Posted to commits@ranger.apache.org by ma...@apache.org on 2015/01/05 07:28:57 UTC
incubator-ranger git commit: RANGER-203: add more policy engine tests; fixes.
Repository: incubator-ranger
Updated Branches:
refs/heads/stack 63923bf6d -> 3106b1122
RANGER-203: add more policy engine tests; fixes.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3106b112
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3106b112
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3106b112
Branch: refs/heads/stack
Commit: 3106b1122b816c0cc458f0ff14957fc6f1b541da
Parents: 63923bf
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Sun Jan 4 22:28:01 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Sun Jan 4 22:28:01 2015 -0800
----------------------------------------------------------------------
.../plugin/policyengine/RangerAccessResult.java | 35 +++
.../RangerDefaultPolicyEvaluator.java | 20 +-
.../plugin/policyengine/TestPolicyEngine.java | 26 ++-
.../policyengine/test_policyengine_01.json | 211 ++++++++++++++++++-
4 files changed, 261 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3106b112/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 6fbfe82..8fa766f 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -19,6 +19,9 @@
package org.apache.ranger.plugin.policyengine;
+import org.apache.commons.lang.ObjectUtils;
+import org.apache.commons.lang.StringUtils;
+
public class RangerAccessResult {
public enum Result { ALLOWED, DENIED };
@@ -117,6 +120,38 @@ public class RangerAccessResult {
}
@Override
+ public boolean equals(Object obj) {
+ boolean ret = false;
+
+ if(obj != null && (obj instanceof RangerAccessResult)) {
+ RangerAccessResult other = (RangerAccessResult)obj;
+
+ ret = (this == other);
+
+ if(! ret) {
+ ret = this.isAudited == other.isAudited &&
+ this.policyId == other.policyId &&
+ StringUtils.equals(this.reason, other.reason) &&
+ ObjectUtils.equals(this.result, other.result);
+ }
+ }
+
+ return ret;
+ }
+
+ @Override
+ public int hashCode() {
+ int ret = 7;
+
+ ret = 31 * ret + (isAudited ? 1 : 0);
+ ret = 31 * ret + (int)policyId;
+ ret = 31 * ret + (reason == null ? 0 : reason.hashCode());
+ ret = 31 * ret + (result == null ? 0 : result.hashCode());
+
+ return ret;
+ }
+
+ @Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
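Review bot: The new `equals` and `hashCode` cover only `isAudited`, `policyId`, `reason` and `result`, while the evaluator change in this same commit calls `result.setFinal(true)`, so two results that differ only in finality compare equal. If that is intended for the test comparison, record it in a Javadoc line such as `/** Equality covers result, policyId, reason and isAudited; isFinal is deliberately excluded. */`. In `hashCode`, the cast `(int)policyId` suggests `policyId` is a long, in which case its upper 32 bits are dropped; `(int)(policyId ^ (policyId >>> 32))` keeps them. Both methods read fields that have setters, so an instance must not be mutated while it is a key in a hash-based collection. The `obj != null` test is redundant because `instanceof` is already false for null.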
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3106b112/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 3ef5d08..2d0f300 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -91,24 +91,24 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
RangerPolicyItemAccess access = getAccess(policyItem, request.getAccessType());
- if(access != null && (access.getIsAllowed() || policy.getIsAuditEnabled())) {
+ if(access != null) {
+ if(! result.isAudited() && policy.getIsAuditEnabled()) {
+ result.setAudited(true);
+ }
+
if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
if(matchCustomConditions(policyItem, request)) {
if(result.getResult() != Result.ALLOWED && access.getIsAllowed()) {
result.setResult(Result.ALLOWED);
result.setPolicyId(policy.getId());
}
-
- if(! result.isAudited() && policy.getIsAuditEnabled()) {
- result.setAudited(true);
- }
-
- if(result.getResult() == Result.ALLOWED && result.isAudited()) {
- result.setFinal(true);
- break;
- }
}
}
+
+ if(result.getResult() == Result.ALLOWED && result.isAudited()) {
+ result.setFinal(true);
+ break;
+ }
}
}
}
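Review bot: The audit flag is now set inside `if(access != null)`, so a request whose access type is not listed in any policy item of an audit-enabled policy leaves the loop with `isAudited` still false. The fixture added in this commit appears to pin that outcome: the `create`/`drop` requests on `default.table1` expect `DENIED` with `"isAudited":false`, while `select` on the same table expects `"isAudited":true`. Denied attempts at access types nobody was granted are the events an audit trail most needs, and the check does not use `policyItem` at all, so consider hoisting it above the `for` loop as `if(policy.getIsAuditEnabled()) { result.setAudited(true); }`. The enclosing method begins outside the hunk, so this assumes the resource match has already succeeded before the loop runs.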
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3106b112/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 3c2c688..b7d156a 100644
--- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -10,7 +10,7 @@ import java.util.List;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTests.TestData;
+import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
@@ -53,19 +53,17 @@ public class TestPolicyEngine {
public void runTests(InputStreamReader reader, String testName) {
try {
- PolicyEngineTests tests = gsonBuilder.fromJson(reader, PolicyEngineTests.class);
+ PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
- assertTrue("invalid input: " + testName, tests != null && tests.serviceDef != null && tests.policies != null && tests.tests != null);
+ assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
- policyEngine.setPolicies(tests.serviceDef, tests.policies);
+ policyEngine.setPolicies(testCase.serviceDef, testCase.policies);
- for(TestData td : tests.tests) {
- RangerAccessResult expected = td.result;
- RangerAccessResult result = policyEngine.isAccessAllowed(td.request);
+ for(TestData test : testCase.tests) {
+ RangerAccessResult expected = test.result;
+ RangerAccessResult result = policyEngine.isAccessAllowed(test.request);
- assertEquals(result.getResult(), expected.getResult());
- assertEquals(result.isAudited(), expected.isAudited());
- assertEquals(result.getPolicyId(), expected.getPolicyId());
+ assertEquals(test.name, expected, result);
}
} catch(Throwable excp) {
excp.printStackTrace();
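Review bot: `assertEquals(test.name, expected, result)` reports a mismatch by throwing `AssertionError`, and it sits inside a `try` whose `catch(Throwable excp)` begins with `excp.printStackTrace();`. The rest of the catch block is outside this hunk; if it does not rethrow or call `fail(...)`, a wrong authorization decision would only be printed and the test would still pass. Narrowing the handler to the exceptions the JSON load can raise, or declaring `throws Exception` on `runTests`, would remove that risk.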
@@ -73,10 +71,10 @@ public class TestPolicyEngine {
}
- static class PolicyEngineTests {
- public RangerServiceDef serviceDef;
- public List<RangerPolicy> policies;
- public List<TestData> tests;
+ static class PolicyEngineTestCase {
+ public RangerServiceDef serviceDef;
+ public List<RangerPolicy> policies;
+ public List<TestData> tests;
class TestData {
public String name;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3106b112/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
index e952d84..7388bbd 100644
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
@@ -8,8 +8,8 @@
{"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Hive Column","description":"Hive Column"}
],
"accessTypes":[
- {"name":"select","label":"select"},
- {"name":"update","label":"update"},
+ {"name":"select","label":"Select"},
+ {"name":"update","label":"Update"},
{"name":"create","label":"Create"},
{"name":"drop","label":"Drop"},
{"name":"alter","label":"Alter"},
@@ -31,31 +31,228 @@
"resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false}
+ ,
+ {"accesses":[{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["admin"],"groups":["admin"],"delegateAdmin":true}
]
}
],
"tests":[
- {"request":{
+ {"name":"'use default;' as user1 ==> ALLOWED",
+ "request":{
"resource":{"elements":{"database":"default"}},
"accessType":"select","user":"user1","userGroups":["users"],"requestData":"use default"
},
"result":{"result":"ALLOWED","isAudited":true,"policyId":2}
}
,
- {"request":{
- "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
- "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable"
+ {"name":"'use default;' as user2 ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"select","user":"user2","userGroups":["users"],"requestData":"use default"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'use default;' as user3 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"select","user":"user3","userGroups":["users"],"requestData":"use default"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'use default;' as user3, group1 ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"select","user":"user3","userGroups":["users", "group1"],"requestData":"use default"
},
"result":{"result":"ALLOWED","isAudited":true,"policyId":2}
}
,
- {"request":{
+ {"name":"'use default;' as user3, group2 ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"select","user":"user3","userGroups":["users", "group2"],"requestData":"use default"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'use default;' as user3, group3 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"select","user":"user3","userGroups":["users", "group3"],"requestData":"use default"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'use finance;' as user3, group3 ==> DENIED",
+ "request":{
"resource":{"elements":{"database":"finance"}},
"accessType":"select","user":"user1","userGroups":["users"],"requestData":"use finance"
},
"result":{"result":"DENIED","isAudited":true,"policyId":-1}
}
+ ,
+ {"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
+ "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'select col1 from default.testtable;' as user2 ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
+ "accessType":"select","user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'select col1 from default.testtable;' as user3 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
+ "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'select col1 from default.testtable;' as user3, group1 ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
+ "accessType":"select","user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'select col1 from default.testtable;' as user3, group2 ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
+ "accessType":"select","user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'select col1 from default.testtable;' as user3, group3 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
+ "accessType":"select","user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'select col1 from default.table1;' as user1 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
+ "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'create table default.testtable1;' as user1 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'create table default.testtable1;' as user1, group1 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"create","user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'create table default.testtable1;' as admin ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"create","user":"admin","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'create table default.testtable1;' as user1, admin ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'drop table default.testtable1;' as user1 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table default.testtable1;' as user1, group1 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"drop","user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table default.testtable1;' as admin ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"drop","user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'drop table default.testtable1;' as user1, admin ==> ALLOWED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"testtable1"}},
+ "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+ }
+ ,
+ {"name":"'create table default.table1;' as user1 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1"}},
+ "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"result":"DENIED","isAudited":false,"policyId":-1}
+ }
+ ,
+ {"name":"'create table default.table1;' as user1, admin ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1"}},
+ "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
+ },
+ "result":{"result":"DENIED","isAudited":false,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table default.table1;' as user1 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1"}},
+ "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"result":"DENIED","isAudited":false,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table default.table1;' as user1, admin ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1"}},
+ "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"result":"DENIED","isAudited":false,"policyId":-1}
+ }
+ ,
+ {"name":"'select col1 from default.table1;' as user3 ==> DENIED",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
+ "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1"
+ },
+ "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+ }
]
}
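Review bot: Several test names do not describe the request they label. The case named `'use finance;' as user3, group3 ==> DENIED` sends `"user":"user1"` with `"userGroups":["users"]`, so either the name should read `'use finance;' as user1 ==> DENIED` or the request should use user3 and group3. The four `default.table1` create/drop cases carry a `requestData` of `create table default.testtable1` or `drop table default.testtable1` although the resource element is `table1`. Because the test now reports failures through `assertEquals(test.name, ...)`, a mismatched name will point the reader at the wrong user or table when an authorization case fails.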