Repository: incubator-ranger
Updated Branches:
  refs/heads/master a2c729021 -> a03a31749


Added tests for geo location data where IP addresses are provided as long 
integers, combined long and dot format tests together

Signed-off-by: Madhan Neethiraj <[email protected]>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/03083e74
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/03083e74
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/03083e74

Branch: refs/heads/master
Commit: 03083e74ded843060f385d119875e8ee9eb8ddc1
Parents: 7f8e060
Author: Abhay Kulkarni <[email protected]>
Authored: Wed Sep 2 16:07:24 2015 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Thu Sep 3 21:24:13 2015 -0700

----------------------------------------------------------------------
 .../RangerAbstractGeolocationProvider.java      |  25 +--
 .../plugin/geo/RangerGeolocationData.java       |  11 +-
 .../main/resources/etc/ranger/geo/geo_long.txt  |  29 +++
 .../plugin/policyengine/TestPolicyEngine.java   |   7 +
 .../policyengine/test_policyengine_geo.json     | 212 +++++++++++++++++++
 .../policyengine/test_policyengine_hdfs.json    |   2 +-
 6 files changed, 255 insertions(+), 31 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
index 3f52001..e98fe04 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
@@ -39,7 +39,6 @@ public abstract class RangerAbstractGeolocationProvider 
extends RangerAbstractCo
 
        private static final Log LOG = 
LogFactory.getLog(RangerAbstractGeolocationProvider.class);
 
-       public static final String 
ENRICHER_OPTION_GEOLOCATION_SOURCE_LOADER_OPTIONS = 
"geolocation.source.loader.options";
        public static final String ENRICHER_OPTION_GEOLOCATION_META_PREFIX = 
"geolocation.meta.prefix";
 
        public static final String KEY_CONTEXT_GEOLOCATION_PREFIX = "LOCATION_";
@@ -63,30 +62,8 @@ public abstract class RangerAbstractGeolocationProvider 
extends RangerAbstractCo
 
                String geoSourceLoader = getGeoSourceLoader();
 
-               String geoSourceLoaderOptions = 
getOption(ENRICHER_OPTION_GEOLOCATION_SOURCE_LOADER_OPTIONS);
-               if (StringUtils.isBlank(geoSourceLoaderOptions)) {
-                       geoSourceLoaderOptions = "{}";
-               }
-
-               Map<String, String> context = null;
                GeolocationStore geoStore = null;
-
-
-               try {
-                       Gson gsonBuilder = new 
GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
-                                       .setPrettyPrinting()
-                                       .create();
-
-                       Type mapType = new TypeToken<Map<String, String>>() 
{}.getType();
-                       context = gsonBuilder.fromJson(geoSourceLoaderOptions, 
mapType);
-
-               } catch (JsonSyntaxException exception) {
-                       LOG.error("RangerAbstractGeolocationProvider.init() - 
Cannot initialize geolocation.source.loader.options map, valueString=" +
-                                       geoSourceLoaderOptions + ", exception=" 
+ exception);
-               } catch (JsonParseException exception) {
-                       LOG.error("RangerAbstractGeolocationProvider.init() - 
Cannot initilize geolocation.source.loader.options map, valueString=" +
-                                       geoSourceLoaderOptions + ", exception=" 
+ exception);
-               }
+               Map<String, String> context = enricherDef.getEnricherOptions();
 
                if (context != null) {
                        try {
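Review bot: An enricher definition that still carries the old nested `geolocation.source.loader.options` string is no longer parsed after this hunk, and nothing visible here reports it. `FilePath`, `ForceRead` and `IPInDotFormat` would be absent from `context`, so location attributes would presumably stop being set for that service. Since policy conditions can depend on those attributes, a warning would make the stale configuration visible, for example `if (context != null && context.containsKey("geolocation.source.loader.options")) { LOG.warn("geolocation.source.loader.options is no longer parsed; move its entries into enricherOptions"); }`. The map from `enricherDef.getEnricherOptions()` is also passed on uncopied and now includes `geolocation.meta.prefix`, so a defensive copy would be safer if the loader modifies its context. init() begins and ends outside the hunk.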

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
index 9cc1a3f..6f1f3f3 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
@@ -46,13 +46,12 @@ public class RangerGeolocationData implements 
Comparable<RangerGeolocationData>,
                        if (RangerGeolocationData.validateAsIP(startAddress, 
useDotFormat) && RangerGeolocationData.validateAsIP(endAddress, useDotFormat)) {
 
                                long startIP, endIP;
-                               if (useDotFormat) {
-                                       startIP = 
RangerGeolocationData.ipAddressToLong(startAddress);
-                                       endIP = 
RangerGeolocationData.ipAddressToLong(endAddress);
-                               } else {
-                                       startIP = Long.valueOf(startAddress);
-                                       endIP = Long.valueOf(endAddress);
+                               if (!useDotFormat) {
+                                       startAddress = 
RangerGeolocationData.unsignedIntToIPAddress(Long.valueOf(startAddress));
+                                       endAddress = 
RangerGeolocationData.unsignedIntToIPAddress(Long.valueOf(endAddress));
                                }
+                               startIP = 
RangerGeolocationData.ipAddressToLong(startAddress);
+                               endIP = 
RangerGeolocationData.ipAddressToLong(endAddress);
 
                                if ((endIP - startIP) >= 0) {
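Review bot: The long-format branch calls `Long.valueOf(startAddress)` and `unsignedIntToIPAddress(...)` with no visible bound check. A value below 0 or above 4294967295 in the data file may therefore be mapped to a different address range instead of being rejected, unless `validateAsIP(..., false)` already enforces the range (its body is not in the hunk). Because these ranges feed location-based policy conditions, I would parse once and reject out-of-range input before converting, e.g. `long v = Long.parseLong(startAddress);` then `if (v < 0 || v > 0xFFFFFFFFL) { /* treat the line as invalid */ }`. The enclosing method starts and ends outside the hunk.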
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/main/resources/etc/ranger/geo/geo_long.txt
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/etc/ranger/geo/geo_long.txt 
b/agents-common/src/main/resources/etc/ranger/geo/geo_long.txt
new file mode 100644
index 0000000..f0cf287
--- /dev/null
+++ b/agents-common/src/main/resources/etc/ranger/geo/geo_long.txt
@@ -0,0 +1,29 @@
+# This is a sample geolocation data format used by Ranger
+# If a line contains '#' as a first-nonblank character then it is considered a 
comment line
+# First non-comment line in the file must be metadata line; metadata line 
contains '!' as first character
+# Format of metadata and data lines is strictly Comma-Separated-Values. Spaces 
are not allowed to surround commas.
+# Only IP-4 address values in dot-notation are supported.
+#
+FROM_IP,TO_IP,COUNTRY_CODE,COUNTRY_NAME,STATE,CITY,ZIP,LAT,LONG
+167772415,167772928,US,United States,CA
+335570020,335570029,US,United States,MT
+335570000,335570009,CA,Canada
+335570030,335570039,BR,Brazil
+335569990,335569993,IN,India
+335570040,335570049,NG,Nigeria
+335570010,335570014,AUS,Austalia
+335569994,335569999,AN,Angola
+335570015,335570019,UK,United Kingdom
+3229639681,3229639755,FR,France
+16777216,16777471,AU,Australia,Queensland,Brisbane
+16777472,16778239,CN,China,Fujian,Fuzhou,
+16778240,16778495,AU,Australia,Victoria,Melbourne,
+16778496,16779263,AU,Australia,-,-,
+16779264,16781311,CN,China,Guangdong,Guangzhou,
+4294967040,4294967295,CN,China,Guangdong,Guangzhou,
+16781312,16785407,JP,Japan,Tokyo,Tokyo,
+16785408,16793599,CN,China,Guangdong,Guangzhou,
+16793600,16797695,JP,Japan,Hiroshima,Hiroshima,
+16797696,16798719,JP,Japan,Tokyo,Tokyo,
+2154128740,2154128895,US,United States,Minnesota,Minneapolis
+#16797696,16798719,JP,Japan,Tokyo,Tokyo
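Review bot: The header comments do not describe this file: they say only dot-notation IPv4 values are supported, while every data row uses long integers, and the note about a metadata line starting with '!' does not match the `FROM_IP,...` line as shown. I would replace the dot-notation line with `# IPv4 addresses are given as unsigned 32-bit integers (use with IPInDotFormat=false).` The row `335570010,335570014,AUS,Austalia` has a misspelled country name and a three-letter code where the other rows use two letters. The file is added under src/main/resources rather than the test tree, so sample rows such as the 4294967040-4294967295 range would presumably ship with the plugin; moving it to src/test/resources would keep test data out of the product.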

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index a6d0812..3a7448f 100644
--- 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -179,6 +179,13 @@ public class TestPolicyEngine {
                runTestsFromResourceFiles(conditionsTestResourceFiles);
        }
 
+       @Test
+       public void testPolicyEngine_geo() {
+               String[] conditionsTestResourceFiles = { 
"/policyengine/test_policyengine_geo.json" };
+
+               runTestsFromResourceFiles(conditionsTestResourceFiles);
+       }
+
        private void runTestsFromResourceFiles(String[] resourceNames) {
                for(String resourceName : resourceNames) {
                        InputStream       inStream = 
this.getClass().getResourceAsStream(resourceName);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/test/resources/policyengine/test_policyengine_geo.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_geo.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_geo.json
new file mode 100644
index 0000000..eab1223
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_geo.json
@@ -0,0 +1,212 @@
+{
+  "serviceName":"hdfsdev",
+
+  "serviceDef":{
+    "name":"hdfs",
+    "id":1,
+    "resources":[
+    
{"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true,
 "ignoreCase":true},"label":"Resource Path","description":"HDFS file or 
directory path"}
+    ],
+    "accessTypes":[
+      {"name":"read","label":"Read"},
+      {"name":"write","label":"Write"},
+      {"name":"execute","label":"Execute"}
+    ],
+    "contextEnrichers":
+    [
+      {
+        "itemId":1,
+        "name" : "GeolocationEnricher_format_long",
+        "enricher" : 
"org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+        "enricherOptions" : {
+          "FilePath":"/etc/ranger/geo/geo_long.txt", "ForceRead":"false", 
"IPInDotFormat":"false"
+          ,"geolocation.meta.prefix": "FORMAT_LONG_"
+        }
+      },
+      {
+        "itemId":2,
+        "name" : "GeolocationEnricher_format_dot",
+        "enricher" : 
"org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+        "enricherOptions" : {
+          "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", 
"IPInDotFormat":"true"
+        ,"geolocation.meta.prefix": "FORMAT_DOT_"
+        }
+      }
+    ],
+    "policyConditions": [
+      {
+        "itemId":1,
+        "name":"ScriptConditionEvaluator",
+        "evaluator": 
"org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+        "evaluatorOptions" : {"engineName":"JavaScript"},
+        "label":"Script",
+        "description": "Script to execute"
+      }
+    ]
+  },
+
+  "policies":[
+    {"id":1,"name":"audit-all-access under 
/finance/restricted/","isEnabled":true,"isAuditEnabled":true,
+     
"resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}},
+     "policyItems":[
+       {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":2,"name":"allow-read-to-all under 
/public/","isEnabled":true,"isAuditEnabled":false,
+     "resources":{"path":{"values":["/public/*"],"isRecursive":true}},
+     "policyItems":[
+       
{"accesses":[{"type":"read","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":3,"name":"allow-read-to-finance under 
/finance/restricted","isEnabled":true,"isAuditEnabled":true,
+     
"resources":{"path":{"values":["/finance/restricted"],"isRecursive":true}},
+     "policyItems":[
+       
{"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false,
+         "conditions":[{
+           "type":"ScriptConditionEvaluator",
+           "values":["var country_code_format_long = 
ctx.getRequestContextAttribute('LOCATION_FORMAT_LONG_COUNTRY_CODE'); var 
country_code_format_dot = 
ctx.getRequestContextAttribute('LOCATION_FORMAT_DOT_COUNTRY_CODE');ctx.result = 
(!!country_code_format_long && !!country_code_format_dot && 
(country_code_format_long == country_code_format_dot));"]
+         }]}
+     ]
+    }
+  ],
+
+  "tests":[
+    {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; valid 
clientIPAddress",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      
"accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read 
/finance/restricted/sales.db",
+       "clientIPAddress":"255.255.255.255"
+     },
+     "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+    }
+    ,
+    {"name":"DENY 'read /finance/restricted/sales.db' for g=finance; invalid 
clientIPAddress",
+      "request":{
+        "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+        
"accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read 
/finance/restricted/sales.db",
+        "clientIPAddress":"128.101.101.99"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+  ,
+    {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; no 
clientIPAddress",
+      "request":{
+        "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+        
"accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read 
/finance/restricted/sales.db"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+  ,
+    {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      
"accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read 
/finance/restricted/hr/payroll.db",
+       "clientIPAddress":"128.101.101.101"
+
+     },
+     "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      
"accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read 
/operations/visitors.db",
+       "clientIPAddress":"128.101.101.99"
+     },
+     "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      
"accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read 
/public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+    ,
+
+    {"name":"DENY 'read /finance/restricted/sales.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      
"accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read 
/finance/restricted/sales.db"
+     },
+     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      
"accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read 
/finance/restricted/hr/payroll.db"
+     },
+     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      
"accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read 
/operations/visitors.db"
+     },
+     "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      
"accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read 
/public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+    ,
+
+    {"name":"DENY 'read /finance/restricted/sales.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read 
/finance/restricted/sales.db"
+     },
+     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read 
/finance/restricted/hr/payroll.db"
+     },
+     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read 
/operations/visitors.db"
+     },
+     "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read 
/public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read 
/public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      
"accessType":"execute","user":"user1","userGroups":[],"requestData":"read 
/public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+  ]
+}
+
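Review bot: The third test is named `ALLOW 'read /finance/restricted/sales.db' for g=finance; no clientIPAddress` but expects `"isAllowed":false`, so the name contradicts the fail-closed result it pins; rename it to `DENY 'read /finance/restricted/sales.db' for g=finance; no clientIPAddress`. The entry named `FALSE 'read /finance/restricted/hr/payroll.db' for g=hr` looks like it should read `DENY` as well. The last two tests share the name `ALLOW 'read /public/technology' for u=user1` although the second checks `execute`, which makes a failure report ambiguous; naming it `ALLOW 'execute /public/technology' for u=user1` would fix that.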

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index db92668..a7f355c 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -19,7 +19,7 @@
         "name" : "GeolocationEnricher",
         "enricher" : 
"org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
         "enricherOptions" : {
-          "geolocation.source.loader.options": 
"{'FilePath':'/etc/ranger/geo/geo.txt', 'ForceRead':'false', 
'IPInDotFormat':'true' }"
+          "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", 
"IPInDotFormat":"true"
           ,"geolocation.meta.prefix": "TEST_"
         }
       }
