Repository: incubator-ranger Updated Branches: refs/heads/master 0e4ced2f8 -> 06fe51834
RANGER-278 Interim commit to enable policy validation Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/06fe5183 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/06fe5183 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/06fe5183 Branch: refs/heads/master Commit: 06fe51834e0f34b33dabe6f90ba7458e7de01a94 Parents: 0e4ced2 Author: Alok Lal <[email protected]> Authored: Sat Apr 25 13:36:28 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Sat Apr 25 18:08:57 2015 -0700 ---------------------------------------------------------------------- .../model/validation/RangerPolicyValidator.java | 3 ++- .../validation/TestRangerPolicyValidator.java | 21 ++++++++++---------- .../org/apache/ranger/rest/ServiceREST.java | 13 ++++++------ .../rest/TestServiceRESTForValidation.java | 15 +++++--------- 4 files changed, 25 insertions(+), 27 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/06fe5183/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index ae5bd68..991b641 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -239,7 +239,8 @@ public class RangerPolicyValidator extends RangerValidator {
 boolean valid = true;
 if (serviceDef != null) { // following checks can't be done meaningfully otherwise
- valid = isValidResourceNames(policy, failures, serviceDef);
+// TODO - disabled till a more robust fix for Hive resources definition can be found
+// valid = isValidResourceNames(policy, failures, serviceDef);
 Map<String, RangerPolicyResource> resourceMap = policy.getResources();
 if (resourceMap != null) { // following checks can't be done meaningfully otherwise
 valid = isValidResourceValues(resourceMap, failures, serviceDef) && valid;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/06fe5183/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
index 55404b2..90d7c06 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
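Review bot: With `isValidResourceNames` commented out in RangerPolicyValidator.java, the resource-name check is skipped silently; judging by the test disabled in the same commit, that means a policy missing a mandatory resource or naming a resource the service definition does not define is no longer rejected, just as ServiceREST starts relying on this validator. The TODO names no tracking issue and nothing at runtime shows the check is off, so the gap is easy to forget. I would spell it out, e.g. `// TODO(<follow-up issue id>): isValidResourceNames disabled until the Hive resource definition is fixed; policies with missing or unknown resource names are NOT rejected meanwhile`, and log the skipped check at debug level if the class has a logger. The enclosing method starts and ends outside the hunk.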
@@ -401,16 +401,17 @@ public class TestRangerPolicyValidator {
 // one mandatory is missing (tbl) and one unknown resource is specified (extra), and values of option resource don't conform to validation pattern (col)
 Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
 when(_policy.getResources()).thenReturn(policyResources);
- for (Action action : cu) {
- for (boolean isAdmin : new boolean[] { true, false }) {
- _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
- _utils.checkFailureForMissingValue(_failures, "resources", "tbl"); // for missing resource: tbl
- _utils.checkFailureForSemanticError(_failures, "resources", "extra"); // for spurious resource: "extra"
- _utils.checkFailureForSemanticError(_failures, "resource-values", "col"); // for spurious resource: "extra"
- _utils.checkFailureForSemanticError(_failures, "isRecursive", "db"); // for specifying it as true when def did not allow it
- _utils.checkFailureForSemanticError(_failures, "isExcludes", "col"); // for specifying it as true when def did not allow it
- }
- }
+// TODO disabled till a more robust fix for Hive resources definition can be found
+// for (Action action : cu) {
+// for (boolean isAdmin : new boolean[] { true, false }) {
+// _failures.clear(); assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
+// _utils.checkFailureForMissingValue(_failures, "resources", "tbl"); // for missing resource: tbl
+// _utils.checkFailureForSemanticError(_failures, "resources", "extra"); // for spurious resource: "extra"
+// _utils.checkFailureForSemanticError(_failures, "resource-values", "col"); // for spurious resource: "extra"
+// _utils.checkFailureForSemanticError(_failures, "isRecursive", "db"); // for specifying it as true when def did not allow it
+// _utils.checkFailureForSemanticError(_failures, "isExcludes", "col"); // for specifying it as true when def did not allow it
+// }
+// }
 // create
the right resource def but let it clash with another policy with matching resource-def
 policyResources = _utils.createPolicyResourceMap(policyResourceMap_good);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/06fe5183/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index ad04a26..a02b932 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -63,6 +63,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
 import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
@@ -883,8 +884,8 @@ public class ServiceREST {
 LOG.debug("Policy did not have its name set! Ok, setting name to [" + name + "]");
 }
 }
- // RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
- // validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
+ RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
+ validator.validate(policy, Action.CREATE, bizUtil.isAdmin());
 ensureAdminAccess(policy.getService(), policy.getResources());
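Review bot: In TestRangerPolicyValidator.java the whole negative-case loop is commented out, which also drops the assertions on `"resource-values"` (col), `"isRecursive"` (db) and `"isExcludes"` (col), although the validator change disables only the resource-name check and still calls `isValidResourceValues`. Keeping the loop and commenting out just the two `"resources"` assertions (`checkFailureForMissingValue(_failures, "resources", "tbl")` and `checkFailureForSemanticError(_failures, "resources", "extra")`) would preserve regression coverage for the checks that stay active, assuming `isValid` still returns false for this input. The trailing comment on the `"resource-values"` line still reads `// for spurious resource: "extra"`, which looks copied from the line above. The test method starts and ends outside the hunk.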
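Review bot: In ServiceREST.java `validator.validate(policy, Action.CREATE, bizUtil.isAdmin())` now runs before `ensureAdminAccess(policy.getService(), policy.getResources())`, so a caller who has not yet been authorised for the service reaches the validator and whatever it reads through `svcStore`; the UPDATE hunk (@@ -917) has the same order, and in the DELETE hunk (@@ -945) `validator.validate(id, Action.DELETE)` precedes the policy lookup. If validation failures are reported back to the client, they could tell an unauthorised caller about existing policies (for example a name or resource clash); how failures are reported is not visible in these hunks. Consider running the access check first where its inputs are safe to read, or document the ordering with a comment such as `// validation must precede ensureAdminAccess because <reason>; failure details must not expose other policies`. Each of these methods starts and ends outside its hunk.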
@@ -917,8 +918,8 @@ public class ServiceREST {
 RangerPolicy ret = null;
 try {
- // RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
- // validator.validate(policy, Action.UPDATE, bizUtil.isAdmin());
+ RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
+ validator.validate(policy, Action.UPDATE, bizUtil.isAdmin());
 ensureAdminAccess(policy.getService(), policy.getResources());
@@ -945,8 +946,8 @@ public class ServiceREST {
 }
 try {
- // RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
- // validator.validate(id, Action.DELETE);
+ RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
+ validator.validate(id, Action.DELETE);
 RangerPolicy policy = svcStore.getPolicy(id);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/06fe5183/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java ----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
index c81f2e9..57a6f1f 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
@@ -205,9 +205,8 @@ public class TestServiceRESTForValidation {
 }
 }
- @Ignore("Disabled pending with hive policy creation-failure")
 @Test
- public void testPolicy_happyPath() {
+ final public void testPolicy_happyPath() {
 setupBizUtils();
 try {
@@ -222,9 +221,8 @@ public class TestServiceRESTForValidation {
 }
 }
- @Ignore("Disabled pending with hive policy creation-failure")
 @Test
- public void testPolicy_happyPath_deletion() {
+ final public void testPolicy_happyPath_deletion() {
 setupBizUtils();
 try {
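Review bot: The re-enabled tests in TestServiceRESTForValidation.java are declared `final public void`, which puts the modifiers in non-customary order and adds a `final` that does nothing useful on a JUnit test method; `public void testPolicy_happyPath() {` as before, or `public final void …`, would read better. The same applies to the hunks at @@ -222, @@ -238, @@ -282 and @@ -314. If no other test in the file still uses `@Ignore`, the `org.junit.Ignore` import is now unused; the import block is outside these hunks, so that needs checking.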
@@ -238,9 +236,8 @@ public class TestServiceRESTForValidation {
 }
 }
- @Ignore("Disabled pending with hive policy creation-failure")
 @Test
- public void testPolicy_validatorFailure() throws Exception {
+ final public void testPolicy_validatorFailure() throws Exception {
 // let's have bizutil return true everytime
 setupBizUtils();
@@ -282,9 +279,8 @@ public class TestServiceRESTForValidation {
 }
 }
- @Ignore("Disabled pending with hive policy creation-failure")
 @Test
- public void testPolicy_storeFailure() throws Exception {
+ final public void testPolicy_storeFailure() throws Exception {
 // let's have bizutils return true for now
 setupBizUtils();
@@ -314,9 +310,8 @@ public class TestServiceRESTForValidation {
 }
 }
- @Ignore("Disabled pending with hive policy creation-failure")
 @Test
- public void testPolicy_storeFailure_forDelete() throws Exception {
+ final public void testPolicy_storeFailure_forDelete() throws Exception {
 // let's have bizutils return true for now
 setupBizUtils();
