Repository: ranger Updated Branches: refs/heads/master 0688f5eb7 -> 2a1406df8
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/policyengine/test_policydb_hive.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/policyengine/test_policydb_hive.json b/agents-common/src/test/resources/policyengine/test_policydb_hive.json new file mode 100644 index 0000000..3342d13 --- /dev/null +++ b/agents-common/src/test/resources/policyengine/test_policydb_hive.json @@ -0,0 +1,441 @@ +{ + "servicePolicies": { + "serviceName": "hivedev", + "serviceDef": { + "name": "hive", + "id": 3, + "resources": [ + { + "name": "database", + "level": 1, + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Database", + "description": "Hive Database" + }, + { + "name": "table", + "level": 2, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Table", + "description": "Hive Table" + }, + { + "name": "udf", + "level": 2, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive UDF", + "description": "Hive UDF" + }, + { + "name": "column", + "level": 3, + "parent": "table", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Column", + "description": "Hive Column" + } + ], + "accessTypes": [ + { + "name": "select", + "label": "Select" + }, + { + "name": "update", + "label": "Update" + }, + { + "name": "create", + "label": "Create" + }, + { + "name": "drop", + "label": "Drop" + }, + { + "name": "alter", + "label": "Alter" + }, + { + "name": "index", + "label": "Index" + }, + { + "name": "lock", + "label": "Lock" + }, + { + "name": "all", + "label": "All" + } + ] + }, + "policies": [ + { + "id": 1, + "name": "db=default: audit-all-access", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "database": { + "values": [ + "default" + ] + }, + "table": { + "values": [ + "*" + ] + }, + "column": { + "values": [ + "*" + ] + } + }, + "policyItems": [ + { + "accesses": [], + "users": [], + "groups": [ + "public" + ], + "delegateAdmin": false + } + ] + }, + { + "id": 2, + "name": "db=default; table=test1,test2; column=column1", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "database": { + "values": [ + "default" + ] + }, + "table": { + "values": [ + "test1", "test2" + ] + }, + "column": { + "values": [ + "column1" + ] + } + }, + "policyItems": [ + { + "accesses": [ + { + "type": "select", + "isAllowed": true + } + ], + "users": [ + "user1", + "user2" + ], + "groups": [ + "group1", + "group2" + ], + "delegateAdmin": false + }, + { + "accesses": [ + { + "type": "create", + "isAllowed": true + }, + { + "type": "drop", + "isAllowed": true + } + ], + "users": [ + "admin" + ], + "groups": [ + "cluster-admin" + ], + "delegateAdmin": true + } + ] + }, + { + "id": 21, + "name": "db=default; table=test1,test2; column=column2", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "database": { + "values": [ + "default" + ] + }, + "table": { + "values": [ + "test1", "test2" + ] + }, + "column": { + "values": [ + "column2" + ] + } + }, + "policyItems": [ + { + "accesses": [ + { + "type": "select", + "isAllowed": true + } + ], + "users": [ + "user1", + "user2" + ], + "groups": [ + "group1", + "group2" + ], + "delegateAdmin": false + }, + { + "accesses": [ + { + "type": "create", + "isAllowed": true + }, + { + "type": "drop", + "isAllowed": true + } + ], + "users": [ + "admin" + ], + "groups": [ + "cluster-admin" + ], + "delegateAdmin": true + } + ] + }, + { + "id": 3, + "name": "db=finance; table=fin_*; column=*", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "database": { + "values": [ + "finance" + ] + }, + "table": { + "values": [ + "fin_*" + ] + }, + "column": { + "values": [ + "*" + ] + } + }, + "policyItems": [ + { + "accesses": [ + { + "type": "select", + "isAllowed": true + } + ], + "users": [ + "user1", + "user2" + ], + "groups": [ + "finance-controller" + ], + "delegateAdmin": true + } + ] + }, + { + "id": 4, + "name": "db=db1; table=tmp; column=tmp*", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "database": { + "values": [ + "db1" + ] + }, + "table": { + "values": [ + "tmp" + ] + }, + "column": { + "values": [ + "tmp*" + ], + "isExcludes": false + } + }, + "policyItems": [ + { + "accesses": [ + { + "type": "select", + "isAllowed": true + }, + { + "type": "create", + "isAllowed": true + } + ], + "users": [ + "user1", + "user2" + ], + "groups": [ + "cluster-admin", + "finance-controller" + ], + "delegateAdmin": true + } + ] + }, + { + "id": 5, + "name": "db=hr", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "database": { + "values": [ + "hr" + ] + }, + "udf": { + "values": [ + "udf" + ] + } + }, + "policyItems": [ + { + "accesses": [ + { + "type": "select", + "isAllowed": true + }, + { + "type": "create", + "isAllowed": true + } + ], + "users": [ + "user1", + "user2" + ], + "groups": [ + "cluster-admin" + ], + "delegateAdmin": true + } + ] + } + ] + }, + + "tests":[ + {"name":"ALLOW '_admin access on resource [database=db1, table=tmp, column=tmp1]' for g=cluster-admin", + "resources":{"database":{"values":["db1"]}, "table":{"values":["tmp"]}, "column":{"values":["tmp1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin", + "result":true + }, + {"name":"DENY '_admin access on resource [database=db1, table=tmp, column=column1]' for g=cluster-admin", + "resources":{"database":{"values":["db1"]}, "table":{"values":["tmp"]}, "column":{"values":["column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin", + "result":false + }, + {"name":"DENY '_admin access on resource [database=hr]' for g=cluster-admin", + "resources":{"database":{"values":["hr"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin", + "result":false + }, + {"name":"DENY '_admin access on resource [database=db1:default, table=tmp:test*, column=tmp1:column1]' for g=cluster-admin", + "resources":{"database":{"values":["db1", "default"]}, "table":{"values":["tmp", "test*"]}, "column":{"values":["tmp1", "column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin", + "result":false + }, + {"name":"ALLOW '_admin access on resource [database=default, table=test1:test2, column=column1]' for g=cluster-admin", + "resources":{"database":{"values":["default"]}, "table":{"values":["test1", "test2"]}, "column":{"values":["column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin", + "result":true + }, + {"name":"DENY '_admin access on resource [database=default, table=test1:test2:test3, column=column1]' for g=cluster-admin", + "resources":{"database":{"values":["default"]}, "table":{"values":["test1", "test2", "test3"]}, "column":{"values":["column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin", + "result":false + }, + {"name":"DENY '_admin access on resource [database=default, table=test1:test2, column=column1,column2]' for g=cluster-admin", + "resources":{"database":{"values":["default"]}, "table":{"values":["test1", "test2"]}, "column":{"values":["column1","column2"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin", + "result":false + }, + {"name":"DENY '_admin access on resource [database=default, table=test1:test2, column=column1]' for g=cluster-admin", + "resources":{"database":{"values":["default"]}, "table":{"values":["test1", "test2", "test3"]}, "column":{"values":["column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin", + "result":false + }, + + {"name":"4 'create allowed policies' for g=cluster-admin", + "user":"testuser","userGroups":["cluster-admin","users"],"accessType":"create","allowedPolicies":[2, 21, 4, 5] + } + , + {"name":"2 'select allowed policies' for g=finance-controller", + "user":"testuser","userGroups":["finance-controller","users"],"accessType":"select","allowedPolicies":[3, 4] + } + , + {"name":"0 'drop allowed policies' for g=finance-controller", + "user":"testuser","userGroups":["finance-controller","users"],"accessType":"drop","allowedPolicies":[] + } + , + {"name":"0 'select allowed policies' for u=testuser", + "user":"testuser","userGroups":["public","users"],"accessType":"select","allowedPolicies":[] + } + , + {"name":"5 'select allowed policies' for u=user1", + "user":"user1","userGroups":["public","users"],"accessType":"select","allowedPolicies":[2, 21, 3, 4, 5] + } + ] +} + http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json index cba7a21..211e0ed 100644 --- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json +++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json @@ -133,8 +133,8 @@ } , { - "name": "MATCH for parent 'finance:tax'", - "type": "ancestorMatch", + "name": "MATCH for exact 'finance:tax'", + "type": "exactMatch", "resource": { "elements": {"database": "finance","table": "tax"} }, @@ -277,8 +277,8 @@ } , { - "name": "MATCH for parent 'finance:tax'", - "type": "ancestorMatch", + "name": "MATCH for exact 'finance:tax'", + "type": "exactMatch", "resource": { "elements": {"database": "finance","table": "tax"} }, @@ -411,8 +411,8 @@ } , { - "name": "MATCH for parent 'finance'", - "type": "ancestorMatch", + "name": "MATCH for exact 'finance'", + "type": "exactMatch", "resource": { "elements": {"database": "finance"} }, @@ -440,8 +440,8 @@ }, "tests": [ { - "name": "MATCH for parent 'finance.tax.ssn'", - "type": "ancestorMatch", + "name": "MATCH for exact 'finance.tax.ssn'", + "type": "exactMatch", "resource": { "elements": {"database": "finance", "table":"tax", "column":"ssn"} }, @@ -606,8 +606,8 @@ }, "tests": [ { - "name": "MATCH for parent 'finance.tax.ssn'", - "type": "ancestorMatch", + "name": "MATCH for exact 'finance.tax.ssn'", + "type": "exactMatch", "resource": { "elements": {"database": "finance", "table":"tax", "column":"ssn"} }, @@ -647,8 +647,8 @@ }, "tests": [ { - "name": "MATCH for parent 'finance.tax.ssn'", - "type": "ancestorMatch", + "name": "MATCH for exact 'finance.tax.ssn'", + "type": "exactMatch", "resource": { "elements": {"database": "finance", "table":"tax", "column":"ssn"} }, @@ -767,8 +767,8 @@ }, "tests": [ { - "name": "MATCH for parent 'finance.tax.ssn'", - "type": "ancestorMatch", + "name": "MATCH for exact 'finance.tax.ssn'", + "type": "exactMatch", "resource": { "elements": {"database": "finance", "table":"tax", "column":"ssn"} }, http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json new file mode 100644 index 0000000..ddb171d --- /dev/null +++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json @@ -0,0 +1,410 @@ +{ + "serviceDef": { + "name": "hive", + "id": 3, + "resources": [ + { + "name": "database", + "level": 1, + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Database", + "description": "Hive Database" + }, + { + "name": "table", + "level": 2, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Table", + "description": "Hive Table" + }, + { + "name": "udf", + "level": 2, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive UDF", + "description": "Hive UDF" + }, + { + "name": "column", + "level": 3, + "parent": "table", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Column", + "description": "Hive Column" + } + ], + "accessTypes": [ + { + "name": "select", + "label": "Select" + }, + { + "name": "update", + "label": "Update" + }, + { + "name": "create", + "label": "Create" + }, + { + "name": "drop", + "label": "Drop" + }, + { + "name": "alter", + "label": "Alter" + }, + { + "name": "index", + "label": "Index" + }, + { + "name": "lock", + "label": "Lock" + }, + { + "name": "all", + "label": "All" + } + ] + }, + "testCases": [ + { + "name": "database=*:table=*:column:demo", + "policyResources": { + "database": {"values": ["*"]}, + "table": {"values": ["*"]}, + "column":{"values":["demo"]} + }, + "tests": [ + { + "name": "Exact match for 'tmp:*:demo' policy", + "type": "exactMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["tmp"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["demo"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + } + ] + }, + { + "name": "database=finance:table=tax:column:refund", + "policyResources": { + "database": {"values": ["finance"]}, + "table": {"values": ["tax"]}, + "column":{"values":["refund"]} + }, + "tests": [ + { + "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", + "type": "exactMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + }, + { + "name": "Descendant match for 'finance,hr,tmp*:tax,employee,tmp*:' policy", + "type": "descendantMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + }, + { + "name": "No match for '*:*:*' policy", + "type": "anyMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : false + } + ] + }, + { + "name": "database=hr:table=*:column=refund", + "policyResources": { + "database": {"values": ["hr"]}, + "table": {"values": ["*"]}, + "column":{"values":["refund"]} + }, + "tests": [ + { + "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", + "type": "exactMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + } + , + { + "name": "No match for 'finance,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", + "type": "anyMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : false + } + ] + }, + { + "name": "database=hr:table=*:column=*", + "policyResources": { + "database": {"values": ["hr"]}, + "table": {"values": ["*"]}, + "column":{"values":["*"]} + }, + "tests": [ + { + "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", + "type": "exactMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + }, + { + "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*:' policy", + "type": "ancestorMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + }, + { + "name": "Exact match for 'finance,hr,tmp*:*,employee,tmp*:*,salary,tmp*' policy", + "type": "exactMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "table": {"values": ["*","employee","tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["*","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + }, + { + "name": "No match for 'finance,hr,tmp*::refund,salary,tmp*' policy", + "type": "anyMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, + "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : false + }, + { + "name": "Ancestor match for 'finance,hr,tmp*::' policy", + "type": "ancestorMatch", + "policy" : { + "service" : "any", + "name" : "test", + "policyType":0, + "description":"", + "resourceSignature":"", + "isAuditEnabled":true, + "resources" : { + "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false} + }, + "policyItems":[], + "denyPolicyItems":[], + "allowExceptions":[], + "denyExceptions":[], + "dataMaskPolicyItems":[], + "rowFilterPolicyItems":[] + }, + "evalContext": {}, + "result" : true + } + ] + } + ] +} http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json deleted file mode 100644 index 489cc13..0000000 --- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json +++ /dev/null @@ -1,315 +0,0 @@ -{ - "serviceDef": { - "name": "hive", - "id": 3, - "resources": [ - { - "name": "database", - "level": 1, - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Hive Database", - "description": "Hive Database" - }, - { - "name": "table", - "level": 2, - "parent": "database", - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Hive Table", - "description": "Hive Table" - }, - { - "name": "udf", - "level": 2, - "parent": "database", - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Hive UDF", - "description": "Hive UDF" - }, - { - "name": "column", - "level": 3, - "parent": "table", - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Hive Column", - "description": "Hive Column" - } - ], - "accessTypes": [ - { - "name": "select", - "label": "Select" - }, - { - "name": "update", - "label": "Update" - }, - { - "name": "create", - "label": "Create" - }, - { - "name": "drop", - "label": "Drop" - }, - { - "name": "alter", - "label": "Alter" - }, - { - "name": "index", - "label": "Index" - }, - { - "name": "lock", - "label": "Lock" - }, - { - "name": "all", - "label": "All" - } - ] - }, - "testCases": [ - { - "name": "database=*:table=*:column:demo", - "policyResources": { - "database": {"values": ["*"]}, - "table": {"values": ["*"]}, - "column":{"values":["demo"]} - }, - "tests": [ - { - "name": "Exact match for 'tmp:*:demo' policy", - "type": "exactMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["tmp"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["demo"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - } - ] - }, - { - "name": "database=finance:table=tax:column:refund", - "policyResources": { - "database": {"values": ["finance"]}, - "table": {"values": ["tax"]}, - "column":{"values":["refund"]} - }, - "tests": [ - { - "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", - "type": "exactMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - }, - { - "name": "No match for '*:*:*' policy", - "type": "anyMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : false - } - ] - }, - { - "name": "database=hr:table=*:column:refund", - "policyResources": { - "database": {"values": ["hr"]}, - "table": {"values": ["*"]}, - "column":{"values":["refund"]} - }, - "tests": [ - { - "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", - "type": "exactMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - } - , - { - "name": "No match for 'finance,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", - "type": "anyMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : false - } - ] - }, - { - "name": "database=hr:table=*:column:*", - "policyResources": { - "database": {"values": ["hr"]}, - "table": {"values": ["*"]}, - "column":{"values":["*"]} - }, - "tests": [ - { - "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", - "type": "ancestorMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - }, - { - "name": "Ancestor match for 'finance,hr,tmp*:*,employee,tmp*:*,salary,tmp*' policy", - "type": "ancestorMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["*","employee","tmp*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["*","salary","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - } - ] - } - ] -} http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json deleted file mode 100644 index 4373647..0000000 --- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json +++ /dev/null @@ -1,335 +0,0 @@ -{ - "serviceDef": { - "name": "hive", - "id": 3, - "resources": [ - { - "name": "database", - "level": 1, - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Hive Database", - "description": "Hive Database" - }, - { - "name": "table", - "level": 2, - "parent": "database", - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Hive Table", - "description": "Hive Table" - }, - { - "name": "udf", - "level": 2, - "parent": "database", - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Hive UDF", - "description": "Hive UDF" - }, - { - "name": "column", - "level": 3, - "parent": "table", - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Hive Column", - "description": "Hive Column" - } - ], - "accessTypes": [ - { - "name": "select", - "label": "Select" - }, - { - "name": "update", - "label": "Update" - }, - { - "name": "create", - "label": "Create" - }, - { - "name": "drop", - "label": "Drop" - }, - { - "name": "alter", - "label": "Alter" - }, - { - "name": "index", - "label": "Index" - }, - { - "name": "lock", - "label": "Lock" - }, - { - "name": "all", - "label": "All" - } - ] - }, - "testCases": [ - { - "name": "database=*:table=*:column:demo", - "policyResources": { - "database": {"values": ["*"]}, - "table": {"values": ["*"]}, - "column":{"values":["demo"]} - }, - "tests": [ - { - "name": "Exact match for 'tmp:*:demo' policy", - "type": "exactMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["tmp"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["demo"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - } - ] - }, - { - "name": "database=finance:table=tax:column:refund", - "policyResources": { - "database": {"values": ["finance"]}, - "table": {"values": ["tax"]}, - "column":{"values":["refund"]} - }, - "tests": [ - { - "name": "Descendant match for 'finance,hr,tmp*:tax,employee,tmp*:' policy", - "type": "descendantMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - }, - { - "name": "No match for '*:*:*' policy", - "type": "anyMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : false - } - ] - }, - { - "name": "database=hr:table=*:column:refund", - "policyResources": { - "database": {"values": ["hr"]}, - "table": {"values": ["*"]}, - "column":{"values":["refund"]} - }, - "tests": [ - { - "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", - "type": "exactMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - } - , - { - "name": "No match for 'finance,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy", - "type": "anyMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : false - } - ] - }, - { - "name": "database=hr:table=*:column:*", - "policyResources": { - "database": {"values": ["hr"]}, - "table": {"values": ["*"]}, - "column":{"values":["*"]} - }, - "tests": [ - { - "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*:' policy", - "type": "ancestorMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, - "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - }, - { - "name": "No match for 'finance,hr,tmp*::refund,salary,tmp*' policy", - "type": "anyMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}, - "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : false - }, - { - "name": "Ancestor match for 'finance,hr,tmp*::' policy", - "type": "ancestorMatch", - "policy" : { - "service" : "any", - "name" : "test", - "policyType":0, - "description":"", - "resourceSignature":"", - "isAuditEnabled":true, - "resources" : { - "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false} - }, - "policyItems":[], - "denyPolicyItems":[], - "allowExceptions":[], - "denyExceptions":[], - "dataMaskPolicyItems":[], - "rowFilterPolicyItems":[] - }, - "evalContext": {}, - "result" : true - } - ] - } - ] -} http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/ranger-tools/src/test/resources/testdata/test_modules.txt ---------------------------------------------------------------------- diff --git a/ranger-tools/src/test/resources/testdata/test_modules.txt b/ranger-tools/src/test/resources/testdata/test_modules.txt index a355ec8..d2b4f50 100644 --- a/ranger-tools/src/test/resources/testdata/test_modules.txt +++ b/ranger-tools/src/test/resources/testdata/test_modules.txt @@ -23,3 +23,5 @@ RangerPolicyEngine.preProcess RangerPolicyEngine.isAccessAllowedNoAudit RangerPolicyEngine.reorderPolicyEvaluators RangerPolicyEngine.usage +RangerDefaultPolicyResourceMatcher.init +RangerDefaultPolicyResourceMatcher.getMatchType