Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.5 df2d4eccd -> 3bfc2e12c
RANGER-889: Policy engine API to find list of users/groups having access to a resource Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3bfc2e12 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3bfc2e12 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3bfc2e12 Branch: refs/heads/ranger-0.5 Commit: 3bfc2e12c1ad825fedc4e339ae988d840d03b8ae Parents: df2d4ec Author: Madhan Neethiraj <[email protected]> Authored: Mon Mar 21 10:16:43 2016 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Mar 21 11:10:01 2016 -0700 ---------------------------------------------------------------------- .../plugin/policyengine/RangerPolicyEngine.java | 2 + .../policyengine/RangerPolicyEngineImpl.java | 19 ++++ .../policyengine/RangerResourceAccessInfo.java | 84 ++++++++++++++++ .../RangerAbstractPolicyItemEvaluator.java | 16 +++ .../RangerDefaultPolicyEvaluator.java | 88 ++++++++++------ .../policyevaluator/RangerPolicyEvaluator.java | 4 + .../RangerPolicyItemEvaluator.java | 6 +- .../ranger/plugin/service/RangerBasePlugin.java | 12 +++ .../plugin/policyengine/TestPolicyEngine.java | 31 ++++-- .../test_policyengine_resource_access_info.json | 100 +++++++++++++++++++ 10 files changed, 323 insertions(+), 39 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java index bff16c9..23c2178 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java @@ -58,4 +58,6 @@ public interface RangerPolicyEngine { List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource); List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType); + + RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index b45358d..ae48a71 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
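Review bot: The new `getResourceAccessInfo(RangerAccessRequest request)` declaration at the end of `RangerPolicyEngine` has no Javadoc, and the name alone does not say how the answer is computed. Judging from the evaluator code later in this commit, the result is the union of users and groups listed on policy items whose resource, access type and custom conditions match; the request's own user and groups are not compared against the items. I would add `/** Returns the users and groups named by policy items that match the request's resource and access type; this is not a per-user access decision. */` above the declaration. The interface body starts outside the hunk.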
@@ -353,6 +353,25 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { return ret; } + @Override + public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerPolicyEngineImpl.getResourceAccessInfo(" + request + ")"); + } + + RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request); + + for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + evaluator.getResourceAccessInfo(request, ret); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyEngineImpl.getResourceAccessInfo(" + request + "): " + ret); + } + + return ret; + } + protected RangerAccessResult isAccessAllowedNoAudit(RangerAccessRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java new file mode 100644 index 0000000..fe2e2d6 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java 
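Review bot: `RangerPolicyEngineImpl.getResourceAccessInfo` hands `request` to every evaluator without checking it for null. `new RangerResourceAccessInfo(request)` accepts null, but `RangerDefaultPolicyEvaluator.getResourceAccessInfo` (added later in this commit) dereferences it in `isResourceMatch(request)` and `request.getAccessType()`. The existing `evaluate()` in that evaluator guards with `if (request != null && result != null)`, so the new path is less defensive than the one beside it. Putting `if(request != null) { ... }` around the `for` loop would return empty sets instead of throwing. The method is fully inside the hunk.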
@@ -0,0 +1,84 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.policyengine; + +import java.util.HashSet; +import java.util.Set; + +public class RangerResourceAccessInfo { + final private RangerAccessRequest request; + final private Set<String> allowedUsers; + final private Set<String> allowedGroups; + + + public RangerResourceAccessInfo(RangerAccessRequest request) { + this.request = request; + this.allowedUsers = new HashSet<String>(); + this.allowedGroups = new HashSet<String>(); + } + + public RangerAccessRequest getRequest() { + return request; + } + + public Set<String> getAllowedUsers() { + return allowedUsers; + } + + public Set<String> getAllowedGroups() { + return allowedGroups; + } + + @Override + public String toString( ) { + StringBuilder sb = new StringBuilder(); + + toString(sb); + + return sb.toString(); + } + + public StringBuilder toString(StringBuilder sb) { + sb.append("RangerResourceAccessInfo={"); + + sb.append("request={"); + if(request != null) { + sb.append(request.toString()); + } + sb.append("} "); + + sb.append("allowedUsers={"); + for(String user : allowedUsers) { + sb.append(user).append(" "); + } + sb.append("} "); + + 
sb.append("allowedGroups={"); + for(String group : allowedGroups) { + sb.append(group).append(" "); + } + sb.append("} "); + + sb.append("}"); + + return sb; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java index a986ca6..9dbd874 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java @@ -21,12 +21,15 @@ package org.apache.ranger.plugin.policyevaluator; import java.util.Collections; import java.util.List; +import java.util.Set; +import org.apache.commons.collections.CollectionUtils; import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyItemEvaluator { 
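Review bot: `getAllowedUsers()` and `getAllowedGroups()` in the new `RangerResourceAccessInfo` return the internal `HashSet` instances, and the class has no Javadoc saying so. The evaluators in this commit rely on that to add entries, but the same object is handed back to plugin callers, who can add or remove principals in a result that downstream code may treat as the engine's answer. At minimum, document it with a class comment such as `/** Accumulates the users and groups found for a request; the returned sets are live, mutable and not synchronized. */`. A stricter option is dedicated add methods plus `Collections.unmodifiableSet(...)` in the getters, which would also require changing the `addAll` calls in `RangerAbstractPolicyItemEvaluator`.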
@@ -58,4 +61,17 @@ public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyI protected boolean getConditionsDisabledOption() { return options != null ? options.disableCustomConditions : false; } + + @Override + public void getResourceAccessInfo(RangerResourceAccessInfo result) { + if(policyItem != null && result != null) { + if(CollectionUtils.isNotEmpty(policyItem.getUsers())) { + result.getAllowedUsers().addAll(policyItem.getUsers()); + } + + if(CollectionUtils.isNotEmpty(policyItem.getGroups())) { + result.getAllowedGroups().addAll(policyItem.getGroups()); + } + } + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index d570c6c..efc9f92 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -42,6 +42,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; import org.apache.ranger.plugin.util.RangerPerfTracer; 
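Review bot: `RangerAbstractPolicyItemEvaluator.getResourceAccessInfo(result)` copies every user and group of the policy item into `result` with no check of its own, and nothing in the hunk says callers must have matched the item first. The only caller visible in this commit tests `matchAccessType` and `matchCustomConditions` before calling it, but a later caller that skips those checks would report principals for access the item does not cover. A comment on the method such as `// Precondition: caller has already matched resource, access type and conditions for this item` would make the contract explicit. The class body starts outside the hunk.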
@@ -130,28 +131,17 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } if (request != null && result != null) { - boolean isMatchAttempted = false; - boolean matchResult = false; - boolean isHeadMatchAttempted = false; - boolean headMatchResult = false; - final boolean attemptHeadMatch = request.isAccessTypeAny() || request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS; + boolean isMatchAttempted = false; + boolean matchResult = false; if (!result.getIsAuditedDetermined()) { // Need to match request.resource first. If it matches (or head matches), then only more progress can be made if (!isMatchAttempted) { - matchResult = isMatch(request.getResource()); + matchResult = isResourceMatch(request); isMatchAttempted = true; } - // Try head match only if match was not found and ANY access was requested - if (!matchResult) { - if (attemptHeadMatch && !isHeadMatchAttempted) { - headMatchResult = matchResourceHead(request.getResource()); - isHeadMatchAttempted = true; - } - } - - if (matchResult || headMatchResult) { + if (matchResult) { // We are done for determining if audit is needed for this policy if (isAuditEnabled()) { result.setIsAudited(true); 
@@ -162,24 +152,16 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (!result.getIsAccessDetermined()) { // Try Match only if it was not attempted as part of evaluating Audit requirement if (!isMatchAttempted) { - matchResult = isMatch(request.getResource()); + matchResult = isResourceMatch(request); isMatchAttempted = true; } - // Try Head Match only if no match was found so far AND a head match was not attempted as part of evaluating - // Audit requirement - if (!matchResult) { - if (attemptHeadMatch && !isHeadMatchAttempted) { - headMatchResult = matchResourceHead(request.getResource()); - isHeadMatchAttempted = true; - } - } - // Go further to evaluate access only if match or head match was found at this point - if (matchResult || headMatchResult) { - evaluatePolicyItemsForAccess(request, result); - } - } - } + // Go further to evaluate access only if match or head match was found at this point + if (matchResult) { + evaluatePolicyItemsForAccess(request, result); + } + } + } RangerPerfTracer.log(perf); 
@@ -285,6 +267,52 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return ret; } + @Override + public void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAccessInfo result) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + result + ")"); + } + + boolean isResourceMatch = isResourceMatch(request); + + if(isResourceMatch) { + if(CollectionUtils.isNotEmpty(policyItemEvaluators)) { + for (RangerPolicyItemEvaluator policyItemEvaluator : policyItemEvaluators) { + if(policyItemEvaluator.matchAccessType(request.getAccessType()) && + policyItemEvaluator.matchCustomConditions(request)) { + policyItemEvaluator.getResourceAccessInfo(result); + } + } + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + result + ")"); + } + } + + private boolean isResourceMatch(RangerAccessRequest request) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultPolicyEvaluator.isResourceMatch(" + request + ")"); + } + + boolean ret = isMatch(request.getResource()); + + if(! ret) { + final boolean attemptHeadMatch = request.isAccessTypeAny() || request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS; + + if(attemptHeadMatch) { + ret = matchResourceHead(request.getResource()); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultPolicyEvaluator.isResourceMatch(" + request + "): " + ret); + } + + return ret; + } + protected boolean matchResourceHead(RangerAccessResource resource) { if(LOG.isDebugEnabled()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- 
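Review bot: `RangerDefaultPolicyEvaluator.getResourceAccessInfo` reuses `isResourceMatch`, which falls back to `matchResourceHead` when `request.isAccessTypeAny()` is true or the scope is `SELF_OR_DESCENDANTS`. In those cases the returned sets include principals whose policy covers only some descendant of the requested resource. The `use default;` case in the new fixture appears to show this: a database-only request is expected to return the users of the `table=test*` policy. That is reasonable for an "any access" query but easy to misread as "these principals may access the resource itself", so I would state it in Javadoc on the method, for example `/** Adds principals of matching policy items; for an any-access request or scope SELF_OR_DESCENDANTS a policy on a descendant resource also counts as a match. */`. The enclosing class starts and ends outside the hunk.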
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index e6ec2ad..a0f99e4 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java @@ -30,6 +30,8 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; + public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> { public static final String EVALUATOR_TYPE_AUTO = "auto"; @@ -57,4 +59,6 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups, String accessType); boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType); + + void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAccessInfo result); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java index 9bbe4e3..6f0ac01 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java 
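Review bot: The new `void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAccessInfo result)` in `RangerPolicyEvaluator` reads like a getter but returns nothing and writes into `result`, and that is not documented. `RangerPolicyEngineImpl` passes the same `result` to every evaluator in turn, so an implementation that cleared or replaced its contents would silently drop principals found by earlier policies. The one-argument method added to `RangerPolicyItemEvaluator` in the next file has the same contract. I would add `/** Adds to result the users and groups this policy lists for the request; result is shared across evaluators and must not be cleared. */` on both declarations.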
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java @@ -22,11 +22,9 @@ import java.util.List; import java.util.Set; import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; -import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessResult; +import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; public interface RangerPolicyItemEvaluator { @@ -52,4 +50,6 @@ public interface RangerPolicyItemEvaluator { boolean matchAccessType(String accessType); boolean matchCustomConditions(RangerAccessRequest request); + + void getResourceAccessInfo(RangerResourceAccessInfo result); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 5f98b79..501aa0a 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
@@ -169,6 +169,18 @@ public class RangerBasePlugin { return null; } + public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) { + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + policyEngine.preProcess(request); + + return policyEngine.getResourceAccessInfo(request); + } + + return null; + } + public RangerAccessResult createAccessResult(RangerAccessRequest request) { RangerPolicyEngine policyEngine = this.policyEngine; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index 59b7479..0fca742 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -88,6 +88,13 @@ public class TestPolicyEngine { runTestsFromResourceFiles(conditionsTestResourceFiles); } + @Test + public void testPolicyEngine_resourceAccessInfo() { + String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_resource_access_info.json" }; + + runTestsFromResourceFiles(conditionsTestResourceFiles); + } + private void runTestsFromResourceFiles(String[] resourceNames) { for(String resourceName : resourceNames) { InputStream inStream = this.getClass().getResourceAsStream(resourceName); 
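Review bot: `RangerBasePlugin.getResourceAccessInfo` returns `null` when no policy engine is set, which a caller can confuse with the empty sets returned when no policy item matches. The two mean different things (policies not loaded versus nobody listed), so the method should say so, for example `/** @return users and groups found for the request, or null if no policy engine is available (result unknown, not "no one") */`. The method is public and its visible body does no check on who is asking, so a plugin that exposes this listing of principals to end users would have to enforce that itself. The class body starts outside the hunk.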
@@ -112,13 +119,24 @@ public class TestPolicyEngine { for(TestData test : testCase.tests) { policyEngine.preProcess(test.request); - RangerAccessResult expected = test.result; - RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null); + if(test.result != null) { + RangerAccessResult expected = test.result; + RangerAccessResult result = policyEngine.isAccessAllowed(test.request, null); + + assertNotNull("result was null! - " + test.name, result); + assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed()); + assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited()); + assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId()); + } + + if(test.resourceAccessInfo != null) { + RangerResourceAccessInfo expected = test.resourceAccessInfo; + RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request); - assertNotNull("result was null! - " + test.name, result); - assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed()); - assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited()); - assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId()); + assertNotNull("result was null! - " + test.name, result); + assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers()); + assertEquals("allowedGroups mismatched! - " + test.name, expected.getAllowedGroups(), result.getAllowedGroups()); + } } } 
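Review bot: With both expectations now optional in the test loop, a fixture entry that sets neither `result` nor `resourceAccessInfo` (for example through a misspelled key) runs no assertion and passes. I would add one line before the two `if` blocks, `assertNotNull("no expectation set! - " + test.name, test.result != null ? test.result : test.resourceAccessInfo);`, so that a vacuous case fails. The enclosing method starts outside the hunk.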
@@ -132,6 +150,7 @@ public class TestPolicyEngine { public String name; public RangerAccessRequest request; public RangerAccessResult result; + public RangerResourceAccessInfo resourceAccessInfo; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3bfc2e12/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json b/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json new file mode 100644 index 0000000..b94c87a --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json 
@@ -0,0 +1,100 @@ +{ + "serviceName":"hivedev", + + "serviceDef":{ + "name":"hive", + "id":3, + "resources":[ + {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"}, + {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"}, + {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"}, + {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"} + ], + "accessTypes":[ + {"name":"select","label":"Select"}, + {"name":"update","label":"Update"}, + {"name":"create","label":"Create"}, + {"name":"drop","label":"Drop"}, + {"name":"alter","label":"Alter"}, + {"name":"index","label":"Index"}, + {"name":"lock","label":"Lock"}, + {"name":"all","label":"All"} + ] + }, + + "policies":[ + {"id":1,"name":"db=default: audit-all-access","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["default"]},"table":{"values":["*"]},"column":{"values":["*"]}}, + "policyItems":[ + {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false} + ] + } + , + {"id":2,"name":"db=default; table=test*; column=*","isEnabled":true,"isAuditEnabled":true, + 
"resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}}, + "policyItems":[ + {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false} + , + {"accesses":[{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["admin"],"groups":["admin"],"delegateAdmin":true} + ] + } + , + {"id":3,"name":"db=db1; table=tbl*; column=*","isEnabled":true,"isAuditEnabled":true, + "resources":{"database":{"values":["db1"]},"table":{"values":["tbl*"]},"column":{"values":["*"]}}, + "policyItems":[ + {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false} + ] + } + ], + + "tests":[ + {"name":"use default;", + "request":{ + "resource":{"elements":{"database":"default"}}, + "accessType":"","requestData":"use default" + }, + "resourceAccessInfo":{"allowedUsers":["admin", "user1", "user2"],"allowedGroups":["admin", "group1", "group2"]} + } + , + {"name":"select default.testtbl1", + "request":{ + "resource":{"elements":{"database":"default", "table":"testtbl1"}}, + "accessType":"select","requestData":"select default.testtbl1" + }, + "resourceAccessInfo":{"allowedUsers":["user1", "user2"],"allowedGroups":["group1", "group2"]} + } + , + {"name":"create default.testtbl1", + "request":{ + "resource":{"elements":{"database":"default", "table":"testtbl1"}}, + "accessType":"create","requestData":"create default.testtbl1" + }, + "resourceAccessInfo":{"allowedUsers":["admin"],"allowedGroups":["admin"]} + } + , + {"name":"select db1.tbl1", + "request":{ + "resource":{"elements":{"database":"db1", "table":"tbl1"}}, + "accessType":"select","requestData":"select db1.tbl1" + }, + "resourceAccessInfo":{"allowedUsers":["user1", "user2"],"allowedGroups":["group1", "group2"]} + } + , + {"name":"insert db1.tbl1", + "request":{ + "resource":{"elements":{"database":"db1", "table":"tb1"}}, + 
"accessType":"insert","requestData":"insert db1.tbl1" + }, + "resourceAccessInfo":{"allowedUsers":[],"allowedGroups":[]} + } + , + {"name":"select db2.tbl1", + "request":{ + "resource":{"elements":{"database":"db2", "table":"tb1"}}, + "accessType":"create","requestData":"select db2.tbl1" + }, + "resourceAccessInfo":{"allowedUsers":[],"allowedGroups":[]} + } + ] +} +
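Review bot: Two of the negative cases in this fixture do not test what their names say. `insert db1.tbl1` and `select db2.tbl1` both request `"table":"tb1"`, and the second uses `"accessType":"create"`; since `tb1` does not match the `tbl*` policy, the empty result in the first case comes from the resource mismatch, and no case covers a matching resource with an access type that no item grants. Changing the first request to `"table":"tbl1"` and the second to `"accessType":"select"` with `"table":"tbl1"` would make names and requests agree and cover that path. None of the policies carries conditions either, so the `matchCustomConditions` filter in the new evaluator code is not exercised.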
