Repository: incubator-ranger Updated Branches: refs/heads/stack 604d3bb79 -> 9f559d5fe
RANGER-232 Knox plugin review comments Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9f559d5f Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9f559d5f Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9f559d5f Branch: refs/heads/stack Commit: 9f559d5fe955dc103792a5bd40caa7cb12d4c5c7 Parents: 604d3bb Author: Alok Lal <[email protected]> Authored: Sun Feb 8 18:11:08 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Feb 12 00:03:42 2015 -0800 ---------------------------------------------------------------------- .../RangerConditionEvaluator.java | 3 +- .../conditionevaluator/RangerIpMatcher.java | 217 ++++++++++++---- .../policyengine/RangerAccessRequest.java | 2 - .../policyengine/RangerAccessRequestImpl.java | 20 -- .../RangerDefaultPolicyEvaluator.java | 67 +++-- .../conditionevaluator/RangerIpMatcherTest.java | 258 +++++++++++++------ .../RangerDefaultPolicyEvaluatorTest.java | 111 ++++++-- .../authorization/knox/KnoxRangerPlugin.java | 11 +- .../RangerPDPKnoxDeploymentContributor.java | 2 +- 9 files changed, 466 insertions(+), 225 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java index 9dc61a7..345a017 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java @@ -1,9 +1,10 @@ package org.apache.ranger.plugin.conditionevaluator; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; public interface RangerConditionEvaluator { void init(RangerPolicyItemCondition condition); - boolean isMatched(String value); + boolean isMatched(RangerAccessRequest request); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java index f21f7f4..f7b3a91 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.java @@ -21,12 +21,16 @@ package org.apache.ranger.plugin.conditionevaluator; import java.util.ArrayList; +import java.util.Iterator; import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; /** * Credits: Large parts of this file have been lifted as is from org.apache.ranger.pdp.knox.URLBasedAuthDB. Credits for those are due to Dilli Arumugam. @@ -36,82 +40,183 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; public class RangerIpMatcher implements RangerConditionEvaluator { private static final Log LOG = LogFactory.getLog(RangerIpMatcher.class); - private List<String> _ipAddresses = new ArrayList<String>(); + private List<String> _exactIps = new ArrayList<String>(); + private List<String> _wildCardIps = new ArrayList<String>(); private boolean _allowAny = false; - + public static final String ConditionName = "ip-range"; + @Override - public void init(RangerPolicyItemCondition condition) { - if (condition != null) { - List<String> ipAddresses = condition.getValues(); - if (CollectionUtils.isNotEmpty(ipAddresses)) { - _ipAddresses.addAll(ipAddresses); - // do this once, contains on a list is O(n) operation! - if (_ipAddresses.contains("*")) { + public void init(final RangerPolicyItemCondition condition) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerIpMatcher.init(" + condition + ")"); + } + + if (condition == null) { + LOG.debug("init: null policy condition! Will match always!"); + _allowAny = true; + } else if (CollectionUtils.isEmpty(condition.getValues())) { + LOG.debug("init: empty conditions collection on policy condition! Will match always!"); + _allowAny = true; + } else if (condition.getValues().contains("*")) { + _allowAny = true; + LOG.debug("init: wildcard value found. Will match always."); + } else { + for (String ip : condition.getValues()) { + String digestedIp = digestPolicyIp(ip); + if (digestedIp.isEmpty()) { + LOG.debug("init: digested ip was empty! Will match always"); _allowAny = true; + } else if (digestedIp.equals(ip)) { + _exactIps.add(ip); + } else { + _wildCardIps.add(digestedIp); } } } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerIpMatcher.init(" + condition + "): exact-ips[" + _exactIps + "], wildcard-ips[" + _wildCardIps + "]"); + } } @Override - public boolean isMatched(String requestIp) { - boolean ipMatched = false; - if (LOG.isDebugEnabled()) { - LOG.debug("Checking ipMatch for rolePermissionIpList: " + _ipAddresses + - ", requestIP: " + requestIp); - } - if (CollectionUtils.isEmpty(_ipAddresses)) { - LOG.debug("RolePermission does not require IP Matching"); - ipMatched = true; - } else if (_allowAny) { - LOG.debug("RolePermission allows any IP: *"); - ipMatched = true; + public boolean isMatched(final RangerAccessRequest request) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerIpMatcher.isMatched(" + request + ")"); + } + + boolean ipMatched = true; + if (_allowAny) { + LOG.debug("isMatched: allowAny flag is true. Matched!"); } else { - for (String ip : _ipAddresses) { - if (ipMatches(ip, requestIp)) { - LOG.debug("RolePermission IP matches request IP"); - ipMatched = true; - break;// break out of ipList - } + String requestIp = extractIp(request); + if (requestIp == null) { + LOG.debug("isMatched: couldn't get ip address from request. Ok. Implicitly matched!"); + } else { + ipMatched = isWildcardMatched(_wildCardIps, requestIp) || isExactlyMatched(_exactIps, requestIp); } } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerIpMatcher.isMatched(" + request+ "): " + ipMatched); + } + return ipMatched; } - private boolean ipMatches(String policyIp, String requestIp) { - if (policyIp == null) { - return false; - } - policyIp = policyIp.trim(); - if (policyIp.isEmpty()) { - return false; - } - boolean ipMatched = false; - boolean wildEnd = false; - if (policyIp.contains(".")) { - while (policyIp.endsWith(".*")) { - wildEnd = true; - policyIp = policyIp.substring(0, policyIp.lastIndexOf(".*")); - } - if (wildEnd) { - policyIp = policyIp + "."; - } - } else if (policyIp.contains(":")) { - while (policyIp.endsWith(":*")) { - wildEnd = true; - policyIp = policyIp.substring(0, policyIp.lastIndexOf(":*")); + /** + * Pre-digests the policy ip address to drop any trailing wildcard specifiers such that a simple beginsWith match can be done to check for match during authorization calls + * @param ip + * @return + */ + static final Pattern allWildcards = Pattern.compile("^((\\*(\\.\\*)*)|(\\*(:\\*)*))$"); // "*", "*.*", "*.*.*", "*:*", "*:*:*", etc. + static final Pattern trailingWildcardsIp4 = Pattern.compile("(\\.\\*)+$"); // "blah.*", "blah.*.*", etc. + static final Pattern trailingWildcardsIp6 = Pattern.compile("(:\\*)+$"); // "blah:*", "blah:*:*", etc. + + String digestPolicyIp(final String policyIp) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerIpMatcher.digestPolicyIp(" + policyIp + ")"); + } + + String result; + Matcher matcher = allWildcards.matcher(policyIp); + if (matcher.matches()) { + if (LOG.isDebugEnabled()) { + LOG.debug("digestPolicyIp: policyIP[" + policyIp +"] all wildcards."); } - if (wildEnd) { - policyIp = policyIp + ":"; + result = ""; + } else if (policyIp.contains(".")) { + matcher = trailingWildcardsIp4.matcher(policyIp); + result = matcher.replaceFirst("."); + } else { + matcher = trailingWildcardsIp6.matcher(policyIp); + // also lower cases the ipv6 items + result = matcher.replaceFirst(":").toLowerCase(); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerIpMatcher.digestPolicyIp(" + policyIp + "): " + policyIp); + } + return result; + } + + boolean isWildcardMatched(final List<String> ips, final String requestIp) { + + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerIpMatcher.isWildcardMatched(" + ips+ ", " + requestIp + ")"); + } + + boolean matchFound = false; + Iterator<String> iterator = ips.iterator(); + while (iterator.hasNext() && !matchFound) { + String ip = iterator.next(); + if (requestIp.contains(".") && requestIp.startsWith(ip)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Wildcard Policy IP[" + ip + "] matches request IPv4[" + requestIp + "]."); + } + matchFound = true; + } else if (requestIp.toLowerCase().startsWith(ip)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Wildcard Policy IP[" + ip + "] matches request IPv6[" + requestIp + "]."); + } + matchFound = true; + } else { + LOG.debug("Wildcard policy IP[" + ip + "] did not match request IP[" + requestIp + "]."); } } - if (wildEnd && requestIp.toLowerCase().startsWith(policyIp.toLowerCase())) { - ipMatched = true; - } else if (policyIp.equalsIgnoreCase(requestIp)) { - ipMatched = true; + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerIpMatcher.isWildcardMatched(" + ips+ ", " + requestIp + "): " + matchFound); } - return ipMatched; + return matchFound; + } + + boolean isExactlyMatched(final List<String> ips, final String requestIp) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerIpMatcher.isExactlyMatched(" + ips+ ", " + requestIp + ")"); + } + + boolean matchFound = false; + if (requestIp.contains(".")) { + matchFound = ips.contains(requestIp); + } else { + matchFound = ips.contains(requestIp.toLowerCase()); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerIpMatcher.isExactlyMatched(" + ips+ ", " + requestIp + "): " + matchFound); + } + return matchFound; } + + /** + * Extracts and returns the ip address from the request. Returns null if one can't be obtained out of the request. + * @param request + * @return + */ + String extractIp(final RangerAccessRequest request) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerIpMatcher.extractIp(" + request+ ")"); + } + String ip = null; + if (request == null) { + LOG.debug("isMatched: Unexpected: null request. Implicitly matched!"); + } else if (request.getContext() == null) { + LOG.debug("isMatched: Context map of request is null. Ok. Implicitly matched!"); + } else if (CollectionUtils.isEmpty(request.getContext().entrySet())) { + LOG.debug("isMatched: Missing context on request. Ok. Condition isn't applicable. Implicitly matched!"); + } else if (!request.getContext().containsKey(ConditionName)) { + if (LOG.isDebugEnabled()) { + LOG.debug("isMatched: Unexpected: Context did not have data for condition[" + ConditionName + "]. Implicitly matched!"); + } + } else { + ip = (String)request.getContext().get(ConditionName); + } + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerIpMatcher.extractIp(" + request+ "): " + ip); + } + return ip; + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java index 3f4570d..56a55ae 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java @@ -45,6 +45,4 @@ public interface RangerAccessRequest { String getSessionId(); Map<String, Object> getContext(); - - Map<String, String> getConditions(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java index 1114804..bc23763 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java @@ -38,8 +38,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { private String requestData = null; private String sessionId = null; private Map<String, Object> context = null; - private Map<String, String> conditions = null; - public RangerAccessRequestImpl() { this(null, null, null, null); @@ -59,7 +57,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { setRequestData(null); setSessionId(null); setContext(null); - setConditions(null); } @Override @@ -117,11 +114,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { return context; } - @Override - public Map<String, String> getConditions() { - return conditions; - } - public void setResource(RangerResource resource) { this.resource = resource; } @@ -166,10 +158,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { this.context = (context == null) ? new HashMap<String, Object>() : context; } - public void setConditions(final Map<String, String> conditions) { - this.conditions = (conditions == null) ? new HashMap<String, String>() : conditions; - } - @Override public String toString( ) { StringBuilder sb = new StringBuilder(); @@ -210,14 +198,6 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { } sb.append("} "); - sb.append("conditions={"); - if(conditions != null) { - for(Map.Entry<String, String> e : conditions.entrySet()) { - sb.append(e.getKey()).append("={").append(e.getValue()).append("} "); - } - } - sb.append("} "); - sb.append("}"); return sb; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 7d05d30..e3535ac 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -186,18 +186,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator Class<RangerConditionEvaluator> matcherClass = (Class<RangerConditionEvaluator>)Class.forName(className); evaluator = matcherClass.newInstance(); - } catch(ClassNotFoundException excp) { - LOG.error("Caught ClassNotFoundException: error instantiating object of class[" + className + "]. Returning null!"); - excp.printStackTrace(); - } catch (InstantiationException excp) { - LOG.error("Caught InstantiationException: error instantiating object of class[" + className + "]. Returning null!"); - excp.printStackTrace(); - } catch (IllegalAccessException excp) { - LOG.error("Caught IllegalAccessException: error instantiating object of class[" + className + "]. Returning null!"); - excp.printStackTrace(); - } catch (Throwable t) { - LOG.error("Caught Throwable: unexpected error instantiating object of class[" + className + "]. Returning null!"); - t.printStackTrace(); + } catch(Throwable t) { + LOG.error("Caught Throwable: unexpected error instantiating object of class[" + className + "]. Returning null!", t); } if(LOG.isDebugEnabled()) { @@ -252,7 +242,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator continue; } - boolean isCustomConditionsMatch = matchCustomConditions(request, conditionEvaluators); + boolean isCustomConditionsMatch = matchCustomConditions(policyItem, request, conditionEvaluators); if(! isCustomConditionsMatch) { continue; @@ -458,43 +448,50 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } // takes map in as argument for testability - protected boolean matchCustomConditions(RangerAccessRequest request, Map<String, RangerConditionEvaluator> evaluatorMap) { + protected boolean matchCustomConditions(RangerPolicyItem policyItem, RangerAccessRequest request, Map<String, RangerConditionEvaluator> evaluatorMap) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.matchCustomConditions(" + request + ")"); } - boolean matched = true; - - Map<String, String> input = request.getConditions(); - if (input == null || input.size() == 0) { - // if input didn't even have certain inputs then it could never fail the check. - matched = true; // assignment only to document in code the result + boolean result = true; + if (policyItem == null) { + LOG.debug("matchCustomConditions: Unexpected: policyItem was null"); + } else if (CollectionUtils.isEmpty(policyItem.getConditions())) { + LOG.debug("matchCustomConditions: policy item does not have any conditions! Ok, implicitly passed."); } else { - // we want to abort the minute we find a mismatch - Iterator<Map.Entry<String, String>> iterator = input.entrySet().iterator(); + Iterator<RangerPolicyItemCondition> iterator = policyItem.getConditions().iterator(); + /* + * We need to let the request be evaluated by the condition evaluator for each condition on the policy item. + * We bail out as soon as we find a mismatch, i.e. ALL conditions must succeed for condition evaluation to return true. + */ + boolean matched = true; while (iterator.hasNext() && matched) { - Map.Entry<String, String> anEntry = iterator.next(); - String conditionName = anEntry.getKey(); - String value = anEntry.getValue(); - RangerConditionEvaluator evaluator = evaluatorMap.get(conditionName); - if (evaluator == null) { - // it is possible that due to mis-configuration no evaluator was found. - LOG.warn("No evaluator found for condition[" + conditionName + "]! Check implicitly passed. Context: value[" + value + "]"); + RangerPolicyItemCondition itemCondition = iterator.next(); + if (itemCondition == null) { + LOG.debug("matchCustomConditions: Unexpected: Item condition on policy item was null! Ignoring..."); } else { - matched = evaluator.isMatched(value); - if (LOG.isDebugEnabled()) { - String format = "Condition evaluation verdict for condition[%s] with value[%s]: %s"; - LOG.debug(String.format(format, conditionName, value, matched)); + String conditionName = itemCondition.getType(); + if (StringUtils.isBlank(conditionName)) { + LOG.debug("matchCustomConditions: Unexpected: condition name on item conditon [" + conditionName + "] was null/empty/blank! Ignoring..."); + } else if (!evaluatorMap.containsKey(conditionName)) { + LOG.warn("matchCustomConditions: Unexpected: Could not find condition evaluator for condition[" + conditionName + "]! Ignoring..."); + } else { + RangerConditionEvaluator conditionEvaluator = evaluatorMap.get(conditionName); + matched = conditionEvaluator.isMatched(request); + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("matchCustomConditions: evaluator for condition[%s] returned[%s] for request[%s]", conditionName, matched, request)); + } } } } + result = result && matched; } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.matchCustomConditions(" + request + "): " + matched); + LOG.debug("<== RangerDefaultPolicyEvaluator.matchCustomConditions(" + request + "): " + result); } - return matched; + return result; } protected RangerPolicyItemAccess getAccess(RangerPolicyItem policyItem, String accessType) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java index 10c8697..e2d5c3c 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerIpMatcherTest.java @@ -20,18 +20,24 @@ package org.apache.ranger.plugin.conditionevaluator; -import static org.junit.Assert.*; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; import java.util.Arrays; +import java.util.HashMap; import java.util.List; +import java.util.Map; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.junit.After; import org.junit.Before; import org.junit.Test; -import static org.mockito.Mockito.*; - public class RangerIpMatcherTest { @Before @@ -45,116 +51,216 @@ public class RangerIpMatcherTest { } @Test - public void test() { + public void testUnexpected() { + // this documents some unexpected behavior of the ip matcher + RangerIpMatcher ipMatcher = createMatcher(new String[]{"1.2.3.*"} ); + // NOTE: absurd and downright illegal ipv4 address would match too! + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.123567"))); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3..123567"))); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.boo"))); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3."))); + + // wildcard match happens only at the end + ipMatcher = createMatcher(new String[]{"1.*.3.4"} ); + assertFalse(ipMatcher.isMatched(createRequest("1.3.3.4"))); + assertFalse(ipMatcher.isMatched(createRequest("1.1.3.4"))); + // it becomes a literal match! + assertTrue(ipMatcher.isMatched(createRequest("1.*.3.4"))); + + // same is true of ipv6 + ipMatcher = createMatcher(new String[]{"99:a9:b9:c9:*"} ); + // NOTE: absurd and downright illegal ipv4 address would match too! + assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:*"))); + assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:1.3.4"))); + assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9: <:-) "))); + } + + @Test + public void test_isWildcardMatched() { + List<String> ips = Arrays.asList("1.2.3.", "1.3.", "2.", "a0:b0:c0:", "a0:b1:", "a2:"); + RangerIpMatcher matcher = new RangerIpMatcher(); + + assertTrue(matcher.isWildcardMatched(ips, "1.2.3.4")); + assertTrue(matcher.isWildcardMatched(ips, "1.3.3.4")); + assertTrue(matcher.isWildcardMatched(ips, "2.3.3.4")); + + assertTrue(matcher.isWildcardMatched(ips, "A0:B0:C0:D0:E0:F0")); + assertTrue(matcher.isWildcardMatched(ips, "A0:B1:C0:D0:E0:F0")); + assertTrue(matcher.isWildcardMatched(ips, "A2:B0:C1:D2:E3:F4")); + + assertFalse(matcher.isWildcardMatched(ips, "1.2.33.4")); + assertFalse(matcher.isWildcardMatched(ips, "1.33.3.4")); + assertFalse(matcher.isWildcardMatched(ips, "22.3.3.4")); + + assertFalse(matcher.isWildcardMatched(ips, "A0:B0:00:D0:E0:F0")); + assertFalse(matcher.isWildcardMatched(ips, "A0:B2:C0:D0:E0:F0")); + assertFalse(matcher.isWildcardMatched(ips, "22:B0:C1:D2:E3:F4")); + } + + @Test + public void test_isExactlyMatched() { + List<String> ips = Arrays.asList("1.2.3.1", "1.2.3.11", "1.2.3.111", "a0:b0:c0:d0:e0:f0", "a0:b0:c0:d0:e0:f1", "a0:b0:c0:d0:e0:f2"); + RangerIpMatcher matcher = new RangerIpMatcher(); + assertTrue(matcher.isExactlyMatched(ips, "1.2.3.1")); + assertTrue(matcher.isExactlyMatched(ips, "1.2.3.111")); + assertTrue(matcher.isExactlyMatched(ips, "A0:B0:C0:D0:E0:F1")); + assertTrue(matcher.isExactlyMatched(ips, "a0:b0:c0:d0:e0:f1")); + + assertFalse(matcher.isExactlyMatched(ips, "1.2.3.2")); + assertFalse(matcher.isExactlyMatched(ips, "a0:b0:c0:d0:e0:f3")); + } + + @Test + public void test_extractIp() { + RangerIpMatcher matcher = new RangerIpMatcher(); + assertNull(matcher.extractIp(null)); + + RangerAccessRequest request = mock(RangerAccessRequest.class); + when(request.getContext()).thenReturn(null); + assertNull(matcher.extractIp(request)); + + Map<String, Object> context = new HashMap<String, Object>(); + when(request.getContext()).thenReturn(context); + assertNull(matcher.extractIp(request)); + + // context does not contain the condition name we are looking for + context.put("!" + RangerIpMatcher.ConditionName, "value"); + assertNull(matcher.extractIp(request)); + + // value for the condition name itself isnull + context.clear(); + context.put(RangerIpMatcher.ConditionName, null); + assertNull(matcher.extractIp(request)); + + // get back what you put in + context.clear(); + context.put(RangerIpMatcher.ConditionName, "aValue"); + assertEquals("aValue", matcher.extractIp(request)); + } + + @Test + public void test_digestIp() { + // comlete wildcards get reduced to empty string. + RangerIpMatcher matcher = new RangerIpMatcher(); + assertEquals("", matcher.digestPolicyIp("*")); + assertEquals("", matcher.digestPolicyIp("*.*")); + assertEquals("", matcher.digestPolicyIp("*.*.*")); + assertEquals("", matcher.digestPolicyIp("*.*.*.*")); + assertEquals("", matcher.digestPolicyIp("*:*:*:*")); + assertEquals("", matcher.digestPolicyIp("*:*:*:*:*:*")); + + // wildcard parts get dropped; retails trailing ./: to avoid doing partial number match + assertEquals("10.", matcher.digestPolicyIp("10.*")); + assertEquals("10.", matcher.digestPolicyIp("10.*.*")); + assertEquals("10.", matcher.digestPolicyIp("10.*.*.*")); + assertEquals("10.20.", matcher.digestPolicyIp("10.20.*")); + assertEquals("10.20.", matcher.digestPolicyIp("10.20.*.*")); + assertEquals("10.20.30.", matcher.digestPolicyIp("10.20.30.*")); + + // ipv6 digested values are also lower cased to ensure sensible comparison later + assertEquals("a0:", matcher.digestPolicyIp("A0:*")); + assertEquals("a0:", matcher.digestPolicyIp("a0:*:*")); + assertEquals("a0:", matcher.digestPolicyIp("A0:*:*:*")); + assertEquals("a0:b0:c0:", matcher.digestPolicyIp("A0:B0:C0:*")); + } + + @Test + public void test_integration() { - RangerIpMatcher ipMatcher = new RangerIpMatcher(); - // uninitialized matcher shoudl behave sensibly! empty matcher matches everything! - assertTrue(ipMatcher.isMatched("1.2.3.4")); + RangerIpMatcher ipMatcher = createMatcher(null); + // Matcher initialized with null policy should behave sensibly! It matches everything! + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.4"))); // empty ip-address list is same as null, i.e. matchs anything! ipMatcher = createMatcher(new String[]{}); - assertTrue(ipMatcher.isMatched("1.2.3.4")); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.4"))); // wildcard address will match anything -- ipv4 and ipv6 addresses ipMatcher = createMatcher(new String[]{"*"}); - assertTrue(ipMatcher.isMatched("1.2.3.4")); - assertTrue(ipMatcher.isMatched("1:2:3:4:5:6")); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.4"))); + assertTrue(ipMatcher.isMatched(createRequest("1:2:3:4:5:6"))); // partial wildcard matches work as expected. ipMatcher = createMatcher(new String[]{"1.2.3.*"} ); - assertTrue(ipMatcher.isMatched("1.2.3.4")); - assertTrue(ipMatcher.isMatched("1.2.3.123")); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.4"))); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.123"))); // NOTE: absurd ipv4 address but it should match too! - assertTrue(ipMatcher.isMatched("1.2.3.123567")); - assertTrue(ipMatcher.isMatched("1.2.3..123567")); - assertTrue(ipMatcher.isMatched("1.2.3.boo")); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.123567"))); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3..123567"))); + assertTrue(ipMatcher.isMatched(createRequest("1.2.3.boo"))); // mismatches caught correctly - assertFalse(ipMatcher.isMatched("1.2.31.123567")); - assertFalse(ipMatcher.isMatched("1.2.33.123567")); + assertFalse(ipMatcher.isMatched(createRequest("1.2.31.123567"))); + assertFalse(ipMatcher.isMatched(createRequest("1.2.33.123567"))); // no address has special meaning - assertFalse(ipMatcher.isMatched("1.2.0.0")); - assertFalse(ipMatcher.isMatched("1.2.255.255")); - assertFalse(ipMatcher.isMatched("1.2.254.254")); - assertFalse(ipMatcher.isMatched("0.0.0.0")); - assertFalse(ipMatcher.isMatched("255.255.255.255")); + assertFalse(ipMatcher.isMatched(createRequest("1.2.0.0"))); + assertFalse(ipMatcher.isMatched(createRequest("1.2.255.255"))); + assertFalse(ipMatcher.isMatched(createRequest("1.2.254.254"))); + assertFalse(ipMatcher.isMatched(createRequest("0.0.0.0"))); + assertFalse(ipMatcher.isMatched(createRequest("255.255.255.255"))); // wild card can be more than one octets ipMatcher = createMatcher(new String[]{"11.22.*.*"} ); - assertTrue(ipMatcher.isMatched("11.22.33.4")); - assertTrue(ipMatcher.isMatched("11.22.33.44")); - assertTrue(ipMatcher.isMatched("11.22.253.190")); - assertTrue(ipMatcher.isMatched("11.22.253.190")); + assertTrue(ipMatcher.isMatched(createRequest("11.22.33.4"))); + assertTrue(ipMatcher.isMatched(createRequest("11.22.33.44"))); + assertTrue(ipMatcher.isMatched(createRequest("11.22.253.190"))); + assertTrue(ipMatcher.isMatched(createRequest("11.22.253.190"))); // mismatches - assertFalse(ipMatcher.isMatched("11.222.253.190")); - assertFalse(ipMatcher.isMatched("11.21.253.190")); + assertFalse(ipMatcher.isMatched(createRequest("11.222.253.190"))); + assertFalse(ipMatcher.isMatched(createRequest("11.21.253.190"))); // one need't provide all the octets; missing ones are treaetd as wild cards ipMatcher = createMatcher(new String[]{"193.214.*"} ); // note just 3 octets in pattern - assertTrue(ipMatcher.isMatched("193.214.3.4")); - assertFalse(ipMatcher.isMatched("193.21.253.190")); + assertTrue(ipMatcher.isMatched(createRequest("193.214.3.4"))); + assertFalse(ipMatcher.isMatched(createRequest("193.21.253.190"))); // can't match ipv6 address using a ipv4 policy - assertFalse(ipMatcher.isMatched("193:214:3:4")); + assertFalse(ipMatcher.isMatched(createRequest("193:214:3:4"))); // same holds for ipv6 addresses ipMatcher = createMatcher(new String[]{"193:214:*"} ); - assertTrue(ipMatcher.isMatched("193:214:3:4:5:6")); - assertTrue(ipMatcher.isMatched("193:214:13:94:a90:b4f")); + assertTrue(ipMatcher.isMatched(createRequest("193:214:3:4:5:6"))); + assertTrue(ipMatcher.isMatched(createRequest("193:214:13:94:a90:b4f"))); // mismatches work as expected - assertFalse(ipMatcher.isMatched("193:215:13:94:a90:b4f")); + assertFalse(ipMatcher.isMatched(createRequest("193:215:13:94:a90:b4f"))); // can't match ipv4 address against ipv6 policy - assertFalse(ipMatcher.isMatched("193.214.3.4")); + assertFalse(ipMatcher.isMatched(createRequest("193.214.3.4"))); // direct match works as expected ipMatcher = createMatcher(new String[]{"99:a9:b9:c9:d9:e9"} ); - assertTrue(ipMatcher.isMatched("99:a9:b9:c9:d9:e9")); - assertFalse(ipMatcher.isMatched("99:a9:b9:c9:d0:e9")); + assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:d9:e9"))); + assertFalse(ipMatcher.isMatched(createRequest("99:a9:b9:c9:d0:e9"))); // Matcher can support multiple patterns of different domains - a mix of ipv4 and ipv6 addresses ipMatcher = createMatcher(new String[]{"10.20.30.*", "99:a9:b9:c9:d9:*"} ); - assertTrue(ipMatcher.isMatched("99:a9:b9:c9:d9:e9")); - assertTrue(ipMatcher.isMatched("99:a9:b9:c9:d9:e9")); - assertFalse(ipMatcher.isMatched("99:a9:b9:c9:dd:e9")); - assertFalse(ipMatcher.isMatched("89:a9:b9:c9:d9:e9")); - assertTrue(ipMatcher.isMatched("10.20.30.10")); - assertTrue(ipMatcher.isMatched("10.20.30.20")); - assertFalse(ipMatcher.isMatched("10.20.3.10")); - assertFalse(ipMatcher.isMatched("10.20.33.10")); + assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:d9:e9"))); + assertTrue(ipMatcher.isMatched(createRequest("99:a9:b9:c9:d9:e9"))); + assertFalse(ipMatcher.isMatched(createRequest("99:a9:b9:c9:dd:e9"))); + assertFalse(ipMatcher.isMatched(createRequest("89:a9:b9:c9:d9:e9"))); + assertTrue(ipMatcher.isMatched(createRequest("10.20.30.10"))); + assertTrue(ipMatcher.isMatched(createRequest("10.20.30.20"))); + assertFalse(ipMatcher.isMatched(createRequest("10.20.3.10"))); + assertFalse(ipMatcher.isMatched(createRequest("10.20.33.10"))); } - @Test - public void testUnexpected() { - // this documents some unexpected behavior of the ip matcher - RangerIpMatcher ipMatcher = createMatcher(new String[]{"1.2.3.*"} ); - // NOTE: absurd and downright illegal ipv4 address would match too! - assertTrue(ipMatcher.isMatched("1.2.3.123567")); - assertTrue(ipMatcher.isMatched("1.2.3..123567")); - assertTrue(ipMatcher.isMatched("1.2.3.boo")); - assertTrue(ipMatcher.isMatched("1.2.3.")); - - // wildcard match happens only at the end - ipMatcher = createMatcher(new String[]{"1.*.3.4"} ); - assertFalse(ipMatcher.isMatched("1.3.3.4")); - assertFalse(ipMatcher.isMatched("1.1.3.4")); - // it becomes a literal match! - assertTrue(ipMatcher.isMatched("1.*.3.4")); - - // same is true of ipv6 - ipMatcher = createMatcher(new String[]{"99:a9:b9:c9:*"} ); - // NOTE: absurd and downright illegal ipv4 address would match too! - assertTrue(ipMatcher.isMatched("99:a9:b9:c9:*")); - assertTrue(ipMatcher.isMatched("99:a9:b9:c9:1.3.4")); - assertTrue(ipMatcher.isMatched("99:a9:b9:c9: <:-) ")); - } - RangerIpMatcher createMatcher(String[] ipArray) { - List<String> addresses = Arrays.asList(ipArray); - - RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class); - - when(condition.getValues()).thenReturn(addresses); RangerIpMatcher matcher = new RangerIpMatcher(); - matcher.init(condition); + + if (ipArray == null) { + matcher.init(null); + } else { + RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class); + List<String> addresses = Arrays.asList(ipArray); + when(condition.getValues()).thenReturn(addresses); + matcher.init(condition); + } return matcher; } + + RangerAccessRequest createRequest(String requestIp) { + Map<String, Object> context = new HashMap<String, Object>(); + context.put(RangerIpMatcher.ConditionName, requestIp); + RangerAccessRequest request = mock(RangerAccessRequest.class); + when(request.getContext()).thenReturn(context); + return request; + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java index a42ad5b..036eff6 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluatorTest.java @@ -20,7 +20,11 @@ package org.apache.ranger.plugin.policyevaluator; -import static org.junit.Assert.*; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; @@ -199,7 +203,7 @@ public class RangerDefaultPolicyEvaluatorTest { // empty body! } @Override - public boolean isMatched(String value) { + public boolean isMatched(RangerAccessRequest request) { return true; } @@ -213,7 +217,7 @@ public class RangerDefaultPolicyEvaluatorTest { } @Override - public boolean isMatched(String value) { + public boolean isMatched(RangerAccessRequest request) { return false; } @@ -225,38 +229,66 @@ public class RangerDefaultPolicyEvaluatorTest { static class Evaluator4 extends AlwaysFail {} /** - * A request may contain a value for several conditions. A policy could contain evaluators for more conditions than that are in the request. - * check should fail if any condition check fails for the conditions that are contained in the request + * A request may contain a value for several conditions. A policy item could contain evaluators for more/different conditions than that are in the request. + * check should fail if condition evaluator for any policy fails for a conditions contained in the request. If request does not have data for a condition + * then it should succeed. Data in request for condition that are not part of the policy item shouldn't affect the result. */ @Test - public void test_matchCustomConditions_happyPath() { + public void test_matchCustomConditions_happyPath1() { + + // let's create the condition evaluator map for 4 conditions. + Map<String, RangerConditionEvaluator> evaluators = createEvaluatorMap(); - // let's first create a request with 3 different conditons - Map<String, String> requestValues = new HashMap<String, String>(); - requestValues.put("c1", "value1"); - requestValues.put("c2", "value2"); - // let's create the condition evaluator map for each of these conditions and some more. - RangerAccessRequest request = mock(RangerAccessRequest.class); - when(request.getConditions()).thenReturn(requestValues); - Map<String, RangerConditionEvaluator> evaluators = new HashMap<String, RangerConditionEvaluator>(); - evaluators.put("c1", new Evaluator1()); - evaluators.put("c2", new Evaluator2()); - evaluators.put("c3", new Evaluator3()); // conditions 3 and 4 would always fail! - evaluators.put("c4", new Evaluator4()); - // stuff the evaluator with this map + // let's first create a request with 2 different conditions + RangerAccessRequest request = createAccessRequestWithConditions(new String[] {"c1", "c2"}); + + // Create a policy item -- which also has same exact same number of policy conditions defined on it (2) + RangerPolicyItem policyItem = createPolicyItemForConditions(new String[] {"c1", "c2"} ); + + // check for success RangerDefaultPolicyEvaluator policyEvaluator = new RangerDefaultPolicyEvaluator(); - boolean result = policyEvaluator.matchCustomConditions(request, evaluators); + boolean result = policyEvaluator.matchCustomConditions(policyItem, request, evaluators); + assertTrue(result); + + // missing conditions on request are ok, too -- they always succeed + // policy item has conditions c1 and c2 where as context will only have c1. + request = createAccessRequestWithConditions(new String[] { "c1" } ); + result = policyEvaluator.matchCustomConditions(policyItem, request, evaluators); assertTrue(result); - // now check for failure - requestValues.clear(); - requestValues.put("c1", "value1"); - requestValues.put("c3", "value3"); - when(request.getConditions()).thenReturn(requestValues); - result = policyEvaluator.matchCustomConditions(request, evaluators); + // Extra conditions on request are ok, too -- they always succeed + // policy item has conditions c1 and c2 where as context has values for conditions c3 and c4 on it and we know their evaluators always fail! + request = createAccessRequestWithConditions(new String[] {"c3", "c4"}); + result = policyEvaluator.matchCustomConditions(policyItem, request, evaluators); + assertTrue(result); + } + + @Test + public void test_matchCustomConditions_happyPath2() { + // let's create the condition evaluator map for 4 conditions and some more. + Map<String, RangerConditionEvaluator> evaluators = createEvaluatorMap(); + + // create policy item with a condition that we know will always fail + RangerPolicyItem policyItem = createPolicyItemForConditions(new String[] { "c1", "c3" } ); + + // let's first create a request with 2 different conditions + RangerAccessRequest request = createAccessRequestWithConditions(new String[]{"c1", "c3"}); + + RangerDefaultPolicyEvaluator policyEvaluator = new RangerDefaultPolicyEvaluator(); + boolean result = policyEvaluator.matchCustomConditions(policyItem, request, evaluators); assertFalse(result); } + Map<String, RangerConditionEvaluator> createEvaluatorMap() { + Map<String, RangerConditionEvaluator> map = new HashMap<String, RangerConditionEvaluator>(); + map.put("c1", new Evaluator1()); + map.put("c2", new Evaluator2()); + map.put("c3", new Evaluator3()); // conditions 3 and 4 would always fail! + map.put("c4", new Evaluator4()); + + return map; + } + RangerPolicyItem getMockPolicyItem(String[] strings) { RangerPolicyItem policyItem = mock(RangerPolicyItem.class); if (strings == null) { @@ -294,4 +326,31 @@ public class RangerDefaultPolicyEvaluatorTest { return serviceDef; } + RangerPolicyItem createPolicyItemForConditions(String[] conditions) { + + List<RangerPolicyItemCondition> itemConditions = new ArrayList<RangerPolicy.RangerPolicyItemCondition>(conditions.length); + for (String conditionName : conditions) { + RangerPolicyItemCondition condition = mock(RangerPolicyItemCondition.class); + when(condition.getType()).thenReturn(conditionName); + itemConditions.add(condition); + } + + RangerPolicyItem policyItem = mock(RangerPolicyItem.class); + when(policyItem.getConditions()).thenReturn(itemConditions); + + return policyItem; + } + + RangerAccessRequest createAccessRequestWithConditions(String[] conditionNames) { + // let's first create a request with 2 different conditions + Map<String, Object> context = new HashMap<String, Object>(conditionNames.length); + for (String conditionName: conditionNames) { + // value is not important for our test + context.put(conditionName, conditionName + "-value"); + } + RangerAccessRequest request = mock(RangerAccessRequest.class); + when(request.getContext()).thenReturn(context); + + return request; + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java ---------------------------------------------------------------------- diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java index 5eee332..d5095de 100644 --- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java +++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java @@ -24,9 +24,9 @@ import java.util.Map; import java.util.Set; import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.AccessType; -import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.Condition; import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.PluginConfiguration; import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.ResourceName; +import org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerResourceImpl; @@ -95,8 +95,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin { request.setUserGroups(_groups); request.setResource(resource); // build condition for IP address - Map<String, String> conditions = Collections.singletonMap(Condition.IpRange, _clientIp); - request.setConditions(conditions); + Map<String, Object> conditions = Collections.singletonMap(RangerIpMatcher.ConditionName, (Object)_clientIp); + request.setContext(conditions); return request; } @@ -120,10 +120,5 @@ public class KnoxRangerPlugin extends RangerBasePlugin { static class AccessType { static final String Allow = "allow"; } - - // must match the corresponding string used in service definition file - static class Condition { - static final String IpRange = "ip-range"; - } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9f559d5f/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java ---------------------------------------------------------------------- diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java index 6272f4a..4e497c2 100644 --- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java +++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/deploy/RangerPDPKnoxDeploymentContributor.java @@ -40,7 +40,7 @@ public class RangerPDPKnoxDeploymentContributor extends ProviderDeploymentContri @Override public String getName() { - return "XASecurePDPKnox"; + return "RangerPDPKnox"; } @Override
