http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
new file mode 100644
index 0000000..f1c8adf
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+
+import java.util.Date;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.codehaus.jackson.annotate.JsonAutoDetect;
+import org.codehaus.jackson.annotate.JsonIgnoreProperties;
+import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility;
+import org.codehaus.jackson.map.annotate.JsonSerialize;
+
+@JsonAutoDetect(getterVisibility=Visibility.NONE, setterVisibility=Visibility.NONE, fieldVisibility=Visibility.ANY)
+@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL )
+@JsonIgnoreProperties(ignoreUnknown=true)
+@XmlRootElement
+@XmlAccessorType(XmlAccessType.FIELD)
+public class ServicePolicies implements java.io.Serializable {
+ private static final long serialVersionUID = 1L;
+
+ private String serviceName;
+ private Long serviceId;
+ private RangerServiceDef serviceDef;
+ private Long policyVersion;
+ private Date policyUpdateTime;
+ private List<RangerPolicy> policies;
+
+
+ /**
+ * @return the serviceName
+ */
+ public String getServiceName() {
+ return serviceName;
+ }
+ /**
+ * @param serviceName the serviceName to set
+ */
+ public void setServiceName(String serviceName) {
+ this.serviceName = serviceName;
+ }
+ /**
+ * @return the serviceId
+ */
+ public Long getServiceId() {
+ return serviceId;
+ }
+ /**
+ * @param serviceId the serviceId to set
+ */
+ public void setServiceId(Long serviceId) {
+ this.serviceId = serviceId;
+ }
+ /**
+ * @return the serviceDef
+ */
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
+ }
+ /**
+ * @param serviceDef the serviceDef to set
+ */
+ public void setServiceDef(RangerServiceDef serviceDef) {
+ this.serviceDef = serviceDef;
+ }
+ /**
+ * @return the policyVersion
+ */
+ public Long getPolicyVersion() {
+ return policyVersion;
+ }
+ /**
+ * @param policyVersion the policyVersion to set
+ */
+ public void setPolicyVersion(Long policyVersion) {
+ this.policyVersion = policyVersion;
+ }
+ /**
+ * @return the policyUpdateTime
+ */
+ public Date getPolicyUpdateTime() {
+ return policyUpdateTime;
+ }
+ /**
+ * @param policyUpdateTime the policyUpdateTime to set
+ */
+ public void setPolicyUpdateTime(Date policyUpdateTime) {
+ this.policyUpdateTime = policyUpdateTime;
+ }
+ /**
+ * @return the policies
+ */
+ public List<RangerPolicy> getPolicies() {
+ return policies;
+ }
+ /**
+ * @param policies the policies to set
+ */
+ public void setPolicies(List<RangerPolicy> policies) {
+ this.policies = policies;
+ }
+}
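Review bot: `getPolicyUpdateTime()` and `setPolicyUpdateTime()` return and store the same mutable `java.util.Date`, and `getPolicies()`/`setPolicies()` do the same with the policy list, so any caller that keeps a reference can change the timestamp or the policy set after the object has been handed on. For an object that carries a service's authorization policies I would copy the date in both directions, e.g. `return policyUpdateTime == null ? null : new Date(policyUpdateTime.getTime());`, and either copy the list or state in a class-level Javadoc that instances must not be modified once published. The class also has no Javadoc saying what `policyVersion` and `policyUpdateTime` mean to a consumer; the generated `@return the ...` comments do not cover that.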
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-hbase.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
new file mode 100644
index 0000000..e04ee15
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
@@ -0,0 +1,50 @@
+{
+ "id":2,
+ "name":"hbase",
+ "implClass":"org.apache.ranger.services.hbase.RangerServiceHBase",
+ "label":"HBase",
+ "description":"HBase",
+ "guid":"d6cea1f0-2509-4791-8fc1-7b092399ba3b",
+ "createTime":"20141208-22:50:22.426--0800",
+ "updateTime":"20141208-22:50:22.426--0800",
+ "version":1,
+ "enums":
+ [
+ {
+ "name":"authnType",
+ "elements":
+ [
+ {"name":"simple", "label":"Simple"},
+ {"name":"kerberos","label":"Kerberos"}
+ ],
+ "defaultIndex":0
+ }
+ ],
+ "configs":
+ [
+ {"name":"username", "type":"string", "subType":"", "mandatory":true, "label":"Username"},
+ {"name":"password", "type":"password","subType":"", "mandatory":true, "label":"Password"},
+ {"name":"hadoop.security.authentication", "type":"enum", "subType":"authnType","mandatory":true, "defaultValue":"simple"},
+ {"name":"hbase.master.kerberos.principal", "type":"string", "subType":"", "mandatory":false,"defaultValue":""},
+ {"name":"hbase.security.authentication", "type":"enum", "subType":"authnType","mandatory":true, "defaultValue":"simple"},
+ {"name":"hbase.zookeeper.property.clientPort","type":"int", "subType":"", "mandatory":true, "defaultValue":"2181"},
+ {"name":"hbase.zookeeper.quorum", "type":"string", "subType":"", "mandatory":true, "defaultValue":""},
+ {"name":"zookeeper.znode.parent", "type":"string", "subType":"", "mandatory":true, "defaultValue":"/hbase"}
+ ],
+ "resources":
+ [
+ {"name":"table", "type":"string","level":1,"parent":"", "mandatory":true,"lookupSupported":true, "recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Table","description":"HBase Table"},
+ {"name":"column-family","type":"string","level":2,"parent":"table", "mandatory":true,"lookupSupported":true, "recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column-family","description":"HBase Column-family"},
+ {"name":"column", "type":"string","level":3,"parent":"column-family","mandatory":true,"lookupSupported":false,"recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column","description":"HBase Column"}
+ ],
+ "accessTypes":
+ [
+ {"name":"read", "label":"Read"},
+ {"name":"write", "label":"Write"},
+ {"name":"create","label":"Create"},
+ {"name":"admin", "label":"Admin","impliedGrants":["read","write","create"]}
+ ],
+ "policyConditions":
+ [
+ ]
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
new file mode 100644
index 0000000..cf8f008
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
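Review bot: Every resource in ranger-servicedef-hbase.json sets `matcherOptions` to `wildCard=true;ignoreCase=true`, but HBase table, column-family and column names are case-sensitive, so a policy written for one name would presumably also match a different object whose name differs only in case. Assuming `RangerDefaultResourceMatcher` honours the option as its name suggests (the matcher is not part of this hunk), I would use `"matcherOptions":"wildCard=true;ignoreCase=false"` for these three resources. The same option string is set on the `path` resource in ranger-servicedef-hdfs.json, where paths are also case-sensitive, and on the knox and storm resources, which deserve the same check.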
@@ -0,0 +1,60 @@
+{
+ "id":1,
+ "name":"hdfs",
+ "implClass":"org.apache.ranger.services.hdfs.RangerServiceHdfs",
+ "label":"HDFS Repository",
+ "description":"HDFS Repository",
+ "guid":"0d047247-bafe-4cf8-8e9b-d5d377284b2d",
+ "createTime":"20141208-22:04:25.233--0800",
+ "updateTime":"20141208-22:04:25.233--0800",
+ "version":1,
+ "enums":
+ [
+ {
+ "name":"authnType",
+ "elements":
+ [
+ {"name":"simple", "label":"Simple"},
+ {"name":"kerberos","label":"Kerberos"}
+ ],
+ "defaultIndex":0
+ },
+ {
+ "name":"rpcProtection",
+ "elements":
+ [
+ {"name":"authentication","label":"Authentication"},
+ {"name":"integrity", "label":"Integrity"},
+ {"name":"privacy", "label":"Privacy"}
+ ],
+ "defaultIndex":0
+ },
+ ],
+ "configs":
+ [
+ {"name":"username", "type":"string", "subType":"", "mandatory":true, "label":"Username"},
+ {"name":"password", "type":"password","subType":"", "mandatory":true, "label":"Password"},
+ {"name":"fs.default.name", "type":"string", "subType":"", "mandatory":true, "label":"Namenode URL"},
+ {"name":"hadoop.security.authorization", "type":"bool", "subType":"TrueFalse", "mandatory":true, "defaultValue":"false"},
+ {"name":"hadoop.security.authentication", "type":"enum", "subType":"authnType", "mandatory":true, "defaultValue":"simple"},
+ {"name":"hadoop.security.auth_to_local", "type":"string", "subType":"", "mandatory":false},
+ {"name":"dfs.datanode.kerberos.principal", "type":"string", "subType":"", "mandatory":false},
+ {"name":"dfs.namenode.kerberos.principal", "type":"string", "subType":"", "mandatory":false},
+ {"name":"dfs.secondary.namenode.kerberos.principal","type":"string", "subType":"", "mandatory":false},
+ {"name":"hadoop.rpc.protection", "type":"enum", "subType":"rpcProtection","mandatory":false,"defaultValue":"authentication"},
+ {"name":"certificate.cn", "type":"string", "subType":"", "mandatory":false,"label":"Common Name for Certificate"}
+ ],
+ "resources":
+ [
+ {"name":"path","type":"path","level":1,"parent":"","mandatory":true,"lookupSupported":true,"recursiveSupported":true,"excludesSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Resource Path","description":"HDFS file or directory path"}
+ ],
+ "accessTypes":
+ [
+ {"name":"read","label":"Read"},
+ {"name":"write","label":"Write"},
+ {"name":"execute","label":"Execute"}
+ ],
+ "policyConditions":
+ [
+ ]
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
new file mode 100644
index 0000000..6414fe3
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
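Review bot: The `enums` array in ranger-servicedef-hdfs.json ends with a trailing comma (`},` after the `rpcProtection` entry, directly followed by `],`), which is not valid JSON. A strict parser will reject the file, and a lenient one may read the gap as a null element, leaving a null entry in the enum list for later code to trip over. Drop the comma so the entry closes with `}` before `],`. Separately, `hadoop.security.authorization` uses `"subType":"TrueFalse"` but no enum of that name is defined in this file; if sub-types are resolved against `enums`, that reference needs a definition or should be left empty like the other non-enum configs.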
@@ -0,0 +1,43 @@
+{
+ "id":3,
+ "name":"hive",
+ "implClass":"org.apache.ranger.services.hive.RangerServiceHive",
+ "label":"Hive Server2",
+ "description":"Hive Server2",
+ "guid":"3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
+ "createTime":"20141208-22:51:20.732--0800",
+ "updateTime":"20141208-22:51:20.732--0800",
+ "version":1,
+ "enums":
+ [
+ ],
+ "configs":
+ [
+ {"name":"username", "type":"string", "mandatory":true, "label":"Username"},
+ {"name":"password", "type":"password","mandatory":true, "label":"Password"},
+ {"name":"jdbc.driverClassName","type":"string", "mandatory":true, "defaultValue":"org.apache.hive.jdbc.HiveDriver"},
+ {"name":"jdbc.url", "type":"string", "mandatory":true, "defaultValue":""},
+ {"name":"certificate.cn", "type":"string", "mandatory":false,"label":"Common Name for Certificate"}
+ ],
+ "resources":
+ [
+ {"name":"database","type":"string","level":1,"parent":"", "mandatory":true,"lookupSupported":true,"recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Database","description":"Hive Database"},
+ {"name":"table", "type":"string","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Table","description":"Hive Table"},
+ {"name":"udf", "type":"string","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive UDF","description":"Hive UDF"},
+ {"name":"column", "type":"string","level":3,"parent":"table", "mandatory":true,"lookupSupported":true,"recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"}
+ ],
+ "accessTypes":
+ [
+ {"name":"select","label":"select"},
+ {"name":"update","label":"update"},
+ {"name":"create","label":"Create"},
+ {"name":"drop", "label":"Drop"},
+ {"name":"alter", "label":"Alter"},
+ {"name":"index", "label":"Index"},
+ {"name":"lock", "label":"Lock"},
+ {"name":"all", "label":"All"}
+ ],
+ "policyConditions":
+ [
+ ]
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/main/resources/service-defs/ranger-servicedef-knox.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-knox.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-knox.json
new file mode 100644
index 0000000..f6a7157
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-knox.json
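Review bot: The `all` access type in ranger-servicedef-hive.json is declared without `impliedGrants`, whereas `admin` in ranger-servicedef-hbase.json lists the access types it implies. Unless the policy engine special-cases the name, a policy that grants `all` would not satisfy a request for `select` or `drop`, which is not what the label tells the policy author. I would spell it out: `{"name":"all", "label":"All", "impliedGrants":["select","update","create","drop","alter","index","lock"]}`.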
@@ -0,0 +1,34 @@
+{
+ "id":5,
+ "name":"knox",
+ "implClass":"org.apache.ranger.services.knox.RangerServiceKnox",
+ "label":"Knox Gateway",
+ "description":"Knox Gateway",
+ "guid":"84b481b5-f23b-4f71-b8b6-ab33977149ca",
+ "createTime":"20141208-22:48:42.238--0800",
+ "updateTime":"20141208-22:48:42.238--0800",
+ "version":1,
+ "enums":
+ [
+ ],
+ "configs":
+ [
+ {"name":"username", "type":"string", "mandatory":true, "label":"Username"},
+ {"name":"password", "type":"password","mandatory":true, "label":"Password"},
+ {"name":"knox.url", "type":"string", "mandatory":true, "defaultValue":""},
+ {"name":"certificate.cn","type":"string", "mandatory":false,"label":"Common Name for Certificate"}
+ ],
+ "resources":
+ [
+ {"name":"topology","type":"string","level":1,"parent":"", "mandatory":true,"lookupSupported":true,"recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Knox Topology","description":"Knox Topology"},
+ {"name":"service", "type":"string","level":2,"parent":"topology","mandatory":true,"lookupSupported":true,"recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Knox Service","description":"Knox Service"}
+ ],
+ "accessTypes":
+ [
+ {"name":"allow","label":"Allow"}
+ ],
+ "policyConditions":
+ [
+ {"name":"ip-range","evaluator":"org.apache.ranger.knox.IpRangeCondition","evaluatorOptions":"","label":"IP Address Range","description":"IP Address Range"}
+ ]
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json
new file mode 100644
index 0000000..fce10c0
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-storm.json
@@ -0,0 +1,46 @@
+{
+ "id":6,
+ "name":"storm",
+ "implClass":"org.apache.ranger.services.storm.RangerServiceStorm",
+ "label":"Storm",
+ "description":"Storm",
+ "guid":"2a60f427-edcf-4e20-834c-a9a267b5b963",
+ "createTime":"20141208-22:55:47.095--0800",
+ "updateTime":"20141208-22:55:47.095--0800",
+ "version":1,
+ "enums":
+ [
+ ],
+ "configs":
+ [
+ {"name":"username", "type":"string", "mandatory":true, "label":"Username"},
+ {"name":"password", "type":"password","mandatory":true, "label":"Password"},
+ {"name":"nimbus.url", "type":"string", "mandatory":true, "label":"Nimbus URL","defaultValue":""},
+ {"name":"certificate.cn","type":"string", "mandatory":false,"label":"Common Name for Certificate"}
+ ],
+ "resources":
+ [
+ {"name":"topology","type":"string","level":1,"mandatory":true,"lookupSupported":true,"recursiveSupported":false,"excludesSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Storm Topology","description":"Storm Topology"}
+ ],
+ "accessTypes":
+ [
+ {"name":"topology-submit", "label":"Submit Topology"},
+ {"name":"file-upload", "label":"File Upload"},
+ {"name":"nimbus-conf-get", "label":"Get Nimbus Conf"},
+ {"name":"cluster-conf-get", "label":"Get Cluster Conf"},
+ {"name":"cluster-info-get", "label":"Get Cluster Info"},
+ {"name":"file-download", "label":"File Download"},
+ {"name":"topology-kill", "label":"Kill Topology"},
+ {"name":"rebalance", "label":"Rebalance"},
+ {"name":"activate", "label":"Activate"},
+ {"name":"deactivate", "label":"Deactivate"},
+ {"name":"topology-conf-get", "label":"Get Topology Conf"},
+ {"name":"topology-get", "label":"Get Topology"},
+ {"name":"topology-user-get", "label":"Get User Topology"},
+ {"name":"topology-info-get", "label":"Get Topology Info"},
+ {"name":"new-credential-upload","label":"Upload New Credential"}
+ ],
+ "policyConditions":
+ [
+ ]
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java new file mode 100644 index 0000000..f940c30 --- /dev/null +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 
@@ -0,0 +1,145 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.policyengine; + +import static org.junit.Assert.*; + +import java.io.InputStream; +import java.io.InputStreamReader; +import java.lang.reflect.Type; +import java.util.List; + +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.google.gson.JsonDeserializationContext; +import com.google.gson.JsonDeserializer; +import com.google.gson.JsonElement; +import com.google.gson.JsonParseException; + + +public class TestPolicyEngine { + static RangerPolicyEngineImpl policyEngine = null; + static Gson gsonBuilder = null; + + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + policyEngine = new RangerPolicyEngineImpl(); + gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") + .setPrettyPrinting() + .registerTypeAdapter(RangerAccessRequest.class, new 
RangerAccessRequestDeserializer()) + .registerTypeAdapter(RangerResource.class, new RangerResourceDeserializer()) + .create(); + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Test + public void testPolicyEngine_hdfs() { + String[] hdfsTestResourceFiles = { "/policyengine/test_policyengine_hdfs.json" }; + + runTestsFromResourceFiles(hdfsTestResourceFiles); + } + + @Test + public void testPolicyEngine_hive() { + String[] hiveTestResourceFiles = { "/policyengine/test_policyengine_hive.json" }; + + runTestsFromResourceFiles(hiveTestResourceFiles); + } + + @Test + public void testPolicyEngine_hbase() { + String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase.json" }; + + runTestsFromResourceFiles(hbaseTestResourceFiles); + } + + private void runTestsFromResourceFiles(String[] resourceNames) { + for(String resourceName : resourceNames) { + InputStream inStream = this.getClass().getResourceAsStream(resourceName); + InputStreamReader reader = new InputStreamReader(inStream); + + runTests(reader, resourceName); + } + } + + private void runTests(InputStreamReader reader, String testName) { + try { + PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class); + + assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null); + + policyEngine.setPolicies(testCase.serviceName, testCase.serviceDef, testCase.policies); + + for(TestData test : testCase.tests) { + RangerAccessResult expected = test.result; + RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null); + + assertNotNull(test.name, result); + assertEquals(test.name, expected.getIsAllowed(), result.getIsAllowed()); + assertEquals(test.name, expected.getIsAudited(), result.getIsAudited()); + assertEquals(test.name, expected.getPolicyId(), result.getPolicyId()); + } + } catch(Throwable excp) { + excp.printStackTrace(); + } + + } + 
+ static class PolicyEngineTestCase { + public String serviceName; + public RangerServiceDef serviceDef; + public List<RangerPolicy> policies; + public List<TestData> tests; + + class TestData { + public String name; + public RangerAccessRequest request; + public RangerAccessResult result; + } + } + + static class RangerAccessRequestDeserializer implements JsonDeserializer<RangerAccessRequest> { + @Override + public RangerAccessRequest deserialize(JsonElement jsonObj, Type type, + JsonDeserializationContext context) throws JsonParseException { + return gsonBuilder.fromJson(jsonObj, RangerAccessRequestImpl.class); + } + } + + static class RangerResourceDeserializer implements JsonDeserializer<RangerResource> { + @Override + public RangerResource deserialize(JsonElement jsonObj, Type type, + JsonDeserializationContext context) throws JsonParseException { + return gsonBuilder.fromJson(jsonObj, RangerResourceImpl.class); + } + } +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java new file mode 100644 index 0000000..4771085 --- /dev/null +++ b/agents-common/src/test/java/org/apache/ranger/plugin/store/TestServiceStore.java 
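Review bot: `runTests` wraps its whole body in `catch(Throwable excp) { excp.printStackTrace(); }`, and JUnit assertion failures are `AssertionError`s, so a wrong allow/deny decision from `isAccessAllowed` is only printed and the test still passes. For tests that guard authorization decisions this hides regressions; remove the try/catch, or keep it and rethrow with `throw new AssertionError(testName + ": " + excp);`. In `runTestsFromResourceFiles`, `getResourceAsStream` returns null for a missing resource, and the `InputStreamReader` is created without a charset and never closed; an `assertNotNull(resourceName, inStream)` before building the reader, an explicit UTF-8 charset, and closing the reader in a `finally` block would cover that.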
@@ -0,0 +1,248 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.store; + +import static org.junit.Assert.*; + +import java.util.List; + +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; +import org.apache.ranger.plugin.model.RangerService; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.store.ServiceStore; +import org.apache.ranger.plugin.store.ServiceStoreFactory; +import org.apache.ranger.plugin.util.SearchFilter; +import org.apache.ranger.plugin.util.ServicePolicies; +import org.junit.BeforeClass; +import org.junit.Test; + +public class TestServiceStore { + static ServiceStore svcStore = null; + static SearchFilter filter = null; + + static final String sdName = "svcDef-unit-test-TestServiceStore"; + static final String serviceName = "svc-unit-test-TestServiceStore"; + static final String policyName = "testPolicy-1"; + + @BeforeClass + public static void setupTest() throws Exception { + svcStore = 
ServiceStoreFactory.instance().getServiceStore(); + + // cleanup if the test service and service-def if they already exist + List<RangerService> services = svcStore.getServices(filter); + for(RangerService service : services) { + if(service.getName().startsWith(serviceName)) { + svcStore.deleteService(service.getId()); + } + } + + List<RangerServiceDef> serviceDefs = svcStore.getServiceDefs(filter); + for(RangerServiceDef serviceDef : serviceDefs) { + if(serviceDef.getName().startsWith(sdName)) { + svcStore.deleteServiceDef(serviceDef.getId()); + } + } + } + + @Test + public void testServiceStore() throws Exception { + String updatedName, updatedDescription; + + List<RangerServiceDef> sds = svcStore.getServiceDefs(filter); + + int initSdCount = sds == null ? 0 : sds.size(); + + RangerServiceDef sd = new RangerServiceDef(sdName, "org.apache.ranger.services.TestService", "TestService", "test servicedef description", null, null, null, null, null); + + RangerServiceDef createdSd = svcStore.createServiceDef(sd); + assertNotNull("createServiceDef() failed", createdSd != null); + + sds = svcStore.getServiceDefs(filter); + assertEquals("createServiceDef() failed", initSdCount + 1, sds == null ? 0 : sds.size()); + + updatedDescription = sd.getDescription() + ": updated"; + createdSd.setDescription(updatedDescription); + RangerServiceDef updatedSd = svcStore.updateServiceDef(createdSd); + assertNotNull("updateServiceDef(updatedDescription) failed", updatedSd); + assertEquals("updateServiceDef(updatedDescription) failed", updatedDescription, updatedSd.getDescription()); + + sds = svcStore.getServiceDefs(filter); + assertEquals("updateServiceDef(updatedDescription) failed", initSdCount + 1, sds == null ? 
0 : sds.size()); + + /* + updatedName = sd.getName() + "-Renamed"; + updatedSd.setName(updatedName); + updatedSd = sdMgr.update(updatedSd); + assertNotNull("updateServiceDef(updatedName) failed", updatedSd); + assertEquals("updateServiceDef(updatedName) failed", updatedName, updatedSd.getName()); + + sds = getAllServiceDef(); + assertEquals("updateServiceDef(updatedName) failed", initSdCount + 1, sds == null ? 0 : sds.size()); + */ + + List<RangerService> services = svcStore.getServices(filter); + + int initServiceCount = services == null ? 0 : services.size(); + + RangerService svc = new RangerService(sdName, serviceName, "test service description", null); + + RangerService createdSvc = svcStore.createService(svc); + assertNotNull("createService() failed", createdSvc); + + services = svcStore.getServices(filter); + assertEquals("createServiceDef() failed", initServiceCount + 1, services == null ? 0 : services.size()); + + updatedDescription = createdSvc.getDescription() + ": updated"; + createdSvc.setDescription(updatedDescription); + RangerService updatedSvc = svcStore.updateService(createdSvc); + assertNotNull("updateService(updatedDescription) failed", updatedSvc); + assertEquals("updateService(updatedDescription) failed", updatedDescription, updatedSvc.getDescription()); + + services = svcStore.getServices(filter); + assertEquals("updateService(updatedDescription) failed", initServiceCount + 1, services == null ? 0 : services.size()); + + updatedName = serviceName + "-Renamed"; + updatedSvc.setName(updatedName); + updatedSvc = svcStore.updateService(updatedSvc); + assertNotNull("updateService(updatedName) failed", updatedSvc); + assertEquals("updateService(updatedName) failed", updatedName, updatedSvc.getName()); + + services = svcStore.getServices(filter); + assertEquals("updateService(updatedName) failed", initServiceCount + 1, services == null ? 
0 : services.size()); + + List<RangerPolicy> policies = svcStore.getPolicies(filter); + + int initPolicyCount = policies == null ? 0 : policies.size(); + + RangerPolicy policy = new RangerPolicy(updatedSvc.getName(), policyName, "test policy description", null, null); + policy.getResources().put("path", new RangerPolicyResource("/demo/test/finance", Boolean.FALSE, Boolean.TRUE)); + + RangerPolicyItem item1 = new RangerPolicyItem(); + item1.getAccesses().add(new RangerPolicyItemAccess("read")); + item1.getAccesses().add(new RangerPolicyItemAccess("write")); + item1.getAccesses().add(new RangerPolicyItemAccess("execute")); + item1.getUsers().add("admin"); + item1.getGroups().add("finance"); + + RangerPolicyItem item2 = new RangerPolicyItem(); + item2.getAccesses().add(new RangerPolicyItemAccess("read")); + item2.getGroups().add("public"); + + policy.getPolicyItems().add(item1); + policy.getPolicyItems().add(item2); + + RangerPolicy createdPolicy = svcStore.createPolicy(policy); + assertNotNull(createdPolicy); + assertNotNull(createdPolicy.getPolicyItems()); + assertEquals(createdPolicy.getPolicyItems().size(), 2); + + RangerPolicyItem createItem1 = createdPolicy.getPolicyItems().get(0); + RangerPolicyItem createItem2 = createdPolicy.getPolicyItems().get(1); + + assertNotNull(createItem1.getAccesses()); + assertEquals(createItem1.getAccesses().size(), 3); + assertNotNull(createItem1.getUsers()); + assertEquals(createItem1.getUsers().size(), 1); + assertNotNull(createItem1.getGroups()); + assertEquals(createItem1.getGroups().size(), 1); + + assertNotNull(createItem2.getAccesses()); + assertEquals(createItem2.getAccesses().size(), 1); + assertNotNull(createItem2.getUsers()); + assertEquals(createItem2.getUsers().size(), 0); + assertNotNull(createItem2.getGroups()); + assertEquals(createItem2.getGroups().size(), 1); + + policies = svcStore.getPolicies(filter); + assertEquals("createPolicy() failed", initPolicyCount + 1, policies == null ? 
0 : policies.size()); + + updatedDescription = policy.getDescription() + ":updated"; + createdPolicy.setDescription(updatedDescription); + RangerPolicy updatedPolicy = svcStore.updatePolicy(createdPolicy); + assertNotNull("updatePolicy(updatedDescription) failed", updatedPolicy != null); + + policies = svcStore.getPolicies(filter); + assertEquals("updatePolicy(updatedDescription) failed", initPolicyCount + 1, policies == null ? 0 : policies.size()); + + updatedName = policyName + "-Renamed"; + updatedPolicy.setName(updatedName); + updatedPolicy = svcStore.updatePolicy(updatedPolicy); + assertNotNull("updatePolicy(updatedName) failed", updatedPolicy); + + policies = svcStore.getPolicies(filter); + assertEquals("updatePolicy(updatedName) failed", initPolicyCount + 1, policies == null ? 0 : policies.size()); + + // rename the service; all the policies for this service should reflect the new service name + updatedName = serviceName + "-Renamed2"; + updatedSvc.setName(updatedName); + updatedSvc = svcStore.updateService(updatedSvc); + assertNotNull("updateService(updatedName2) failed", updatedSvc); + assertEquals("updateService(updatedName2) failed", updatedName, updatedSvc.getName()); + + services = svcStore.getServices(filter); + assertEquals("updateService(updatedName2) failed", initServiceCount + 1, services == null ? 
0 : services.size()); + + updatedPolicy = svcStore.getPolicy(createdPolicy.getId()); + assertNotNull("updateService(updatedName2) failed", updatedPolicy); + assertEquals("updateService(updatedName2) failed", updatedPolicy.getService(), updatedSvc.getName()); + + ServicePolicies svcPolicies = svcStore.getServicePoliciesIfUpdated(updatedSvc.getName(), 0l); + assertNotNull("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies); + assertNotNull("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getPolicies()); + assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getServiceName(), updatedSvc.getName()); + assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getServiceId(), updatedSvc.getId()); + assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getPolicyVersion(), updatedSvc.getPolicyVersion()); + assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getPolicyUpdateTime(), updatedSvc.getPolicyUpdateTime()); + assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getServiceDef().getId(), updatedSd.getId()); + assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getPolicies().size(), 1); + assertEquals("getServicePolicies(" + updatedSvc.getName() + ") failed", svcPolicies.getPolicies().get(0).getName(), updatedPolicy.getName()); + + ServicePolicies updatedPolicies = svcStore.getServicePoliciesIfUpdated(updatedSvc.getName(), svcPolicies.getPolicyVersion()); + assertNotNull(updatedPolicies); + assertEquals(0, updatedPolicies.getPolicies().size()); + + filter = new SearchFilter(); + filter.setParam(SearchFilter.POLICY_NAME, policyName); + policies = svcStore.getPolicies(filter); + assertEquals("getPolicies(filter=origPolicyName) failed", 0, policies == null ? 
0 : policies.size()); + filter = null; + + filter = new SearchFilter(); + filter.setParam(SearchFilter.POLICY_NAME, updatedPolicy.getName()); + policies = svcStore.getPolicies(filter); + assertEquals("getPolicies(filter=origPolicyName) failed", 1, policies == null ? 0 : policies.size()); + filter = null; + + svcStore.deletePolicy(policy.getId()); + policies = svcStore.getPolicies(filter); + assertEquals("deletePolicy() failed", initPolicyCount, policies == null ? 0 : policies.size()); + + svcStore.deleteService(svc.getId()); + services = svcStore.getServices(filter); + assertEquals("deleteService() failed", initServiceCount, services == null ? 0 : services.size()); + + svcStore.deleteServiceDef(sd.getId()); + sds = svcStore.getServiceDefs(filter); + assertEquals("deleteServiceDef() failed", initSdCount, sds == null ? 0 : sds.size()); + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/test/java/org/apache/ranger/plugin/util/TestPolicyRefresher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/util/TestPolicyRefresher.java b/agents-common/src/test/java/org/apache/ranger/plugin/util/TestPolicyRefresher.java new file mode 100644 index 0000000..4cf7e3c --- /dev/null +++ b/agents-common/src/test/java/org/apache/ranger/plugin/util/TestPolicyRefresher.java 
@@ -0,0 +1,183 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.util; + +import static org.junit.Assert.*; + +import java.util.List; + +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerService; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; +import org.apache.ranger.plugin.store.ServiceStore; +import org.apache.ranger.plugin.store.ServiceStoreFactory; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; + + +public class TestPolicyRefresher { + static RangerPolicyEngineImpl policyEngine = null; + static ServiceStore svcStore = null; + static PolicyRefresher refresher = null; + + static final long pollingIntervalInMs = 5 * 1000; + static final long sleepTimeInMs = pollingIntervalInMs + (5 * 1000); + static final String sdName = "hbase"; + static final String svcName = 
"svc-unit-test-TestPolicyRefresher"; + + static RangerService svc = null; + static RangerPolicy policy1 = null; + static RangerPolicy policy2 = null; + + static boolean isPolicyRefreshed = false; + static long policyCount = 0; + + + /** + * @throws java.lang.Exception + */ + @BeforeClass + public static void setUpBeforeClass() throws Exception { + svcStore = ServiceStoreFactory.instance().getServiceStore(); + + // cleanup if the test service already exists + svc = svcStore.getServiceByName(svcName); + if(svc != null) { + svcStore.deleteService(svc.getId()); + } + + policyEngine = new RangerPolicyEngineImpl() { + @Override + public void setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy> policies) { + isPolicyRefreshed = true; + policyCount = policies != null ? policies.size() : 0; + + super.setPolicies(serviceName, serviceDef, policies); + } + }; + + refresher = new PolicyRefresher(policyEngine, sdName, svcName, svcStore, pollingIntervalInMs, null); + refresher.start(); + + // create a service + svc = new RangerService(sdName, svcName, "test service description", null); + + svc = svcStore.createService(svc); + assertNotNull("createService(" + svcName + ") failed", svc); + } + + /** + * @throws java.lang.Exception + */ + @AfterClass + public static void tearDownAfterClass() throws Exception { + if(refresher != null) { + refresher.stopRefresher(); + } + + if(svcStore != null) { + if(policy1 != null) { + svcStore.deletePolicy(policy1.getId()); + } + + if(policy2 != null) { + svcStore.deletePolicy(policy2.getId()); + } + + if(svc != null) { + svcStore.deleteService(svc.getId()); + } + } + } + + @Test + public void testRefresher() throws Exception { + assertEquals("policy count - initial", 0, policyCount); + + RangerPolicy policy = new RangerPolicy(svc.getName(), "policy1", "test policy description", null, null); + policy.getResources().put("table", new RangerPolicyResource("employee", Boolean.FALSE, Boolean.TRUE)); + 
policy.getResources().put("column-family", new RangerPolicyResource("personal", Boolean.FALSE, Boolean.TRUE)); + policy.getResources().put("column", new RangerPolicyResource("ssn", Boolean.FALSE, Boolean.TRUE)); + + RangerPolicyItem item1 = new RangerPolicyItem(); + item1.getAccesses().add(new RangerPolicyItemAccess("admin")); + item1.getUsers().add("admin"); + item1.getGroups().add("hr"); + + RangerPolicyItem item2 = new RangerPolicyItem(); + item2.getAccesses().add(new RangerPolicyItemAccess("read")); + item2.getGroups().add("public"); + + policy.getPolicyItems().add(item1); + policy.getPolicyItems().add(item2); + + policy1 = svcStore.createPolicy(policy); + + policy = new RangerPolicy(svc.getName(), "policy2", "test policy description", null, null); + policy.getResources().put("table", new RangerPolicyResource("employee", Boolean.FALSE, Boolean.TRUE)); + policy.getResources().put("column-family", new RangerPolicyResource("finance", Boolean.FALSE, Boolean.TRUE)); + policy.getResources().put("column", new RangerPolicyResource("balance", Boolean.FALSE, Boolean.TRUE)); + + item1 = new RangerPolicyItem(); + item1.getAccesses().add(new RangerPolicyItemAccess("admin")); + item1.getUsers().add("admin"); + item1.getGroups().add("finance"); + + policy.getPolicyItems().add(item1); + + policy2 = svcStore.createPolicy(policy); + + Thread.sleep(sleepTimeInMs); + assertTrue("policy refresh - after two new policies", isPolicyRefreshed); + assertEquals("policy count - after two new policies", 2, policyCount); + isPolicyRefreshed = false; + + Thread.sleep(sleepTimeInMs); + assertFalse("policy refresh - after no new policies", isPolicyRefreshed); + assertEquals("policy count - after no new policies", 2, policyCount); + isPolicyRefreshed = false; + + item2 = new RangerPolicyItem(); + item2.getAccesses().add(new RangerPolicyItemAccess("read")); + item2.getGroups().add("public"); + policy2.getPolicyItems().add(item2); + + policy2 = svcStore.updatePolicy(policy2); + + 
Thread.sleep(sleepTimeInMs); + assertTrue("policy refresh - after update policy", isPolicyRefreshed); + assertEquals("policy count - after update policy", 2, policyCount); + isPolicyRefreshed = false; + + svcStore.deletePolicy(policy2.getId()); + + Thread.sleep(sleepTimeInMs); + assertTrue("policy refresh - after delete policy", isPolicyRefreshed); + assertEquals("policy count - after delete policy", 1, policyCount); + isPolicyRefreshed = false; + policy2 = null; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/test/resources/policyengine/test_policyengine_hbase.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hbase.json b/agents-common/src/test/resources/policyengine/test_policyengine_hbase.json new file mode 100644 index 0000000..35768cb --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hbase.json 
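Review bot: `isPolicyRefreshed` and `policyCount` are plain static fields that the overridden `setPolicies()` writes and `testRefresher()` reads after each `Thread.sleep(sleepTimeInMs)`. If `PolicyRefresher` invokes `setPolicies()` from its own thread, as `refresher.start()` suggests, nothing guarantees the test thread sees those writes. Declaring them `static volatile boolean isPolicyRefreshed = false;` and `static volatile long policyCount = 0;` makes the hand-off visible. The four fixed 10-second sleeps also tie the verdict to scheduler timing, so a late poll would be reported as a refresh failure. Polling the flag against a deadline, or waiting on a latch released in `setPolicies()`, would be sturdier and faster.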
@@ -0,0 +1,159 @@ +{ + "serviceName":"hbasedev", + + "serviceDef":{ + "name":"hbase", + "id":2, + "resources":[ + {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Table","description":"HBase Table"}, + {"name":"column-family","level":2,"table":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column-Family","description":"HBase Column-Family"}, + {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column","description":"HBase Column"} + ], + "accessTypes":[ + {"name":"read","label":"Read"}, + {"name":"write","label":"Write"}, + {"name":"create","label":"Create"}, + {"name":"admin","label":"Admin","impliedGrants":["read","write","create"]} + ] + }, + + "policies":[ + {"id":1,"name":"table=finance; column-family=restricted*: audit-all-access","isEnabled":true,"isAuditEnabled":true, + "resources":{"table":{"values":["finance"]},"column-family":{"values":["restricted*"]}}, + "policyItems":[ + {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":2,"name":"table=finance; column-family=restricted*","isEnabled":true,"isAuditEnabled":true, + "resources":{"table":{"values":["finance"]},"column-family":{"values":["restricted*"]}}, + "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false} + , + {"accesses":[{"type":"admin","isAllowed":true}],"users":[],"groups":["finance-admin"],"delegateAdmin":true} + ] + } + , + {"id":3,"name":"table=*; 
column-family=<excluding>restricted*","isEnabled":true,"isAuditEnabled":false, + "resources":{"table":{"values":["*"]},"column-family":{"values":["restricted*"],"isExcludes":true}}, + "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + ], + + "tests":[ + {"name":"ALLOW 'scan finance restricted-cf;' for finance", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"read","user":"user1","userGroups":["users","finance"],"requestData":"scan finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'put finance restricted-cf;' for finance", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"write","user":"user1","userGroups":["users","finance"],"requestData":"put finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"DENY 'create finance restricted-cf;' for finance", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"create","user":"user1","userGroups":["users","finance"],"requestData":"create finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'grant finance restricted-cf;' for finance", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"admin","user":"user1","userGroups":["users","finance"],"requestData":"grant finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'scan finance restricted-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"read","user":"user1","userGroups":["users"],"requestData":"scan finance restricted-cf" + }, + 
"result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'put finance restricted-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"write","user":"user1","userGroups":["users"],"requestData":"put finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'create finance restricted-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'grant finance restricted-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"admin","user":"user1","userGroups":["users"],"requestData":"grant finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'scan finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"read","user":"user1","userGroups":["users","finance-admin"],"requestData":"scan finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'put finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"write","user":"user1","userGroups":["users","finance-admin"],"requestData":"put finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'create finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + 
"accessType":"create","user":"user1","userGroups":["users","finance-admin"],"requestData":"create finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'grant finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, + "accessType":"admin","user":"user1","userGroups":["users","finance-admin"],"requestData":"grant finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'scan finance regular-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, + "accessType":"read","user":"user1","userGroups":["users"],"requestData":"scan finance regular-cf" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":3} + } + , + {"name":"DENY 'put finance regular-cf;' for user1", + "request":{ + "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, + "accessType":"write","user":"user1","userGroups":["users"],"requestData":"put finance regular-cf" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + ] +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json new file mode 100644 index 0000000..943fe80 --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json 
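Review bot: The `column-family` entry in `serviceDef.resources` carries `"table":"database"` where its sibling entries use a `parent` key; this looks like a copy-paste slip, and the entry should probably read `"parent":"table"`. `ServicePolicies` in this commit is annotated `@JsonIgnoreProperties(ignoreUnknown=true)`; if the service-def model does the same (not confirmed from this hunk), the stray key is dropped silently and `column-family` loads with no parent. The resource hierarchy these authorization tests evaluate would then differ from the intended one. No policy or request in the file sets `column` although it is declared `"mandatory":true`, so column-level matching is not exercised at all.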
@@ -0,0 +1,156 @@ +{ + "serviceName":"hdfsdev", + + "serviceDef":{ + "name":"hdfs", + "id":1, + "resources":[ + {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Resource Path","description":"HDFS file or directory path"} + ], + "accessTypes":[ + {"name":"read","label":"Read"}, + {"name":"write","label":"Write"}, + {"name":"execute","label":"Execute"} + ] + }, + + "policies":[ + {"id":1,"name":"audit-all-access under /finance/restricted/","isEnabled":true,"isAuditEnabled":true, + "resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}}, + "policyItems":[ + {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false, + "resources":{"path":{"values":["/public/"],"isRecursive":true}}, + "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":3,"name":"allow-read-to-finance under /finance/restricted","isEnabled":true,"isAuditEnabled":true, + "resources":{"path":{"values":["/finance/restricted"],"isRecursive":true}}, + "policyItems":[ + {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false} + ] + } + ], + + "tests":[ + {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":3} + } + , + {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + 
"accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":3} + } + , + {"name":"DENY 'read /operations/visitors.db' for g=finance", + "request":{ + "resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + + {"name":"DENY 'read /finance/restricted/sales.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /operations/visitors.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + 
"accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + + {"name":"DENY 'read /finance/restricted/sales.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'read /operations/visitors.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/operations/visitors.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /operations/visitors.db" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'read /public/technology' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'read /public/technology' for u=user1", + "request":{ + "resource":{"elements":{"path":"/public/technology/blogs.db"}}, + 
"accessType":"execute","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db" + }, + "result":{"isAudited":false,"isAllowed":true,"policyId":2} + } + ] +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-common/src/test/resources/policyengine/test_policyengine_hive.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json new file mode 100644 index 0000000..2ac90ae --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json 
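Review bot: The final two tests are both named `ALLOW 'read /public/technology' for u=user1` yet both request `/public/technology/blogs.db`; the first is an exact repeat of the test before it, and the second changes only `accessType` to `execute` while `requestData` still says read. If the directory itself was meant to be covered, the element should be `"path":"/public/technology"`, and each test needs a unique name so a failure identifies the case. The test named `FALSE 'read /finance/restricted/hr/payroll.db' for g=hr` should use the `DENY` prefix like the rest. Policy 3 grants on `/finance/restricted` with no trailing slash and `isRecursive`, but no test probes a path that merely shares that prefix; a DENY case there would pin the matcher's boundary behaviour.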
@@ -0,0 +1,261 @@ +{ + "serviceName":"hivedev", + + "serviceDef":{ + "name":"hive", + "id":3, + "resources":[ + {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Database","description":"Hive Database"}, + {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Table","description":"Hive Table"}, + {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive UDF","description":"Hive UDF"}, + {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"} + ], + "accessTypes":[ + {"name":"select","label":"Select"}, + {"name":"update","label":"Update"}, + {"name":"create","label":"Create"}, + {"name":"drop","label":"Drop"}, + {"name":"alter","label":"Alter"}, + {"name":"index","label":"Index"}, + {"name":"lock","label":"Lock"}, + {"name":"all","label":"All"} + ] + }, + + "policies":[ + {"id":1,"name":"db=default: audit-all-access","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["default"]},"table":{"values":["*"]},"column":{"values":["*"]}}, + "policyItems":[ + {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":2,"name":"db=default; table=test*; column=*","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}}, + 
"policyItems":[ + {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false} + , + {"accesses":[{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["admin"],"groups":["admin"],"delegateAdmin":true} + ] + } + ], + + "tests":[ + {"name":"ALLOW 'use default;' for user1", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"","user":"user1","userGroups":["users"],"requestData":"use default" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'use default;' for user2", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"","user":"user2","userGroups":["users"],"requestData":"use default" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"DENY 'use default;' to user3", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"","user":"user3","userGroups":["users"],"requestData":"use default" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'use default;' to group1", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"","user":"user3","userGroups":["users", "group1"],"requestData":"use default" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'use default;' to group2", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"","user":"user3","userGroups":["users", "group2"],"requestData":"use default" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"DENY 'use default;' to user3/group3", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"","user":"user3","userGroups":["users", "group3"],"requestData":"use default" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"DENY 'use finance;' to user3/group3", + 
"request":{ + "resource":{"elements":{"database":"finance"}}, + "accessType":"","user":"user1","userGroups":["users"],"requestData":"use finance" + }, + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'select col1 from default.testtable;' to user1", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'select col1 from default.testtable;' to user2", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"DENY 'select col1 from default.testtable;' to user3", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable" + }, + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} + } + , + {"name":"ALLOW 'select col1 from default.testtable;' to group1", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , + {"name":"ALLOW 'select col1 from default.testtable;' to group2", + "request":{ + "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}}, + "accessType":"select","user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } 
+ ,
+ {"name":"DENY 'select col1 from default.testtable;' to user3/group3",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
+ "accessType":"select","user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'select col1 from default.table1;' to user1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
+ "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'create table default.testtable1;' to user1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'create table default.testtable1;' to user1/group1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"create","user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'create table default.testtable1;' to admin",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"create","user":"admin","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"ALLOW 'create table default.testtable1;' to user1/admin",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"DENY 'drop table default.testtable1;' to user1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'drop table default.testtable1;' to user1/group1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"drop","user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'drop table default.testtable1;' to admin",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"drop","user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"ALLOW 'drop table default.testtable1;' to user1/admin",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"DENY 'create table default.table1;' to user1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1"}},
+ "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'create table default.table1;' to user1/admin",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1"}},
+ "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'drop table default.table1;' to user1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1"}},
+ "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'drop table default.table1;' to user1/admin",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1"}},
+ "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'select col1 from default.table1;' to user3",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
+ "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ]
+}
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/agents-impl/.gitignore
----------------------------------------------------------------------
diff --git a/agents-impl/.gitignore b/agents-impl/.gitignore
index 0f63015..20e1ada 100644
--- a/agents-impl/.gitignore
+++ b/agents-impl/.gitignore
@@ -1,2 +1,3 @@
 /target/
 /bin/
+/target
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/hbase-agent/pom.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/pom.xml b/hbase-agent/pom.xml
index 2749ca4..2fee01f 100644
--- a/hbase-agent/pom.xml
+++ b/hbase-agent/pom.xml
@@ -53,11 +53,6 @@
 <version>${project.version}</version>
 </dependency>
 <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>plugin-common</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
 <groupId>com.google.code.gson</groupId>
 <artifactId>gson</artifactId>
 <version>${gson.version}</version>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/hdfs-agent/pom.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/pom.xml b/hdfs-agent/pom.xml
index 5867ac8..db0fbee 100644
--- a/hdfs-agent/pom.xml
+++ b/hdfs-agent/pom.xml
@@ -75,11 +75,6 @@
 <groupId>org.mockito</groupId>
 <artifactId>mockito-core</artifactId>
 </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>plugin-common</artifactId>
- <version>${project.version}</version>
- </dependency>
 </dependencies>
 <build>
 <!--
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/hive-agent/pom.xml
----------------------------------------------------------------------
diff --git a/hive-agent/pom.xml b/hive-agent/pom.xml
index c6d41be..1b19025 100644
--- a/hive-agent/pom.xml
+++ b/hive-agent/pom.xml
@@ -108,10 +108,5 @@
 <artifactId>ranger-plugins-audit</artifactId>
 <version>${project.version}</version>
 </dependency>
- <dependency>
- <groupId>org.apache.ranger</groupId>
- <artifactId>plugin-common</artifactId>
- <version>${project.version}</version>
- </dependency>
 </dependencies>
 </project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/jisql/.gitignore
----------------------------------------------------------------------
diff --git a/jisql/.gitignore b/jisql/.gitignore
new file mode 100644
index 0000000..798e8dd
--- /dev/null
+++ b/jisql/.gitignore
@@ -0,0 +1,4 @@
+/target/
+/bin/
+/bin/
+/target
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/lookup-client/.gitignore
----------------------------------------------------------------------
diff --git a/lookup-client/.gitignore b/lookup-client/.gitignore
index 0f63015..20e1ada 100644
--- a/lookup-client/.gitignore
+++ b/lookup-client/.gitignore
@@ -1,2 +1,3 @@
 /target/
 /bin/
+/target
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
deleted file mode 100644
index 45a63c2..0000000
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerAuditHandler.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.audit;
-
-import java.util.Collection;
-
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-
-
-public interface RangerAuditHandler {
- void logAudit(RangerAccessResult result);
-
- void logAudit(Collection<RangerAccessResult> results);
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
deleted file mode 100644
index feb6e98..0000000
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
+++ /dev/null
@@ -1,231 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.ranger.plugin.audit; - -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.ranger.audit.model.AuthzAuditEvent; -import org.apache.ranger.audit.provider.AuditProviderFactory; -import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; -import org.apache.ranger.plugin.policyengine.RangerAccessRequest; -import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.policyengine.RangerResource; - - -public class RangerDefaultAuditHandler implements RangerAuditHandler { - private static final Log LOG = LogFactory.getLog(RangerDefaultAuditHandler.class); - - private static final String RESOURCE_SEP = "/"; - - - public RangerDefaultAuditHandler() { - } - - @Override - public void logAudit(RangerAccessResult result) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + result + ")"); - } - - AuthzAuditEvent event = getAuthzEvents(result); - - 
logAuthzAudit(event); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + result + ")"); - } - } - - @Override - public void logAudit(Collection<RangerAccessResult> results) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.logAudit(" + results + ")"); - } - - Collection<AuthzAuditEvent> events = getAuthzEvents(results); - - logAuthzAudits(events); - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.logAudit(" + results + ")"); - } - } - - - public AuthzAuditEvent getAuthzEvents(RangerAccessResult result) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.getAuthzEvents(" + result + ")"); - } - - AuthzAuditEvent ret = null; - - RangerAccessRequest request = result != null ? result.getAccessRequest() : null; - - if(request != null && result != null && result.getIsAudited()) { - RangerServiceDef serviceDef = result.getServiceDef(); - String resourceType = getResourceName(request.getResource(), serviceDef); - String resourcePath = getResourceValueAsString(request.getResource(), serviceDef); - - ret = createAuthzAuditEvent(); - - ret.setRepositoryName(result.getServiceName()); - ret.setRepositoryType(result.getServiceType()); - ret.setResourceType(resourceType); - ret.setResourcePath(resourcePath); - ret.setRequestData(request.getRequestData()); - ret.setEventTime(request.getAccessTime()); - ret.setUser(request.getUser()); - ret.setAccessType(request.getAction()); - ret.setAccessResult((short)(result.getIsAllowed() ? 
1 : 0)); - ret.setPolicyId(result.getPolicyId()); - ret.setAclEnforcer("ranger-acl"); // TODO: review - ret.setAction(request.getAccessType()); - ret.setClientIP(request.getClientIPAddress()); - ret.setClientType(request.getClientType()); - ret.setAgentHostname(null); - ret.setAgentId(null); - ret.setEventId(null); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.getAuthzEvents(" + result + "): " + ret); - } - - return ret; - } - - public Collection<AuthzAuditEvent> getAuthzEvents(Collection<RangerAccessResult> results) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.getAuthzEvents(" + results + ")"); - } - - List<AuthzAuditEvent> ret = null; - - if(results != null) { - // TODO: optimize the number of audit logs created - for(RangerAccessResult result : results) { - AuthzAuditEvent event = getAuthzEvents(result); - - if(event == null) { - continue; - } - - if(ret == null) { - ret = new ArrayList<AuthzAuditEvent>(); - } - - ret.add(event); - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.getAuthzEvents(" + results + "): " + ret); - } - - return ret; - } - - public void logAuthzAudit(AuthzAuditEvent auditEvent) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.logAuthzAudit(" + auditEvent + ")"); - } - - if(auditEvent != null) { - AuditProviderFactory.getAuditProvider().log(auditEvent); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.logAuthzAudit(" + auditEvent + ")"); - } - } - - public void logAuthzAudits(Collection<AuthzAuditEvent> auditEvents) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultAuditHandler.logAuthzAudits(" + auditEvents + ")"); - } - - if(auditEvents != null) { - for(AuthzAuditEvent auditEvent : auditEvents) { - logAuthzAudit(auditEvent); - } - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultAuditHandler.logAuthzAudits(" + auditEvents + ")"); - } - } - - public AuthzAuditEvent 
createAuthzAuditEvent() { - return new AuthzAuditEvent(); - } - - public String getResourceName(RangerResource resource, RangerServiceDef serviceDef) { - String ret = null; - - if(resource != null && serviceDef != null && serviceDef.getResources() != null) { - List<RangerResourceDef> resourceDefs = serviceDef.getResources(); - - for(int idx = resourceDefs.size() - 1; idx >= 0; idx--) { - RangerResourceDef resourceDef = resourceDefs.get(idx); - - if(resourceDef == null || !resource.exists(resourceDef.getName())) { - continue; - } - - ret = resourceDef.getName(); - - break; - } - } - - return ret; - } - - public String getResourceValueAsString(RangerResource resource, RangerServiceDef serviceDef) { - String ret = null; - - if(resource != null && serviceDef != null && serviceDef.getResources() != null) { - StringBuilder sb = new StringBuilder(); - - for(RangerResourceDef resourceDef : serviceDef.getResources()) { - if(resourceDef == null || !resource.exists(resourceDef.getName())) { - continue; - } - - if(sb.length() > 0) { - sb.append(RESOURCE_SEP); - } - - sb.append(resource.getValue(resourceDef.getName())); - } - - if(sb.length() > 0) { - ret = sb.toString(); - } - } - - return ret; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/217e1892/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerBaseModelObject.java ---------------------------------------------------------------------- diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerBaseModelObject.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerBaseModelObject.java deleted file mode 100644 index b90d387..0000000 --- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerBaseModelObject.java +++ /dev/null 
@@ -1,179 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.plugin.model;
-
-import java.util.Date;
-
-import javax.xml.bind.annotation.XmlAccessType;
-import javax.xml.bind.annotation.XmlAccessorType;
-import javax.xml.bind.annotation.XmlRootElement;
-
-import org.codehaus.jackson.annotate.JsonAutoDetect;
-import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility;
-import org.codehaus.jackson.annotate.JsonIgnoreProperties;
-import org.codehaus.jackson.map.annotate.JsonSerialize;
-
-@JsonAutoDetect(getterVisibility=Visibility.NONE, setterVisibility=Visibility.NONE, fieldVisibility=Visibility.ANY)
-@JsonSerialize(include=JsonSerialize.Inclusion.NON_NULL )
-@JsonIgnoreProperties(ignoreUnknown=true)
-@XmlRootElement
-@XmlAccessorType(XmlAccessType.FIELD)
-public class RangerBaseModelObject implements java.io.Serializable {
- private static final long serialVersionUID = 1L;
-
- private Long id = null;
- private String guid = null;
- private Boolean isEnabled = null;
- private String createdBy = null;
- private String updatedBy = null;
- private Date createTime = null;
- private Date updateTime = null;
- private Long version = null;
-
- /**
- *
- */
- public RangerBaseModelObject() {
- setIsEnabled(null);
- }
-
- public void updateFrom(RangerBaseModelObject other) {
- setIsEnabled(other.getIsEnabled());
- }
-
- /**
- * @return the id
- */
- public Long getId() {
- return id;
- }
- /**
- * @param id the id to set
- */
- public void setId(Long id) {
- this.id = id;
- }
- /**
- * @return the guid
- */
- public String getGuid() {
- return guid;
- }
- /**
- * @param guid the guid to set
- */
- public void setGuid(String guid) {
- this.guid = guid;
- }
- /**
- * @return the isEnabled
- */
- public Boolean getIsEnabled() {
- return isEnabled;
- }
- /**
- * @param isEnabled the isEnabled to set
- */
- public void setIsEnabled(Boolean isEnabled) {
- this.isEnabled = isEnabled == null ? Boolean.TRUE : isEnabled;
- }
- /**
- * @return the createdBy
- */
- public String getCreatedBy() {
- return createdBy;
- }
- /**
- * @param createdBy the createdBy to set
- */
- public void setCreatedBy(String createdBy) {
- this.createdBy = createdBy;
- }
- /**
- * @return the updatedBy
- */
- public String getUpdatedBy() {
- return updatedBy;
- }
- /**
- * @param updatedBy the updatedBy to set
- */
- public void setUpdatedBy(String updatedBy) {
- this.updatedBy = updatedBy;
- }
- /**
- * @return the createTime
- */
- public Date getCreateTime() {
- return createTime;
- }
- /**
- * @param createTime the createTime to set
- */
- public void setCreateTime(Date createTime) {
- this.createTime = createTime;
- }
- /**
- * @return the updateTime
- */
- public Date getUpdateTime() {
- return updateTime;
- }
- /**
- * @param updateTime the updateTime to set
- */
- public void setUpdateTime(Date updateTime) {
- this.updateTime = updateTime;
- }
- /**
- * @return the version
- */
- public Long getVersion() {
- return version;
- }
- /**
- * @param version the version to set
- */
- public void setVersion(Long version) {
- this.version = version;
- }
-
- @Override
- public String toString( ) {
- StringBuilder sb = new StringBuilder();
-
- toString(sb);
-
- return sb.toString();
- }
-
- public StringBuilder toString(StringBuilder sb) {
- sb.append("id={").append(id).append("} ");
- sb.append("guid={").append(guid).append("} ");
- sb.append("isEnabled={").append(isEnabled).append("} ");
- sb.append("createdBy={").append(createdBy).append("} ");
- sb.append("updatedBy={").append(updatedBy).append("} ");
- sb.append("createTime={").append(createTime).append("} ");
- sb.append("updateTime={").append(updateTime).append("} ");
- sb.append("version={").append(version).append("} ");
-
- return sb;
- }
-}
