RANGER-683: access should not be be allowed if denied by either a tag-based policy or a resource-based policy
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/689dc76b Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/689dc76b Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/689dc76b Branch: refs/heads/master Commit: 689dc76bc49da8e669e6e6e1ffd865f16a11aacc Parents: 8194269 Author: Madhan Neethiraj <[email protected]> Authored: Wed Oct 7 13:54:13 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Wed Oct 7 17:30:31 2015 -0700 ---------------------------------------------------------------------- .../policyengine/RangerPolicyEngineImpl.java | 132 ++-- .../RangerDefaultPolicyEvaluator.java | 57 +- .../RangerOptimizedPolicyEvaluator.java | 13 +- .../plugin/policyengine/TestPolicyEngine.java | 5 - .../test_policyengine_tag_hdfs.json | 769 +++++++++++++++---- 5 files changed, 729 insertions(+), 247 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 5d1140b..8adab7b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -324,37 +324,38 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } } - if (!ret.getIsAccessDetermined() || !ret.getIsAuditedDetermined()) { - if (hasResourcePolicies()) { - boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret); - RangerPolicyEvaluator allowedEvaluator = null; + boolean isAllowedByTags = ret.getIsAccessDetermined() && ret.getIsAllowed(); + boolean isDeniedByTags = ret.getIsAccessDetermined() && !ret.getIsAllowed(); + boolean evaluateResourcePolicies = hasResourcePolicies() && (!isDeniedByTags || !ret.getIsAuditedDetermined()); - List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(); - for (RangerPolicyEvaluator evaluator : evaluators) { - evaluator.evaluate(request, ret); + if (evaluateResourcePolicies) { + boolean findAuditByResource = !ret.getIsAuditedDetermined(); + boolean foundInCache = findAuditByResource ? policyRepository.setAuditEnabledFromCache(request, ret) : false; - if(allowedEvaluator == null && ret.getIsAllowed()) { - allowedEvaluator = evaluator; - } + if(isAllowedByTags) { + ret.setIsAccessDetermined(false); // discard allowed result by tag-policies, to evaluate resource policies for possible deny + } - // stop once isAccessDetermined==true && isAuditedDetermined==true - if(ret.getIsAuditedDetermined()) { - if(ret.getIsAccessDetermined() || (allowedEvaluator != null && !evaluator.hasDeny())) { - break; // Break out of policy-evaluation loop for this tag - } - } - } + List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(); + for (RangerPolicyEvaluator evaluator : evaluators) { + evaluator.evaluate(request, ret); - if(!ret.getIsAccessDetermined() && allowedEvaluator != null) { - ret.setIsAllowed(true); - ret.setPolicyId(allowedEvaluator.getPolicy().getId()); + if(ret.getIsAllowed() && !evaluator.hasDeny()) { // all policies having deny have been evaluated ret.setIsAccessDetermined(true); } - if (!foundInCache) { - policyRepository.storeAuditEnabledInCache(request, ret); + if(ret.getIsAuditedDetermined() && ret.getIsAccessDetermined()) { + break; // Break out of policy-evaluation loop } } + + if(ret.getIsAllowed()) { + ret.setIsAccessDetermined(true); + } + + if (findAuditByResource && !foundInCache) { + policyRepository.storeAuditEnabledInCache(request, ret); + } } } @@ -365,9 +366,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return ret; } - protected RangerAccessResult isAccessAllowedForTagPolicies(final RangerAccessRequest request, RangerAccessResult result) { + protected void isAccessAllowedForTagPolicies(final RangerAccessRequest request, RangerAccessResult result) { if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")"); + LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + result + ")"); } List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(); @@ -376,90 +377,75 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); if(CollectionUtils.isNotEmpty(tags)) { - boolean someTagAllowedAudit = false; - RangerAccessResult savedAccessResult = createAccessResult(request); - List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>(); - for (RangerTag tag : tags) { if (LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + tag.getType() + ")"); } - RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request); - RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest); - RangerPolicyEvaluator allowedEvaluator = null; + RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request); + RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest); + + // carry fwd results from earlier tags, to optimize the current evaluation + // - if access was already allowed by a tag, only deny needs to be looked into + // - if audit was already determined, evaluation can bail out as soon as access is determined + if(result.getIsAllowed()) { + tagEvalResult.setIsAllowed(result.getIsAllowed()); + } + tagEvalResult.setAuditResultFrom(result); for (RangerPolicyEvaluator evaluator : evaluators) { + if(! evaluator.isMatch(tagEvalRequest.getResource())) + continue; + evaluator.evaluate(tagEvalRequest, tagEvalResult); - if(allowedEvaluator == null && tagEvalResult.getIsAllowed()) { - allowedEvaluator = evaluator; + if(tagEvalResult.getIsAllowed() && !evaluator.hasDeny()) { // all policies having deny have been evaluated + tagEvalResult.setIsAccessDetermined(true); } - if(tagEvalResult.getIsAuditedDetermined()) { - if(tagEvalResult.getIsAccessDetermined() || (allowedEvaluator != null && !evaluator.hasDeny())) { - if (LOG.isDebugEnabled()) { - LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + tag.getType() + ") with authorization=" + tagEvalResult.getIsAllowed()); - } - break; // Break out of policy-evaluation loop for this tag + if(tagEvalResult.getIsAuditedDetermined() && tagEvalResult.getIsAccessDetermined()) { + if (LOG.isDebugEnabled()) { + LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + tag.getType() + ") with authorization=" + tagEvalResult.getIsAllowed()); } + + break; // Break out of policy-evaluation loop for this tag } } - if(!tagEvalResult.getIsAccessDetermined() && allowedEvaluator != null) { - tagEvalResult.setIsAllowed(true); - tagEvalResult.setPolicyId(allowedEvaluator.getPolicy().getId()); + if(tagEvalResult.getIsAllowed()) { tagEvalResult.setIsAccessDetermined(true); } - if (tagEvalResult.getIsAuditedDetermined()) { - someTagAllowedAudit = true; - // And generate an audit event - if (tagEvalResult.getIsAccessDetermined()) { - RangerTagAuditEvent event = new RangerTagAuditEvent(tag.getType(), tagEvalResult); - tagAuditEvents.add(event); - } + if (tagEvalResult.getIsAudited()) { + result.setIsAudited(true); } - if (tagEvalResult.getIsAccessDetermined()) { - savedAccessResult.setAccessResultFrom(tagEvalResult); - - if (!tagEvalResult.getIsAllowed()) { - if (LOG.isDebugEnabled()) { - LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag-policies as tag (" + tag.getType() + "), tag-policy-id=" + tagEvalResult.getPolicyId() + " denied access."); + if(!result.getIsAccessDetermined() && tagEvalResult.getIsAccessDetermined()) { + if(! tagEvalResult.getIsAllowed()) { // access is denied for this tag + result.setAccessResultFrom(tagEvalResult); + } else { // access is allowed for this tag + // if a policy evaluated earlier allowed the access, don't update with current tag result + if(! result.getIsAllowed()) { + result.setAccessResultFrom(tagEvalResult); + result.setIsAccessDetermined(false); // so that evaluation will continue for deny } - break; // Break out of tags evaluation loop altogether } } - } - - result.setAccessResultFrom(savedAccessResult); - if (someTagAllowedAudit) { - if (LOG.isDebugEnabled()) { - LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: at least one tag-policy requires generation of audit event"); + if(result.getIsAuditedDetermined() && result.getIsAccessDetermined()) { + break; // Break out of policy-evaluation loop } - result.setIsAudited(true); - - boolean isAccessDenied = result.getIsAccessDetermined() && !result.getIsAllowed(); - - RangerTagAuditEvent.processTagEvents(tagAuditEvents, isAccessDenied); - // Set processed list into result - // result.setAuxilaryAuditInfo(tagAuditEvents); } if (LOG.isDebugEnabled()) { LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : result=" + result); - LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : auditEventList=" + tagAuditEvents); } } } if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + result + ")" ); + LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + result + ")" ); } - - return result; } private void setResourceServiceDef(RangerAccessRequest request) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 1764b60..da15c00 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -147,28 +147,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (!isResourceMatch) { if (attemptResourceHeadMatch && !isResourceHeadMatchAttempted) { isResourceHeadMatch = matchResourceHead(request.getResource()); - isResourceHeadMatchAttempted = true; + isResourceHeadMatchAttempted = true; } } + // Go further to evaluate access only if match or head match was found at this point if (isResourceMatch || isResourceHeadMatch) { - RangerPolicyItemEvaluator matchedPolicyItem = getDeterminingPolicyItem(request); - - if(matchedPolicyItem != null) { - RangerPolicy policy = getPolicy(); - - if(matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) { - if(isResourceMatch) { - result.setIsAllowed(false); - result.setPolicyId(policy.getId()); - result.setReason(matchedPolicyItem.getComments()); - } - } else { - result.setIsAllowed(true); - result.setPolicyId(policy.getId()); - result.setReason(matchedPolicyItem.getComments()); - } - } + evaluatePolicyItems(request, result, isResourceMatch); } } } @@ -178,28 +163,38 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } } - protected RangerPolicyItemEvaluator getDeterminingPolicyItem(RangerAccessRequest request) { + protected void evaluatePolicyItems(RangerAccessRequest request, RangerAccessResult result, boolean isResourceMatch) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + request + ")"); + LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")"); } - RangerPolicyItemEvaluator ret = null; + RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators); - /* - * 1. if a deny matches without hitting any deny-exception, return that - * 2. if an allow matches without hitting any allow-exception, return that - */ - ret = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators); + if(matchedPolicyItem == null && !result.getIsAllowed()) { // if not denied, evaluate allowItems only if not already allowed + matchedPolicyItem = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators); + } - if(ret == null) { - ret = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators); + if(matchedPolicyItem != null) { + RangerPolicy policy = getPolicy(); + + if(matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) { + if(isResourceMatch) { + result.setIsAllowed(false); + result.setPolicyId(policy.getId()); + result.setReason(matchedPolicyItem.getComments()); + } + } else { + if(! result.getIsAllowed()) { // if access is not yet allowed by another policy + result.setIsAllowed(true); + result.setPolicyId(policy.getId()); + result.setReason(matchedPolicyItem.getComments()); + } + } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + request + "): " + ret); + LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")"); } - - return ret; } protected RangerPolicyItemEvaluator getDeterminingPolicyItem(String user, Set<String> userGroups, String accessType) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java index a118466..a3da6bb 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java @@ -26,6 +26,7 @@ import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; @@ -228,27 +229,23 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator } @Override - protected RangerPolicyItemEvaluator getDeterminingPolicyItem(RangerAccessRequest request) { + protected void evaluatePolicyItems(RangerAccessRequest request, RangerAccessResult result, boolean isResourceMatch) { if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerOptimizedPolicyEvaluator.isPolicyItemsMatch()"); + LOG.debug("==> RangerOptimizedPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")"); } - RangerPolicyItemEvaluator ret = null; - if (hasPublicGroup || users.contains(request.getUser()) || CollectionUtils.containsAny(groups, request.getUserGroups())) { // No need to reject based on users and groups if (request.isAccessTypeAny() || (request.isAccessTypeDelegatedAdmin() && delegateAdmin) || hasAllPerms || accessPerms.contains(request.getAccessType())) { // No need to reject based on aggregated access permissions - ret = super.getDeterminingPolicyItem(request); + super.evaluatePolicyItems(request, result, isResourceMatch); } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerOptimizedPolicyEvaluator.isPolicyItemsMatch(): " + ret); + LOG.debug("<== RangerOptimizedPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")"); } - - return ret; } private void preprocessPolicyItems(List<RangerPolicy.RangerPolicyItem> policyItems) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index d7801b9..b59ae1f 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -23,13 +23,8 @@ import com.google.gson.*; import com.google.gson.reflect.TypeToken; import org.apache.commons.lang.StringUtils; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.FSDataOutputStream; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.fs.FileSystem; import org.apache.ranger.audit.provider.AuditHandler; import org.apache.ranger.audit.provider.AuditProviderFactory; -import org.apache.ranger.authorization.hadoop.config.RangerConfiguration; import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerTag; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json index ed42d5c..15fd4cd 100644 --- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json @@ -1,11 +1,10 @@ { "serviceName":"hdfsdev", - "serviceDef":{ "name":"hdfs", "id":1, "resources":[ - {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Resource Path","description":"HDFS file or directory path"} + {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Resource Path","description":"HDFS file or directory path"} ], "accessTypes":[ {"name":"read","label":"Read"}, @@ -13,171 +12,681 @@ {"name":"execute","label":"Execute"} ] }, - "policies":[ - ], - "tagPolicyInfo": { - - "serviceName":"tagdev", - "serviceDef": { - "name": "tag", - "id": 100, - "resources": [ + { + "id": 1, + "name": "/resource: allow: users=user-ra, user-ra-ta, user-ra-td; deny: user=user-rd, user-rd-ta, user-rd-td", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "path": { "values": [ "/resource" ], "isRecursive": true } + }, + "policyItems": [ { - "itemId": 1, - "name": "tag", - "type": "string", - "level": 1, - "parent": "", - "mandatory": true, - "lookupSupported": true, - "recursiveSupported": false, - "excludesSupported": false, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": false - }, - "validationRegEx": "", - "validationMessage": "", - "uiHint": "", - "label": "TAG", - "description": "TAG" + "accesses":[ + {"type":"read"}, + {"type":"write"} + ], + "users":["user-ra", "user-ra-ta", "user-ra-td"], + "groups":["finance"], + "delegateAdmin":false, + "conditions" : [] } ], - "accessTypes": [ - { - "itemId": 1, - "name": "hdfs:read", - "label": "hdfs:Read" - }, - { - "itemId": 2, - "name": "hdfs:write", - "label": "hdfs:Write" - }, - { - "itemId": 3, - "name": "hdfs:execute", - "label": "hdfs:Execute" - } - , + "allowExceptions":[ ], + "denyPolicyItems": [ { - "itemId": 4, - "name": "hive:grant", - "label": "hive:grant" - } - , - { - "itemId": 5, - "name": "kms:dek", - "label": "kms:dek" - } - , - { - "itemId": 6, - "name": "delete", - "label": "delete" + "accesses": [ + { "type": "read" }, + { "type": "execute" }, + { "type": "write" } + ], + "users": [ "user-rd", "user-rd-ta", "user-rd-td" ], + "groups": [], + "delegateAdmin": false, + "conditions": [ + ] } ], - "contextEnrichers": [ + "denyExceptions":[ ] + }, + { + "id": 2, + "name": "/unaudited-resource: allow: users=user-ra, user-ra-ta, user-ra-td; deny: user=user-rd, user-rd-ta, user-rd-td", + "isEnabled": true, + "isAuditEnabled": false, + "resources": { + "path": { "values": [ "/unaudited-resource" ], "isRecursive": true } + }, + "policyItems": [ { - "itemId": 1, - "name" : "TagEnricher", - "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", - "enricherOptions" : {"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever", "tagRefresherPollingInterval":60000, "dataFile":"/etc/ranger/data/resourceTags.txt"} + "accesses":[ + {"type":"read" }, + {"type":"write" } + ], + "users":["user-ra", "user-ra-ta", "user-ra-td"], + "groups":["finance"], + "delegateAdmin":false, + "conditions" : [] } ], - "policyConditions": [ + "allowExceptions":[ ], + "denyPolicyItems": [ { - "itemId":1, - "name":"ScriptConditionEvaluator", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", - "evaluatorOptions" : {"engineName":"JavaScript"}, - "label":"Script", - "description": "Script to execute" + "accesses": [ + { "type": "read" }, + { "type": "execute" }, + { "type": "write" } + ], + "users": [ "user-rd", "user-rd-ta", "user-rd-td" ], + "groups": [], + "delegateAdmin": false, + "conditions": [ + ] } - ] + ], + "denyExceptions":[ ] + } + ], + + "tagPolicyInfo": { + "serviceName":"tagdev", + "serviceDef": { + "name": "tag", + "id": 100, + "resources": [ + { "name": "tag", "type": "string", "level": 1, "mandatory": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": false, "ignoreCase": false }, "label": "TAG", "description": "TAG" } + ], + "accessTypes": [ + { "name": "hdfs:read", "label": "hdfs:Read" }, + { "name": "hdfs:write", "label": "hdfs:Write" }, + { "name": "hdfs:execute", "label": "hdfs:Execute" } + ], + "contextEnrichers": [ ], + "policyConditions": [ ] }, "tagPolicies":[ - {"id":101,"name":"PII with expiry","isEnabled":true,"isAuditEnabled":true, + { + "id":101, + "name":"PII", + "isEnabled":true, + "isAuditEnabled":true, "resources":{"tag":{"values":["PII"],"isRecursive":false}}, "policyItems":[ { "accesses":[ - {"type":"hdfs:read", "isAllowed":true}, - {"type":"hive:grant", "isAllowed":true}, - {"type":"delete", "isAllowed":true}, - {"type":"hdfs:write", "isAllowed":true} - ], - "users":["user1"], - "groups":["finance"], - "delegateAdmin":false, - "conditions" : [] + {"type":"hdfs:read", "isAllowed":true}, + {"type":"hdfs:write", "isAllowed":true} + ], + "users":["user-ta", "user-ra-ta", "user-rd-ta"], + "groups":["finance"], + "delegateAdmin":false, + "conditions" : [] } ], + "allowExceptions":[ ], "denyPolicyItems":[ { "accesses":[ - {"type":"hdfs:read", "isAllowed":true}, - {"type":"hive:grant", "isAllowed":true}, - {"type":"delete", "isAllowed":true}, - {"type":"hdfs:write", "isAllowed":true} - ], - "users":[""], - "groups":["public"], - "delegateAdmin":false, - "conditions" : [ - {"type":"ScriptConditionEvaluator", "values": [ - "ctx.result = true; importPackage(java.util); var accessDate = ctx.accessTime; var expiryDate = ctx.getTagAttributeAsDate('PII','expiry_date'); expiryDate.getTime() < accessDate.getTime();" - ]} - ] + {"type":"hdfs:read" }, + {"type":"hdfs:write" } + ], + "users":["user-td", "user-ra-td", "user-rd-td"], + "groups":[], + "delegateAdmin":false, + "conditions" : [ ] } ], - "denyExceptions":[ + "denyExceptions":[ ] + }, + { + "id":102, + "name":"Unaudited-TAG", + "isEnabled":true, + "isAuditEnabled":false, + "resources":{"tag":{"values":["Unaudited-TAG"],"isRecursive":false}}, + "policyItems":[ { "accesses":[ - {"type":"hdfs:read", "isAllowed":true}, - {"type":"hive:grant", "isAllowed":true}, - {"type":"delete", "isAllowed":true}, - {"type":"hdfs:write", "isAllowed":true} - ], - "users":["user1"], - "groups":["finance"], - "delegateAdmin":false, - "conditions" : [] + {"type":"hdfs:read" }, + {"type":"hdfs:write" } + ], + "users":["user-ta", "user-ra-ta", "user-rd-ta"], + "groups":["finance"], + "delegateAdmin":false, + "conditions" : [] } - ] + ], + "allowExceptions":[ ], + "denyPolicyItems":[ + { + "accesses":[ + {"type":"hdfs:read" }, + {"type":"hdfs:write" } + ], + "users":["user-td", "user-ra-td", "user-rd-td"], + "groups":[], + "delegateAdmin":false, + "conditions" : [ ] + } + ], + "denyExceptions":[ ] } ] }, "tests":[ - {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance", - "request":{ - "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, - "accessType":"read","user":"userx","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db", - "context": {"TAGS":"[{\"type\":\"PII\",\"attributes\":{\"expiry_date\":\"2015/09/01\"}}]"} - }, - "result":{"isAudited":true,"isAllowed":true,"policyId":101} + { + "name": "ALLOW 'read /resource' for u=user-ra", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-ra", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 1 } + }, + { + "name": "ALLOW 'read /resource' for u=user-ra-ta", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-ra-ta", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 101 } + }, + { + "name": "DENY 'read /resource' for u=user-ra-td", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-ra-td", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 101 } + }, + { + "name": "DENY 'read /resource' for u=user-rd", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-rd", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 1 } + }, + { + "name": "DENY 'read /resource' for u=user-rd-ta", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-rd-ta", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 1 } + }, + { + "name": "DENY 'read /resource' for u=user-rd-td", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-rd-td", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 101 } + }, + { + "name": "ALLOW 'read /resource' for u=user-ta", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-ta", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 101 } + }, + { + "name": "DENY 'read /resource' for u=user-td", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-td", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 101 } + }, + { + "name": "DENY 'read /resource' for u=user-unknown", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-unknown", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": -1 } } , - {"name":"ALLOW 'read /finance/restricted/sales.db' for u=user1", - "request":{ - "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, - "accessType":"read","user":"user1","userGroups":["employee"],"requestData":"read /finance/restricted/sales.db", - "context": {"TAGS":"[{\"type\":\"PII\",\"attributes\":{\"expiry_date\":\"2015/09/01\"}}]"} - }, - "result":{"isAudited":true,"isAllowed":true,"policyId":101} + + { + "name": "ALLOW 'read /resource' for u=user-ra", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-ra", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 1 } + }, + { + "name": "ALLOW 'read /resource' for u=user-ra-ta", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-ra-ta", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 102 } + }, + { + "name": "DENY 'read /resource' for u=user-ra-td", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-ra-td", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 102 } + }, + { + "name": "DENY 'read /resource' for u=user-rd", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-rd", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 1 } + }, + { + "name": "DENY 'read /resource' for u=user-rd-ta", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-rd-ta", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 1 } + }, + { + "name": "DENY 'read /resource' for u=user-rd-td", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-rd-td", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 102 } + }, + { + "name": "ALLOW 'read /resource' for u=user-ta", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-ta", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 102 } + }, + { + "name": "DENY 'read /resource' for u=user-td", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-td", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 102 } + }, + { + "name": "DENY 'read /resource' for u=user-unknown", + "request": { + "resource": { "elements": { "path": "/resource" } }, + "accessType": "read", + "user": "user-unknown", + "userGroups": [ ], + "requestData": "read /resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": -1 } } , - {"name":"DENY 'read /finance/restricted/sales.db' for u=user2", - "request":{ - "resource":{"elements":{"path":"/finance/restricted/sales.db"}}, - "accessType":"read","user":"user2","userGroups":["employee"],"requestData":"read /finance/restricted/sales.db", - "context": {"TAGS":"[{\"type\":\"PII\",\"attributes\":{\"expiry_date\":\"2015/09/01\"}}]"} - }, - "result":{"isAudited":true,"isAllowed":false,"policyId":101} + + { + "name": "ALLOW 'read /unaudited-resource' for u=user-ra", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-ra", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 2 } + }, + { + "name": "ALLOW 'read /unaudited-resource' for u=user-ra-ta", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-ra-ta", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 101 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-ra-td", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-ra-td", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 101 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-rd", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-rd", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 2 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-rd-ta", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-rd-ta", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 2 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-rd-td", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-rd-td", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 101 } + }, + { + "name": "ALLOW 'read /unaudited-resource' for u=user-ta", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-ta", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": true, "policyId": 101 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-td", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-td", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": 101 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-unknown", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-unknown", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"PII\"}]" + } + }, + "result": { "isAudited": true, "isAllowed": false, "policyId": -1 } + } + , + + { + "name": "ALLOW 'read /unaudited-resource' for u=user-ra", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-ra", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": true, "policyId": 2 } + }, + { + "name": "ALLOW 'read /unaudited-resource' for u=user-ra-ta", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-ra-ta", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": true, "policyId": 102 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-ra-td", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-ra-td", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": false, "policyId": 102 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-rd", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-rd", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": false, "policyId": 2 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-rd-ta", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-rd-ta", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": false, "policyId": 2 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-rd-td", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-rd-td", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": false, "policyId": 102 } + }, + { + "name": "ALLOW 'read /unaudited-resource' for u=user-ta", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-ta", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": true, "policyId": 102 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-td", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-td", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": false, "policyId": 102 } + }, + { + "name": "DENY 'read /unaudited-resource' for u=user-unknown", + "request": { + "resource": { "elements": { "path": "/unaudited-resource" } }, + "accessType": "read", + "user": "user-unknown", + "userGroups": [ ], + "requestData": "read /unaudited-resource", + "context": { + "TAGS": "[{\"type\":\"Unaudited-TAG\"}]" + } + }, + "result": { "isAudited": false, "isAllowed": false, "policyId": -1 } } + + ] }
