Posted to commits@ranger.apache.org by ma...@apache.org on 2023/06/15 01:41:26 UTC
[ranger] branch master updated: RANGER-4286: allow security-zone to exist without any services/resources assigned
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new cbdd054d5 RANGER-4286: allow security-zone to exist without any services/resources assigned
cbdd054d5 is described below
commit cbdd054d59a94de787c6d8f980859982d22f467a
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Thu Jun 8 22:32:56 2023 -0700
RANGER-4286: allow security-zone to exist without any services/resources assigned
---
.../validation/RangerSecurityZoneValidator.java | 369 +++++++++------------
.../validation/RangerZoneResourceMatcher.java | 10 +-
.../plugin/store/SecurityZonePredicateUtil.java | 33 +-
.../apache/ranger/plugin/util/SearchFilter.java | 1 +
.../RangerSecurityZoneValidatorTest.java | 112 ++++++-
5 files changed, 292 insertions(+), 233 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
index cb4f37cc0..1a2b3160b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
@@ -23,10 +23,11 @@ import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.errors.ValidationErrorCode;
-import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerResourceTrie;
@@ -37,6 +38,7 @@ import org.apache.ranger.plugin.store.SecurityZoneStore;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever;
import org.apache.ranger.plugin.util.SearchFilter;
+import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -48,6 +50,8 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import static org.apache.ranger.plugin.model.RangerPolicy.POLICY_TYPES;
+
public class RangerSecurityZoneValidator extends RangerValidator {
private static final Logger LOG = LoggerFactory.getLogger(RangerSecurityZoneValidator.class);
@@ -55,28 +59,27 @@ public class RangerSecurityZoneValidator extends RangerValidator {
public RangerSecurityZoneValidator(ServiceStore store, SecurityZoneStore securityZoneStore) {
super(store);
+
this.securityZoneStore = securityZoneStore;
}
public void validate(RangerSecurityZone securityZone, Action action) throws Exception {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.validate(%s, %s)", securityZone, action));
+ LOG.debug(String.format("==> RangerSecurityZoneValidator.validate(%s, %s)", securityZone, action));
}
List<ValidationFailureDetails> failures = new ArrayList<>();
+ boolean valid = isValid(securityZone, action, failures);
- boolean valid = isValid(securityZone, action, failures);
-
- String message;
try {
if (!valid) {
- message = serializeFailures(failures);
+ String message = serializeFailures(failures);
+
throw new Exception(message);
}
-
} finally {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.validate(%s, %s)", securityZone, action));
+ LOG.debug(String.format("<== RangerSecurityZoneValidator.validate(%s, %s)", securityZone, action));
}
}
}
@@ -84,7 +87,7 @@ public class RangerSecurityZoneValidator extends RangerValidator {
@Override
boolean isValid(String name, Action action, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s)", name, action, failures));
+ LOG.debug(String.format("==> RangerSecurityZoneValidator.isValid(%s, %s, %s)", name, action, failures));
}
boolean ret = true;
@@ -94,24 +97,20 @@ public class RangerSecurityZoneValidator extends RangerValidator {
failures.add(new ValidationFailureDetailsBuilder().isAnInternalError().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
ret = false;
- } else {
- if (StringUtils.isEmpty(name)) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
+ } else if (StringUtils.isEmpty(name)) {
+ ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
- failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone name was null/missing").field("name").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("name")).build());
- ret = false;
- } else {
- if (getSecurityZone(name) == null) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
+ failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone name was null/missing").field("name").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("name")).build());
+ ret = false;
+ } else if (getSecurityZone(name) == null) {
+ ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
- failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone does not exist").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(name)).build());
- ret = false;
- }
- }
+ failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone does not exist").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(name)).build());
+ ret = false;
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s) : %s", name, action, failures, ret));
+ LOG.debug(String.format("<== RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", name, action, failures, ret));
}
return ret;
@@ -120,7 +119,7 @@ public class RangerSecurityZoneValidator extends RangerValidator {
@Override
boolean isValid(Long id, Action action, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s)", id, action, failures));
+ LOG.debug(String.format("==> RangerSecurityZoneValidator.isValid(%s, %s, %s)", id, action, failures));
}
boolean ret = true;
@@ -136,32 +135,31 @@ public class RangerSecurityZoneValidator extends RangerValidator {
failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone id was null/missing").field("id").isMissing().errorCode(error.getErrorCode()).becauseOf(error.getMessage("id")).build());
ret = false;
} else if (getSecurityZone(id) == null) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
+ ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_ZONE_ID;
- failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone id does not exist").field("id").errorCode(error.getErrorCode()).becauseOf(error.getMessage(id)).build());
- ret = false;
+ failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone id does not exist").field("id").errorCode(error.getErrorCode()).becauseOf(error.getMessage(id)).build());
+ ret = false;
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s) : %s", id, action, failures, ret));
+ LOG.debug(String.format("<== RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", id, action, failures, ret));
}
return ret;
}
- boolean isValid(RangerSecurityZone securityZone, Action action, List<ValidationFailureDetails> failures) {
+ private boolean isValid(RangerSecurityZone securityZone, Action action, List<ValidationFailureDetails> failures) {
if(LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s)", securityZone, action, failures));
+ LOG.debug(String.format("==> RangerSecurityZoneValidator.isValid(%s, %s, %s)", securityZone, action, failures));
}
if (!(action == Action.CREATE || action == Action.UPDATE)) {
- throw new IllegalArgumentException("isValid(RangerPolicy, ...) is only supported for create/update");
+ throw new IllegalArgumentException("isValid(RangerSecurityZone, ...) is only supported for create/update");
}
- boolean ret = true;
-
- RangerSecurityZone existingZone;
+ boolean ret = true;
final String zoneName = securityZone.getName();
+
if (StringUtils.isEmpty(StringUtils.trim(zoneName))) {
ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_FIELD;
@@ -169,9 +167,13 @@ public class RangerSecurityZoneValidator extends RangerValidator {
ret = false;
}
+ RangerSecurityZone existingZone;
+
if (action == Action.CREATE) {
securityZone.setId(-1L);
+
existingZone = getSecurityZone(zoneName);
+
if (existingZone != null) {
ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_NAME_CONFLICT;
@@ -179,7 +181,8 @@ public class RangerSecurityZoneValidator extends RangerValidator {
ret = false;
}
} else {
- Long zoneId = securityZone.getId();
+ Long zoneId = securityZone.getId();
+
existingZone = getSecurityZone(zoneId);
if (existingZone == null) {
@@ -191,12 +194,10 @@ public class RangerSecurityZoneValidator extends RangerValidator {
existingZone = getSecurityZone(zoneName);
if (existingZone != null) {
- if (!StringUtils.equals(existingZone.getName(), zoneName)) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_NAME_CONFLICT;
+ ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_NAME_CONFLICT;
- failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone name").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(existingZone.getId())).build());
- ret = false;
- }
+ failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone name").field("name").errorCode(error.getErrorCode()).becauseOf(error.getMessage(existingZone.getId())).build());
+ ret = false;
}
}
}
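Review bot: With the inner `StringUtils.equals` test removed, any zone returned by `getSecurityZone(zoneName)` on the update path is now reported as a name conflict, so correctness rests entirely on the enclosing condition, which starts outside this hunk. If that branch can be reached when the name is unchanged, an update would conflict with the zone being updated; comparing ids makes the intent explicit and holds either way: `if (existingZone != null && !existingZone.getId().equals(zoneId)) {`. The removed test compared the looked-up zone's name with the name used for the lookup, so it presumably never fired. A one-line comment such as `// another zone already owns the new name` would record why the branch exists.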
@@ -206,7 +207,7 @@ public class RangerSecurityZoneValidator extends RangerValidator {
ret = ret && validateAgainstAllSecurityZones(securityZone, action, failures);
if(LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s) : %s", securityZone, action, failures, ret));
+ LOG.debug(String.format("<== RangerSecurityZoneValidator.isValid(%s, %s, %s) : %s", securityZone, action, failures, ret));
}
return ret;
@@ -214,25 +215,11 @@ public class RangerSecurityZoneValidator extends RangerValidator {
private boolean validateWithinSecurityZone(RangerSecurityZone securityZone, Action action, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.validateWithinSecurityZone(%s, %s, %s)", securityZone, action, failures));
+ LOG.debug(String.format("==> RangerSecurityZoneValidator.validateWithinSecurityZone(%s, %s, %s)", securityZone, action, failures));
}
boolean ret = true;
- // Validate each service for existence, not being tag-service and each resource-spec for validity
- if (MapUtils.isNotEmpty(securityZone.getServices())) {
- for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> serviceSpecification : securityZone.getServices().entrySet()) {
- String serviceName = serviceSpecification.getKey();
- RangerSecurityZone.RangerSecurityZoneService securityZoneService = serviceSpecification.getValue();
-
- ret = ret && validateSecurityZoneService(serviceName, securityZoneService, failures);
- }
- } else {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_SERVICES;
-
- failures.add(new ValidationFailureDetailsBuilder().becauseOf("security zone services").isMissing().field("services").errorCode(error.getErrorCode()).becauseOf(error.getMessage(securityZone.getName())).build());
- ret = false;
- }
// admin users, user-groups and roles collections can't be empty
if (CollectionUtils.isEmpty(securityZone.getAdminUsers()) && CollectionUtils.isEmpty(securityZone.getAdminUserGroups()) && CollectionUtils.isEmpty(securityZone.getAdminRoles())) {
ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_USER_AND_GROUPS_AND_ROLES;
@@ -248,90 +235,83 @@ public class RangerSecurityZoneValidator extends RangerValidator {
ret = false;
}
- if (securityZone.getServices() != null) {
- for (Map.Entry<String, RangerSecurityZoneService> serviceResourceMapEntry : securityZone.getServices()
- .entrySet()) {
- if (serviceResourceMapEntry.getValue().getResources() != null) {
- for (Map<String, List<String>> resource : serviceResourceMapEntry.getValue().getResources()) {
- if (resource != null) {
- for (Map.Entry<String, List<String>> entry : resource.entrySet()) {
- if (CollectionUtils.isEmpty(entry.getValue())) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_RESOURCES;
- failures.add(new ValidationFailureDetailsBuilder().field("security zone resources")
- .subField("resources").isMissing()
- .becauseOf(error.getMessage(serviceResourceMapEntry.getKey()))
- .errorCode(error.getErrorCode()).build());
- ret = false;
- }
- }
- }
- }
- }
- }
- }
+ // Validate each service for existence, not being tag-service and each resource-spec for validity
+ if (MapUtils.isNotEmpty(securityZone.getServices())) {
+ for (Map.Entry<String, RangerSecurityZoneService> entry : securityZone.getServices().entrySet()) {
+ String serviceName = entry.getKey();
+ RangerSecurityZoneService securityZoneService = entry.getValue();
+
+ ret = validateSecurityZoneService(serviceName, securityZoneService, failures) && ret;
+ }
+ }
+
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.validateWithinSecurityZone(%s, %s, %s) : %s", securityZone, action, failures, ret));
+ LOG.debug(String.format("<== RangerSecurityZoneValidator.validateWithinSecurityZone(%s, %s, %s) : %s", securityZone, action, failures, ret));
}
+
return ret;
}
private boolean validateAgainstAllSecurityZones(RangerSecurityZone securityZone, Action action, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.validateAgainstAllSecurityZones(%s, %s, %s)", securityZone, action, failures));
+ LOG.debug(String.format("==> RangerSecurityZoneValidator.validateAgainstAllSecurityZones(%s, %s, %s)", securityZone, action, failures));
}
- boolean ret = true;
-
+ boolean ret = true;
final String zoneName;
if (securityZone.getId() != -1L) {
RangerSecurityZone existingZone = getSecurityZone(securityZone.getId());
+
zoneName = existingZone.getName();
} else {
zoneName = securityZone.getName();
}
- for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry: securityZone.getServices().entrySet()) {
- String serviceName = entry.getKey();
- RangerSecurityZone.RangerSecurityZoneService serviceResources = entry.getValue();
+ for (Map.Entry<String, RangerSecurityZoneService> entry: securityZone.getServices().entrySet()) {
+ String serviceName = entry.getKey();
+ RangerSecurityZoneService securityZoneService = entry.getValue();
- if (CollectionUtils.isNotEmpty(serviceResources.getResources())) {
- SearchFilter filter = new SearchFilter();
- List<RangerSecurityZone> zones = null;
+ if (CollectionUtils.isEmpty(securityZoneService.getResources())) {
+ continue;
+ }
- filter.setParam(SearchFilter.SERVICE_NAME, serviceName);
- filter.setParam(SearchFilter.ZONE_NAME, zoneName);
+ SearchFilter filter = new SearchFilter();
+ List<RangerSecurityZone> zones = null;
- try {
- zones = securityZoneStore.getSecurityZones(filter);
- } catch (Exception excp) {
- LOG.error("Failed to get Security-Zones", excp);
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
+ filter.setParam(SearchFilter.SERVICE_NAME, serviceName);
+ filter.setParam(SearchFilter.NOT_ZONE_NAME, zoneName);
- failures.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(excp.getMessage())).errorCode(error.getErrorCode()).build());
- ret = false;
- }
+ try {
+ zones = securityZoneStore.getSecurityZones(filter);
+ } catch (Exception excp) {
+ LOG.error("Failed to get Security-Zones", excp);
+ ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
+
+ failures.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(excp.getMessage())).errorCode(error.getErrorCode()).build());
+ ret = false;
+ }
- if (CollectionUtils.isNotEmpty(zones)) {
- RangerService service = getService(serviceName);
- RangerServiceDef serviceDef = service != null ? getServiceDef(service.getType()) : null;
+ if (CollectionUtils.isEmpty(zones)) {
+ continue;
+ }
- if (serviceDef == null) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
+ RangerService service = getService(serviceName);
+ RangerServiceDef serviceDef = service != null ? getServiceDef(service.getType()) : null;
- failures.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
- ret = false;
+ if (serviceDef == null) {
+ ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
- } else {
- zones.add(securityZone);
- ret = ret && validateZoneServiceInAllZones(zones, serviceName, serviceDef, failures);
- }
- }
+ failures.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
+ ret = false;
+ } else {
+ zones.add(securityZone);
+ ret = ret && validateZoneServiceInAllZones(zones, serviceName, serviceDef, failures);
}
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.validateAgainstAllSecurityZones(%s, %s, %s) : %s", securityZone, action, failures, ret));
+ LOG.debug(String.format("<== RangerSecurityZoneValidator.validateAgainstAllSecurityZones(%s, %s, %s) : %s", securityZone, action, failures, ret));
}
return ret;
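Review bot: `validateAgainstAllSecurityZones` still iterates `securityZone.getServices().entrySet()` with no null check, while `validateWithinSecurityZone` in this same hunk guards the map with `MapUtils.isNotEmpty`. Now that a zone may carry no services, a request whose `services` field is absent would raise a NullPointerException here unless the model normalizes it to an empty map, which this diff does not show. Wrapping the loop in `if (MapUtils.isNotEmpty(securityZone.getServices())) {` keeps the two methods consistent. Separately, the move to `SearchFilter.NOT_ZONE_NAME` pairs with a predicate change that turns `ZONE_NAME` from an exclusion into a match, so other callers that set `ZONE_NAME` should be checked for reliance on the old meaning.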
@@ -339,7 +319,7 @@ public class RangerSecurityZoneValidator extends RangerValidator {
private boolean validateZoneServiceInAllZones(List<RangerSecurityZone> zones, String serviceName, RangerServiceDef serviceDef, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.validateZoneServiceInAllZones(%s, %s, %s, %s)", zones, serviceName, serviceDef, failures));
+ LOG.debug(String.format("==> RangerSecurityZoneValidator.validateZoneServiceInAllZones(%s, %s, %s, %s)", zones, serviceName, serviceDef, failures));
}
boolean ret = true;
@@ -351,22 +331,26 @@ public class RangerSecurityZoneValidator extends RangerValidator {
// add this to list-of-evaluators
Map<String, List<RangerZoneResourceMatcher>> matchersForResourceDef = new HashMap<>();
+ RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
for (RangerSecurityZone zone : zones) {
- List<HashMap<String, List<String>>> resources = zone.getServices().get(serviceName).getResources();
+ Map<String, RangerSecurityZoneService> zoneServices = zone.getServices();
+ RangerSecurityZoneService zoneService = zoneServices != null ? zoneServices.get(serviceName) : null;
+ List<HashMap<String, List<String>>> resources = zoneService != null ? zoneService.getResources() : null;
+
+ if (CollectionUtils.isEmpty(resources)) {
+ continue;
+ }
for (Map<String, List<String>> resource : resources) {
- Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>();
+ Map<String, RangerPolicyResource> policyResources = new HashMap<>();
for (Map.Entry<String, List<String>> entry : resource.entrySet()) {
String resourceDefName = entry.getKey();
List<String> resourceValues = entry.getValue();
- RangerPolicy.RangerPolicyResource policyResource = new RangerPolicy.RangerPolicyResource();
+ RangerPolicyResource policyResource = new RangerPolicyResource(resourceValues, false, EmbeddedServiceDefsUtil.isRecursiveEnabled(serviceDef, resourceDefName));
- policyResource.setIsExcludes(false);
- policyResource.setIsRecursive(EmbeddedServiceDefsUtil.isRecursiveEnabled(serviceDef, resourceDefName));
- policyResource.setValues(resourceValues);
policyResources.put(resourceDefName, policyResource);
if (matchersForResourceDef.get(resourceDefName) == null) {
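Review bot: The null guards added for `zone.getServices()`, the per-service entry and `getResources()` cover only this first loop. The second pass over the same `zones` list, in the later hunk at `@@ -413,7 +389,6 @@`, still calls `zone.getServices().get(serviceName).getResources()` directly and iterates the result. A zone that has the service assigned with no resources, which this commit now permits, is skipped here but could throw there if `getResources()` returns null. The same lookup and `if (CollectionUtils.isEmpty(resources)) { continue; }` should be applied in that loop. The method body starts and ends outside this hunk.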
@@ -374,7 +358,7 @@ public class RangerSecurityZoneValidator extends RangerValidator {
}
}
- RangerZoneResourceMatcher matcher = new RangerZoneResourceMatcher(zone.getName(), policyResources, serviceDef);
+ RangerZoneResourceMatcher matcher = new RangerZoneResourceMatcher(zone.getName(), policyResources, serviceDefHelper);
for (String resourceDefName : resource.keySet()) {
matchersForResourceDef.get(resourceDefName).add(matcher);
@@ -385,21 +369,13 @@ public class RangerSecurityZoneValidator extends RangerValidator {
// Build a map of trie with list-of-evaluators with one entry corresponds to one resource-def if it exists in the list-of-resources
Map<String, RangerResourceTrie<RangerZoneResourceMatcher>> trieMap = new HashMap<>();
- List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
for (Map.Entry<String, List<RangerZoneResourceMatcher>> entry : matchersForResourceDef.entrySet()) {
- String resourceDefName = entry.getKey();
- List<RangerZoneResourceMatcher> matchers = entry.getValue();
- RangerServiceDef.RangerResourceDef resourceDef = null;
-
- for (RangerServiceDef.RangerResourceDef element : resourceDefs) {
- if (StringUtils.equals(element.getName(), resourceDefName)) {
- resourceDef = element;
- break;
- }
- }
+ String resourceDefName = entry.getKey();
+ List<RangerZoneResourceMatcher> matchers = entry.getValue();
+ RangerResourceDef resourceDef = ServiceDefUtil.getResourceDef(serviceDef, resourceDefName);
- trieMap.put(entry.getKey(), new RangerResourceTrie<>(resourceDef, matchers));
+ trieMap.put(resourceDefName, new RangerResourceTrie<>(resourceDef, matchers));
}
// For each zone, get list-of-resources corresponding to serviceName
@@ -413,7 +389,6 @@ public class RangerSecurityZoneValidator extends RangerValidator {
List<HashMap<String, List<String>>> resources = zone.getServices().get(serviceName).getResources();
for (Map<String, List<String>> resource : resources) {
-
Collection<RangerZoneResourceMatcher> smallestList = RangerResourceEvaluatorsRetriever.getEvaluators(trieMap, resource);
if (LOG.isDebugEnabled()) {
@@ -464,20 +439,18 @@ public class RangerSecurityZoneValidator extends RangerValidator {
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.validateZoneServiceInAllZones(%s, %s, %s, %s) : %s", zones, serviceName, serviceDef, failures, ret));
+ LOG.debug(String.format("<== RangerSecurityZoneValidator.validateZoneServiceInAllZones(%s, %s, %s, %s) : %s", zones, serviceName, serviceDef, failures, ret));
}
return ret;
}
- private boolean validateSecurityZoneService(String serviceName, RangerSecurityZone.RangerSecurityZoneService securityZoneService, List<ValidationFailureDetails> failures) {
+ private boolean validateSecurityZoneService(String serviceName, RangerSecurityZoneService securityZoneService, List<ValidationFailureDetails> failures) {
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.validateSecurityZoneService(%s, %s, %s)", serviceName, securityZoneService, failures));
+ LOG.debug(String.format("==> RangerSecurityZoneValidator.validateSecurityZoneService(%s, %s, %s)", serviceName, securityZoneService, failures));
}
- boolean ret = true;
-
- // Verify service with serviceName exists - get the service-type
- RangerService service = getService(serviceName);
+ boolean ret = true;
+ RangerService service = getService(serviceName); // Verify service with serviceName exists
if (service == null) {
ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_SERVICE_NAME;
@@ -489,68 +462,54 @@ public class RangerSecurityZoneValidator extends RangerValidator {
if (serviceDef == null) {
ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_SERVICE_TYPE;
+
failures.add(new ValidationFailureDetailsBuilder().field("security zone resource service-type").becauseOf(error.getMessage(service.getType())).errorCode(error.getErrorCode()).build());
ret = false;
} else {
- String serviceType = serviceDef.getName();
-
- if (StringUtils.equals(serviceType, EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
- if (CollectionUtils.isNotEmpty(securityZoneService.getResources())) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_UNEXPECTED_RESOURCES;
- failures.add(new ValidationFailureDetailsBuilder().field("security zone resources").becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
- ret = false;
- }
- } else {
- if (CollectionUtils.isEmpty(securityZoneService.getResources())) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_RESOURCES;
- failures.add(new ValidationFailureDetailsBuilder().field("security zone resources").isMissing().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
- ret = false;
- } else {
- // For each resource-spec, verify that it forms valid hierarchy for some policy-type
- for (Map<String, List<String>> resource : securityZoneService.getResources()) {
- Set<String> resourceDefNames = resource.keySet();
- RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
- boolean isValidHierarchy = false;
-
- for (int policyType : RangerPolicy.POLICY_TYPES) {
- Set<List<RangerServiceDef.RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, resourceDefNames);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Size of resourceHierarchies for resourceDefNames:[" + resourceDefNames + ", policyType=" + policyType + "] = " + resourceHierarchies.size());
- }
-
- for (List<RangerServiceDef.RangerResourceDef> resourceHierarchy : resourceHierarchies) {
-
- if (RangerDefaultPolicyResourceMatcher.isHierarchyValidForResources(resourceHierarchy, resource)) {
- isValidHierarchy = true;
- break;
- } else {
- LOG.info("gaps found in resource, skipping hierarchy:[" + resourceHierarchies + "]");
- }
- }
+ if (CollectionUtils.isNotEmpty(securityZoneService.getResources())) {
+ // For each resource-spec, verify that it forms valid hierarchy for some policy-type
+ for (Map<String, List<String>> resource : securityZoneService.getResources()) {
+ Set<String> resourceDefNames = resource.keySet();
+ RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
+ boolean isValidHierarchy = false;
+
+ for (int policyType : POLICY_TYPES) {
+ Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, resourceDefNames);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Size of resourceHierarchies for resourceDefNames:[" + resourceDefNames + ", policyType=" + policyType + "] = " + resourceHierarchies.size());
}
- if (!isValidHierarchy) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_RESOURCE_HIERARCHY;
-
- failures.add(new ValidationFailureDetailsBuilder().field("security zone resource hierarchy").becauseOf(error.getMessage(serviceName, resourceDefNames)).errorCode(error.getErrorCode()).build());
- ret = false;
+ for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
+ if (RangerDefaultPolicyResourceMatcher.isHierarchyValidForResources(resourceHierarchy, resource)) {
+ isValidHierarchy = true;
+ break;
+ } else {
+ LOG.info("gaps found in resource, skipping hierarchy:[" + resourceHierarchies + "]");
+ }
}
+ }
- /*
- * Ignore this check. It should be possible to have all wildcard resource in a zone if zone-admin so desires
- *
- boolean isValidResourceSpec = isAnyNonWildcardResource(resource, failures);
-
- if (!isValidResourceSpec) {
- ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ALL_WILDCARD_RESOURCE_VALUES;
+ if (!isValidHierarchy) {
+ ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INVALID_RESOURCE_HIERARCHY;
- failures.add(new ValidationFailureDetailsBuilder().field("security zone resource values").becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
+ failures.add(new ValidationFailureDetailsBuilder().field("security zone resource hierarchy").becauseOf(error.getMessage(serviceName, resourceDefNames)).errorCode(error.getErrorCode()).build());
ret = false;
- LOG.warn("RangerPolicyValidator.validateSecurityZoneService() : All wildcard resource-values specified for service :[" + serviceName + "]");
}
- */
+ for (Map.Entry<String, List<String>> resourceEntry : resource.entrySet()) {
+ String resourceName = resourceEntry.getKey();
+ List<String> resourceValues = resourceEntry.getValue();
+
+ if (CollectionUtils.isEmpty(resourceValues)) {
+ ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_RESOURCES;
+
+ failures.add(new ValidationFailureDetailsBuilder().field("security zone resources")
+ .subField("resources").isMissing()
+ .becauseOf(error.getMessage(resourceName))
+ .errorCode(error.getErrorCode()).build());
+ ret = false;
+ }
}
}
}
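Review bot: The tag-service branch that rejected resources with `SECURITY_ZONE_VALIDATION_ERR_UNEXPECTED_RESOURCES` is removed, so a resource list on a tag service is now only subject to the hierarchy check. If nothing outside this diff rejects that case, a zone could claim resources through a tag service. Either keep a guard on `StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME) && CollectionUtils.isNotEmpty(securityZoneService.getResources())`, or drop "not being tag-service" from the comment above the loop in `validateWithinSecurityZone`, which no longer matches the code. The empty-values failure also now passes `resourceName` to `error.getMessage(...)` where the removed code passed the service name, which may give a misleading message depending on the template. `new RangerServiceDefHelper(serviceDef)` is loop-invariant and could be created once before the `for` over resources.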
@@ -558,41 +517,9 @@ public class RangerSecurityZoneValidator extends RangerValidator {
}
if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.validateSecurityZoneService(%s, %s, %s) : %s", serviceName, securityZoneService, failures, ret));
- }
-
- return ret;
- }
-
- /*
- private boolean isAnyNonWildcardResource(Map<String, List<String>> resource, List<ValidationFailureDetails> failures) {
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("==> RangerPolicyValidator.isAnyNonWildcardResource(%s, %s)", resource, failures));
+ LOG.debug(String.format("<== RangerSecurityZoneValidator.validateSecurityZoneService(%s, %s, %s) : %s", serviceName, securityZoneService, failures, ret));
}
- boolean ret = false;
-
- for (Map.Entry<String, List<String>> resourceDefValue : resource.entrySet()) {
- boolean wildCardResourceFound = false;
- List<String> resourceValues = resourceDefValue.getValue();
-
- for (String resourceValue : resourceValues) {
- if (StringUtils.equals(resourceValue, RangerDefaultResourceMatcher.WILDCARD_ASTERISK)) {
- wildCardResourceFound = true;
- break;
- }
- }
-
- if (!wildCardResourceFound) {
- ret = true;
- break;
- }
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.isAnyNonWildcardResource(%s, %s) : %s", resource, failures, ret));
- }
return ret;
}
- */
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
index e079b7c46..bf4247660 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
@@ -42,11 +42,13 @@ public class RangerZoneResourceMatcher implements RangerResourceEvaluator {
private RangerServiceDef.RangerResourceDef leafResourceDef;
public RangerZoneResourceMatcher(final String securityZoneName, final Map<String, RangerPolicy.RangerPolicyResource> policyResource, final RangerServiceDef serviceDef) {
+ this(securityZoneName, policyResource, new RangerServiceDefHelper(serviceDef));
+ }
- RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
- final Collection<String> resourceKeys = policyResource.keySet();
-
- RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
+ public RangerZoneResourceMatcher(final String securityZoneName, final Map<String, RangerPolicy.RangerPolicyResource> policyResource, final RangerServiceDefHelper serviceDefHelper) {
+ final RangerServiceDef serviceDef = serviceDefHelper.getServiceDef();
+ final Collection<String> resourceKeys = policyResource.keySet();
+ final RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
matcher.setServiceDef(serviceDef);
matcher.setServiceDefHelper(serviceDefHelper);
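Review bot: The new public constructor dereferences `serviceDefHelper` on its first line, so a null helper fails with a bare NullPointerException. Nothing tells a caller that the matcher is configured from the helper's own service-def. I would add a Javadoc sentence on the new overload stating that `serviceDefHelper` must be non-null and that its `getServiceDef()` supplies the service-def, and one on the `RangerServiceDef` overload saying it only wraps its argument in a new helper. The constructor body continues outside this hunk.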
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java
index f2c381925..df5fc7956 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java
@@ -38,7 +38,8 @@ public class SecurityZonePredicateUtil extends AbstractPredicateUtil {
addPredicateForServiceName(filter.getParam(SearchFilter.SERVICE_NAME), predicates);
addPredicateForMatchingZoneId(filter.getParam(SearchFilter.ZONE_ID), predicates);
- addPredicateForNonMatchingZoneName(filter.getParam(SearchFilter.ZONE_NAME), predicates);
+ addPredicateForMatchingZoneName(filter.getParam(SearchFilter.ZONE_NAME), predicates);
+ addPredicateForNonMatchingZoneName(filter.getParam(SearchFilter.NOT_ZONE_NAME), predicates);
}
private Predicate addPredicateForServiceName(final String serviceName, List<Predicate> predicates) {
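Review bot: The `zoneName` search parameter changes meaning here: it used to feed addPredicateForNonMatchingZoneName (exclude the named zone) and now feeds addPredicateForMatchingZoneName (keep only the named zone), with exclusion moved to `notZoneName`. A caller not touched by this commit that still sets `SearchFilter.ZONE_NAME` to skip the zone being validated would silently get the opposite result. That matters if, as the updated test filter suggests, the zone validator uses this filter to find the other zones to compare resources against. I would add a comment above the two calls, e.g. `// ZONE_NAME keeps only the named zone; NOT_ZONE_NAME excludes it (before RANGER-4286, ZONE_NAME excluded it)`, and check the remaining callers of `ZONE_NAME`. addPredicates starts outside this hunk.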
@@ -105,6 +106,36 @@ public class SecurityZonePredicateUtil extends AbstractPredicateUtil {
return ret;
}
+ private Predicate addPredicateForMatchingZoneName(final String zoneName, List<Predicate> predicates) {
+
+ Predicate ret = new Predicate() {
+ @Override
+ public boolean evaluate(Object object) {
+ if(object == null) {
+ return false;
+ }
+
+ boolean ret = false;
+
+ if(object instanceof RangerSecurityZone) {
+ RangerSecurityZone securityZone = (RangerSecurityZone) object;
+
+ if (StringUtils.equals(zoneName, securityZone.getName())) {
+ ret = true;
+ }
+ }
+
+ return ret;
+ }
+ };
+
+ if(predicates != null) {
+ predicates.add(ret);
+ }
+
+ return ret;
+ }
+
private Predicate addPredicateForNonMatchingZoneName(final String zoneName, List<Predicate> predicates) {
Predicate ret = new Predicate() {
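Review bot: addPredicateForMatchingZoneName registers its predicate even when `zoneName` is null or empty, and addPredicates calls it unconditionally. Assuming getParam returns null for an absent parameter, `StringUtils.equals(zoneName, securityZone.getName())` is then false for every named zone. If the predicates are AND-combined (not visible here), a filter carrying only `serviceName` and `notZoneName`, like the one the updated test builds, would match no zones and the resource-conflict check would have nothing to compare against. I would return early at the top of the method: `if (StringUtils.isEmpty(zoneName)) { return null; }`. The new method is complete in this hunk; addPredicateForNonMatchingZoneName continues outside it.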
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
index 4653dc31a..61f879894 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
@@ -59,6 +59,7 @@ public class SearchFilter {
public static final String POLICY_LABEL_ID = "policyLabelId"; // search, sort
public static final String ZONE_ID = "zoneId"; // search, sort
public static final String ZONE_NAME = "zoneName"; // search, sort
+ public static final String NOT_ZONE_NAME = "notZoneName"; // search
public static final String ROLE_ID = "roleId"; // search, sort
public static final String ROLE_NAME = "roleName"; // search, sort
public static final String GROUP_NAME = "groupName"; // search, sort
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
index dcc970c47..ef95c69aa 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
@@ -19,11 +19,17 @@
package org.apache.ranger.plugin.model.validation;
import static org.mockito.Mockito.mock;
+
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.ranger.plugin.errors.ValidationErrorCode;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -34,6 +40,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.store.SecurityZoneStore;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.SearchFilter;
@@ -108,7 +115,7 @@ public class RangerSecurityZoneValidatorTest {
try{
rangerSecurityZoneValidator.validate(suppliedSecurityZone, RangerValidator.Action.DELETE);
}catch(IllegalArgumentException ex){
- Assert.assertEquals(ex.getMessage(), "isValid(RangerPolicy, ...) is only supported for create/update");
+ Assert.assertEquals(ex.getMessage(), "isValid(RangerSecurityZone, ...) is only supported for create/update");
}
}
@@ -161,9 +168,11 @@ public class RangerSecurityZoneValidatorTest {
rangerSecurityZoneValidator.validate(suppliedSecurityZone,
RangerValidator.Action.CREATE);
} catch (Exception ex) {
- Assert.assertEquals(
- ex.getMessage(),
- "(0) Validation failure: error code[3044], reason[No services specified for security-zone:[MyZone]], field[services], subfield[null], type[missing] (1) Validation failure: error code[3038], reason[users, user-groups and roles collections for the security zone were null/empty], field[security zone admin users/user-groups/roles], subfield[null], type[missing] (2) Validation failure: error code[3038], reason[users, user-groups and roles collections for the security zone were null/empty [...]
+ String failureMessage = ex.getMessage();
+ ValidationErrorCode expectedError = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_MISSING_USER_AND_GROUPS_AND_ROLES;
+ boolean hasExpectedError = StringUtils.contains(failureMessage, expectedError.getErrorCode() + "");
+
+ Assert.assertTrue("validation failure message didn't include expected error code " + expectedError.getErrorCode() + ". Failure message: " + failureMessage, hasExpectedError);
}
}
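Review bot: This test no longer checks the behaviour the commit is about: the catch block only looks for the missing users/groups/roles code, and nothing visible after `validate(...)` fails the test when no exception is thrown. The removed assertion pinned the "No services specified" failure (code 3044); since a zone without services should now be accepted, I would assert that this code is absent from `failureMessage` and add `Assert.fail("validation should have failed")` after the `validate` call. Matching the bare number as a substring can also hit unrelated digits in the message; `StringUtils.contains(failureMessage, "error code[" + expectedError.getErrorCode() + "]")` is stricter. The test method starts outside this hunk.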
@@ -357,8 +366,83 @@ public class RangerSecurityZoneValidatorTest {
Assert.assertFalse(isValid);
}
-
-
+ @Test
+ public void testValidatePathResourceInMultipleSecurityZones() throws Exception {
+ List<HashMap<String, List<String>>> zone1Resources = new ArrayList<>();
+ List<HashMap<String, List<String>>> zone2Resources = new ArrayList<>();
+
+ zone1Resources.add(new HashMap<String, List<String>>() {{ put("hdfs", Arrays.asList("/zone1")); }});
+ zone2Resources.add(new HashMap<String, List<String>>() {{ put("hdfs", Arrays.asList("/zone1/a")); }});
+
+ RangerServiceDef svcDef = rangerServiceDef();
+ RangerService svc = getRangerService();
+ RangerSecurityZoneService zone1HdfsSvc = new RangerSecurityZoneService(zone1Resources);
+ RangerSecurityZoneService zone2HdfsSvc = new RangerSecurityZoneService(zone2Resources);
+
+ RangerSecurityZone zone1 = new RangerSecurityZone("zone1", Collections.singletonMap(svc.getName(), zone1HdfsSvc), null, Arrays.asList("admin"), null, Arrays.asList("auditor"), null, "Zone 1");
+ RangerSecurityZone zone2 = new RangerSecurityZone("zone2", Collections.singletonMap(svc.getName(), zone2HdfsSvc), null, Arrays.asList("admin"), null, Arrays.asList("auditor"), null, "Zone 1");
+
+ zone1.setId(1L);
+ zone2.setId(2L);
+
+ List<RangerSecurityZone> zones = new ArrayList<RangerSecurityZone>() {{ add(zone1); }};
+
+ Mockito.when(_store.getServiceByName(svc.getName())).thenReturn(svc);
+ Mockito.when(_store.getServiceDefByName(svc.getType())).thenReturn(svcDef);
+ Mockito.when(_store.getSecurityZone(2L)).thenReturn(zone2);
+ Mockito.when(_securityZoneStore.getSecurityZones(Mockito.any())).thenReturn(zones);
+
+ try {
+ rangerSecurityZoneValidator.validate(zone2, RangerValidator.Action.UPDATE);
+
+ Assert.assertFalse("security-zone update should have failed in validation", true);
+ } catch (Exception excp) {
+ String failureMessage = excp.getMessage();
+ ValidationErrorCode expectedError = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_RESOURCE_CONFLICT;
+ boolean hasExpectedError = StringUtils.contains(failureMessage, expectedError.getErrorCode() + "");
+
+ Assert.assertTrue("validation failure message didn't include expected error code " + expectedError.getErrorCode() + ". Failure message: " + failureMessage, hasExpectedError);
+ }
+ }
+
+ @Test
+ public void testValidateHiveResourceInMultipleSecurityZones() throws Exception {
+ List<HashMap<String, List<String>>> zone1Resources = new ArrayList<>();
+ List<HashMap<String, List<String>>> zone2Resources = new ArrayList<>();
+
+ zone1Resources.add(new HashMap<String, List<String>>() {{ put("database", Arrays.asList("db1")); }});
+ zone2Resources.add(new HashMap<String, List<String>>() {{ put("database", Arrays.asList("db1")); put("table", Arrays.asList("tbl1")); }});
+
+ RangerServiceDef svcDef = getHiveServiceDef();
+ RangerService svc = getHiveService();
+ RangerSecurityZoneService zone1HiveSvc = new RangerSecurityZoneService(zone1Resources);
+ RangerSecurityZoneService zone2HiveSvc = new RangerSecurityZoneService(zone2Resources);
+
+ RangerSecurityZone zone1 = new RangerSecurityZone("zone1", Collections.singletonMap(svc.getName(), zone1HiveSvc), null, Arrays.asList("admin"), null, Arrays.asList("auditor"), null, "Zone 1");
+ RangerSecurityZone zone2 = new RangerSecurityZone("zone2", Collections.singletonMap(svc.getName(), zone2HiveSvc), null, Arrays.asList("admin"), null, Arrays.asList("auditor"), null, "Zone 1");
+
+ zone1.setId(1L);
+ zone2.setId(2L);
+
+ List<RangerSecurityZone> zones = new ArrayList<RangerSecurityZone>() {{ add(zone1); }};
+
+ Mockito.when(_store.getServiceByName(svc.getName())).thenReturn(svc);
+ Mockito.when(_store.getServiceDefByName(svc.getType())).thenReturn(svcDef);
+ Mockito.when(_store.getSecurityZone(2L)).thenReturn(zone2);
+ Mockito.when(_securityZoneStore.getSecurityZones(Mockito.any())).thenReturn(zones);
+
+ try {
+ rangerSecurityZoneValidator.validate(zone2, RangerValidator.Action.UPDATE);
+
+ Assert.assertFalse("security-zone update should have failed in validation", true);
+ } catch (Exception excp) {
+ String failureMessage = excp.getMessage();
+ boolean hasResourceConflictError = StringUtils.contains(failureMessage, ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_RESOURCE_CONFLICT.getErrorCode() + "");
+
+ Assert.assertTrue("validation failure message didn't include expected error code " + ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_RESOURCE_CONFLICT.getErrorCode() + ". Failure message: " + excp.getMessage(), hasResourceConflictError);
+ }
+ }
+
private RangerService getRangerService() {
Map<String, String> configs = new HashMap<String, String>();
configs.put("username", "servicemgr");
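Review bot: Both new tests signal a missing exception with `Assert.assertFalse("security-zone update should have failed in validation", true)`; `Assert.fail("security-zone update should have failed in validation")` states the intent directly. In both tests zone2 is built with "Zone 1" as its last constructor argument, which looks like a copy-paste slip. The two bodies differ only in the resource maps and the service and service-def used, so a private helper taking those would remove the duplication. getRangerService at the end of the hunk continues outside it.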
@@ -393,6 +477,8 @@ public class RangerSecurityZoneValidatorTest {
RangerResourceDef rangerResourceDef = new RangerResourceDef();
rangerResourceDef.setName("hdfs");
+ rangerResourceDef.setRecursiveSupported(true);
+ rangerResourceDef.setMatcher("org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher");
List<RangerServiceConfigDef> configs = new ArrayList<RangerServiceConfigDef>();
List<RangerResourceDef> resources = new ArrayList<RangerResourceDef>();
@@ -421,6 +507,18 @@ public class RangerSecurityZoneValidatorTest {
return rangerServiceDef;
}
+ private RangerService getHiveService() {
+ RangerService ret = new RangerService(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME, "hiveSvc", "Test Hive Service", null, new HashMap<>());
+
+ ret.setId(1L);
+
+ return ret;
+ }
+
+ private RangerServiceDef getHiveServiceDef() throws Exception {
+ return EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HIVE_NAME);
+ }
+
private RangerSecurityZone getRangerSecurityZone(){
List<String> resourceList = new ArrayList<String>();
resourceList.add("/path/myfolder");
@@ -466,7 +564,7 @@ public class RangerSecurityZoneValidatorTest {
SearchFilter filter = new SearchFilter();
filter.setParam(SearchFilter.SERVICE_NAME, "hdfsSvc");
- filter.setParam(SearchFilter.ZONE_NAME, "MyZone");
+ filter.setParam(SearchFilter.NOT_ZONE_NAME, "MyZone");
return filter;
}