Posted to commits@ranger.apache.org by ab...@apache.org on 2017/03/27 23:23:46 UTC
ranger git commit: RANGER-1477: 'show databases' fails with
access-denied when user doesn't have access to some of the databases
Repository: ranger
Updated Branches:
refs/heads/master 3bfdf4ee9 -> 25435ffa1
RANGER-1477: 'show databases' fails with access-denied when user doesn't have access to some of the databases
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/25435ffa
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/25435ffa
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/25435ffa
Branch: refs/heads/master
Commit: 25435ffa1a439f5db70b1c10e4bc67d19f8a7686
Parents: 3bfdf4e
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Mar 27 16:20:35 2017 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Mon Mar 27 16:20:35 2017 -0700
----------------------------------------------------------------------
.../contextenricher/RangerTagEnricher.java | 2 +-
.../plugin/policyengine/TestPolicyEngine.java | 7 +
.../resourceTags_for_show_databases.json | 47 ++++
.../test_policyengine_descendant_tags.json | 4 +-
...olicyengine_tag_hive_for_show_databases.json | 218 +++++++++++++++++++
5 files changed, 275 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/25435ffa/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index f6638ba..ad7f2a7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -189,7 +189,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
Set<RangerTagForEval> tagsForEmptyResourceAndAnyAccess = new HashSet<>();
for (Map.Entry<Long, RangerTag> entry : serviceTags.getTags().entrySet()) {
- tagsForEmptyResourceAndAnyAccess.add(new RangerTagForEval(entry.getValue(), RangerPolicyResourceMatcher.MatchType.ANCESTOR));
+ tagsForEmptyResourceAndAnyAccess.add(new RangerTagForEval(entry.getValue(), RangerPolicyResourceMatcher.MatchType.DESCENDANT));
}
enrichedServiceTags = new EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie, tagsForEmptyResourceAndAnyAccess);
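Review bot: The switched match type makes every tag in the service a DESCENDANT match for a request that carries no resource, and nothing on the line says why that is correct; since the accompanying fixtures turn a previously denied `show databases` into an allow even when every tagged database carries an expired EXPIRES_ON deny, the rationale belongs next to the code. Suggest the comment `// A request with no resource (e.g. 'show databases') is an ancestor of every tagged resource, so each tag is a DESCENDANT match; a deny on a descendant must not block an ANY-access request at this level.` Whether the objects such a listing returns are then filtered per resource is decided by the plugin's list-filtering path, which this hunk does not show, so the comment should not promise it. The enclosing method starts and ends outside the hunk.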
http://git-wip-us.apache.org/repos/asf/ranger/blob/25435ffa/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 87b5830..5948a74 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -263,6 +263,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(conditionsTestResourceFiles);
}
+ @Test
+ public void testPolicyEngine_hiveForShowDatabases() {
+ String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_tag_hive_for_show_databases.json" };
+
+ runTestsFromResourceFiles(conditionsTestResourceFiles);
+ }
+
@Test
public void testPolicyEngine_descendant_tags() {
String[] resourceFiles = {"/policyengine/test_policyengine_descendant_tags.json"};
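Review bot: The new test reuses the local name `conditionsTestResourceFiles` from the preceding test even though it does not exercise policy conditions, while the sibling `testPolicyEngine_descendant_tags` just below uses `resourceFiles`; rename it for consistency, e.g. `String[] resourceFiles = { "/policyengine/test_policyengine_tag_hive_for_show_databases.json" };`. A one-line comment naming the scenario under test (an empty-resource request evaluated against tag deny policies) would also help, since the method name alone does not say which behaviour is pinned.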
http://git-wip-us.apache.org/repos/asf/ranger/blob/25435ffa/agents-common/src/test/resources/policyengine/resourceTags_for_show_databases.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/resourceTags_for_show_databases.json b/agents-common/src/test/resources/policyengine/resourceTags_for_show_databases.json
new file mode 100644
index 0000000..6773eeb
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/resourceTags_for_show_databases.json
@@ -0,0 +1,47 @@
+{
+ "op":"add_or_update",
+ "tagModel":"resource_private",
+ "serviceName": "cl1_hive",
+ "tagDefinitions": {
+ "1": {
+ "name": "EXPIRES_ON",
+ "attributeDefs": [ { "name": "expiry_date", "type": "datetime" } ],
+ "id": 1,
+ "guid": "tagdefinition-expires-on-guid"
+ }
+ },
+ "tags": {
+ "1": {
+ "type": "EXPIRES_ON",
+ "attributes": { "expiry_date": "2016/12/31" },
+ "id": 1,
+ "guid": "tag-expires-on-1-guid"
+ }
+ },
+ "serviceResources": [
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "employee" ] },
+ "table": { "values": [ "personal" ] },
+ "column": { "values": [ "ssn" ] }
+ },
+ "id": 1,
+ "guid": "employee.personal.ssn-guid"
+ }
+ ,
+ {
+ "serviceName": "cl1_hive",
+ "resourceElements": {
+ "database": { "values": [ "vendors" ] }
+ },
+ "id": 2,
+ "guid": "vendors-guid"
+ }
+ ],
+ "resourceToTagIds": {
+ "1": [ 1 ],
+ "2": [ 1 ]
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/ranger/blob/25435ffa/agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json b/agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json
index 757b37d..a2ec460 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json
@@ -284,12 +284,12 @@
}
,
{
- "name":"DENY 'show databases;' for hive",
+ "name":"ALLOW 'show databases;' for hive",
"request":{
"resource":{"elements":{}},
"accessType":"","user":"hive","userGroups":[],"requestData":"'show databases;' for hive"
},
- "result":{"isAudited":true,"isAllowed":false,"policyId":3}
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
}
]
}
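Review bot: The expected result for the empty-resource request flips from a deny by policy 3 to an allow by policy 2, but the fixture records no reason, and a reversed deny is exactly the kind of change a later reader will suspect is a regression. Consider encoding the rule in the test name, e.g. `"name":"ALLOW 'show databases;' for hive - a tag deny on a descendant does not block an ANY-access request"`, so the expectation documents itself. Policies 2 and 3 are defined earlier in the file, outside this hunk, so which policy now decides cannot be confirmed from here.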
http://git-wip-us.apache.org/repos/asf/ranger/blob/25435ffa/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json
new file mode 100644
index 0000000..f42df3e
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json
@@ -0,0 +1,218 @@
+{
+ "serviceName":"hivedev",
+
+ "serviceDef":{
+ "name":"hive",
+ "id":3,
+ "resources":[
+ {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
+ {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
+ {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
+ {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
+ ],
+ "accessTypes":[
+ {"name":"select","label":"Select"},
+ {"name":"update","label":"Update"},
+ {"name":"create","label":"Create"},
+ {"name":"grant","label":"Grant"},
+ {"name":"drop","label":"Drop"},
+ {"name":"alter","label":"Alter"},
+ {"name":"index","label":"Index"},
+ {"name":"lock","label":"Lock"},
+ {"name":"all","label":"All",
+ "impliedGrants": [
+ "select",
+ "update",
+ "create",
+ "grant",
+ "drop",
+ "alter",
+ "index",
+ "lock"
+ ]
+ }
+ ]
+ },
+
+ "policies":[
+ {"id":101,"name":"db=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false}
+ ]
+ },
+ {"id":102,"name":"db=*, udf=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["*"]},"udf":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ],
+ "tagPolicyInfo": {
+
+ "serviceName":"tagdev",
+ "serviceDef": {
+ "name": "tag",
+ "id": 100,
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "tag",
+ "type": "string",
+ "level": 1,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": false
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "TAG",
+ "description": "TAG"
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "hive:select",
+ "label": "hive:select"
+ },
+ {
+ "itemId": 2,
+ "name": "hive:update",
+ "label": "hive:update"
+ },
+ {
+ "itemId": 3,
+ "name": "hive:create",
+ "label": "hive:create"
+ }
+ ,
+ {
+ "itemId": 4,
+ "name": "hive:grant",
+ "label": "hive:grant"
+ }
+ ,
+ {
+ "itemId": 5,
+ "name": "hive:drop",
+ "label": "hive:drop"
+ }
+ ,
+ {
+ "itemId": 6,
+ "name": "hive:alter",
+ "label": "hive:alter"
+ },
+ {
+ "itemId": 7,
+ "name": "hive:index",
+ "label": "hive:index"
+ },
+ {
+ "itemId": 8,
+ "name": "hive:lock",
+ "label": "hive:lock"
+ },
+ {
+ "itemId": 9,
+ "name": "hive:all",
+ "label": "hive:all",
+ "impliedGrants":
+ [
+ "hive:select",
+ "hive:update",
+ "hive:create",
+ "hive:grant",
+ "hive:drop",
+ "hive:alter",
+ "hive:index",
+ "hive:lock"
+ ]
+ }
+ ],
+ "contextEnrichers": [
+ {
+ "itemId": 1,
+ "name" : "TagEnricher",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+ "enricherOptions" : {"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", "tagRefresherPollingInterval":60000, "serviceTagsFileName":"/policyengine/resourceTags_for_show_databases.json"}
+ }
+ ],
+ "policyConditions": [
+ {
+ "itemId":1,
+ "name":"enforce-expiry",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+ "evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedAfter('expiry_date');" },
+ "label":"Deny access after expiry_date?",
+ "description": "Deny access after expiry_date? (yes/no)"
+ }
+ ]
+ },
+ "tagPolicies":[
+ {"id":1,"name":"EXPIRES_ON","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"tag":{"values":["EXPIRES_ON"],"isRecursive":false}},
+ "denyPolicyItems":[
+ {"accesses":[{"type":"hive:all","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false,
+ "conditions":[{"type":"enforce-expiry","values":["yes"]}]
+ }
+ ]
+ ,
+ "denyExceptions":[
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["dataloader"],"groups":[],"delegateAdmin":false}
+ ]
+ }
+ ]
+ },
+
+ "tests":[
+ {"name":"ALLOW 'show databases;' for hive",
+ "request":{
+ "resource":{"elements":{}},
+ "accessType":"","user":"hive","userGroups":["public"],"requestData":"show databases for hive"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ }
+ ,
+ {"name":"ALLOW 'use default;' for hive",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"","user":"hive","userGroups":["public"],"requestData":"use default for hive"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ }
+ ,
+ {"name":"ALLOW 'use employee;' for hive",
+ "request":{
+ "resource":{"elements":{"database":"employee"}},
+ "accessType":"","user":"hive","userGroups":["public"],"requestData":"use employee for hive"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ }
+ ,
+ {"name":"DENY 'select ssn from employee.personal;' for hive",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}},
+ "accessType":"select","user":"hive","userGroups":["public"],"requestData":"select ssn from employee.personal for hive"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":1}
+ }
+ ,
+ {"name":"DENY 'use vendors;' for hive",
+ "request":{
+ "resource":{"elements":{"database":"vendors"}},
+ "accessType":"","user":"hive","userGroups":["public"],"requestData":"use vendors; for hive"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":1}
+ }
+ ]
+}
+
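Review bot: The tag policy's `denyExceptions` block grants `dataloader` a `hive:select` exception, but none of the five entries in `tests` uses that user, so the exception is never exercised and a regression there would go unnoticed. Add a case such as `{"name":"ALLOW 'select ssn from employee.personal;' for dataloader","request":{"resource":{"elements":{"database":"employee","table":"personal","column":"ssn"}},"accessType":"select","user":"dataloader","userGroups":["public"],"requestData":"select ssn for dataloader"},"result":{"isAudited":true,"isAllowed":true,"policyId":101}}` (policyId 101 is my reading of the matching allow policy; confirm against the engine). The deny cases rely on the fixture's `expiry_date` of 2016/12/31 being in the past, which will stay true, but the first test's allow for `show databases` while every tagged resource is expired is the behaviour under review and deserves a short explanation in its `name`, since the intent is otherwise inferable only from the commit title.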