Repository: incubator-ranger Updated Branches: refs/heads/tag-policy d8f7a9605 -> 51fba28de
Made OptimizedPolicyEvaluator as default; changed RangerPolicy.isFinal to a bit-map. Tested passing Java map to basic JavaScript engine. Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/51fba28d Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/51fba28d Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/51fba28d Branch: refs/heads/tag-policy Commit: 51fba28de89992a92e06804711823370a3e674b9 Parents: d8f7a96 Author: Abhay Kulkarni <[email protected]> Authored: Mon May 25 18:26:44 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Tue May 26 18:24:08 2015 -0700 ---------------------------------------------------------------------- .../RangerTagAttributeEvaluator.java | 130 ++++++++++++++++++- ...gerTagAttributeEvaluatorResultProcessor.java | 30 +++++ .../ScriptingLanguageFinderUtil.java | 35 +++++ .../ranger/plugin/model/RangerPolicy.java | 26 +++- .../ranger/plugin/model/RangerResource.java | 36 +++++ .../policyengine/RangerPolicyEngineImpl.java | 2 +- .../policyengine/RangerPolicyRepository.java | 7 +- .../RangerDefaultPolicyEvaluator.java | 6 +- .../RangerOptimizedPolicyEvaluator.java | 6 + .../policyevaluator/RangerPolicyEvaluator.java | 2 +- .../policyengine/test_policyengine_hdfs.json | 9 +- 11 files changed, 267 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java index 324ae4c..1f12bb8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluator.java @@ -19,31 +19,155 @@ package org.apache.ranger.plugin.conditionevaluator; +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerResource; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; + +import javax.script.ScriptEngine; +import javax.script.ScriptEngineManager; +import javax.script.ScriptException; +import java.util.List; +import java.util.Map; public class RangerTagAttributeEvaluator extends RangerAbstractConditionEvaluator { private static final Log LOG = LogFactory.getLog(RangerTagAttributeEvaluator.class); + private ScriptEngine scriptEngine; + @Override public void init() { + if (LOG.isDebugEnabled()) { LOG.debug("==> RangerTagAttributeEvaluator.init(" + condition + ")"); } super.init(); + + Map<String, String> evalOptions = conditionDef.getEvaluatorOptions(); + + if (evalOptions != null) { + String engineType = evalOptions.get("interpreter"); + if (StringUtils.equals(engineType, "JavaScript")) { + ScriptEngineManager manager = new ScriptEngineManager(); + scriptEngine = manager.getEngineByName("JavaScript"); + } + } + + //scriptEngine.put("conditionDef", conditionDef); + //scriptEngine.put("condition", condition); + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerTagAttributeEvaluator.init(" + condition + ")"); + } } @Override public boolean isMatched(RangerAccessRequest request) { // TODO // Set up environment: selected parts of request - // Invoke python interpreter if (LOG.isDebugEnabled()) { - LOG.debug("RangerTagAttributeEvaluator.isMatched()"); + LOG.debug("==>RangerTagAttributeEvaluator.isMatched()"); + } + + Map<String, Object> requestContext = request.getContext(); + + @SuppressWarnings("unchecked") + RangerResource.RangerResourceTag tagObject = (RangerResource.RangerResourceTag)requestContext.get(RangerPolicyEngine.KEY_CONTEXT_TAG_OBJECT); + + if (tagObject == null) { + LOG.error("RangerTagAttributeEvalator.isMatched(), No tag object found in the context. Weird!!!!"); + return false; + } + + String tagAsJSON = tagObject.getJSONRepresentation(); + + if (LOG.isDebugEnabled()) { + LOG.debug("RangerTagAttributeEvaluator.isMatched(), tagObject as JSON=" + tagAsJSON); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("RangerTagAttributeEvaluator.isMatched(), tagObject=" + tagObject); + } + + RangerTagAttributeEvaluatorResultProcessor resultProcessor = new RangerTagAttributeEvaluatorResultProcessor(); + + /* + Map<String, String> map = new HashMap<String, String>(); + map.put("bye", "now"); + */ + /* + // Convert it to a NativeObject (yes, this could have been done directly) + NativeObject nobj = new NativeObject(); + for (Map.Entry<String, String> entry : map.entrySet()) { + nobj.defineProperty(entry.getKey(), entry.getValue(), NativeObject.READONLY); } + + // Place native object into the context + scriptEngine.put("map", nobj); + */ + + /* + try { + //scriptEngine.eval("println(map.bye)"); + + scriptEngine.eval("var map = " + new Gson().toJson(map) + ";\n" + + "println(map.bye);"); + } catch (Exception e) { + System.out.println("Failed"); + } + System.out.println("Succeeded"); return true; - } + */ + + // Place remaining objects directly into context + /* + scriptEngine.put("tagName", tagObject.getName()); + scriptEngine.put("request", request); + */ + scriptEngine.put("result", resultProcessor); + + String preamble = "var tag = " + tagAsJSON +";\n"; + + List<String> values = condition.getValues(); + + if (LOG.isDebugEnabled()) { + LOG.debug("RangerTagAttributeEvaluator.isMatched(), values=" + values); + } + + if (!CollectionUtils.isEmpty(values)) { + String script = values.get(0); + + if (!StringUtils.isEmpty(script)) { + + if (LOG.isDebugEnabled()) { + LOG.debug("RangerTagAttributeEvaluator.isMatched(), evaluating script '" + script +"'"); + } + if (scriptEngine != null) { + try { + scriptEngine.eval(preamble+script); + } catch (ScriptException exception) { + LOG.error("RangerTagAttributeEvaluator.isMatched(): failed to evaluate script," + + " exception=" + exception); + } + } else { + LOG.error("RangerTagAttributeEvaluator.isMatched(), No engine to evaluate script '" + script + "'"); + resultProcessor.setFailed(); + } + + } + + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<==RangerTagAttributeEvaluator.isMatched(), result=" + resultProcessor.getResult()); + } + + return resultProcessor.getResult(); + + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java new file mode 100644 index 0000000..0deeefc --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerTagAttributeEvaluatorResultProcessor.java @@ -0,0 +1,30 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.conditionevaluator; + +public class RangerTagAttributeEvaluatorResultProcessor { + private boolean result = false; + + RangerTagAttributeEvaluatorResultProcessor() {} + + public void setSucceeded() { this.result = true; } + public void setFailed() { this.result = false; } + boolean getResult() { return this.result; } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java new file mode 100644 index 0000000..bd6b435 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/ScriptingLanguageFinderUtil.java @@ -0,0 +1,35 @@ +package org.apache.ranger.plugin.conditionevaluator; + +import java.util.*; +import javax.script.*; + +public class ScriptingLanguageFinderUtil { + + public static void main( String[] args ) { + + ScriptEngineManager mgr = new ScriptEngineManager(); + List<ScriptEngineFactory> factories = mgr.getEngineFactories(); + + for (ScriptEngineFactory factory : factories) { + + System.out.println("ScriptEngineFactory Info"); + + String engName = factory.getEngineName(); + String engVersion = factory.getEngineVersion(); + String langName = factory.getLanguageName(); + String langVersion = factory.getLanguageVersion(); + + System.out.printf("\tScript Engine: %s (%s)%n", engName, engVersion); + + List<String> engNames = factory.getNames(); + for(String name : engNames) { + System.out.printf("\tEngine Alias: %s%n", name); + } + + System.out.printf("\tLanguage: %s (%s)%n", langName, langVersion); + + } + + } + +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java index d634ea7..6d9c929 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java @@ -41,13 +41,18 @@ import org.codehaus.jackson.map.annotate.JsonSerialize; @XmlRootElement @XmlAccessorType(XmlAccessType.FIELD) public class RangerPolicy extends RangerBaseModelObject implements java.io.Serializable { - public static final int FINAL_ACCESS_DECIDER_POLICY_TYPE = 1; + // For future use private static final long serialVersionUID = 1L; + public static final int POLICY_TYPE_DEFAULT = 0x0; + public static final int POLICY_TYPE_FINAL = 0x1 << 0; + public static final int POLICY_TYPE_DENIER = 0x1 << 1; + + private String service = null; private String name = null; - private Integer policyType = null; + private Integer policyType = POLICY_TYPE_DEFAULT; private String description = null; private String resourceSignature = null; private Boolean isAuditEnabled = null; @@ -59,7 +64,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria * @param */ public RangerPolicy() { - this(null, null, null, null, null, null, null); + this(null, null, POLICY_TYPE_DEFAULT, null, null, null, null); } /** @@ -212,6 +217,14 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } } + final public void setPolicyTypeDefault() { + policyType = POLICY_TYPE_DEFAULT; + } + + final public void setPolicyTypeFinal() { + this.policyType |= POLICY_TYPE_FINAL; + } + /** * @return the policyItems */ @@ -240,14 +253,17 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria } } - public boolean isFinalDecider() { + final public boolean isPolicyTypeFinal() { boolean isFinalDecidingPolicy = true; - if (getPolicyType() == null || getPolicyType() != FINAL_ACCESS_DECIDER_POLICY_TYPE) { + if (this.policyType == null) { + isFinalDecidingPolicy = false; + } else if ((this.policyType.intValue() & POLICY_TYPE_FINAL) == 0x0) { isFinalDecidingPolicy = false; } return isFinalDecidingPolicy; } + @Override public String toString( ) { StringBuilder sb = new StringBuilder(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java index 23bb098..2ffedbe 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerResource.java @@ -19,7 +19,11 @@ package org.apache.ranger.plugin.model; +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import org.apache.commons.lang.StringUtils; import org.codehaus.jackson.annotate.JsonAutoDetect; +import org.codehaus.jackson.annotate.JsonIgnore; import org.codehaus.jackson.annotate.JsonIgnoreProperties; import org.codehaus.jackson.map.annotate.JsonSerialize; @@ -111,9 +115,20 @@ public class RangerResource extends RangerBaseModelObject { public static class RangerResourceTag implements java.io.Serializable { + private static Gson gsonBuilder; + private String name = null; private Map<String, Object> attributeValues = null; // Will be JSON string with (name, value) pairs of tag attributes in database + @JsonIgnore + private transient String jSONRepresentation = null; + + static { + gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") + .setPrettyPrinting() + .create(); + } + public RangerResourceTag(String name, Map<String, Object> attributeValues) { super(); setName(name); @@ -134,10 +149,31 @@ public class RangerResource extends RangerBaseModelObject { public void setName(String name) { this.name = name; + this.jSONRepresentation = null; } public void setAttributeValues(Map<String, Object> attributeValues) { this.attributeValues = attributeValues; + this.jSONRepresentation = null; + } + + public String getJSONRepresentation() { + if (StringUtils.isEmpty(jSONRepresentation)) { + jSONRepresentation = gsonBuilder.toJson(this); + } + return jSONRepresentation; + } + public RangerResourceTag deepCopy() { + + RangerResourceTag tag; + + if (StringUtils.isEmpty(getJSONRepresentation())) { + tag = new RangerResourceTag(); + } else { + tag = gsonBuilder.fromJson(jSONRepresentation, this.getClass()); + } + + return tag; } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 0dc7981..7b6eb35 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -393,7 +393,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { evaluator.evaluate(tagEvalRequest, tagEvalResult); - if (evaluator.isFinalDecider() || + if (evaluator.isFinal() || (tagEvalResult.getIsAccessDetermined() && tagEvalResult.getIsAuditedDetermined())) { if (LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval for tag-policy-id=" + tagEvalResult.getPolicyId() + " for tag (" + resourceTag.getName() + ") with authorization=" + tagEvalResult.getIsAllowed()); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index c1c71f0..cc90abc 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -28,7 +28,6 @@ import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator; -import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator; import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.util.ServicePolicies; @@ -201,13 +200,11 @@ public class RangerPolicyRepository { RangerPolicyEvaluator ret; if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT)) { - ret = new RangerDefaultPolicyEvaluator(); + ret = new RangerOptimizedPolicyEvaluator(); } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED)) { ret = new RangerOptimizedPolicyEvaluator(); - } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) { - ret = new RangerCachedPolicyEvaluator(); } else { - ret = new RangerDefaultPolicyEvaluator(); + ret = new RangerCachedPolicyEvaluator(); } ret.init(policy, serviceDef, options); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index fe98c4b..6b577f0 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -226,7 +226,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator boolean matchResult = false; boolean isHeadMatchAttempted = false; boolean headMatchResult = false; - final boolean isPolicyFinalDecider = isFinalDecider(); + final boolean isPolicyFinalDecider = isFinal(); if (!result.getIsAuditedDetermined()) { // Need to match request.resource first. If it matches (or head matches), then only more progress can be made @@ -876,7 +876,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } @Override - public boolean isFinalDecider() { - return getPolicy().isFinalDecider(); + public boolean isFinal() { + return getPolicy().isPolicyTypeFinal(); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java index 26d5223..24ad15d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java @@ -54,6 +54,8 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator private static final int RANGER_POLICY_EVAL_IS_RECURSIVE_PREMIUM = 25; private static final int RANGER_POLICY_EVAL_PUBLIC_GROUP_ACCESS_PREMIUM = 25; private static final int RANGER_POLICY_EVAL_ALL_ACCESS_TYPES_PREMIUM = 25; + private static final int RANGER_POLICY_EVAL_FINAL_POLICY_PREMIUM = 400; + private static final int RANGER_POLICY_EVAL_RESERVED_SLOTS_NUMBER = 10000; private static final int RANGER_POLICY_EVAL_RESERVED_SLOTS_PER_LEVEL_NUMBER = 1000; @@ -196,6 +198,10 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator priorityLevel -= Math.round(((float)RANGER_POLICY_EVAL_ALL_ACCESS_TYPES_PREMIUM * accessPerms.size()) / serviceDef.getAccessTypes().size()); + if (policy.isPolicyTypeFinal()) { + priorityLevel -= RANGER_POLICY_EVAL_FINAL_POLICY_PREMIUM; + } + if(LOG.isDebugEnabled()) { LOG.debug("<== RangerOptimizedPolicyEvaluator.computeEvalOrder(), policyName:" + policy.getName() + ", priority:" + priorityLevel); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index b018f3a..4bc5809 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java @@ -57,5 +57,5 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType); - boolean isFinalDecider(); + boolean isFinal(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/51fba28d/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json index 4ef634c..ea2c87a 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json @@ -91,9 +91,9 @@ "itemId":1, "name":"Default_TagAttributeValueEvaluator", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerTagAttributeEvaluator", - "evaluatorOptions" : {"interpreter":"python"}, - "label":"Python-Script", - "description": "Python script to execute" + "evaluatorOptions" : {"interpreter":"JavaScript"}, + "label":"JavaScript script", + "description": "JavaScript script to execute" } ] }, @@ -102,7 +102,8 @@ "resources":{"tag":{"values":["restricte?"],"isRecursive":false}}, "policyItems":[ {"accesses":[{"type":"hdfs:read","isAllowed":true}],"users":["user1"],"groups":["finance"],"delegateAdmin":false, - "conditions" : [{"type":"Default_TagAttributeValueEvaluator", "values":["Test_Script"]}]} + "conditions" : [{"type":"Default_TagAttributeValueEvaluator", "values":[ + "result.setFailed(); var tagName = tag.name; var attrValues = tag.attributeValues; var expiryDate = attrValues[\"expiry_date\"]; println(expiryDate); result.setSucceeded();"]}]} ] } ,
