You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2016/11/22 00:32:59 UTC
incubator-ranger git commit: RANGER-1222 : Unit test failure with
Java 8 in TestDefaultPolicyResourceMatcher
Repository: incubator-ranger
Updated Branches:
refs/heads/master b4651bc83 -> a6e0eb908
RANGER-1222 : Unit test failure with Java 8 in TestDefaultPolicyResourceMatcher
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a6e0eb90
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a6e0eb90
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a6e0eb90
Branch: refs/heads/master
Commit: a6e0eb908e932ace080d2b9c9244be9e0727d2ee
Parents: b4651bc
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Fri Nov 18 17:09:49 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Nov 21 15:22:09 2016 -0800
----------------------------------------------------------------------
.../RangerDefaultPolicyResourceMatcher.java | 80 +++++++++++++++++---
.../test_defaultpolicyresourcematcher.json | 50 ++++++++++++
2 files changed, 119 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a6e0eb90/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 5e2fa74..18e79e0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -450,6 +450,11 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
} else {
ret = MatchType.DESCENDANT;
}
+ } else {
+ // Common part of several possible hierarchies matched
+ if (resourceKeysSize > index) {
+ ret = MatchType.ANCESTOR;
+ }
}
break;
}
@@ -464,37 +469,90 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
return ret;
}
+ private boolean isValidResourceDefHierachyForResource(List<RangerResourceDef> resourceHierarchy, RangerAccessResource resource) {
+ boolean foundAllResourceKeys = true;
+
+ for (String resourceKey : resource.getKeys()) {
+ boolean found = false;
+ for (RangerResourceDef resourceDef : resourceHierarchy) {
+ if (resourceDef.getName().equals(resourceKey)) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ foundAllResourceKeys = false;
+ break;
+ }
+ }
+
+ return foundAllResourceKeys;
+ }
+
private boolean isValid(RangerAccessResource resource) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyResourceMatcher.isValid(" + resource + ")");
}
boolean ret = true;
- boolean skipped = false;
if (matchers != null && resource != null && resource.getKeys() != null) {
if (matchers.keySet().containsAll(resource.getKeys()) || resource.getKeys().containsAll(matchers.keySet())) {
- for (RangerResourceDef resourceDef : firstValidResourceDefHierarchy) {
- String resourceName = resourceDef.getName();
- String resourceValue = resource.getValue(resourceName);
+ List<RangerResourceDef> aValidHierarchy = null;
- if (resourceValue == null) {
- if (!skipped) {
- skipped = true;
- }
+ if (resource.getKeys().containsAll(matchers.keySet()) && resource.getKeys().size() > matchers.keySet().size()) {
+ if (isValidResourceDefHierachyForResource(firstValidResourceDefHierarchy, resource)) {
+ aValidHierarchy = firstValidResourceDefHierarchy;
} else {
- if (skipped) {
- ret = false;
- break;
+ RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef, false);
+ int policyType = policy != null && policy.getPolicyType() != null ? policy.getPolicyType() : RangerPolicy.POLICY_TYPE_ACCESS;
+ Set<List<RangerResourceDef>> validResourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType);
+
+ for (List<RangerResourceDef> resourceHierarchy : validResourceHierarchies) {
+ if (resourceHierarchy == firstValidResourceDefHierarchy) { // Pointer comparison
+ // firstValidResourceDefHierarchy is already checked before and it does not match
+ continue;
+ }
+
+ if (isValidResourceDefHierachyForResource(resourceHierarchy, resource)) {
+ aValidHierarchy = resourceHierarchy;
+ break;
+ }
}
}
+ } else {
+ aValidHierarchy = firstValidResourceDefHierarchy;
+ }
+
+ if (aValidHierarchy != null) {
+ boolean skipped = false;
+ for (RangerResourceDef resourceDef : aValidHierarchy) {
+
+ String resourceName = resourceDef.getName();
+ String resourceValue = resource.getValue(resourceName);
+
+ if (resourceValue == null) {
+ if (!skipped) {
+ skipped = true;
+ }
+ } else {
+ if (skipped) {
+ ret = false;
+ break;
+ }
+ }
+
+ }
+ } else {
+ ret = false;
}
} else {
ret = false;
}
}
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyResourceMatcher.isValid(" + resource + "): " + ret);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a6e0eb90/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
index 71995dc..6c0d9b4 100644
--- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
+++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
@@ -103,6 +103,26 @@
},
"tests": [
{
+ "name": "NO MATCH for invalid resource level",
+ "type": "anyMatch",
+ "resource" : {
+ "elements" : { "database":"finance", "invalid-resource-name":"any"}
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ,
+ {
+ "name": "NO MATCH for resource from different hierarchy 'finance:udf=some_udf",
+ "type": "anyMatch",
+ "resource" : {
+ "elements" : { "database":"finance", "udf":"some_udf"}
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ,
+ {
"name": "MATCH for parent 'finance.tax.ssn'",
"type": "ancestorMatch",
"resource": {
@@ -314,6 +334,16 @@
}
,
{
+ "name": "MATCH for parent 'finance:udf=compute_tax'",
+ "type": "ancestorMatch",
+ "resource": {
+ "elements": {"database": "finance","udf": "compute_tax"}
+ },
+ "evalContext": {},
+ "result": true
+ }
+ ,
+ {
"name": "MATCH for exact 'finance'",
"type": "exactMatch",
"resource": {
@@ -341,6 +371,16 @@
},
"tests": [
{
+ "name": "NO MATCH for invalid resource level",
+ "type": "anyMatch",
+ "resource" : {
+ "elements" : { "database":"finance", "invalid-resource-name":"any"}
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ,
+ {
"name": "MATCH for parent 'finance.tax.ssn'",
"type": "ancestorMatch",
"resource": {
@@ -361,6 +401,16 @@
}
,
{
+ "name": "MATCH for parent 'finance:udf=compute_tax'",
+ "type": "ancestorMatch",
+ "resource": {
+ "elements": {"database": "finance","udf": "compute_tax"}
+ },
+ "evalContext": {},
+ "result": true
+ }
+ ,
+ {
"name": "MATCH for parent 'finance'",
"type": "ancestorMatch",
"resource": {