Posted to commits@ranger.apache.org by rm...@apache.org on 2016/12/07 00:16:03 UTC

incubator-ranger git commit: RANGER-1229: fix resource-matcher to correctly handle policy containing only one resource whose value is '*'

Repository: incubator-ranger
Updated Branches:
  refs/heads/ranger-0.6 ffbb138d1 -> 2fcd7f7cc


RANGER-1229: fix resource-matcher to correctly handle policy containing only one resource whose value is '*'

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2fcd7f7c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2fcd7f7c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2fcd7f7c

Branch: refs/heads/ranger-0.6
Commit: 2fcd7f7cc175c0734443638b99c359e24c0f88ff
Parents: ffbb138
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Tue Nov 29 10:44:50 2016 -0800
Committer: rmani <rm...@hortonworks.com>
Committed: Tue Dec 6 16:15:44 2016 -0800

----------------------------------------------------------------------
 .../RangerAbstractResourceMatcher.java          |  2 +-
 .../RangerPathResourceMatcher.java              |  7 +-
 .../plugin/policyengine/TestPolicyEngine.java   |  7 ++
 ...engine_hbase_multiple_matching_policies.json | 75 ++++++++++++++++++++
 4 files changed, 89 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2fcd7f7c/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index 4a96fd7..574f2eb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -267,7 +267,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 	ResourceMatcher getMatcher(String policyValue) {
 		final int len = policyValue != null ? policyValue.length() : 0;
 
-		if (len == 0 || (optWildCard && policyValue.equals(WILDCARD_ASTERISK))) {
+		if (len == 0) {
 			return null;
 		}
 
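Review bot: With the `WILDCARD_ASTERISK` short-circuit removed, a policy value of exactly `*` now falls through to the remainder of `getMatcher`, which lies outside this hunk, and nothing here records what matcher that code is expected to build for it. The same commit gives RangerPathResourceMatcher an explicit branch and comment for this case, so the two matchers now document it differently. Since this method decides which policies apply to an access request, a comment above the `len == 0` check would help, e.g. `// a lone '*' is deliberately not short-circuited; the matcher built below must report isMatchAny()`. Presumably the generic wildcard handling further down covers it, but that is not visible from this hunk.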

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2fcd7f7c/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 97df061..1ab15eb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -92,10 +92,15 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
 
 		final int len = policyValue != null ? policyValue.length() : 0;
 
-		if (len == 0 || (optWildCard && policyValue.equals(WILDCARD_ASTERISK))) {
+		if (len == 0) {
 			return null;
 		}
 
+		// To ensure that when policyValue is single '*', ResourceMatcher created here returns true for isMatchAny()
+		if (optWildCard && policyValue.equals(WILDCARD_ASTERISK)) {
+			return new CaseInsensitiveStringMatcher("");
+		}
+
 		boolean isWildcardPresent = false;
 
 		if (optWildCard) {
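Review bot: `new CaseInsensitiveStringMatcher("")` is used as a sentinel for "match anything", which holds only if every caller consults `isMatchAny()` before evaluating the matcher itself. Taken literally, an empty-string matcher would presumably match only an empty resource value. If any evaluation path skips that check, a path policy whose only value is `*` would silently stop matching, which matters most for policies meant to restrict or audit access. The comment should state the dependency, e.g. `// sentinel: empty value makes isMatchAny() true; never evaluate this matcher without checking isMatchAny() first`, or the branch could return a dedicated match-any matcher. The enclosing method starts and ends outside the hunk.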

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2fcd7f7c/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 9937757..aebc869 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -215,6 +215,13 @@ public class TestPolicyEngine {
 	}
 
 	@Test
+	public void testPolicyEngine_hbase_with_multiple_matching_policies() {
+		String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase_multiple_matching_policies.json" };
+
+		runTestsFromResourceFiles(hbaseTestResourceFiles);
+	}
+
+	@Test
 	public void testPolicyEngine_conditions() {
 		String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_conditions.json" };
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2fcd7f7c/agents-common/src/test/resources/policyengine/test_policyengine_hbase_multiple_matching_policies.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hbase_multiple_matching_policies.json b/agents-common/src/test/resources/policyengine/test_policyengine_hbase_multiple_matching_policies.json
new file mode 100644
index 0000000..f9957bb
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hbase_multiple_matching_policies.json
@@ -0,0 +1,75 @@
+{
+  "serviceName":"hbasedev",
+
+  "serviceDef":{
+    "name":"hbase",
+    "id":2,
+    "resources":[
+      {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Table","description":"HBase Table"},
+      {"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column-Family","description":"HBase Column-Family"},
+      {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column","description":"HBase Column"}
+    ],
+    "accessTypes":[
+      {"name":"read","label":"Read"},
+      {"name":"write","label":"Write"},
+      {"name":"create","label":"Create"},
+      {"name":"admin","label":"Admin","impliedGrants":["read","write","create"]}
+    ]
+  },
+
+  "policies":[
+    {"id":1,"name":"table=default,*; column-family=default,*; column=default, *: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"table":{"values":["default", "*"]},"column-family":{"values":["default", "*"]}, "column":{"values":["default", "*"]}},
+     "policyItems":[
+       {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}, {"type":"create", "isAllowed":true},
+         {"type":"admin", "isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
+       ,
+       {"accesses":[{"type":"read","isAllowed":true}],"users":["hrt_qa"],"groups":[],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":2,"name":"table=*; column-family=*; column=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"table":{"values":["*"]},"column-family":{"values":["*"]}, "column":{"values":["*"]}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}, {"type":"create", "isAllowed":true},
+          {"type":"admin", "isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
+      ,
+        {"accesses":[{"type":"read","isAllowed":true}, {"type":"write", "isAllowed":true}],"users":["hrt_qa"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ],
+
+  "tests":[
+    {"name":"TEST!!! ALLOW 'scan finance restricted-cf;' for hrt_qa",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
+        "accessType":"read","user":"hrt_qa","userGroups":[],"requestData":"scan finance restricted-cf; for hrt_qa"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+    }
+  ,
+    {"name":"TEST!!! ALLOW 'put finance restricted-cf;' for hrt_qa",
+     "request":{
+      "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
+      "accessType":"write","user":"hrt_qa","userGroups":[],"requestData":"put finance restricted-cf; for hrt_qa"
+     },
+     "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    },
+    {"name":"TEST!!! DENY 'create finance restricted-cf;' for hrt_qa",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
+        "accessType":"create","user":"hrt_qa","userGroups":[],"requestData":"create finance restricted-cf; for hrt_qa"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"TEST!!! ALLOW 'create finance restricted-cf;' for user1",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
+        "accessType":"create","user":"user1","userGroups":[],"requestData":"create finance restricted-cf; for user1"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+    }
+  ]
+}
+
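Review bot: All three resource definitions in this fixture use `RangerDefaultResourceMatcher`, so the single-'*' branch this commit adds to RangerPathResourceMatcher is not exercised by any case here. A parallel fixture with a path-type resource whose only policy value is `*` would cover it, ideally with one request expected to be allowed and one expected to fall through to `"policyId":-1`. None of the four requests supplies a `column` element either, so the third-level `*` is only tested against an absent resource value. One request that names a column would show that the wildcard matches a concrete value at that level too.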