Repository: incubator-ranger
Updated Branches:
  refs/heads/master 31c2b030c -> e5ca0fe51


RANGER-889: Policy engine API to find list of users/groups having access to a 
resource

(cherry picked from commit 3bfc2e12c1ad825fedc4e339ae988d840d03b8ae)


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e5ca0fe5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e5ca0fe5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e5ca0fe5

Branch: refs/heads/master
Commit: e5ca0fe51390c48d4a5f67ca46db9ecd53b41c0a
Parents: 31c2b03
Author: Madhan Neethiraj <[email protected]>
Authored: Mon Mar 21 10:16:43 2016 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Wed Mar 23 23:28:31 2016 -0700

----------------------------------------------------------------------
 .../plugin/policyengine/RangerPolicyEngine.java |   3 +-
 .../policyengine/RangerPolicyEngineImpl.java    |  43 ++++++-
 .../policyengine/RangerResourceAccessInfo.java  | 116 +++++++++++++++++++
 .../RangerAbstractPolicyItemEvaluator.java      |   2 +
 .../RangerDefaultPolicyEvaluator.java           |  87 +++++++++++++-
 .../policyevaluator/RangerPolicyEvaluator.java  |   4 +
 .../RangerPolicyItemEvaluator.java              |   2 +
 .../ranger/plugin/service/RangerBasePlugin.java |  12 ++
 .../plugin/policyengine/TestPolicyEngine.java   |  22 +++-
 .../test_policyengine_resource_access_info.json | 106 +++++++++++++++++
 10 files changed, 391 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 64870d9..d19e3d0 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -61,8 +61,9 @@ public interface RangerPolicyEngine {
 
        List<RangerPolicy> getAllowedPolicies(String user, Set<String> 
userGroups, String accessType);
 
+       RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest 
request);
+
        boolean preCleanup();
 
        void cleanup();
-
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 9e817d7..51cab80 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -448,6 +448,47 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                return ret;
        }
 
+       @Override
+       public RangerResourceAccessInfo 
getResourceAccessInfo(RangerAccessRequest request) {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> 
RangerPolicyEngineImpl.getResourceAccessInfo(" + request + ")");
+               }
+
+               RangerResourceAccessInfo ret = new 
RangerResourceAccessInfo(request);
+
+               List<RangerPolicyEvaluator> tagPolicyEvaluators = 
tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators();
+               List<RangerPolicyEvaluator> resPolicyEvaluators = 
policyRepository.getPolicyEvaluators();
+
+               if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) {
+                       List<RangerTag> tags = 
RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
+
+                       if(CollectionUtils.isNotEmpty(tags)) {
+                               for (RangerTag tag : tags) {
+                                       RangerAccessRequest tagEvalRequest = 
new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
+
+                                       for (RangerPolicyEvaluator evaluator : 
tagPolicyEvaluators) {
+                                               
evaluator.getResourceAccessInfo(tagEvalRequest, ret);
+                                       }
+                               }
+                       }
+               }
+
+               if(CollectionUtils.isNotEmpty(resPolicyEvaluators)) {
+                       for (RangerPolicyEvaluator evaluator : 
resPolicyEvaluators) {
+                               evaluator.getResourceAccessInfo(request, ret);
+                       }
+               }
+
+               ret.getAllowedUsers().removeAll(ret.getDeniedUsers());
+               ret.getAllowedGroups().removeAll(ret.getDeniedGroups());
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== 
RangerPolicyEngineImpl.getResourceAccessInfo(" + request + "): " + ret);
+               }
+
+               return ret;
+       }
+
        protected RangerAccessResult isAccessAllowedNoAudit(RangerAccessRequest 
request) {
                if (LOG.isDebugEnabled()) {
                        LOG.debug("==> 
RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")");
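Review bot: The two `removeAll` calls at the end of `getResourceAccessInfo` reconcile allow and deny by exact name only, so a user in `allowedUsers` who belongs to a group in `deniedGroups` is still reported as allowed. The allow/deny exception subtraction in the RangerDefaultPolicyEvaluator.java hunk has the same limit. Group membership is not available at this point, so the contract should be stated in Javadoc on the method, for example `Names are reported as written in the policies; group membership is not expanded, so an entry in allowedUsers/allowedGroups is effective only after the caller checks it against deniedUsers/deniedGroups.` Without that, a consumer using the result for an access review can over-report who reaches a resource. The trailing context lines belong to isAccessAllowedNoAudit, whose body continues outside the hunk.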
@@ -513,7 +554,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                        LOG.debug("==> 
RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + 
result + ")");
                }
 
-               List<RangerPolicyEvaluator> evaluators = 
tagPolicyRepository.getPolicyEvaluators();
+               List<RangerPolicyEvaluator> evaluators = tagPolicyRepository == 
null ? null : tagPolicyRepository.getPolicyEvaluators();
 
                if (CollectionUtils.isNotEmpty(evaluators)) {
                        List<RangerTag> tags = 
RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java
new file mode 100644
index 0000000..44ec854
--- /dev/null
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java
@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import java.util.HashSet;
+import java.util.Set;
+
+public class RangerResourceAccessInfo {
+    final private RangerAccessRequest request;
+    final private Set<String>         allowedUsers;
+    final private Set<String>         allowedGroups;
+    final private Set<String>         deniedUsers;
+    final private Set<String>         deniedGroups;
+
+
+    public RangerResourceAccessInfo(RangerAccessRequest request) {
+        this.request       = request;
+        this.allowedUsers  = new HashSet<String>();
+        this.allowedGroups = new HashSet<String>();
+        this.deniedUsers   = new HashSet<String>();
+        this.deniedGroups  = new HashSet<String>();
+    }
+
+    public RangerResourceAccessInfo(RangerResourceAccessInfo other) {
+        this.request       = other.request;
+        this.allowedUsers  = other.allowedUsers == null ? new 
HashSet<String>() : new HashSet<String>(other.allowedUsers);
+        this.allowedGroups = other.allowedGroups == null ? new 
HashSet<String>() : new HashSet<String>(other.allowedGroups);
+        this.deniedUsers   = other.deniedUsers == null ? new HashSet<String>() 
: new HashSet<String>(other.deniedUsers);
+        this.deniedGroups  = other.deniedGroups == null ? new 
HashSet<String>() : new HashSet<String>(other.deniedGroups);
+    }
+
+    public RangerAccessRequest getRequest() {
+        return request;
+    }
+
+    public Set<String> getAllowedUsers() {
+        return allowedUsers;
+    }
+
+    public Set<String> getAllowedGroups() {
+        return allowedGroups;
+    }
+
+    public Set<String> getDeniedUsers() {
+        return deniedUsers;
+    }
+
+    public Set<String> getDeniedGroups() {
+        return deniedGroups;
+    }
+
+    @Override
+    public String toString( ) {
+        StringBuilder sb = new StringBuilder();
+
+        toString(sb);
+
+        return sb.toString();
+    }
+
+    public StringBuilder toString(StringBuilder sb) {
+        sb.append("RangerResourceAccessInfo={");
+
+        sb.append("request={");
+        if(request != null) {
+            sb.append(request.toString());
+        }
+        sb.append("} ");
+
+        sb.append("allowedUsers={");
+        for(String user : allowedUsers) {
+            sb.append(user).append(" ");
+        }
+        sb.append("} ");
+
+        sb.append("allowedGroups={");
+        for(String group : allowedGroups) {
+            sb.append(group).append(" ");
+        }
+        sb.append("} ");
+
+        sb.append("deniedUsers={");
+        for(String user : deniedUsers) {
+            sb.append(user).append(" ");
+        }
+        sb.append("} ");
+
+        sb.append("deniedGroups={");
+        for(String group : deniedGroups) {
+            sb.append(group).append(" ");
+        }
+        sb.append("} ");
+
+        sb.append("}");
+
+        return sb;
+    }
+
+}
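Review bot: `toString(StringBuilder)` iterates `allowedUsers`, `allowedGroups`, `deniedUsers` and `deniedGroups` without a null check, although the copy constructor treats each of those fields as possibly null. If an instance can exist with a null set (presumably one filled in by a deserializer that bypasses the constructors, as the test's `resourceAccessInfo` field suggests), logging it throws a NullPointerException. Guard each loop, e.g. `if (deniedUsers != null) { for (String user : deniedUsers) { ... } }`. The getters also return the internal `HashSet` instances, which the engine relies on for its `removeAll` step. A class comment saying that the returned sets are live and not safe to share across threads would keep callers from caching or publishing a result they later mutate.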

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
index 514884f..7a082dd 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
@@ -21,6 +21,7 @@ package org.apache.ranger.plugin.policyevaluator;
 
 import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
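Review bot: The `java.util.Set` import added here looks unused. The diffstat lists only two added lines for RangerAbstractPolicyItemEvaluator.java, and both are imports (this one and `RangerResourceAccessInfo` in the next hunk), with no code in the file that refers to them. The RangerPolicyItemEvaluator.java hunk shows the same pattern with `RangerAccessResult` and `RangerResourceAccessInfo`. Drop these four imports, or add them together with the code that needs them.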
@@ -31,6 +32,7 @@ import 
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
 
 
 public abstract class RangerAbstractPolicyItemEvaluator implements 
RangerPolicyItemEvaluator {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2ce3a54..c48fb72 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -44,6 +44,7 @@ import 
org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import 
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -170,10 +171,8 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
             }
 
             if (!result.getIsAccessDetermined()) {
-
                 // Attempt resource matching only if there may be a matchable 
policyItem
                 if (hasMatchablePolicyItem(request)) {
-
                     // Try Match only if it was not attempted as part of 
evaluating Audit requirement
                     if (!isResourceMatchAttempted) {
                         isResourceMatch = isMatch(request.getResource());
@@ -357,6 +356,90 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                return ret;
        }
 
+       @Override
+       public void getResourceAccessInfo(RangerAccessRequest request, 
RangerResourceAccessInfo result) {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> 
RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + result 
+ ")");
+               }
+
+               final boolean isResourceMatch          = 
isMatch(request.getResource());
+               final boolean attemptResourceHeadMatch = 
request.isAccessTypeAny() || request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS;
+               final boolean isResourceHeadMatch      = (!isResourceMatch && 
attemptResourceHeadMatch) ? matchResourceHead(request.getResource()) : false;
+
+               if(isResourceMatch || isResourceHeadMatch) {
+                       if (CollectionUtils.isNotEmpty(allowEvaluators)) {
+                               Set<String> users = new HashSet<String>();
+                               Set<String> groups = new HashSet<String>();
+
+                               getResourceAccessInfo(request, allowEvaluators, 
users, groups);
+
+                               if 
(CollectionUtils.isNotEmpty(allowExceptionEvaluators)) {
+                                       Set<String> exceptionUsers = new 
HashSet<String>();
+                                       Set<String> exceptionGroups = new 
HashSet<String>();
+
+                                       getResourceAccessInfo(request, 
allowExceptionEvaluators, exceptionUsers, exceptionGroups);
+
+                                       users.removeAll(exceptionUsers);
+                                       groups.removeAll(exceptionGroups);
+                               }
+
+                               result.getAllowedUsers().addAll(users);
+                               result.getAllowedGroups().addAll(groups);
+                       }
+               }
+
+               if(isResourceMatch) {
+                       if(CollectionUtils.isNotEmpty(denyEvaluators)) {
+                               Set<String> users  = new HashSet<String>();
+                               Set<String> groups = new HashSet<String>();
+
+                               getResourceAccessInfo(request, denyEvaluators, 
users, groups);
+
+                               
if(CollectionUtils.isNotEmpty(denyExceptionEvaluators)) {
+                                       Set<String> exceptionUsers  = new 
HashSet<String>();
+                                       Set<String> exceptionGroups = new 
HashSet<String>();
+
+                                       getResourceAccessInfo(request, 
denyExceptionEvaluators, exceptionUsers, exceptionGroups);
+
+                                       users.removeAll(exceptionUsers);
+                                       groups.removeAll(exceptionGroups);
+                               }
+
+                               result.getDeniedUsers().addAll(users);
+                               result.getDeniedGroups().addAll(groups);
+                       }
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== 
RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + result 
+ ")");
+               }
+       }
+
+
+       private void getResourceAccessInfo(RangerAccessRequest request, List<? 
extends RangerPolicyItemEvaluator> policyItems, Set<String> users, Set<String> 
groups) {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> 
RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + 
policyItems + ", " + users + ", " + groups + ")");
+               }
+
+               if (CollectionUtils.isNotEmpty(policyItems)) {
+                       for (RangerPolicyItemEvaluator policyItemEvaluator : 
policyItems) {
+                               if 
(policyItemEvaluator.matchAccessType(request.getAccessType()) && 
policyItemEvaluator.matchCustomConditions(request)) {
+                                       if 
(CollectionUtils.isNotEmpty(policyItemEvaluator.getPolicyItem().getUsers())) {
+                                               
users.addAll(policyItemEvaluator.getPolicyItem().getUsers());
+                                       }
+
+                                       if 
(CollectionUtils.isNotEmpty(policyItemEvaluator.getPolicyItem().getGroups())) {
+                                               
groups.addAll(policyItemEvaluator.getPolicyItem().getGroups());
+                                       }
+                               }
+                       }
+               }
+
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== 
RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + 
policyItems + ", " + users + ", " + groups + ")");
+               }
+       }
+
 
        protected boolean matchResourceHead(RangerAccessResource resource) {
                if(LOG.isDebugEnabled()) {
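Review bot: The public `getResourceAccessInfo` collects allow items when either `isResourceMatch` or `isResourceHeadMatch` is true but collects deny items only when `isResourceMatch` is true, and nothing in the method says whether that asymmetry is intended. Someone auditing the result for over-reported access needs it stated. If it is intended, add a comment above the deny block such as `// deny items are applied only on a full resource match; a head match (access type "any" or SELF_OR_DESCENDANTS) contributes allowed names only`. The private overload of the same name returns nothing and fills `users`/`groups`, so a name that says it accumulates would read better than a second `get…`. The trailing context belongs to matchResourceHead, whose body continues outside the hunk.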

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 3c73082..25812a4 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -31,6 +31,8 @@ import 
org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
+
 
 public interface RangerPolicyEvaluator extends 
Comparable<RangerPolicyEvaluator> {
        public static final String EVALUATOR_TYPE_AUTO   = "auto";
@@ -66,4 +68,6 @@ public interface RangerPolicyEvaluator extends 
Comparable<RangerPolicyEvaluator>
        boolean isAccessAllowed(RangerAccessResource resource, String user, 
Set<String> userGroups, String accessType);
 
        boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, 
String user, Set<String> userGroups, String accessType);
+
+       void getResourceAccessInfo(RangerAccessRequest request, 
RangerResourceAccessInfo result);
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
index 9ac2f93..53f6df6 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
@@ -24,6 +24,8 @@ import java.util.Set;
 import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
 
 public interface RangerPolicyItemEvaluator extends 
Comparable<RangerPolicyItemEvaluator> {
        public static final int POLICY_ITEM_TYPE_ALLOW            = 0;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index be54d36..1ec88d5 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -182,6 +182,18 @@ public class RangerBasePlugin {
                return null;
        }
 
+       public RangerResourceAccessInfo 
getResourceAccessInfo(RangerAccessRequest request) {
+               RangerPolicyEngine policyEngine = this.policyEngine;
+
+               if(policyEngine != null) {
+                       policyEngine.preProcess(request);
+
+                       return policyEngine.getResourceAccessInfo(request);
+               }
+
+               return null;
+       }
+
        public RangerAccessResult createAccessResult(RangerAccessRequest 
request) {
                RangerPolicyEngine policyEngine = this.policyEngine;
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index cd81836..05cbcde 100644
--- 
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ 
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -181,6 +181,13 @@ public class TestPolicyEngine {
        }
 
        @Test
+       public void testPolicyEngine_resourceAccessInfo() {
+               String[] conditionsTestResourceFiles = { 
"/policyengine/test_policyengine_resource_access_info.json" };
+
+               runTestsFromResourceFiles(conditionsTestResourceFiles);
+       }
+
+       @Test
        public void testPolicyEngine_geo() {
                String[] conditionsTestResourceFiles = { 
"/policyengine/test_policyengine_geo.json" };
 
@@ -238,7 +245,6 @@ public class TestPolicyEngine {
                RangerAccessRequest request = null;
 
                for(TestData test : testCase.tests) {
-
                        if 
(test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS)
 ||
                                        
test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES))
 {
                                // Create a new AccessRequest
@@ -332,6 +338,17 @@ public class TestPolicyEngine {
                                assertEquals("maskedValue mismatched! - " + 
test.name, expected.getMaskedValue(), result.getMaskedValue());
                                assertEquals("policyId mismatched! - " + 
test.name, expected.getPolicyId(), result.getPolicyId());
                        }
+
+                       if(test.resourceAccessInfo != null) {
+                               RangerResourceAccessInfo expected = new 
RangerResourceAccessInfo(test.resourceAccessInfo);
+                               RangerResourceAccessInfo result   = 
policyEngine.getResourceAccessInfo(test.request);
+
+                               assertNotNull("result was null! - " + 
test.name, result);
+                               assertEquals("allowedUsers mismatched! - " + 
test.name, expected.getAllowedUsers(), result.getAllowedUsers());
+                               assertEquals("allowedGroups mismatched! - " + 
test.name, expected.getAllowedGroups(), result.getAllowedGroups());
+                               assertEquals("deniedUsers mismatched! - " + 
test.name, expected.getDeniedUsers(), result.getDeniedUsers());
+                               assertEquals("deniedGroups mismatched! - " + 
test.name, expected.getDeniedGroups(), result.getDeniedGroups());
+                       }
                }
        }
 
@@ -339,7 +356,7 @@ public class TestPolicyEngine {
                public String             serviceName;
                public RangerServiceDef   serviceDef;
                public List<RangerPolicy> policies;
-               public TagPolicyInfo    tagPolicyInfo;
+               public TagPolicyInfo      tagPolicyInfo;
                public List<TestData>     tests;
                
                class TestData {
@@ -347,6 +364,7 @@ public class TestPolicyEngine {
                        public RangerAccessRequest request;
                        public RangerAccessResult  result;
                        public RangerDataMaskResult dataMaskResult;
+                       public RangerResourceAccessInfo resourceAccessInfo;
                }
 
                class TagPolicyInfo {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json
----------------------------------------------------------------------
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json
 
b/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json
new file mode 100644
index 0000000..04d5236
--- /dev/null
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json
@@ -0,0 +1,106 @@
+{
+  "serviceName":"hivedev",
+
+  "serviceDef":{
+    "name":"hive",
+    "id":3,
+    "resources":[
+      
{"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
 "ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
+      
{"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
 "ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
+      
{"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
 "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
+      
{"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
 "ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
+    ],
+    "accessTypes":[
+      {"name":"select","label":"Select"},
+      {"name":"update","label":"Update"},
+      {"name":"create","label":"Create"},
+      {"name":"drop","label":"Drop"},
+      {"name":"alter","label":"Alter"},
+      {"name":"index","label":"Index"},
+      {"name":"lock","label":"Lock"},
+      {"name":"all","label":"All"}
+    ],
+    "options": {
+      "enableDenyAndExceptionsInPolicies":"true"
+    }
+  },
+
+  "policies":[
+    {"id":1,"name":"db=default: 
audit-all-access","isEnabled":true,"isAuditEnabled":true,
+     
"resources":{"database":{"values":["default"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+     "policyItems":[
+       {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":2,"name":"db=default; table=test*; 
column=*","isEnabled":true,"isAuditEnabled":true,
+     
"resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}},
+     "policyItems":[
+       
{"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false}
+       ,
+       
{"accesses":[{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["admin"],"groups":["admin"],"delegateAdmin":true}
+     ]
+    }
+    ,
+    {"id":3,"name":"db=db1; table=tbl*; 
column=*","isEnabled":true,"isAuditEnabled":true,
+     
"resources":{"database":{"values":["db1"]},"table":{"values":["tbl*"]},"column":{"values":["*"]}},
+     "policyItems":[
+       
{"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false}
+     ],
+      "denyPolicyItems":[
+        
{"accesses":[{"type":"select","isAllowed":true}],"users":["user3"],"groups":["group3"],"delegateAdmin":false}
+      ]
+    }
+  ],
+
+  "tests":[
+    {"name":"use default;",
+     "request":{
+      "resource":{"elements":{"database":"default"}},
+      "accessType":"","requestData":"use default"
+     },
+     "resourceAccessInfo":{"allowedUsers":["admin", "user1", 
"user2"],"allowedGroups":["admin", "group1", "group2"]}
+    }
+  ,
+    {"name":"select default.testtbl1",
+      "request":{
+        "resource":{"elements":{"database":"default", "table":"testtbl1"}},
+        "accessType":"select","requestData":"select default.testtbl1"
+      },
+      "resourceAccessInfo":{"allowedUsers":["user1", 
"user2"],"allowedGroups":["group1", "group2"]}
+    }
+    ,
+    {"name":"create default.testtbl1",
+     "request":{
+      "resource":{"elements":{"database":"default", "table":"testtbl1"}},
+      "accessType":"create","requestData":"create default.testtbl1"
+     },
+      "resourceAccessInfo":{"allowedUsers":["admin"],"allowedGroups":["admin"]}
+    }
+    ,
+    {"name":"select db1.tbl1",
+      "request":{
+        "resource":{"elements":{"database":"db1", "table":"tbl1"}},
+        "accessType":"select","requestData":"select db1.tbl1"
+      },
+      "resourceAccessInfo":{"allowedUsers":["user1", 
"user2"],"allowedGroups":["group1", 
"group2"],"deniedUsers":["user3"],"deniedGroups":["group3"]}
+    }
+    ,
+    {"name":"insert db1.tbl1",
+      "request":{
+        "resource":{"elements":{"database":"db1", "table":"tb1"}},
+        "accessType":"insert","requestData":"insert db1.tbl1"
+      },
+      "resourceAccessInfo":{"allowedUsers":[],"allowedGroups":[]}
+    }
+    ,
+    {"name":"select db2.tbl1",
+      "request":{
+        "resource":{"elements":{"database":"db2", "table":"tb1"}},
+        "accessType":"create","requestData":"select db2.tbl1"
+      },
+      "resourceAccessInfo":{"allowedUsers":[],"allowedGroups":[]}
+    }
+  ]
+}
+
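Review bot: Two of the negative cases do not test what their names say. `insert db1.tbl1` requests `"table":"tb1"`, which does not match policy 3's `tbl*`, so the empty result comes from the resource mismatch and the access-type filter is never exercised on a matching resource; use `"table":"tbl1"`. `select db2.tbl1` sends `"accessType":"create"` and also `"table":"tb1"`. The fixture also has no case with allow or deny exceptions and none with tag policies, so the exception subtraction and the tag-evaluator loop added by this commit run without coverage.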
