Posted to commits@ranger.apache.org by ma...@apache.org on 2015/01/08 09:55:08 UTC
[1/2] incubator-ranger git commit: RANGER-203: policy evaluation
updated to handle "any" access requirement, currently used in Hive.
Repository: incubator-ranger
Updated Branches:
refs/heads/stack 1f458f00f -> 7d00538b3
RANGER-203: policy evaluation updated to handle "any" access requirement, currently used in Hive.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e8b58a91
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e8b58a91
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e8b58a91
Branch: refs/heads/stack
Commit: e8b58a91306be000894f6f4a7b0d98bdd5e3b6fb
Parents: bd8c234
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Jan 8 00:53:58 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Jan 8 00:53:58 2015 -0800
----------------------------------------------------------------------
.../ranger/plugin/model/RangerPolicy.java | 80 +++++++--
.../ranger/plugin/model/RangerService.java | 11 +-
.../ranger/plugin/model/RangerServiceDef.java | 101 +++++++++--
.../plugin/policyengine/RangerAccessResult.java | 14 +-
.../plugin/policyengine/RangerPolicyEngine.java | 1 +
.../policyengine/RangerPolicyEngineImpl.java | 28 +--
.../RangerDefaultPolicyEvaluator.java | 176 ++++++++-----------
.../RangerAbstractResourceMatcher.java | 60 ++++++-
.../RangerDefaultResourceMatcher.java | 40 +----
.../RangerPathResourceMatcher.java | 41 +----
.../resourcematcher/RangerResourceMatcher.java | 5 +-
.../service-defs/ranger-servicedef-hbase.json | 3 +-
.../policyengine/test_policyengine_01.json | 46 ++---
13 files changed, 370 insertions(+), 236 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index bab79a1..2457ae1 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -170,7 +170,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
* @param configs the resources to set
*/
public void setResources(Map<String, RangerPolicyResource> resources) {
- this.resources = new HashMap<String, RangerPolicyResource>();
+ if(this.resources == null) {
+ this.resources = new HashMap<String, RangerPolicyResource>();
+ }
+
+ if(this.resources == resources) {
+ return;
+ }
+
+ this.resources.clear();
if(resources != null) {
for(Map.Entry<String, RangerPolicyResource> e : resources.entrySet()) {
@@ -190,7 +198,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
* @param policyItems the policyItems to set
*/
public void setPolicyItems(List<RangerPolicyItem> policyItems) {
- this.policyItems = new ArrayList<RangerPolicyItem>();
+ if(this.policyItems == null) {
+ this.policyItems = new ArrayList<RangerPolicyItem>();
+ }
+
+ if(this.policyItems == policyItems) {
+ return;
+ }
+
+ this.policyItems.clear();
if(policyItems != null) {
for(RangerPolicyItem policyItem : policyItems) {
@@ -258,10 +274,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
public RangerPolicyResource(String value, Boolean isExcludes, Boolean isRecursive) {
- List<String> values = new ArrayList<String>();
- values.add(value);
-
- setValues(values);
+ setValue(value);
setIsExcludes(isExcludes);
setIsRecursive(isRecursive);
}
@@ -283,7 +296,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
* @param values the values to set
*/
public void setValues(List<String> values) {
- this.values = new ArrayList<String>();
+ if(this.values == null) {
+ this.values = new ArrayList<String>();
+ }
+
+ if(this.values == values) {
+ return;
+ }
+
+ this.values.clear();
if(values != null) {
for(String value : values) {
@@ -293,6 +314,19 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
/**
+ * @param value the value to set
+ */
+ public void setValue(String value) {
+ if(this.values == null) {
+ this.values = new ArrayList<String>();
+ }
+
+ this.values.clear();
+
+ this.values.add(value);
+ }
+
+ /**
* @return the isExcludes
*/
public Boolean getIsExcludes() {
@@ -377,7 +411,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
* @param accesses the accesses to set
*/
public void setAccesses(List<RangerPolicyItemAccess> accesses) {
- this.accesses = new ArrayList<RangerPolicyItemAccess>();
+ if(this.accesses == null) {
+ this.accesses = new ArrayList<RangerPolicyItemAccess>();
+ }
+
+ if(this.accesses == accesses) {
+ return;
+ }
if(accesses != null) {
for(RangerPolicyItemAccess access : accesses) {
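Review bot: `setAccesses()` no longer empties the list before copying, so a second call appends to the earlier contents instead of replacing them. The removed line allocated a fresh `ArrayList` on each call, and the `setResources`, `setPolicyItems` and `setValues` hunks above add a `clear()` after the identity check, but this hunk and the `setUsers`, `setGroups` and `setConditions` hunks that follow do not. On a policy item this leaves users, groups, accesses or conditions from a previous assignment attached, which can widen what the item grants. Add `this.accesses.clear();` after the identity check here and the matching `clear()` in the other three setters. Each setter body continues past the end of its hunk, so this assumes the rest of the body only adds elements.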
@@ -395,7 +435,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
* @param users the users to set
*/
public void setUsers(List<String> users) {
- this.users = new ArrayList<String>();
+ if(this.users == null) {
+ this.users = new ArrayList<String>();
+ }
+
+ if(this.users == users) {
+ return;
+ }
if(users != null) {
for(String user : users) {
@@ -413,7 +459,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
* @param groups the groups to set
*/
public void setGroups(List<String> groups) {
- this.groups = new ArrayList<String>();
+ if(this.groups == null) {
+ this.groups = new ArrayList<String>();
+ }
+
+ if(this.groups == groups) {
+ return;
+ }
if(groups != null) {
for(String group : groups) {
@@ -431,7 +483,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
* @param conditions the conditions to set
*/
public void setConditions(List<RangerPolicyItemCondition> conditions) {
- this.conditions = new ArrayList<RangerPolicyItemCondition>();
+ if(this.conditions == null) {
+ this.conditions = new ArrayList<RangerPolicyItemCondition>();
+ }
+
+ if(this.conditions == conditions) {
+ return;
+ }
if(conditions != null) {
for(RangerPolicyItemCondition condition : conditions) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
index 65de02a..2f8d5e5 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
@@ -46,7 +46,6 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri
private String name = null;
private String description = null;
private Boolean isEnabled = null;
- @JsonDeserialize(using = CustomizedMapDeserializer.class)
private Map<String, String> configs = null;
@@ -151,7 +150,15 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri
* @param configs the configs to set
*/
public void setConfigs(Map<String, String> configs) {
- this.configs = new HashMap<String, String>();
+ if(this.configs == null) {
+ this.configs = new HashMap<String, String>();
+ }
+
+ if(this.configs == configs) {
+ return;
+ }
+
+ this.configs.clear();
if(configs != null) {
for(Map.Entry<String, String> e : configs.entrySet()) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
index 4bc50c7..0be4a8b 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.model;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.List;
import javax.xml.bind.annotation.XmlAccessType;
@@ -178,7 +179,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
* @param configs the configs to set
*/
public void setConfigs(List<RangerServiceConfigDef> configs) {
- this.configs = new ArrayList<RangerServiceConfigDef>();
+ if(this.configs == null) {
+ this.configs = new ArrayList<RangerServiceConfigDef>();
+ } else
+
+ if(this.configs == configs) {
+ return;
+ }
+
+ this.configs.clear();
if(configs != null) {
for(RangerServiceConfigDef config : configs) {
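Review bot: The `} else` left dangling after the null check in `setConfigs()` attaches the identity check to it, so `if(this.configs == configs)` runs only when the field was already non-null. The outcome is the same, because a list created a line earlier can never be the caller's list, but every sibling setter in this commit writes the two checks as separate statements and this one reads like an editing slip. Close the first block with a plain `}` as `setResources()` does. The setter body continues beyond the hunk.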
@@ -198,7 +207,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
* @param resources the resources to set
*/
public void setResources(List<RangerResourceDef> resources) {
- this.resources = new ArrayList<RangerResourceDef>();
+ if(this.resources == null) {
+ this.resources = new ArrayList<RangerResourceDef>();
+ }
+
+ if(this.resources == resources) {
+ return;
+ }
+
+ this.resources.clear();
if(resources != null) {
for(RangerResourceDef resource : resources) {
@@ -218,7 +235,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
* @param accessTypes the accessTypes to set
*/
public void setAccessTypes(List<RangerAccessTypeDef> accessTypes) {
- this.accessTypes = new ArrayList<RangerAccessTypeDef>();
+ if(this.accessTypes == null) {
+ this.accessTypes = new ArrayList<RangerAccessTypeDef>();
+ }
+
+ if(this.accessTypes == accessTypes) {
+ return;
+ }
+
+ this.accessTypes.clear();
if(accessTypes != null) {
for(RangerAccessTypeDef accessType : accessTypes) {
@@ -238,7 +263,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
* @param policyConditions the policyConditions to set
*/
public void setPolicyConditions(List<RangerPolicyConditionDef> policyConditions) {
- this.policyConditions = new ArrayList<RangerPolicyConditionDef>();
+ if(this.policyConditions == null) {
+ this.policyConditions = new ArrayList<RangerPolicyConditionDef>();
+ }
+
+ if(this.policyConditions == policyConditions) {
+ return;
+ }
+
+ this.policyConditions.clear();
if(policyConditions != null) {
for(RangerPolicyConditionDef policyCondition : policyConditions) {
@@ -258,7 +291,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
* @param enums the enums to set
*/
public void setEnums(List<RangerEnumDef> enums) {
- this.enums = new ArrayList<RangerEnumDef>();
+ if(this.enums == null) {
+ this.enums = new ArrayList<RangerEnumDef>();
+ }
+
+ if(this.enums == enums) {
+ return;
+ }
+
+ this.enums.clear();
if(enums != null) {
for(RangerEnumDef enum1 : enums) {
@@ -387,7 +428,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
* @param elements the elements to set
*/
public void setElements(List<RangerEnumElementDef> elements) {
- this.elements = new ArrayList<RangerEnumElementDef>();
+ if(this.elements == null) {
+ this.elements = new ArrayList<RangerEnumElementDef>();
+ }
+
+ if(this.elements == elements) {
+ return;
+ }
+
+ this.elements.clear();
if(elements != null) {
for(RangerEnumElementDef element : elements) {
@@ -974,19 +1023,21 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
public static class RangerAccessTypeDef implements java.io.Serializable {
private static final long serialVersionUID = 1L;
- private String name = null;
- private String label = null;
- private String rbKeyLabel = null;
+ private String name = null;
+ private String label = null;
+ private String rbKeyLabel = null;
+ private Collection<String> impliedAccessTypes = null;
public RangerAccessTypeDef() {
- this(null, null, null);
+ this(null, null, null, null);
}
- public RangerAccessTypeDef(String name, String label, String rbKeyLabel) {
+ public RangerAccessTypeDef(String name, String label, String rbKeyLabel, Collection<String> impliedAccessTypes) {
setName(name);
setLabel(label);
setRbKeyLabel(rbKeyLabel);
+ setImpliedAccessTypes(impliedAccessTypes);
}
/**
@@ -1031,6 +1082,34 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
this.rbKeyLabel = rbKeyLabel;
}
+ /**
+ * @return the impliedAccessTypes
+ */
+ public Collection<String> getImpliedAccessTypes() {
+ return impliedAccessTypes;
+ }
+
+ /**
+ * @param impliedAccessTypes the impliedAccessTypes to set
+ */
+ public void setImpliedAccessTypes(Collection<String> impliedAccessTypes) {
+ if(this.impliedAccessTypes == null) {
+ this.impliedAccessTypes = new ArrayList<String>();
+ }
+
+ if(this.impliedAccessTypes == impliedAccessTypes) {
+ return;
+ }
+
+ this.impliedAccessTypes.clear();
+
+ if(impliedAccessTypes != null) {
+ for(String impliedAccessType : impliedAccessTypes) {
+ this.impliedAccessTypes.add(impliedAccessType);
+ }
+ }
+ }
+
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index a5a1ef3..57094a4 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -58,7 +58,19 @@ public class RangerAccessResult {
* @return the accessTypeResult
*/
public ResultDetail getAccessTypeResult(String accessType) {
- return accessTypeResults == null ? null : accessTypeResults.get(accessType);
+ if(accessTypeResults == null) {
+ accessTypeResults = new HashMap<String, ResultDetail>();
+ }
+
+ ResultDetail ret = accessTypeResults.get(accessType);
+
+ if(ret == null) {
+ ret = new ResultDetail();
+
+ accessTypeResults.put(accessType, ret);
+ }
+
+ return ret;
}
/**
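Review bot: `getAccessTypeResult()` now creates and stores a default `ResultDetail` for any access type it is asked about, so a read changes the result object. Any aggregate check that walks `accessTypeResults` (the engine calls `isAllAllowedAndAudited()`, whose body is not shown here) would then see an extra entry for a type that was never requested; presumably that fails closed, but it should be confirmed. If lazy creation is intended, state it in the Javadoc, for example `@return the result for accessType; an empty ResultDetail is created and stored if none exists`. Otherwise keep the getter free of side effects and create entries only through `setAccessTypeResult()`.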
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 565f2c4..0f70b09 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -28,6 +28,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
public interface RangerPolicyEngine {
public static final String GROUP_PUBLIC = "public";
+ public static final String ACCESS_ANY = "any";
public static final long UNKNOWN_POLICY = -1;
void setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy> policies);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 0016c15..4b26c27 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -24,10 +24,10 @@ import java.util.Collection;
import java.util.List;
import java.util.Map;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail;
@@ -348,18 +348,24 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
RangerAccessResult ret = new RangerAccessResult();
- List<RangerPolicyEvaluator> evaluators = policyEvaluators;
-
- if(request != null && request.getAccessTypes() != null && evaluators != null) {
- for(String accessType : request.getAccessTypes()) {
- ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail());
+ if(request != null) {
+ if(CollectionUtils.isEmpty(request.getAccessTypes())) {
+ ret.setAccessTypeResult(RangerPolicyEngine.ACCESS_ANY, new RangerAccessResult.ResultDetail());
+ } else {
+ for(String accessType : request.getAccessTypes()) {
+ ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail());
+ }
}
- for(RangerPolicyEvaluator evaluator : evaluators) {
- evaluator.evaluate(request, ret);
-
- if(ret.isAllAllowedAndAudited()) {
- break;
+ List<RangerPolicyEvaluator> evaluators = policyEvaluators;
+
+ if(evaluators != null) {
+ for(RangerPolicyEvaluator evaluator : evaluators) {
+ evaluator.evaluate(request, ret);
+
+ if(ret.isAllAllowedAndAudited()) {
+ break;
+ }
}
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 99c45d3..ee2503f 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -23,8 +23,8 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
-import java.util.Map;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -45,7 +45,7 @@ import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class);
- private List<ResourceDefMatcher> matchers = null;
+ private List<RangerResourceMatcher> matchers = null;
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef) {
@@ -55,20 +55,19 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
super.init(policy, serviceDef);
- this.matchers = new ArrayList<ResourceDefMatcher>();
+ this.matchers = new ArrayList<RangerResourceMatcher>();
- if(policy != null && policy.getResources() != null) {
- for(Map.Entry<String, RangerPolicyResource> e : policy.getResources().entrySet()) {
- String resourceName = e.getKey();
- RangerPolicyResource policyResource = e.getValue();
- RangerResourceDef resourceDef = getResourceDef(resourceName);
+ if(policy != null && policy.getResources() != null && serviceDef != null) {
+ for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+ String resourceName = resourceDef.getName();
+ RangerPolicyResource policyResource = policy.getResources().get(resourceName);
RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource);
if(matcher != null) {
- matchers.add(new ResourceDefMatcher(resourceDef, matcher));
+ matchers.add(matcher);
} else {
- // TODO: ERROR: no matcher found for resourceName
+ LOG.error("failed to find matcher for resource " + resourceName);
}
}
}
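Review bot: `policy.getResources().get(resourceName)` is an exact-case map lookup, whereas the removed `getResourceDef()` matched names with `StringUtils.equalsIgnoreCase`. A policy resource key that differs from the service-def name only in case, or that is not in the service-def at all, now yields a null `policyResource` and is otherwise ignored. The abstract matcher later in this commit sets `isMatchAny` for a null or empty policy resource, so depending on how `isMatch()` uses that flag the policy may apply more broadly than it was written. The loop should report policy resource keys that no `RangerResourceDef` consumed, for instance `LOG.error("policy resource " + name + " is not defined in the service-def")`, and the case rule should be stated in a comment. `init()` starts and ends outside this hunk.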
@@ -89,34 +88,74 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if(policy != null && request != null && result != null) {
if(matchResource(request.getResource())) {
for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
- for(String accessType : request.getAccessTypes()) {
- RangerPolicyItemAccess access = getAccess(policyItem, accessType);
+
+ // if no access is requested, grant if ***any*** access is available
+ if(CollectionUtils.isEmpty(request.getAccessTypes())) {
+ RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(RangerPolicyEngine.ACCESS_ANY);
- if(access == null) {
+ if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
+ accessResult.setIsAudited(true);
+ }
+
+ if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
continue;
}
- RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType);
-
- if(accessResult.isAllowed() && accessResult.isAudited()) {
+ if(! matchCustomConditions(policyItem, request)) {
continue;
}
- if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
- accessResult.setIsAudited(true);
+ if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
+ continue;
}
- if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
- if(matchCustomConditions(policyItem, request)) {
- if(!accessResult.isAllowed() && access.getIsAllowed()) {
- accessResult.setIsAllowed(true);
- accessResult.setPolicyId(policy.getId());
- }
+ for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
+ if(!accessResult.isAllowed() && access.getIsAllowed()) {
+ accessResult.setIsAllowed(true);
+ accessResult.setPolicyId(policy.getId());
+
+ break;
}
}
+ } else {
+ if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
+ continue;
+ }
+
+ if(! matchCustomConditions(policyItem, request)) {
+ continue;
+ }
+
+ for(String accessType : request.getAccessTypes()) {
+ RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType);
- if(result.isAllAllowedAndAudited()) {
- break;
+ if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
+ if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
+ accessResult.setIsAudited(true);
+ }
+
+ continue;
+ }
+
+ RangerPolicyItemAccess access = getAccess(policyItem, accessType);
+
+ if(access == null) {
+ continue;
+ }
+
+
+ if(accessResult.isAllowed() && accessResult.isAudited()) {
+ continue;
+ }
+
+ if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
+ accessResult.setIsAudited(true);
+ }
+
+ if(!accessResult.isAllowed() && access.getIsAllowed()) {
+ accessResult.setIsAllowed(true);
+ accessResult.setPolicyId(policy.getId());
+ }
}
}
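Review bot: The two branches decide the audit flag at different points: the "any" branch sets `setIsAudited(true)` before the `matchUserGroup` and `matchCustomConditions` filters, while the `else` branch applies both filters first and only then reaches its audit lines. In the removed code the flag was set before the user check, so a request refused because the user is not named in the policy item was still marked audited; in the new `else` branch it no longer is. If audit is meant to follow the policy rather than the requesting user, mark it before the filters in both branches, as sketched below. The enclosing method begins and ends outside the hunk.

```java
} else {
	// audit follows the policy, not the requester: mark it before the user/group filter
	if(policy.getIsAuditEnabled()) {
		for(String accessType : request.getAccessTypes()) {
			RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType);

			if(!accessResult.isAudited()
					&& (CollectionUtils.isEmpty(policyItem.getAccesses()) || getAccess(policyItem, accessType) != null)) {
				accessResult.setIsAudited(true);
			}
		}
	}

	if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
		continue;
	}
	// … unchanged: custom-condition check and per-access-type allow loop …
```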
@@ -142,13 +181,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if(matchers != null && !matchers.isEmpty()) {
ret = true;
- for(ResourceDefMatcher matcher : matchers) {
- String resourceName = matcher.getResourceName();
+ for(RangerResourceMatcher matcher : matchers) {
+ String resourceName = matcher.getResourceDef().getName();
String resourceValue = resource.getValue(resourceName);
- if(resourceValue != null) {
- ret = matcher.isMatch(resourceValue);
- }
+ ret = matcher.isMatch(resourceValue);
if(! ret) {
break;
@@ -229,32 +266,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
- protected RangerResourceDef getResourceDef(String resourceName) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceDef(" + resourceName + ")");
- }
-
- RangerResourceDef ret = null;
-
- RangerServiceDef serviceDef = getServiceDef();
-
- if(serviceDef != null && resourceName != null) {
- for(RangerResourceDef resourceDef : serviceDef.getResources()) {
- if(StringUtils.equalsIgnoreCase(resourceName, resourceDef.getName())) {
- ret = resourceDef;
-
- break;
- }
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceDef(" + resourceName + "): " + ret);
- }
-
- return ret;
- }
-
protected RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource resource) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.createResourceMatcher(" + resourceDef + ", " + resource + ")");
@@ -286,7 +297,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
if(ret != null) {
- ret.init(resource, options);
+ ret.init(resourceDef, resource, options);
}
if(LOG.isDebugEnabled()) {
@@ -303,10 +314,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
sb.append("matchers={");
if(matchers != null) {
- for(ResourceDefMatcher matcher : matchers) {
- sb.append("{");
- matcher.toString(sb);
- sb.append("} ");
+ for(RangerResourceMatcher matcher : matchers) {
+ sb.append("{").append(matcher).append("} ");
}
}
sb.append("} ");
@@ -315,47 +324,4 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return sb;
}
-
- class ResourceDefMatcher {
- RangerResourceDef resourceDef = null;
- RangerResourceMatcher resourceMatcher = null;
-
- ResourceDefMatcher(RangerResourceDef resourceDef, RangerResourceMatcher resourceMatcher) {
- this.resourceDef = resourceDef;
- this.resourceMatcher = resourceMatcher;
- }
-
- String getResourceName() {
- return resourceDef.getName();
- }
-
- boolean isMatch(String value) {
- return resourceMatcher.isMatch(value);
- }
-
- boolean isMatch(Collection<String> values) {
- boolean ret = false;
-
- if(values == null || values.isEmpty()) {
- ret = resourceMatcher.isMatch(null);
- } else {
- for(String value : values) {
- ret = resourceMatcher.isMatch(value);
-
- if(! ret) {
- break;
- }
- }
- }
-
- return ret;
- }
-
- public StringBuilder toString(StringBuilder sb) {
- sb.append("resourceDef={").append(resourceDef).append("} ");
- sb.append("resourceMatcher={").append(resourceMatcher).append("} ");
-
- return sb;
- }
- }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index 68ff85a..e194e54 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -19,36 +19,47 @@
package org.apache.ranger.plugin.resourcematcher;
+import java.util.ArrayList;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
public abstract class RangerAbstractResourceMatcher implements RangerResourceMatcher {
private static final Log LOG = LogFactory.getLog(RangerAbstractResourceMatcher.class);
+ public final String WILDCARD_PATTERN = ".*";
+
public final String OPTIONS_SEP = ";";
public final String OPTION_NV_SEP = "=";
public final String OPTION_IGNORE_CASE = "ignoreCase";
public final String OPTION_WILD_CARD = "wildCard";
+ private RangerResourceDef resourceDef = null;
private RangerPolicyResource policyResource = null;
private String optionsString = null;
private Map<String, String> options = null;
- protected boolean optIgnoreCase = false;
- protected boolean optWildCard = false;
+ protected boolean optIgnoreCase = false;
+ protected boolean optWildCard = false;
+
+ protected List<String> policyValues = null;
+ protected boolean policyIsExcludes = false;
+ protected boolean isMatchAny = false;
@Override
- public void init(RangerPolicyResource policyResource, String optionsString) {
+ public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerAbstractResourceMatcher.init(" + policyResource + ", " + optionsString + ")");
+ LOG.debug("==> RangerAbstractResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")");
}
+ this.resourceDef = resourceDef;
this.policyResource = policyResource;
this.optionsString = optionsString;
@@ -76,12 +87,46 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
optIgnoreCase = getBooleanOption(OPTION_IGNORE_CASE, true);
optWildCard = getBooleanOption(OPTION_WILD_CARD, true);
+ policyValues = new ArrayList<String>();
+ policyIsExcludes = policyResource == null ? false : policyResource.getIsExcludes();
+
+ if(policyResource != null && policyResource.getValues() != null) {
+ for(String policyValue : policyResource.getValues()) {
+ if(policyValue == null) {
+ continue;
+ }
+
+ if(optIgnoreCase) {
+ policyValue = policyValue.toLowerCase();
+ }
+
+ if(optWildCard) {
+ policyValue = getWildCardPattern(policyValue);
+ }
+
+ if(policyValue.equals(WILDCARD_PATTERN)) {
+ isMatchAny = true;
+ }
+
+ policyValues.add(policyValue);
+ }
+ }
+
+ if(policyValues.isEmpty()) {
+ isMatchAny = true;
+ }
+
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerAbstractResourceMatcher.init(" + policyResource + ", " + optionsString + ")");
+ LOG.debug("<== RangerAbstractResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")");
}
}
@Override
+ public RangerResourceDef getResourceDef() {
+ return resourceDef;
+ }
+
+ @Override
public RangerPolicyResource getPolicyResource() {
return policyResource;
}
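Review bot: `init()` rebuilds `policyValues` and `policyIsExcludes` on every call but only ever sets `isMatchAny` to true, so a matcher that is initialised again with a narrower policy resource would keep the match-any flag. Reset it with `isMatchAny = false;` next to `policyValues = new ArrayList<String>();`. The `policyValue.equals(WILDCARD_PATTERN)` test also runs when `optWildCard` is false, where a literal `.*` value is presumably not meant as a wildcard; `if(optWildCard && policyValue.equals(WILDCARD_PATTERN))` keeps the flag consistent with the option. `init()` begins outside this hunk.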
@@ -149,6 +194,11 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
public StringBuilder toString(StringBuilder sb) {
sb.append("RangerAbstractResourceMatcher={");
+ sb.append("resourceDef={");
+ if(resourceDef != null) {
+ resourceDef.toString(sb);
+ }
+ sb.append("} ");
sb.append("policyResource={");
if(policyResource != null) {
policyResource.toString(sb);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
index af413ff..13500dc 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
@@ -19,56 +19,28 @@
package org.apache.ranger.plugin.resourcematcher;
-import java.util.ArrayList;
-import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher {
private static final Log LOG = LogFactory.getLog(RangerDefaultResourceMatcher.class);
- private List<String> policyValues = null;
- private boolean policyIsExcludes = false;
@Override
- public void init(RangerPolicyResource policyResource, String optionsString) {
+ public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultResourceMatcher.init(" + policyResource + ", " + optionsString + ")");
+ LOG.debug("==> RangerDefaultResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")");
}
- super.init(policyResource, optionsString);
-
- policyValues = new ArrayList<String>();
- policyIsExcludes = false;
-
- if(policyResource != null) {
- policyIsExcludes = policyResource.getIsExcludes();
-
- if(policyResource.getValues() != null) {
- for(String policyValue : policyResource.getValues()) {
- if(policyValue == null) {
- continue;
- }
-
- if(optIgnoreCase) {
- policyValue = policyValue.toLowerCase();
- }
-
- if(optWildCard) {
- policyValue = getWildCardPattern(policyValue);
- }
-
- policyValues.add(policyValue);
- }
- }
- }
+ super.init(resourceDef, policyResource, optionsString);
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultResourceMatcher.init(" + policyResource + ", " + optionsString + ")");
+ LOG.debug("<== RangerDefaultResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")");
}
}
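Review bot: The `init` override left in RangerDefaultResourceMatcher no longer does any work of its own: on the new side it only brackets `super.init(resourceDef, policyResource, optionsString)` with two debug statements, and the abstract matcher's init already writes its own exit line with the same three arguments. Either drop the override or keep it with a one-line comment such as `// no matcher-specific state; value preparation lives in RangerAbstractResourceMatcher.init`, so the next reader does not look for preparation logic here. If it stays, the debug lines print `policyResource` in full twice per policy load, which is worth keeping in mind for large policy sets.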
@@ -92,6 +64,8 @@ public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher
break;
}
}
+ } else {
+ ret = isMatchAny;
}
if(policyIsExcludes) {
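Review bot: The added `else { ret = isMatchAny; }` branch decides the match without consulting any policy value, and the next line opens `if(policyIsExcludes)`, so the result on this path depends on two flags set elsewhere. The tail of the abstract matcher's init in this commit sets `isMatchAny = true` whenever `policyValues` is empty, so a policy resource with no usable values is treated here as a wildcard rather than as matching nothing. For an access-control matcher that default should be stated and tested, not implied. I would add a comment on the branch such as `// no value to compare: match only when the policy accepts any value`, and a test that combines this path with `isExcludes`. The `if` that this `else` closes and the body of the excludes check are outside the hunk, so the exact condition is assumed; the same branch is added to RangerPathResourceMatcher in its `@@ -96,6 +71,8 @@` hunk.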
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index d5c2f6f..79f68c0 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -19,56 +19,31 @@
package org.apache.ranger.plugin.resourcematcher;
-import java.util.ArrayList;
-import java.util.List;
-
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
private static final Log LOG = LogFactory.getLog(RangerPathResourceMatcher.class);
- private List<String> policyValues = null;
- private boolean policyIsExcludes = false;
- private boolean policyIsRecursive = false;
+ private boolean policyIsRecursive = false;
@Override
- public void init(RangerPolicyResource policyResource, String optionsString) {
+ public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPathResourceMatcher.init(" + policyResource + ", " + optionsString + ")");
+ LOG.debug("==> RangerPathResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")");
}
- super.init(policyResource, optionsString);
-
- policyValues = new ArrayList<String>();
- policyIsExcludes = false;
- policyIsRecursive = false;
-
- if(policyResource != null) {
- policyIsExcludes = policyResource.getIsExcludes();
- policyIsRecursive = policyResource.getIsRecursive();
-
- if(policyResource.getValues() != null) {
- for(String policyValue : policyResource.getValues()) {
- if(policyValue == null) {
- continue;
- }
-
- if(optIgnoreCase) {
- policyValue = policyValue.toLowerCase();
- }
+ super.init(resourceDef, policyResource, optionsString);
- policyValues.add(policyValue);
- }
- }
- }
+ policyIsRecursive = policyResource == null ? false : policyResource.getIsRecursive();
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPathResourceMatcher.init(" + policyResource + ", " + optionsString + ")");
+ LOG.debug("<== RangerPathResourceMatcher.init(" + resourceDef + ", " + policyResource + ", " + optionsString + ")");
}
}
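Review bot: Value preparation for path policies now comes entirely from `super.init(resourceDef, policyResource, optionsString)`, yet the two matchers did not prepare values the same way before. The loop removed here only lower-cased each value, while the one removed from RangerDefaultResourceMatcher also ran `getWildCardPattern` when `optWildCard` was set. If the shared init applies that conversion, path values reach the path comparison in a different form than this class was written for, which can change which paths a policy covers. The shared loop is outside this part of the diff, so this needs confirming against it. A path-matcher test with a wildcard value and the wildcard option enabled would pin the behaviour.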
@@ -96,6 +71,8 @@ public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
break;
}
}
+ } else {
+ ret = isMatchAny;
}
if(policyIsExcludes) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
index 3c9b687..c750cd8 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
@@ -20,9 +20,12 @@
package org.apache.ranger.plugin.resourcematcher;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
public interface RangerResourceMatcher {
- void init(RangerPolicyResource policyResource, String optionsString);
+ void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString);
+
+ RangerResourceDef getResourceDef();
RangerPolicyResource getPolicyResource();
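Review bot: The new `init` parameter and `getResourceDef()` are added without stating whether `resourceDef` may be null. The abstract matcher's `toString` in this commit guards `resourceDef != null`, which suggests null is possible, so implementers and callers of the getter need the contract written down. I would add Javadoc on `init`, for example `@param resourceDef definition of the resource this matcher serves; may be null` (or "must not be null", whichever is intended), plus the matching `@return` line on `getResourceDef()`. The interface body continues outside the hunk.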
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
index 04127bb..696f5a9 100644
--- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
+++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
@@ -41,7 +41,8 @@
[
{"name":"read","label":"Read"},
{"name":"write","label":"Write"},
- {"name":"create","label":"Create"}
+ {"name":"create","label":"Create"},
+ {"name":"admin","label":"Admin","impliedAccessTypes":["read","write","create"]}
],
"policyConditions":
[
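Review bot: The new `admin` entry grants `read`, `write` and `create` through `impliedAccessTypes`, but no test resource in this commit appears to exercise that expansion. The only fixture in the diffstat, test_policyengine_01.json, uses database/table/column resources and, in its visible hunks, the `select`, `create` and `drop` access types. Implied access is a privilege expansion, so it deserves a fixture that checks both directions: a policy item granting `admin` allows a `read` request, and one granting only `read` does not satisfy an `admin` request.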
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
index a63d24a..ef45c84 100644
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
@@ -26,7 +26,7 @@
{"id":1,"name":"audit-all-select","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
"policyItems":[
- {"accesses":[{"type":"select","isAllowed":false}],"users":[],"groups":["public"],"delegateAdmin":false}
+ {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
]
}
,
@@ -41,60 +41,60 @@
],
"tests":[
- {"name":"'use default;' as user1 ==> ALLOWED",
+ {"name":"'use default;' as user1 ==> DENIED",
"request":{
"resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use default"
+ "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'use default;' as user2 ==> ALLOWED",
+ {"name":"'use default;' as user2 ==> DENIED",
"request":{
"resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"use default"
+ "accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
{"name":"'use default;' as user3 ==> DENIED",
"request":{
"resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"use default"
+ "accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'use default;' as user3, group1 ==> ALLOWED",
+ {"name":"'use default;' as user3, group1 ==> DENIED",
"request":{
"resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user3","userGroups":["users", "group1"],"requestData":"use default"
+ "accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'use default;' as user3, group2 ==> ALLOWED",
+ {"name":"'use default;' as user3, group2 ==> DENIED",
"request":{
"resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user3","userGroups":["users", "group2"],"requestData":"use default"
+ "accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
{"name":"'use default;' as user3, group3 ==> DENIED",
"request":{
"resource":{"elements":{"database":"default"}},
- "accessTypes":["select"],"user":"user3","userGroups":["users", "group3"],"requestData":"use default"
+ "accessTypes":[],"user":"user3","userGroups":["users", "group3"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
{"name":"'use finance;' as user3, group3 ==> DENIED",
"request":{
"resource":{"elements":{"database":"finance"}},
- "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use finance"
+ "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance"
},
- "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
{"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED",
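Review bot: Every `"any"` expectation in this hunk is `"isAllowed":false` with `"policyId":-1`, including the user1, user2, group1 and group2 cases that were expected to be allowed by policy 2 before the change. The fixture therefore never shows an "any" request being granted, and an evaluator that denied every request with empty `accessTypes` would pass all seven cases. Add at least one case where a request with `"accessTypes":[]` is expected to be allowed and names the granting policy id. It is also worth correcting the case named `'use finance;' as user3, group3`, whose request is sent as `user1` with groups `["users"]`. The tests array starts before and continues after the hunk, so a positive case may exist outside it.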
@@ -222,7 +222,7 @@
"resource":{"elements":{"database":"default","table":"table1"}},
"accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
},
- "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
{"name":"'create table default.table1;' as user1, admin ==> DENIED",
@@ -230,7 +230,7 @@
"resource":{"elements":{"database":"default","table":"table1"}},
"accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
},
- "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
{"name":"'drop table default.table1;' as user1 ==> DENIED",
@@ -238,7 +238,7 @@
"resource":{"elements":{"database":"default","table":"table1"}},
"accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
},
- "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
{"name":"'drop table default.table1;' as user1, admin ==> DENIED",
@@ -246,7 +246,7 @@
"resource":{"elements":{"database":"default","table":"table1"}},
"accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
},
- "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
{"name":"'select col1 from default.table1;' as user3 ==> DENIED",
[2/2] incubator-ranger git commit: Merge branch 'stack' of
https://git-wip-us.apache.org/repos/asf/incubator-ranger into stack
Posted by ma...@apache.org.
Merge branch 'stack' of https://git-wip-us.apache.org/repos/asf/incubator-ranger into stack
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7d00538b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7d00538b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7d00538b
Branch: refs/heads/stack
Commit: 7d00538b372442f663c06177d19ce0e6346ea69c
Parents: e8b58a9 1f458f0
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Jan 8 00:54:39 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Jan 8 00:54:39 2015 -0800
----------------------------------------------------------------------
.gitignore | 1 +
.../manager/CustomizedMapDeserializer.java | 50 ------
.../service-defs/ranger-servicedef-hbase.json | 4 +-
.../service-defs/ranger-servicedef-hdfs.json | 2 +-
.../scripts/models/BackboneFormDataType.js | 78 ++++++++
.../scripts/views/policies/GroupPermList.js | 29 +--
.../views/policies/RangerPolicyCreate.js | 11 +-
.../scripts/views/policies/RangerPolicyForm.js | 179 +++----------------
.../views/policies/RangerPolicyTableLayout.js | 56 +++++-
.../scripts/views/policies/UserPermList.js | 34 ++--
.../scripts/views/service/ServiceCreate.js | 2 +-
.../webapp/scripts/views/service/ServiceForm.js | 39 +---
.../templates/policies/GroupPermItem.html | 2 +-
.../webapp/templates/policies/UserPermItem.html | 2 +-
14 files changed, 206 insertions(+), 283 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7d00538b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
----------------------------------------------------------------------