Repository: incubator-ranger Updated Branches: refs/heads/master 9ea1d4ad7 -> 17dd5c335
RANGER-816: Added unit tests for file-based tag retriever Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/17dd5c33 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/17dd5c33 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/17dd5c33 Branch: refs/heads/master Commit: 17dd5c3359fe1dccd25c4540a02c6b995d74f16f Parents: 9ea1d4a Author: Abhay Kulkarni <[email protected]> Authored: Tue Jan 12 07:47:32 2016 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Jan 12 17:28:33 2016 -0800 ---------------------------------------------------------------------- .../plugin/policyengine/TestPolicyEngine.java | 7 + .../resources/policyengine/resourceTags.json | 207 +++++++++++++ .../test_policyengine_tag_hive_filebased.json | 304 +++++++++++++++++++ 3 files changed, 518 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/17dd5c33/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index f199c44..f9ba62b 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -187,6 +187,13 @@ public class TestPolicyEngine {
 runTestsFromResourceFiles(conditionsTestResourceFiles);
 }
 
+ @Test
+ public void testPolicyEngine_hiveForTag_filebased() {
+ String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_tag_hive_filebased.json" };
+
+ runTestsFromResourceFiles(conditionsTestResourceFiles);
+ }
+
 private void runTestsFromResourceFiles(String[] resourceNames) {
 for(String resourceName : resourceNames) {
 InputStream inStream = this.getClass().getResourceAsStream(resourceName);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/17dd5c33/agents-common/src/test/resources/policyengine/resourceTags.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/resourceTags.json b/agents-common/src/test/resources/policyengine/resourceTags.json
new file mode 100644
index 0000000..9523ca0
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/resourceTags.json
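Review bot: The local in testPolicyEngine_hiveForTag_filebased is named `conditionsTestResourceFiles` although the resource it holds is the tag / file-based-retriever fixture, a name evidently carried over from the preceding test method; `String[] tagTestResourceFiles = { "/policyengine/test_policyengine_tag_hive_filebased.json" };` followed by `runTestsFromResourceFiles(tagTestResourceFiles);` keeps the method self-describing. Because the fixture wires a RangerFileBasedTagRetriever through its `serviceTagsFileName` option, a one-line comment on the method such as `// exercises RangerFileBasedTagRetriever; tags come from /policyengine/resourceTags.json` would spare the next reader a trip into the JSON. runTestsFromResourceFiles continues past the hunk, so whether the InputStream opened on its last visible line is closed cannot be judged from here.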
@@ -0,0 +1,207 @@
+{
+ "op":"add_or_update",
+ "tagModel":"resource_private",
+ "serviceName": "cl1_hive",
+ "tagDefinitions": {
+ "1": {
+ "name": "EXPIRES_ON",
+ "attributeDefs": [ { "name": "expiry_date", "type": "datetime" } ],
+ "id": 1,
+ "guid": "tagdefinition-expires-on-guid"
+ },
+ "2": {
+ "name": "PII",
+ "attributeDefs": [ { "name": "expiry", "type": "datetime" } ],
+ "id": 2,
+ "guid": "tagdefinition-pii-guid"
+ },
+ "3": {
+ "name": "PII-FINAL",
+ "attributeDefs": [ { "name": "expiry", "type": "datetime" } ],
+ "id": 3,
+ "guid": "tagdefinition-pii-final-guid"
+ },
+ "4": {
+ "name": "RESTRICTED",
+ "attributeDefs": [ { "name": "activation_date", "type": "datetime" } ],
+ "id": 4,
+ "guid": "tagdefinition-restricted-guid"
+ },
+ "5": {
+ "name": "RESTRICTED-FINAL",
+ "attributeDefs": [ { "name": "activation_date", "type": "datetime" } ],
+ "id": 5,
+ "guid": "tagdefinition-restricted-final-guid"
+ }
+ },
+ "tags": {
+ "1": {
+ "type": "EXPIRES_ON",
+ "attributes": { "expiry_date": "2026/06/15" },
+ "id": 1,
+ "guid": "tag-expires-on-1-guid"
+ },
+ "2": {
+ "type": "EXPIRES_ON",
+ "attributes": { "expiry_date": "2015/08/10" },
+ "id": 2,
+ "guid": "tag-expires-on-2-guid"
+ },
+ "3": {
+ "type": "RESTRICTED",
+ "attributes": { "activation_date": "2015/08/10" },
+ "id": 3,
+ "guid": "tag-restricted-3-guid"
+ },
+ "4": {
+ "type": "RESTRICTED-FINAL",
+ "attributes": { "activation_date": "2026/06/15" },
+ "id": 4,
+ "guid": "tag-restricted-final-4-guid"
+ },
+ "5": {
+ "type": "PII",
+ "attributes": { "expiry": "2026/06/15" },
+ "id": 5,
+ "guid": "tag-pii-5-guid"
+ },
+ "6": {
+ "type": "PII-FINAL",
+ "attributes": { "expiry": "2026/06/15" },
+ "id": 6,
+ "guid": "tag-pii-final-6-guid"
+ }
+ },
+ "serviceResources": [
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "employee" ] },
+ "table": { "values": [ "personal" ] },
+ "column": { "values": [ "ssn" ] }
+ },
+ "id": 1,
+ "guid": "employee.personal.ssn-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "employee" ] },
+ "table": { "values": [ "personal" ] },
+ "column": { "values": [ "id" ] }
+ },
+ "id": 2,
+ "guid": "employee.personal.id-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "employee" ] },
+ "table": { "values": [ "personal" ] },
+ "column": { "values": [ "city" ] }
+ },
+ "id": 3,
+ "guid": "employee.personal.city-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "employee" ] },
+ "table": { "values": [ "personal" ] },
+ "column": { "values": [ "address" ] }
+ },
+ "id": 4,
+ "guid": "employee.personal.address-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "employee" ] },
+ "table": { "values": [ "personal" ] },
+ "column": { "values": [ "salary" ] }
+ },
+ "id": 5,
+ "guid": "employee.personal.salary-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "employee" ] },
+ "table": { "values": [ "personal" ] },
+ "column": { "values": [ "emp-number" ] }
+ },
+ "id": 6,
+ "guid": "employee.personal.emp-number-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "employee" ] },
+ "table": { "values": [ "personal" ] },
+ "column": { "values": [ "name" ] }
+ },
+ "id": 7,
+ "guid": "employee.personal.name-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "default" ] }
+ },
+ "id": 8,
+ "guid": "default-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "default" ] },
+ "table": { "values": [ "table1" ] }
+ },
+ "id": 9,
+ "guid": "default.table1-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "default" ] },
+ "table": { "values": [ "table1" ] },
+ "column": { "values": [ "name" ] }
+ },
+ "id": 10,
+ "guid": "default.table1.name-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "default" ] },
+ "table": { "values": [ "table2" ] }
+ },
+ "id": 11,
+ "guid": "default.table2-guid"
+ },
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "default" ] },
+ "table": { "values": [ "table3" ] },
+ "column": { "values": [ "name" ] }
+ },
+ "id": 12,
+ "guid": "default.table3.name-guid"
+ }
+ ],
+ "resourceToTagIds": {
+ "1": [ 1 ],
+ "2": [ 2 ],
+ "3": [ 3 ],
+ "4": [ 4 ],
+ "5": [ 2 ],
+ "6": [ 2 ],
+ "8": [ 6 ],
+ "9": [ 5 ],
+ "10": [ 6 ],
+ "11": [ 6 ],
+ "12": [ 5 ]
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/17dd5c33/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
new file mode 100644
index 0000000..da00ea3
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
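Review bot: The tag attribute `"expiry_date": "2026/06/15"` on tag 1 is a calendar date that the fixture in the next hunk compares against the wall clock through `ctx.isAccessedAfter('expiry_date')`, so the ALLOW expectation for employee.personal.ssn turns into a deny from tag policy 5 as soon as that date passes, and the `2015/08/10` values on tags 2 and 3 already assume every run happens after them. Either pick dates far outside any plausible test-run window or have the harness fix the request's access time; the same point applies to test_policyengine_tag_hive_filebased.json, where those expectations are asserted. Resource id 7 (employee.personal.name) is deliberately missing from resourceToTagIds and only the test name "no tag" reveals that; since JSON allows no comment, a guid such as `"employee.personal.name-untagged-guid"` would make the omission visibly intentional.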
@@ -0,0 +1,304 @@
+{
+ "serviceName":"hivedev",
+
+ "serviceDef":{
+ "name":"hive",
+ "id":3,
+ "resources":[
+ {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
+ {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
+ {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
+ {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
+ ],
+ "accessTypes":[
+ {"name":"select","label":"Select"},
+ {"name":"update","label":"Update"},
+ {"name":"create","label":"Create"},
+ {"name":"drop","label":"Drop"},
+ {"name":"alter","label":"Alter"},
+ {"name":"index","label":"Index"},
+ {"name":"lock","label":"Lock"},
+ {"name":"all","label":"All",
+ "impliedGrants": [
+ "select",
+ "update",
+ "create",
+ "drop",
+ "alter",
+ "index",
+ "lock"
+ ]
+ }
+ ]
+ },
+
+ "policies":[
+ {"id":101,"name":"db=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false}
+ ]
+ },
+ {"id":102,"name":"db=*, udf=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["*"]},"udf":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ],
+ "tagPolicyInfo": {
+
+ "serviceName":"tagdev",
+ "serviceDef": {
+ "name": "tag",
+ "id": 100,
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "tag",
+ "type": "string",
+ "level": 1,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": false
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "TAG",
+ "description": "TAG"
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "hive:select",
+ "label": "hive:select"
+ },
+ {
+ "itemId": 2,
+ "name": "hive:update",
+ "label": "hive:update"
+ },
+ {
+ "itemId": 3,
+ "name": "hive:create",
+ "label": "hive:create"
+ }
+ ,
+ {
+ "itemId": 4,
+ "name": "hive:grant",
+ "label": "hive:grant"
+ }
+ ,
+ {
+ "itemId": 5,
+ "name": "hive:drop",
+ "label": "hive:drop"
+ }
+ ,
+ {
+ "itemId": 6,
+ "name": "hive:alter",
+ "label": "hive:alter"
+ },
+ {
+ "itemId": 7,
+ "name": "hive:index",
+ "label": "hive:index"
+ },
+ {
+ "itemId": 8,
+ "name": "hive:lock",
+ "label": "hive:lock"
+ },
+ {
+ "itemId": 9,
+ "name": "hive:all",
+ "label": "hive:all"
+ }
+ ],
+ "contextEnrichers": [
+ {
+ "itemId": 1,
+ "name" : "TagEnricher",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+ "enricherOptions" : {"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", "tagRefresherPollingInterval":60000, "serviceTagsFileName":"/policyengine/resourceTags.json"}
+ }
+ ],
+ "policyConditions": [
+ {
+ "itemId":1,
+ "name":"ScriptConditionEvaluator",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript"},
+ "label":"Script",
+ "description": "Script to execute"
+ },
+ {
+ "itemId":2,
+ "name":"enforce-expiry",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+ "evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedAfter('expiry_date');" },
+ "label":"Deny access after expiry_date?",
+ "description": "Deny access after expiry_date? (yes/no)"
+ }
+ ]
+ },
+ "tagPolicies":[
+ {"id":1,"name":"RESTRICTED_TAG_POLICY","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"tag":{"values":["RESTRICTED"],"isRecursive":false}},
+ "policyItems":[
+ {
+ "accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
+ "conditions":[{
+ "type":"ScriptConditionEvaluator",
+ "values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
+ }]
+ }
+ ]
+ },
+ {"id":2,"name":"PII_TAG_POLICY","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"tag":{"values":["PII"],"isRecursive":false}},
+ "policyItems":[
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":3,"name":"PII_TAG_POLICY-FINAL","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"tag":{"values":["PII-FINAL"],"isRecursive":false}},
+ "denyPolicyItems":[
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":[""],"groups":["public"],"delegateAdmin":false}
+ ]
+ ,
+ "denyExceptions":[
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":4,"name":"RESTRICTED_TAG_POLICY_FINAL","isEnabled":true,"isAuditEnabled":true,"policyType":1,
+ "resources":{"tag":{"values":["RESTRICTED-FINAL"],"isRecursive":false}},
+ "denyPolicyItems":[
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
+ ,
+ "denyExceptions":[
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
+ "conditions":[{
+ "type":"ScriptConditionEvaluator",
+ "values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
+ }]
+ }
+ ]
+ },
+ {"id":5,"name":"EXPIRES_ON","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"tag":{"values":["EXPIRES_ON"],"isRecursive":false}},
+ "denyPolicyItems":[
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false,
+ "conditions":[{"type":"enforce-expiry","values":["yes"]}]
+ }
+ ]
+ ,
+ "denyExceptions":[
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["dataloader"],"groups":[],"delegateAdmin":false}
+ ]
+ }
+ ]
+ },
+
+ "tests":[
+ {"name":"ALLOW 'select ssn from employee.personal;' for user1 using EXPIRES_ON tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}},
+ "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1"
+
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ },
+ {"name":"DENY 'select id from employee.personal;' for user1 using EXPIRES_ON tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"id"}},
+ "accessType":"select","user":"user1","userGroups":[],"requestData":"select id from employee.personal;' for user1"
+
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":5}
+ },
+ {"name":"ALLOW 'select emp-number from employee.personal;' for dataloader using EXPIRES_ON tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"emp-number"}},
+ "accessType":"select","user":"dataloader","userGroups":[],"requestData":"select emp-number from employee.personal;' for dataloader"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ },
+ {"name":"DENY 'select salary from employee.personal;' for user1 using EXPIRES_ON tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"salary"}},
+ "accessType":"select","user":"user1","userGroups":[],"requestData":"select salary from employee.personal;' for user1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":5}
+ },
+ {"name":"ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"city"}},
+ "accessType":"select","user":"user1","userGroups":[],"requestData":"select city from employee.personal;' for user1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ },
+ {"name":"DENY 'select address from employee.personal;' for user2 using RESTRICTED-FINAL tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"address"}},
+ "accessType":"select","user":"user2","userGroups":[],"requestData":"select address from employee.personal;' for user2"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":4}
+ },
+ {"name":"ALLOW 'select name from employee.personal;' for user1 - no tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"name"}},
+ "accessType":"select","user":"user1","userGroups":[],"requestData":"select name from employee.personal;' for user1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ },
+ {"name":"ALLOW 'select name from default.table1;' for hive using PII, PII-FINAL tags",
+ "request":{
+ "resource":{"elements":{"database":"default", "table":"table1", "column":"name"}},
+ "accessType":"select","user":"hive","userGroups":[],"requestData":"select name from default.table1;' for hive"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ },
+ {"name":"ALLOW 'desc default.table1;' for hive using PII, PII-FINAL tags",
+ "request":{
+ "resource":{"elements":{"database":"default", "table":"table1"}},
+ "accessType":"","user":"hive","userGroups":[],"requestData":"desc default.table1;' for hive"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ },
+ {"name":"DENY 'desc default.table2;' for user1 using PII-FINAL tag",
+ "request":{
+ "resource":{"elements":{"database":"default", "table":"table2"}},
+ "accessType":"","user":"user1","userGroups":[],"requestData":"desc default.table2;' for user1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":3}
+ },
+ {"name":"DENY 'use default;' for user1 using PII, PII-FINAL tags",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"","user":"user1","userGroups":[],"requestData":"use default for user user1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":3}
+ },
+ {"name":"ALLOW 'select name from default.table3;' for hive using PII tag",
+ "request":{
+ "resource":{"elements":{"database":"default", "table":"table3", "column":"name"}},
+ "accessType":"select","user":"hive","userGroups":[],"requestData":"select name from default.table3 for user hive"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+
+ ]
+}
+
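Review bot: Tag policy 3 (PII_TAG_POLICY-FINAL) lists `"users":[""]` in its denyPolicyItems, an empty-string user name that the equivalent deny items in policies 4 and 5 write as `"users":[]`; it reads as a typo, and since the deny is carried by `"groups":["public"]` the item should be `{"accesses":[{"type":"hive:select","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}`. Policy 4 alone carries `"policyType":1` while policies 3 and 5, which likewise consist only of denyPolicyItems and denyExceptions, omit it; if the engine treats that field as significant the three should agree, otherwise the stray field should go. The three requests with `"accessType":""` (desc/use) presumably exercise an any-access check, but nothing in the fixture says so; a test name that spells it out, e.g. `DENY any access to default.table2 for user1 using PII-FINAL tag`, would make the expectation explicit.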
