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"DENY 'use default;' to user3", "request":{ "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default" + "accessType":"","user":"user3","userGroups":["users"],"requestData":"use default" }, - "result":{"isAudited":true,"accessTypeResults":{"_any":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'use default;' to group1", "request":{ "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use default" + "accessType":"","user":"user3","userGroups":["users", "group1"],"requestData":"use default" }, - "result":{"isAudited":true,"accessTypeResults":{"_any":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'use default;' to group2", "request":{ "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use default" + 
"accessType":"","user":"user3","userGroups":["users", "group2"],"requestData":"use default" }, - "result":{"isAudited":true,"accessTypeResults":{"_any":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"DENY 'use default;' to user3/group3", "request":{ "resource":{"elements":{"database":"default"}}, - "accessTypes":[],"user":"user3","userGroups":["users", "group3"],"requestData":"use default" + "accessType":"","user":"user3","userGroups":["users", "group3"],"requestData":"use default" }, - "result":{"isAudited":true,"accessTypeResults":{"_any":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'use finance;' to user3/group3", "request":{ "resource":{"elements":{"database":"finance"}}, - "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance" + "accessType":"","user":"user1","userGroups":["users"],"requestData":"use finance" }, - "result":{"isAudited":false,"accessTypeResults":{"_any":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'select col1 from default.testtable;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" + "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'select col1 from default.testtable;' to user2", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" + 
"accessType":"select","user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"DENY 'select col1 from default.testtable;' to user3", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" + "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" }, - "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'select col1 from default.testtable;' to group1", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" + "accessType":"select","user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" }, - "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'select col1 from default.testtable;' to group2", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" + "accessType":"select","user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" }, - "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"DENY 'select col1 from 
default.testtable;' to user3/group3", "request":{ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" + "accessType":"select","user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable" }, - "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'select col1 from default.table1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, - "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" + "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1" }, - "result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'create table default.testtable1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" + "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'create table default.testtable1;' to user1/group1", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1" + "accessType":"create","user":"user1","userGroups":["users","group1"],"requestData":"create table 
default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'create table default.testtable1;' to admin", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["create"],"user":"admin","userGroups":["users"],"requestData":"create table default.testtable1" + "accessType":"create","user":"admin","userGroups":["users"],"requestData":"create table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'create table default.testtable1;' to user1/admin", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" + "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"DENY 'drop table default.testtable1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" + "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'drop table default.testtable1;' to user1/group1", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - 
"accessTypes":["drop"],"user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1" + "accessType":"drop","user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'drop table default.testtable1;' to admin", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["drop"],"user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1" + "accessType":"drop","user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'drop table default.testtable1;' to user1/admin", "request":{ "resource":{"elements":{"database":"default","table":"testtable1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" + "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"DENY 'create table default.table1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" + "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'create table 
default.table1;' to user1/admin", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" + "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"create":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'drop table default.table1;' to user1", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" + "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'drop table default.table1;' to user1/admin", "request":{ "resource":{"elements":{"database":"default","table":"table1"}}, - "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" + "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1" }, - "result":{"isAudited":true,"accessTypeResults":{"drop":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'select col1 from default.table1;' to user3", "request":{ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}}, - "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1" + "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1" }, - 
"result":{"isAudited":true,"accessTypeResults":{"select":{"isAllowed":false,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } ] }
