Posted to commits@ranger.apache.org by ma...@apache.org on 2015/01/09 18:59:56 UTC
incubator-ranger git commit: RANGER-203: added tests for HDFS access
requests.
Repository: incubator-ranger
Updated Branches:
refs/heads/stack 82400d2b6 -> ee9ecde98
RANGER-203: added tests for HDFS access requests.
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ee9ecde9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ee9ecde9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ee9ecde9
Branch: refs/heads/stack
Commit: ee9ecde98fc38be97ea100cd5227b945e7ed0f57
Parents: 82400d2
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Fri Jan 9 09:59:36 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Jan 9 09:59:36 2015 -0800
----------------------------------------------------------------------
.../RangerPathResourceMatcher.java | 12 +-
.../service-defs/ranger-servicedef-hdfs.json | 4 +-
.../plugin/policyengine/TestPolicyEngine.java | 30 ++--
.../policyengine/test_policyengine_hdfs.json | 140 +++++++++++++++++++
4 files changed, 173 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 79f68c0..2cf3a68 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -62,9 +62,17 @@ public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
for(String policyValue : policyValues) {
if(policyIsRecursive) {
- ret = optWildCard ? isRecursiveWildCardMatch(resource, policyValue) : StringUtils.startsWith(resource, policyValue);
+ ret = StringUtils.startsWith(resource, policyValue);
+
+ if(! ret && optWildCard) {
+ ret = isRecursiveWildCardMatch(resource, policyValue) ;
+ }
} else {
- ret = optWildCard ? FilenameUtils.wildcardMatch(resource, policyValue) : StringUtils.equals(resource, policyValue);
+ ret = StringUtils.equals(resource, policyValue);
+
+ if(! ret && optWildCard) {
+ ret = FilenameUtils.wildcardMatch(resource, policyValue);
+ }
}
if(ret) {
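Review bot: The recursive branch now accepts any resource that shares a raw string prefix with the policy value, even when wildcard matching is enabled, so a policy on `/finance/restricted` would also cover a sibling such as `/finance/restricted-archive/x` (constructed example). `StringUtils.startsWith(resource, policyValue)` has no notion of a path-component boundary. For an authorization matcher the prefix should count only when the policy value ends with the separator, the resource equals it, or the next character of the resource is the separator, for example `ret = StringUtils.startsWith(resource, policyValue) && endsOnPathBoundary(resource, policyValue);`, where `endsOnPathBoundary` is a new private helper to be written. Both new comparisons are also case-sensitive, and whether the matcher's ignoreCase option is applied before this point is not visible here. The enclosing loop and method continue outside the hunk.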
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
index b2431c7..907b6d3 100644
--- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
+++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
@@ -34,13 +34,13 @@
[
{"name":"username","type":"string","mandatory":true,"label":"Username"},
{"name":"password","type":"password","mandatory":true,"label":"Password"},
- {"name":"hadoop.security.authorization","type":"bool","mandatory":true,"defaultValue":"false"},
+ {"name":"hadoop.security.authorization","type":"bool","subType":"TrueFalse","mandatory":true,"defaultValue":"false"},
{"name":"hadoop.security.authentication","type":"enum","subType":"authnType","mandatory":true,"defaultValue":"simple"},
{"name":"hadoop.security.auth_to_local","type":"string","mandatory":false},
{"name":"dfs.datanode.kerberos.principal","type":"string","mandatory":false},
{"name":"dfs.namenode.kerberos.principal","type":"string","mandatory":false},
{"name":"dfs.secondary.namenode.kerberos.principal","type":"string","mandatory":false},
- {"name":"hadoop.rpc.protection","type":"rpcProtection","mandatory":false,"defaultValue":"authentication"},
+ {"name":"hadoop.rpc.protection","type":"enum","subType":"rpcProtection","mandatory":false,"defaultValue":"authentication"},
{"name":"certificate.cn","type":"string","mandatory":false,"label":"Common Name for Certificate"}
],
"resources":
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 553a0d7..811c873 100644
--- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -61,24 +61,36 @@ public class TestPolicyEngine {
}
@Test
+ public void testPolicyEngine_hdfs() {
+ String[] hdfsTestResourceFiles = { "/policyengine/test_policyengine_hdfs.json" };
+
+ runTestsFromResourceFiles(hdfsTestResourceFiles);
+ }
+
+ @Test
public void testPolicyEngine_hive() {
- String filename = "/policyengine/test_policyengine_hive.json";
- InputStream inStream = this.getClass().getResourceAsStream(filename);
- InputStreamReader reader = new InputStreamReader(inStream);
+ String[] hiveTestResourceFiles = { "/policyengine/test_policyengine_hive.json" };
- runTests(reader, filename);
+ runTestsFromResourceFiles(hiveTestResourceFiles);
}
@Test
public void testPolicyEngine_hbase() {
- String filename = "/policyengine/test_policyengine_hbase.json";
- InputStream inStream = this.getClass().getResourceAsStream(filename);
- InputStreamReader reader = new InputStreamReader(inStream);
+ String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase.json" };
- runTests(reader, filename);
+ runTestsFromResourceFiles(hbaseTestResourceFiles);
+ }
+
+ private void runTestsFromResourceFiles(String[] resourceNames) {
+ for(String resourceName : resourceNames) {
+ InputStream inStream = this.getClass().getResourceAsStream(resourceName);
+ InputStreamReader reader = new InputStreamReader(inStream);
+
+ runTests(reader, resourceName);
+ }
}
- public void runTests(InputStreamReader reader, String testName) {
+ private void runTests(InputStreamReader reader, String testName) {
try {
PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
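Review bot: `runTestsFromResourceFiles` passes the result of `getResourceAsStream` straight to `new InputStreamReader(inStream)`, so a misspelled or missing resource name fails with a bare NullPointerException instead of naming the file. I would add a check such as `org.junit.Assert.assertNotNull("test resource not found: " + resourceName, inStream);` (assuming JUnit 4, which the `@Test` annotations suggest) and read with an explicit charset, `new InputStreamReader(inStream, Charset.forName("UTF-8"))`, because the single-argument constructor uses the platform default. The reader is also never closed in the visible lines; closing it once `runTests` returns keeps the loop from leaking streams as more resource files are added. `runTests` continues past the end of the hunk.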
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
new file mode 100644
index 0000000..b9afd8b
--- /dev/null
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -0,0 +1,140 @@
+{
+ "serviceName":"hdfsdev",
+
+ "serviceDef":{
+ "name":"hdfs",
+ "id":1,
+ "resources":[
+ {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Resource Path","description":"HDFS file or directory path"}
+ ],
+ "accessTypes":[
+ {"name":"read","label":"Read"},
+ {"name":"write","label":"Write"},
+ {"name":"execute","label":"Execute"}
+ ]
+ },
+
+ "policies":[
+ {"id":1,"name":"audit-all-access under /finance/restricted/","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false,
+ "resources":{"path":{"values":["/public/"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":3,"name":"allow-read-to-finance under /finance/restricted","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/finance/restricted"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false}
+ ]
+ }
+ ],
+
+ "tests":[
+ {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":3}}}
+ }
+ ,
+ {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":3}}}
+ }
+ ,
+ {"name":"DENY 'read /operations/visitors.db' for g=finance",
+ "request":{
+ "resource":{"elements":{"path":"/operations/visitors.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ }
+ ,
+ {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance",
+ "request":{
+ "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+ }
+ ,
+
+ {"name":"DENY 'read /finance/restricted/sales.db' for g=hr",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ }
+ ,
+ {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ }
+ ,
+ {"name":"DENY 'read /operations/visitors.db' for g=hr",
+ "request":{
+ "resource":{"elements":{"path":"/operations/visitors.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ }
+ ,
+ {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr",
+ "request":{
+ "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+ }
+ ,
+
+ {"name":"DENY 'read /finance/restricted/sales.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ }
+ ,
+ {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ }
+ ,
+ {"name":"DENY 'read /operations/visitors.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/operations/visitors.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /operations/visitors.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+ }
+ ,
+ {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+ "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db"
+ },
+ "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+ }
+ ]
+}
+
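Review bot: Every request in this fixture is a `read` on a path that is either well inside a policy directory or clearly outside all of them, so the boundary behaviour of the path matcher is never exercised. I would add a case for a sibling that merely shares the prefix of policy 3 (for example a constructed `/finance/restricted-archive/sales.db` for g=finance, expected DENY), cases for `write` and `execute` on an otherwise readable path, and one case whose path differs only in letter case, since the service definition sets `wildCard=true;ignoreCase=true` but no test depends on either option. The test named `FALSE 'read /finance/restricted/hr/payroll.db' for g=hr` should probably be named `DENY ...` like its neighbours.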