Repository: incubator-ranger Updated Branches: refs/heads/master b3e31fadd -> c7727f571
RANGER-278: Re-enable policy validation code and tests
Signed-off-by: Madhan Neethiraj <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c7727f57
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c7727f57
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c7727f57
Branch: refs/heads/master
Commit: c7727f571fc36b8aaf9c7a2054f23856f456d4f5
Parents: b3e31fa
Author: Alok Lal <[email protected]>
Authored: Mon Apr 13 17:24:21 2015 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Thu Apr 16 22:37:59 2015 -0700
----------------------------------------------------------------------
.../org/apache/ranger/rest/ServiceREST.java | 23 ++--
.../rest/TestServiceRESTForValidation.java | 120 +++++++++++--------
.../src/test/resources/log4j.properties | 36 ++++++
3 files changed, 116 insertions(+), 63 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c7727f57/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index a9ade43..01f2b7c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -59,16 +59,17 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
-import org.apache.ranger.plugin.model.validation.RangerValidatorFactory;
 import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
-import org.apache.ranger.plugin.model.RangerService;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.model.validation.RangerValidatorFactory;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
@@ -863,8 +864,8 @@ public class ServiceREST {
 RangerPolicy ret = null;
 try {
- // RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
- // validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
+ RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
+ validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
 ensureAdminAccess(policy.getService(), policy.getResources());
@@ -897,8 +898,8 @@ public class ServiceREST {
 RangerPolicy ret = null;
 try {
- // RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
- // validator.validate(policy, Action.UPDATE, bizUtil.isAdmin());
+ RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
+ validator.validate(policy, Action.UPDATE, bizUtil.isAdmin());
 ensureAdminAccess(policy.getService(), policy.getResources());
@@ -925,8 +926,8 @@ public class ServiceREST {
 }
 try {
- // RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
- // validator.validate(id, Action.DELETE);
+ RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
+ validator.validate(id, Action.DELETE);
 RangerPolicy policy = svcStore.getPolicy(id);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c7727f57/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
index f4534a1..1003213 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
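Review bot: In the create and update hunks `validator.validate(policy, Action.CREATE, bizUtil.isAdmin())` (and its `Action.UPDATE` twin) runs before `ensureAdminAccess(policy.getService(), policy.getResources())`, so a caller who is about to be refused still drives validator lookups against `svcStore` and receives the validator's failure detail. If those messages distinguish existing from missing services or policy names (the validator is not visible here), unauthorised callers can learn that from the REST error; consider running the access check first where its inputs allow, or confirm the error returned on validation failure is generic. The delete hunk has the same ordering, `validator.validate(id, Action.DELETE)` ahead of `svcStore.getPolicy(id)`, and unlike create/update passes no admin flag, which deserves a one-line comment such as `// DELETE validation is id-only; admin rights are enforced below`. All three method bodies start and end outside the hunks.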
@@ -34,6 +34,7 @@ import javax.ws.rs.WebApplicationException;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.biz.ServiceDBStore;
 import org.apache.ranger.common.RESTErrorUtil;
 import org.apache.ranger.plugin.model.RangerPolicy;
@@ -42,9 +43,8 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
-import org.apache.ranger.plugin.model.validation.RangerValidatorFactory;
 import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
-import org.apache.ranger.rest.ServiceREST;
+import org.apache.ranger.plugin.model.validation.RangerValidatorFactory;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mockito;
@@ -59,6 +59,8 @@ public class TestServiceRESTForValidation {
 // inject out store in it
 _store = mock(ServiceDBStore.class);
 _serviceRest.svcStore = _store;
+ _bizUtils = mock(RangerBizUtil.class);
+ _serviceRest.bizUtil = _bizUtils;
 // and our validator factory
 _factory = mock(RangerValidatorFactory.class);
@@ -202,15 +204,17 @@ public class TestServiceRESTForValidation {
 @Test
 public void testPolicy_happyPath() {
+ setupBizUtils();
+
 try {
-// _serviceRest.updatePolicy(_policy);
-// verify(_policyValidator).validate(_policy, Action.UPDATE);
+ _serviceRest.updatePolicy(_policy);
+ verify(_policyValidator).validate(_policy, Action.UPDATE, true);
 _serviceRest.deletePolicy(3L);
 verify(_policyValidator).validate(3L, Action.DELETE);
-// _serviceRest.createPolicy(_policy);
-// verify(_policyValidator).validate(_policy, Action.CREATE);
+ _serviceRest.createPolicy(_policy);
+ verify(_policyValidator).validate(_policy, Action.CREATE, true);
 } catch (Exception e) {
 LOG.debug(e);
 fail("unexpected exception");
@@ -219,30 +223,33 @@ public class TestServiceRESTForValidation {
 @Test
 public void testPolicy_validatorFailure() throws Exception {
+
+ // let's have bizutil return true everytime
+ setupBizUtils();
-// doThrow(_exception).when(_policyValidator).validate(_policy, Action.CREATE);
-// try {
-// _serviceRest.createPolicy(_policy);
-// fail("Should have thrown exception!");
-// } catch (WebApplicationException t) {
-// verify(_policyValidator).validate(_policy, Action.CREATE);
-// verify(_store, never()).createPolicy(_policy);
-// } catch (Throwable t) {
-// LOG.debug(t);
-// fail("Unexpected exception!");
-// }
-//
-// doThrow(_exception).when(_policyValidator).validate(_policy, Action.UPDATE);
-// try {
-// _serviceRest.updatePolicy(_policy);
-// fail("Should have thrown exception!");
-// } catch (WebApplicationException t) {
-// verify(_policyValidator).validate(_policy, Action.UPDATE);
-// verify(_store, never()).updatePolicy(_policy);
-// } catch (Throwable t) {
-// LOG.debug(t);
-// fail("Unexpected exception!");
-// }
+ doThrow(_exception).when(_policyValidator).validate(_policy, Action.CREATE, true);
+ try {
+ _serviceRest.createPolicy(_policy);
+ fail("Should have thrown exception!");
+ } catch (WebApplicationException t) {
+ verify(_policyValidator).validate(_policy, Action.CREATE, true);
+ verify(_store, never()).createPolicy(_policy);
+ } catch (Throwable t) {
+ LOG.debug(t);
+ fail("Unexpected exception!");
+ }
+
+ doThrow(_exception).when(_policyValidator).validate(_policy, Action.UPDATE, true);
+ try {
+ _serviceRest.updatePolicy(_policy);
+ fail("Should have thrown exception!");
+ } catch (WebApplicationException t) {
+ verify(_policyValidator).validate(_policy, Action.UPDATE, true);
+ verify(_store, never()).updatePolicy(_policy);
+ } catch (Throwable t) {
+ LOG.debug(t);
+ fail("Unexpected exception!");
+ }
 doThrow(_exception).when(_policyValidator).validate(4L, Action.DELETE);
 try {
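Review bot: The re-enabled `catch (Throwable t) { LOG.debug(t); fail("Unexpected exception!"); }` blocks also catch the `AssertionError` raised by `fail("Should have thrown exception!")` (assuming `fail` is JUnit's), so a validator that wrongly lets the policy through is reported as "Unexpected exception!" and the real cause goes only to a debug log. The log4j.properties added in this commit routes test logging to a null appender by default, which hides that cause entirely. Since the method already declares `throws Exception`, drop the `catch (Throwable t)` arm and let anything other than `WebApplicationException` propagate with its stack trace. The same pattern is re-enabled in the `testPolicy_storeFailure` hunk; both method bodies continue past their hunks.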
@@ -259,29 +266,33 @@ public class TestServiceRESTForValidation {
 @Test
 public void testPolicy_storeFailure() throws Exception {
-// doThrow(_exception).when(_store).createPolicy(_policy);
-// try {
-// _serviceRest.createPolicy(_policy);
-// fail("Should have thrown exception!");
-// } catch (WebApplicationException e) {
-// verify(_policyValidator).validate(_policy, Action.CREATE);
-// verify(_store).createPolicy(_policy);
-// } catch (Throwable t) {
-// LOG.debug(t);
-// fail("Unexpected exception!");
-// }
-//
-// doThrow(_exception).when(_store).updatePolicy(_policy);
-// try {
-// _serviceRest.updatePolicy(_policy);
-// fail("Should have thrown exception!");
-// } catch (WebApplicationException e) {
-// verify(_policyValidator).validate(_policy, Action.UPDATE);
-// verify(_store).updatePolicy(_policy);
-// } catch (Throwable t) {
-// LOG.debug(t);
-// fail("Unexpected exception!");
-// }
+
+ // let's have bizutils return true for now
+ setupBizUtils();
+
+ doThrow(_exception).when(_store).createPolicy(_policy);
+ try {
+ _serviceRest.createPolicy(_policy);
+ fail("Should have thrown exception!");
+ } catch (WebApplicationException e) {
+ verify(_policyValidator).validate(_policy, Action.CREATE, true);
+ verify(_store).createPolicy(_policy);
+ } catch (Throwable t) {
+ LOG.debug(t);
+ fail("Unexpected exception!");
+ }
+
+ doThrow(_exception).when(_store).updatePolicy(_policy);
+ try {
+ _serviceRest.updatePolicy(_policy);
+ fail("Should have thrown exception!");
+ } catch (WebApplicationException e) {
+ verify(_policyValidator).validate(_policy, Action.UPDATE, true);
+ verify(_store).updatePolicy(_policy);
+ } catch (Throwable t) {
+ LOG.debug(t);
+ fail("Unexpected exception!");
+ }
 doThrow(_exception).when(_store).deletePolicy(5L);
 try {
@@ -401,6 +412,10 @@ public class TestServiceRESTForValidation {
 }
 }
+ void setupBizUtils() {
+ when(_bizUtils.isAdmin()).thenReturn(true);
+ }
+
 private RangerValidatorFactory _factory;
 private RangerServiceValidator _serviceValidator;
 private RangerPolicyValidator _policyValidator;
@@ -410,6 +425,7 @@ public class TestServiceRESTForValidation {
 private ServiceREST _serviceRest;
 private Exception _exception;
 private RESTErrorUtil _restErrorUtil;
+ private RangerBizUtil _bizUtils;
 private RangerService _service;
 private RangerPolicy _policy;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c7727f57/security-admin/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/security-admin/src/test/resources/log4j.properties b/security-admin/src/test/resources/log4j.properties
new file mode 100644
index 0000000..bd8197d
--- /dev/null
+++ b/security-admin/src/test/resources/log4j.properties
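Review bot: `setupBizUtils()` stubs `isAdmin()` to `true` only, so every re-enabled policy test verifies `validate(_policy, …, true)` and nothing checks that a non-admin caller's `false` actually reaches the validator. The flag is presumably what the validator uses to apply admin-only rules, so passing it through correctly is the security-relevant part of this change. Take the value as a parameter, `void setupBizUtils(boolean isAdmin) { when(_bizUtils.isAdmin()).thenReturn(isAdmin); }`, and add a case that asserts `verify(_policyValidator).validate(_policy, Action.CREATE, false)`, plus the same for `Action.UPDATE`.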
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##-- To prevent junits from cluttering the build run by default all test runs send output to null appender
+log4j.appender.devnull=org.apache.log4j.varia.NullAppender
+log4j.rootLogger=FATAL, devnull
+
+##-- uncomment the following line during during development/debugging so see debug messages during test run to be emitted to console
+# ranger.root.logger=DEBUG,console
+
+# Define the root logger to the system property "hbase.root.logger".
+log4j.rootLogger=${ranger.root.logger}
+
+# Logging Threshold
+log4j.threshold=ALL
+
+#
+# console
+# Add "console" to rootlogger above if you want to use this
+#
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %m%n
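Review bot: `log4j.rootLogger` is assigned twice, and since the file is read as Java properties the later `log4j.rootLogger=${ranger.root.logger}` replaces `FATAL, devnull`. With `ranger.root.logger` left commented out and no system property set, the substitution is empty, so the root logger likely ends up without the null appender the first comment promises (worth confirming on a test run). Define the default in the file instead, `ranger.root.logger=FATAL,devnull`, and drop the first `log4j.rootLogger` line; a `-Dranger.root.logger=DEBUG,console` on the command line would then still override it. The comment naming `hbase.root.logger` should read `ranger.root.logger`.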
