Posted to commits@ranger.apache.org by ma...@apache.org on 2020/04/06 17:03:20 UTC
[ranger] 02/02: RANGER-2780: updated RangerBasePlugin to support
audit-excluded-users
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 8b963d304c77f7daf86131a514f1744a44b485b1
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Sun Apr 5 17:09:47 2020 -0700
RANGER-2780: updated RangerBasePlugin to support audit-excluded-users
---
.../hadoop/config/RangerPluginConfig.java | 39 +++
.../ranger/plugin/policyengine/PolicyEngine.java | 63 -----
.../plugin/policyengine/RangerPolicyEngine.java | 4 -
.../policyengine/RangerPolicyEngineImpl.java | 175 +++++++++----
.../ranger/plugin/service/RangerBasePlugin.java | 20 +-
.../plugin/policyengine/TestPolicyEngine.java | 36 ++-
...icyengine_audit_exclude_users_groups_roles.json | 283 +++++++++++++++++++++
7 files changed, 486 insertions(+), 134 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
index cea6842..89a31cc 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
@@ -19,6 +19,7 @@
package org.apache.ranger.authorization.hadoop.config;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.log4j.Logger;
@@ -27,6 +28,9 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import java.io.File;
import java.net.URL;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
public class RangerPluginConfig extends RangerConfiguration {
@@ -43,6 +47,11 @@ public class RangerPluginConfig extends RangerConfiguration {
private final boolean useForwardedIPAddress;
private final String[] trustedProxyAddresses;
private final String propertyPrefix;
+ private Set<String> auditExcludedUsers = Collections.emptySet();
+ private Set<String> auditExcludedGroups = Collections.emptySet();
+ private Set<String> auditExcludedRoles = Collections.emptySet();
+ private Set<String> superUsers = Collections.emptySet();
+ private Set<String> superGroups = Collections.emptySet();
public RangerPluginConfig(String serviceType, String serviceName, String appId, String clusterName, String clusterType, RangerPolicyEngineOptions policyEngineOptions) {
@@ -143,6 +152,36 @@ public class RangerPluginConfig extends RangerConfiguration {
return policyEngineOptions;
}
+ public void setAuditExcludedUsersGroupsRoles(Set<String> users, Set<String> groups, Set<String> roles) {
+ auditExcludedUsers = CollectionUtils.isEmpty(users) ? Collections.emptySet() : new HashSet<>(users);
+ auditExcludedGroups = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(groups);
+ auditExcludedRoles = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(roles);
+ }
+
+ public void setSuperUsersGroups(Set<String> users, Set<String> groups) {
+ superUsers = CollectionUtils.isEmpty(users) ? Collections.emptySet() : new HashSet<>(users);
+ superGroups = CollectionUtils.isEmpty(groups) ? Collections.emptySet() : new HashSet<>(groups);
+ }
+
+ public boolean isAuditExcludedUser(String userName) {
+ return auditExcludedUsers.contains(userName);
+ }
+
+ public boolean hasAuditExcludedGroup(Set<String> userGroups) {
+ return userGroups != null && userGroups.size() > 0 && auditExcludedGroups.size() > 0 && CollectionUtils.containsAny(userGroups, auditExcludedGroups);
+ }
+
+ public boolean hasAuditExcludedRole(Set<String> userRoles) {
+ return userRoles != null && userRoles.size() > 0 && auditExcludedRoles.size() > 0 && CollectionUtils.containsAny(userRoles, auditExcludedRoles);
+ }
+
+ public boolean isSuperUser(String userName) {
+ return superUsers.contains(userName);
+ }
+
+ public boolean hasSuperGroup(Set<String> userGroups) {
+ return userGroups != null && userGroups.size() > 0 && superGroups.size() > 0 && CollectionUtils.containsAny(userGroups, superGroups);
+ }
private void addResourcesForServiceType(String serviceType) {
String auditCfg = "ranger-" + serviceType + "-audit.xml";
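Review bot: `setAuditExcludedUsersGroupsRoles` tests the wrong argument when it assigns `auditExcludedRoles`: the ternary on that line checks `CollectionUtils.isEmpty(groups)`, so a non-empty roles set is discarded whenever groups is empty, and `new HashSet<>(roles)` throws NullPointerException when groups is non-empty and roles is null. The line should read `auditExcludedRoles = CollectionUtils.isEmpty(roles) ? Collections.emptySet() : new HashSet<>(roles);`. A second, hedged point: the five new fields are replaced wholesale by the setters and read on whichever thread evaluates a request, yet they are neither `final` nor `volatile`; if the setters can be called after the plugin is serving requests, declaring them `volatile` would make an update visible to the evaluating threads. Since membership in these sets turns auditing off for a request, `setAuditExcludedUsersGroupsRoles` also deserves a Javadoc stating that requests from a matching user, group or role are evaluated but not audited.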
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index bc80677..297d02f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -33,7 +33,6 @@ import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
@@ -64,9 +63,6 @@ public class PolicyEngine {
private boolean useForwardedIPAddress;
private String[] trustedProxyAddresses;
private boolean isPreCleaned = false;
- private final Set<String> auditExcludeUsers;
- private final Set<String> auditExcludeGroups;
- private final Set<String> auditExcludeRoles;
public boolean getUseForwardedIPAddress() {
@@ -115,18 +111,6 @@ public class PolicyEngine {
public RangerPluginContext getPluginContext() { return pluginContext; }
- public Set<String> getAuditExcludeUsers() {
- return auditExcludeUsers;
- }
-
- public Set<String> getAuditExcludeGroups() {
- return auditExcludeGroups;
- }
-
- public Set<String> getAuditExcludeRoles() {
- return auditExcludeRoles;
- }
-
@Override
public String toString() {
return toString(new StringBuilder()).toString();
@@ -177,45 +161,6 @@ public class PolicyEngine {
return resourceZoneTrie;
}
- public RangerAccessResult createAccessResult(RangerAccessRequest request, int policyType) {
- RangerAccessResult ret = new RangerAccessResult(policyType, getServiceName(), getPolicyRepository().getServiceDef(), request);
-
- switch (getPolicyRepository().getAuditModeEnum()) {
- case AUDIT_ALL:
- ret.setIsAudited(true);
- break;
-
- case AUDIT_NONE:
- ret.setIsAudited(false);
- break;
-
- default:
- if (CollectionUtils.isEmpty(getPolicyRepository().getPolicies()) && getTagPolicyRepository() == null) {
- ret.setIsAudited(true);
- }
-
- break;
- }
- if (isAuditExcludedRequest(request)) {
- ret.setIsAudited(false);
- }
- return ret;
- }
-
- private boolean isAuditExcludedRequest(RangerAccessRequest request) {
- boolean ret = getAuditExcludeUsers().contains(request.getUser());
-
- if (!ret && CollectionUtils.isNotEmpty(getAuditExcludeGroups())) {
- ret = CollectionUtils.containsAny(getAuditExcludeGroups(), request.getUserGroups());
- }
-
- if (!ret && CollectionUtils.isNotEmpty(getAuditExcludeRoles())) {
- Set<String> roles = this.pluginContext.getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups());
- ret = CollectionUtils.containsAny(getAuditExcludeRoles(), roles);
- }
- return ret;
- }
-
public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> PolicyEngine(" + ", " + servicePolicies + ", " + pluginContext + ")");
@@ -290,10 +235,6 @@ public class PolicyEngine {
}
}
- this.auditExcludeUsers = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS)) : new HashSet<String>();
- this.auditExcludeGroups = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS)) : new HashSet<String>();
- this.auditExcludeRoles = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES)) : new HashSet<String>();
-
RangerPerfTracer.log(perf);
if (PERF_POLICYENGINE_INIT_LOG.isDebugEnabled()) {
@@ -622,10 +563,6 @@ public class PolicyEngine {
this.trustedProxyAddresses = other.trustedProxyAddresses;
this.pluginContext = other.pluginContext;
- this.auditExcludeUsers = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS)) : new HashSet<String>();
- this.auditExcludeGroups = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS)) : new HashSet<String>();
- this.auditExcludeRoles = servicePolicies.getServiceConfig() !=null ? StringUtil.toSet(servicePolicies.getServiceConfig().get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES)) : new HashSet<String>();
-
long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L;
List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>();
List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new ArrayList<>();
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index c673169..fdec9ca 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -51,10 +51,6 @@ public interface RangerPolicyEngine {
void setTrustedProxyAddresses(String[] trustedProxyAddresses);
- void setSuperUsersAndGroups(Set<String> users, Set<String> groups);
-
- boolean isSuperUser(String userName, Set<String> userGroups);
-
RangerServiceDef getServiceDef();
long getPolicyVersion();
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index c68e22d..6140549 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -24,6 +24,7 @@ import org.apache.commons.collections.ListUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
import org.apache.ranger.plugin.model.RangerPolicy;
@@ -59,11 +60,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private final PolicyEngine policyEngine;
private final RangerAccessRequestProcessor requestProcessor;
- private final Set<String> svcCfgSuperUsers;
- private final Set<String> svcCfgSuperGroups;
- private Set<String> superUsers;
- private Set<String> superGroups;
- private boolean isEmptySupers = true;
+ private final ServiceConfig serviceConfig;
static public RangerPolicyEngine getPolicyEngine(final RangerPolicyEngineImpl other, final ServicePolicies servicePolicies) {
@@ -81,29 +78,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) {
- this(servicePolicies, pluginContext, roles, null, null);
- }
-
- public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles, Set<String> superUsers, Set<String> superGroups) {
- policyEngine = new PolicyEngine(servicePolicies, pluginContext, roles);
-
- policyEngine.getPluginContext().getAuthContext().setRoles(roles);
-
+ policyEngine = new PolicyEngine(servicePolicies, pluginContext, roles);
+ serviceConfig = new ServiceConfig(servicePolicies.getServiceConfig());
requestProcessor = new RangerDefaultRequestProcessor(policyEngine);
-
- Map<String, String> svcConfig = servicePolicies.getServiceConfig();
- String cfgSuperUsers = null;
- String cfgSuperGroups = null;
-
- if (svcConfig != null) {
- cfgSuperUsers = svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_USERS);
- cfgSuperGroups = svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_GROUPS);
- }
-
- svcCfgSuperUsers = StringUtils.isNotBlank(cfgSuperUsers) ? StringUtil.toSet(cfgSuperUsers) : Collections.emptySet();
- svcCfgSuperGroups = StringUtils.isNotBlank(cfgSuperGroups) ? StringUtil.toSet(cfgSuperGroups) : Collections.emptySet();
-
- setSuperUsersAndGroups(superUsers, superGroups);
}
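Review bot: The rewritten constructor drops `policyEngine.getPluginContext().getAuthContext().setRoles(roles);` and nothing else in this commit replaces it; unless `PolicyEngine`'s constructor (outside this diff) already installs the roles on the auth context, role membership would not be resolvable for requests evaluated by this engine, which also affects the role-based audit exclusion introduced here. If the call is still needed, restore it immediately after `policyEngine = new PolicyEngine(servicePolicies, pluginContext, roles);`. Removing the public five-argument constructor, together with `setSuperUsersAndGroups` and `isSuperUser` from the `RangerPolicyEngine` interface, is a source-incompatible change for any caller outside the files in this commit; the service-specific plugin modules are not in the diff, so I cannot confirm none of them use these.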
@Override
@@ -497,21 +474,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
@Override
- public void setSuperUsersAndGroups(Set<String> users, Set<String> groups) {
- this.superUsers = users == null ? Collections.emptySet() : users;
- this.superGroups = groups == null ? Collections.emptySet() : groups;
- this.isEmptySupers = CollectionUtils.isEmpty(superUsers) && CollectionUtils.isEmpty(svcCfgSuperUsers) &&
- CollectionUtils.isEmpty(superGroups) && CollectionUtils.isEmpty(svcCfgSuperGroups);
- }
-
- @Override
- public boolean isSuperUser(String userName, Set<String> userGroups) {
- return !isEmptySupers && (superUsers.contains(userName) || svcCfgSuperUsers.contains(userName) ||
- CollectionUtils.containsAny(superGroups, userGroups) ||
- CollectionUtils.containsAny(svcCfgSuperGroups, userGroups));
- }
-
- @Override
public RangerServiceDef getServiceDef() {
return policyEngine.getServiceDef();
}
@@ -574,12 +536,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
private RangerPolicyEngineImpl(final PolicyEngine policyEngine, RangerPolicyEngineImpl other) {
- this.policyEngine = policyEngine;
- this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine);
- this.svcCfgSuperUsers = new HashSet<>(other.svcCfgSuperUsers);
- this.svcCfgSuperGroups = new HashSet<>(other.svcCfgSuperGroups);
- this.superUsers = new HashSet<>(other.superUsers);
- this.superGroups = new HashSet<>(other.superGroups);
+ this.policyEngine = policyEngine;
+ this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine);
+ this.serviceConfig = new ServiceConfig(other.serviceConfig);
}
private RangerAccessResult zoneAwareAccessEvaluationWithNoAudit(RangerAccessRequest request, int policyType) {
@@ -623,7 +582,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
final Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date();
- final RangerAccessResult ret = policyEngine.createAccessResult(request, policyType);
+ final RangerAccessResult ret = createAccessResult(request, policyType);
final boolean isSuperUser = isSuperUser(request.getUser(), request.getUserGroups());
// for superusers, set access as allowed
@@ -751,7 +710,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
RangerTagForEval tag = policyEvaluator.getTag();
RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
- RangerAccessResult tagEvalResult = policyEngine.createAccessResult(tagEvalRequest, policyType);
+ RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest, policyType);
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyEngineImpl.evaluateTagPolicies: Evaluating policies for tag (" + tag.getType() + ")");
@@ -798,4 +757,120 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
}
+
+ private RangerAccessResult createAccessResult(RangerAccessRequest request, int policyType) {
+ RangerPolicyRepository repository = policyEngine.getPolicyRepository();
+ RangerAccessResult ret = new RangerAccessResult(policyType, repository.getServiceName(), repository.getServiceDef(), request);
+
+ switch (repository.getAuditModeEnum()) {
+ case AUDIT_ALL:
+ ret.setIsAudited(true);
+ break;
+
+ case AUDIT_NONE:
+ ret.setIsAudited(false);
+ break;
+
+ default:
+ if (CollectionUtils.isEmpty(repository.getPolicies()) && policyEngine.getTagPolicyRepository() == null) {
+ ret.setIsAudited(true);
+ }
+
+ break;
+ }
+
+ if (isAuditExcludedUser(request.getUser(), request.getUserGroups(), RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext()))) {
+ ret.setIsAudited(false);
+ }
+
+ return ret;
+ }
+
+ private boolean isAuditExcludedUser(String userName, Set<String> userGroups, Set<String> userRoles) {
+ boolean ret = serviceConfig.isAuditExcludedUser(userName);
+
+ if (!ret) {
+ RangerPluginConfig pluginConfig = policyEngine.getPluginContext().getConfig();
+
+ ret = pluginConfig.isAuditExcludedUser(userName);
+
+ if (!ret && userGroups != null && userGroups.size() > 0) {
+ ret = serviceConfig.hasAuditExcludedGroup(userGroups) || pluginConfig.hasAuditExcludedGroup(userGroups);
+ }
+
+ if (!ret && userRoles != null && userRoles.size() > 0) {
+ ret = serviceConfig.hasAuditExcludedRole(userRoles) || pluginConfig.hasAuditExcludedRole(userRoles);
+ }
+ }
+
+ return ret;
+ }
+
+ private boolean isSuperUser(String userName, Set<String> userGroups) {
+ boolean ret = serviceConfig.isSuperUser(userName);
+
+ if (!ret) {
+ RangerPluginConfig pluginConfig = policyEngine.getPluginContext().getConfig();
+
+ ret = pluginConfig.isSuperUser(userName);
+
+ if (!ret && userGroups != null && userGroups.size() > 0) {
+ ret = serviceConfig.hasSuperGroup(userGroups) || pluginConfig.hasSuperGroup(userGroups);
+ }
+ }
+
+ return ret;
+ }
+
+ private static class ServiceConfig {
+ private final Set<String> auditExcludedUsers;
+ private final Set<String> auditExcludedGroups;
+ private final Set<String> auditExcludedRoles;
+ private final Set<String> superUsers;
+ private final Set<String> superGroups;
+
+ public ServiceConfig(Map<String, String> svcConfig) {
+ if (svcConfig != null) {
+ auditExcludedUsers = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_USERS));
+ auditExcludedGroups = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_GROUPS));
+ auditExcludedRoles = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES));
+ superUsers = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_USERS));
+ superGroups = StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_GROUPS));
+ } else {
+ auditExcludedUsers = Collections.emptySet();
+ auditExcludedGroups = Collections.emptySet();
+ auditExcludedRoles = Collections.emptySet();
+ superUsers = Collections.emptySet();
+ superGroups = Collections.emptySet();
+ }
+ }
+
+ public ServiceConfig(ServiceConfig other) {
+ auditExcludedUsers = other == null || CollectionUtils.isEmpty(other.auditExcludedUsers) ? Collections.emptySet() : new HashSet<>(other.auditExcludedUsers);
+ auditExcludedGroups = other == null || CollectionUtils.isEmpty(other.auditExcludedGroups) ? Collections.emptySet() : new HashSet<>(other.auditExcludedGroups);
+ auditExcludedRoles = other == null || CollectionUtils.isEmpty(other.auditExcludedRoles) ? Collections.emptySet() : new HashSet<>(other.auditExcludedRoles);
+ superUsers = other == null || CollectionUtils.isEmpty(other.superUsers) ? Collections.emptySet() : new HashSet<>(other.superUsers);
+ superGroups = other == null || CollectionUtils.isEmpty(other.superGroups) ? Collections.emptySet() : new HashSet<>(other.superGroups);
+ }
+
+ public boolean isAuditExcludedUser(String userName) {
+ return auditExcludedUsers.contains(userName);
+ }
+
+ public boolean hasAuditExcludedGroup(Set<String> userGroups) {
+ return userGroups != null && userGroups.size() > 0 && auditExcludedGroups.size() > 0 && CollectionUtils.containsAny(userGroups, auditExcludedGroups);
+ }
+
+ public boolean hasAuditExcludedRole(Set<String> userRoles) {
+ return userRoles != null && userRoles.size() > 0 && auditExcludedRoles.size() > 0 && CollectionUtils.containsAny(userRoles, auditExcludedRoles);
+ }
+
+ public boolean isSuperUser(String userName) {
+ return superUsers.contains(userName);
+ }
+
+ public boolean hasSuperGroup(Set<String> userGroups) {
+ return userGroups != null && userGroups.size() > 0 && superGroups.size() > 0 && CollectionUtils.containsAny(userGroups, superGroups);
+ }
+ }
}
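Review bot: `ServiceConfig(Map)` hands the raw `svcConfig.get(...)` value straight to `StringUtil.toSet`, whereas the removed constructor guarded the super-user and super-group lookups with `StringUtils.isNotBlank(...) ? StringUtil.toSet(...) : Collections.emptySet()`; if `StringUtil.toSet` returns null for a null or blank input, `superUsers.contains(userName)` in `isSuperUser` would throw on every request for a service whose config lacks the property, so either confirm that `toSet` never returns null or restore the guard, e.g. `superUsers = StringUtils.isNotBlank(cfgSuperUsers) ? StringUtil.toSet(cfgSuperUsers) : Collections.emptySet();`. Separately, `createAccessResult` now takes roles from `RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext())` instead of resolving them through the auth context as the removed `PolicyEngine.isAuditExcludedRequest` did; because `createAccessResult` runs before policy evaluation, role-based exclusion silently never matches if the request context has not been populated with roles by then (fail-safe, the request is still audited, but the feature would not work). The five predicate methods on `ServiceConfig` are verbatim copies of those added to `RangerPluginConfig`; a shared helper taking the two sets would remove the duplication.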
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index b5e18ba..41b2492 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -56,7 +56,6 @@ import org.apache.ranger.plugin.util.*;
public class RangerBasePlugin {
private static final Log LOG = LogFactory.getLog(RangerBasePlugin.class);
-
private final RangerPluginConfig pluginConfig;
private final RangerPluginContext pluginContext;
private final Map<String, LogHistory> logHistoryList = new Hashtable<>();
@@ -67,8 +66,6 @@ public class RangerBasePlugin {
private RangerAuthContext currentAuthContext;
private RangerAccessResultProcessor resultProcessor;
private RangerRoles roles;
- private Set<String> superUsers = Collections.emptySet();
- private Set<String> superGroups = Collections.emptySet();
public RangerBasePlugin(String serviceType, String appId) {
@@ -130,15 +127,12 @@ public class RangerBasePlugin {
pluginContext.notifyAuthContextChanged();
}
- public void setSuperUsersAndGroups(Set<String> users, Set<String> groups) {
- this.superUsers = users == null ? Collections.emptySet() : users;
- this.superGroups = groups == null ? Collections.emptySet() : groups;
-
- RangerPolicyEngine policyEngine = this.policyEngine;
+ public void setAuditExcludedUsersGroupsRoles(Set<String> users, Set<String> groups, Set<String> roles) {
+ pluginConfig.setAuditExcludedUsersGroupsRoles(users, groups, roles);
+ }
- if (policyEngine != null) {
- policyEngine.setSuperUsersAndGroups(this.superUsers, this.superGroups);
- }
+ public void setSuperUsersAndGroups(Set<String> users, Set<String> groups) {
+ pluginConfig.setSuperUsersGroups(users, groups);
}
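Review bot: `setSuperUsersAndGroups` and the new `setAuditExcludedUsersGroupsRoles` only write into `pluginConfig`, whereas the removed body also pushed the values into the live `policyEngine`; this is equivalent only if the engine reads these sets from the same `RangerPluginConfig` instance through `pluginContext.getConfig()`, which the engine-side changes suggest but the `RangerPluginContext` wiring outside this commit does not show. Both setters are undocumented and one of them switches auditing off; I would add `/** Requests from these users, groups or roles are evaluated normally but are not audited; applies to requests evaluated after the call. */` above `setAuditExcludedUsersGroupsRoles` and `/** Users and groups whose requests are allowed without policy evaluation. */` above `setSuperUsersAndGroups`, adjusting the wording if the engine's behaviour differs.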
public RangerServiceDef getServiceDef() {
@@ -230,7 +224,7 @@ public class RangerBasePlugin {
LOG.debug("Creating engine from policies");
}
- newPolicyEngine = new RangerPolicyEngineImpl(policies, pluginContext, roles, superUsers, superGroups);
+ newPolicyEngine = new RangerPolicyEngineImpl(policies, pluginContext, roles);
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("policy-deltas are not null");
@@ -259,7 +253,7 @@ public class RangerBasePlugin {
LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies + "]");
}
- newPolicyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles, superUsers, superGroups);
+ newPolicyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
}
} else {
if (LOG.isDebugEnabled()) {
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 8811f2a..26c7dfb 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -408,6 +408,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(resourceFiles);
}
+ @Test
+ public void testPolicyEngine_auditExcludeUsersGroupsRoles() {
+ String[] resourceFiles = {"/policyengine/test_policyengine_audit_exclude_users_groups_roles.json"};
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
private void runTestsFromResourceFiles(String[] resourceNames) {
for(String resourceName : resourceNames) {
InputStream inStream = this.getClass().getResourceAsStream(resourceName);
@@ -462,6 +469,7 @@ public class TestPolicyEngine {
Map<String, Set<String>> userRoleMapping = testCase.userRoles;
Map<String, Set<String>> groupRoleMapping = testCase.groupRoles;
+ Map<String, Set<String>> roleRoleMapping = testCase.roleRoles;
if (userRoleMapping != null) {
for (Map.Entry<String, Set<String>> userRole : userRoleMapping.entrySet()) {
String user = userRole.getKey();
@@ -482,26 +490,42 @@ public class TestPolicyEngine {
RangerRole.RoleMember groupRoleMember = new RangerRole.RoleMember(group, true);
List<RangerRole.RoleMember> groupRoleMembers = Arrays.asList(groupRoleMember);
for (String grpRole : groupRoles) {
- RangerRole rangerGroupRole = new RangerRole(grpRole, grpRole, null, groupRoleMembers, null);
+ RangerRole rangerGroupRole = new RangerRole(grpRole, grpRole, null, null, groupRoleMembers);
rolesSet.add(rangerGroupRole);
}
}
}
+ if (roleRoleMapping != null) {
+ for (Map.Entry<String, Set<String>> roleRole : roleRoleMapping.entrySet()) {
+ String role = roleRole.getKey();
+ Set<String> roleRoles = roleRole.getValue();
+ RangerRole.RoleMember roleRoleMember = new RangerRole.RoleMember(role, true);
+ List<RangerRole.RoleMember> roleRoleMembers = Arrays.asList(roleRoleMember);
+ for (String rleRole : roleRoles) {
+ RangerRole rangerRoleRole = new RangerRole(rleRole, rleRole, null, null, null, roleRoleMembers);
+ rolesSet.add(rangerRoleRole);
+ }
+ }
+ }
+
roles.setRangerRoles(rolesSet);
RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions();
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
- RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles, testCase.superUsers, testCase.superGroups);
+ pluginContext.getConfig().setSuperUsersGroups(testCase.superUsers, testCase.superGroups);
+ pluginContext.getConfig().setAuditExcludedUsersGroupsRoles(testCase.auditExcludedUsers, testCase.auditExcludedGroups, testCase.auditExcludedRoles);
+
+ RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;
- RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles, testCase.superUsers, testCase.superGroups);
+ RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
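Review bot: The new `roleRoleMapping` loop mirrors the group loop above it, but the direction of the mapping is not obvious from the code: the map key `role` presumably becomes a member of each role named in its value set, through the sixth `RangerRole` constructor argument. A one-line comment above `if (roleRoleMapping != null)` such as `// roleRoles: key is a role that is itself a member of every role in the value set` would spare the next reader a trip to the `RangerRole` constructor; the same reading applies to `userRoles` and `groupRoles`, whose loops start outside this hunk. The loop variable `rleRole` reads like a typo for `roleRole`, which is already taken; `parentRole` would be clearer.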
@@ -672,6 +696,7 @@ public class TestPolicyEngine {
public Map<String, ServicePolicies.SecurityZoneInfo> securityZones;
public Map<String, Set<String>> userRoles;
public Map<String, Set<String>> groupRoles;
+ public Map<String, Set<String>> roleRoles;
public String auditMode;
public List<TestData> tests;
public Map<String, String> serviceConfig;
@@ -679,7 +704,10 @@ public class TestPolicyEngine {
public List<TestData> updatedTests;
public Set<String> superUsers;
public Set<String> superGroups;
-
+ public Set<String> auditExcludedUsers;
+ public Set<String> auditExcludedGroups;
+ public Set<String> auditExcludedRoles;
+
class TestData {
public String name;
public RangerAccessRequest request;
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_audit_exclude_users_groups_roles.json b/agents-common/src/test/resources/policyengine/test_policyengine_audit_exclude_users_groups_roles.json
new file mode 100644
index 0000000..191a7d0
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_audit_exclude_users_groups_roles.json
@@ -0,0 +1,283 @@
+{
+ "serviceName":"hivedev",
+
+ "original-serviceDef":{
+ "name":"hive",
+ "id":3,
+ "resources":[
+ {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
+ {"name":"url","level":1,"mandatory":true,"lookupSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"URL","description":"URL"},
+ {"name":"hiveservice","level":1,"mandatory":true,"lookupSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HiveService","description":"HiveService"},
+ {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
+ {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
+ {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
+ ],
+ "accessTypes":[
+ {"name":"select","label":"Select"},
+ {"name":"update","label":"Update"},
+ {"name":"create","label":"Create"},
+ {"name":"drop","label":"Drop"},
+ {"name":"alter","label":"Alter"},
+ {"name":"index","label":"Index"},
+ {"name":"lock","label":"Lock"},
+ {"name":"read","label":"Read"},
+ {"name":"write","label":"Write"},
+ {"name":"repladmin","label":"ReplAdmin"},
+ {"name":"serviceadmin","label":"ServiceAdmin"},
+ {"name":"all","label":"All",
+ "impliedGrants": ["select", "update", "create", "drop", "alter", "index", "lock", "read", "write", "repladmin", "serviceadmin"]
+ }
+ ]
+ },
+
+ "serviceDef": {
+ "id":3,
+ "name": "hive",
+ "implClass": "org.apache.ranger.services.hive.RangerServiceHive",
+ "label": "Hive Server2",
+ "description": "Hive Server2",
+ "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
+
+ "resources": [
+ {"itemId": 1, "name": "database", "type": "string", "level": 10, "parent": "", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Hive Database", "description": "Hive Database", "isValidLeaf": true},
+ {"itemId": 2, "name": "table", "type": "string", "level": 20, "parent": "database", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Hive Table", "description": "Hive Table", "isValidLeaf": true},
+ {"itemId": 3, "name": "udf", "type": "string", "level": 20, "parent": "database", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Hive UDF", "description": "Hive UDF", "isValidLeaf": true},
+ {"itemId": 4, "name": "column", "type": "string", "level": 30, "parent": "table", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":true }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Hive Column", "description": "Hive Column", "isValidLeaf": true},
+ {"itemId": 5, "name": "url", "type": "string", "level": 10, "parent": "", "mandatory": true, "lookupSupported": false, "recursiveSupported": true, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher", "matcherOptions": { "wildCard":true, "ignoreCase":false }, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "URL", "description": "URL", "isValidLeaf": true}
+ ],
+
+ "accessTypes": [
+ {"itemId": 1, "name": "select", "label": "select"},
+ {"itemId": 2, "name": "update", "label": "update"},
+ {"itemId": 3, "name": "create", "label": "Create"},
+ {"itemId": 4, "name": "drop", "label": "Drop"},
+ {"itemId": 5, "name": "alter", "label": "Alter"},
+ {"itemId": 6, "name": "index", "label": "Index"},
+ {"itemId": 7, "name": "lock", "label": "Lock"},
+ {"itemId": 8, "name": "all", "label": "All",
+ "impliedGrants": ["select", "update", "create", "drop", "alter", "index", "lock", "read", "write"]},
+ {"itemId": 9, "name": "read", "label": "Read"},
+ {"itemId": 10, "name": "write", "label": "Write"}
+ ],
+
+ "configs": [
+ {"itemId": 1, "name": "username", "type": "string", "mandatory": true, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Username"},
+ {"itemId": 2, "name": "password", "type": "password", "mandatory": true, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Password"},
+ {"itemId": 3, "name": "jdbc.driverClassName", "type": "string", "mandatory": true, "validationRegEx":"", "validationMessage": "", "uiHint":"", "defaultValue": "org.apache.hive.jdbc.HiveDriver"},
+ {"itemId": 4, "name": "jdbc.url", "type": "string", "mandatory": true, "defaultValue": "", "validationRegEx":"", "validationMessage": "", "uiHint":""},
+ {"itemId": 5, "name": "commonNameForCertificate", "type": "string", "mandatory": false, "validationRegEx":"", "validationMessage": "", "uiHint":"", "label": "Common Name for Certificate"}
+ ],
+
+ "enums": [
+ ],
+
+ "contextEnrichers": [
+ ],
+
+ "policyConditions": [
+ ]
+ },
+
+ "userRoles": {
+ "user-in-aer1": [ "aer1" ],
+ "user-in-aer2": [ "aer2" ],
+ "user-in-svc-cfg-aer1": [ "svc-cfg-aer1" ],
+ "user-in-svc-cfg-aer2": [ "svc-cfg-aer2" ]
+ },
+
+ "groupRoles": {
+ "group-in-aer1": [ "aer1" ],
+ "group-in-aer2": [ "aer2" ],
+ "group-in-svc-cfg-aer1": [ "svc-cfg-aer1" ],
+ "group-in-svc-cfg-aer2": [ "svc-cfg-aer2" ]
+ },
+
+ "roleRoles": {
+ "role-in-aer1": [ "aer1" ],
+ "role-in-aer2": [ "aer2" ],
+ "role-in-svc-cfg-aer1": [ "svc-cfg-aer1" ],
+ "role-in-svc-cfg-aer2": [ "svc-cfg-aer2" ]
+ },
+
+ "serviceConfig": {
+ "ranger.plugin.audit.exclude.users": "svc-cfg-aeu1, svc-cfg-aeu2",
+ "ranger.plugin.audit.exclude.groups": "svc-cfg-aeg1, svc-cfg-aeg2",
+ "ranger.plugin.audit.exclude.roles": "svc-cfg-aer1, svc-cfg-aer2"
+ },
+
+ "policies":[
+ {"id":1,"name":"database=db-*,table=*,column=* - allow create to everyone, audit accesses","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["db-*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"create","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ],
+
+ "auditExcludedUsers": [ "aeu1", "aeu2" ],
+ "auditExcludedGroups": [ "aeg1", "aeg2" ],
+ "auditExcludedRoles": [ "aer1", "aer2" ],
+
+ "tests":[
+ {"name":"NO AUDIT 'create db-1.tbl-1;' for group-in-aer1",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+ "accessType":"create","user":"user3","userGroups":["group-in-aer1"],"requestData":"create db-1.tbl-1;' for group-in-aer1"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1;' for aeu1",
+ "request":{
+ "resource":{"elements":{"database":"db-1"}},
+ "accessType":"create","user":"aeu1","requestData":"create db-1 for aeu1"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-2;' for aeu2",
+ "request":{
+ "resource":{"elements":{"database":"db-2"}},
+ "accessType":"create","user":"aeu2","requestData":"create db-2 for aeu2"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1;' for svc-cfg-aeu1",
+ "request":{
+ "resource":{"elements":{"database":"db-1"}},
+ "accessType":"create","user":"svc-cfg-aeu1","requestData":"create db-1 for svc-cfg-aeu1"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-2;' for svc-cfg-aeu2",
+ "request":{
+ "resource":{"elements":{"database":"db-2"}},
+ "accessType":"create","user":"svc-cfg-aeu2","requestData":"create db-2 for svc-cfg-aeu2"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-1;' for user1 (in aeg1)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+ "accessType":"create","user":"user1","userGroups":["aeg1"],"requestData":"create db-1.tbl-1;' for user1 (in aeg1)"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-2;' for user2 (in aeg2)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+ "accessType":"create","user":"user2","userGroups":["aeg2"],"requestData":"create db-1.tbl-2;' for user2 (in aeg2)"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-1;' for user1 (in svc-cfg-aeg1)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+ "accessType":"create","user":"user1","userGroups":["svc-cfg-aeg1"],"requestData":"create db-1.tbl-1;' for user1 (in svc-cfg-aeg1)"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-2;' for user2 (in svc-cfg-aeg2)",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+ "accessType":"create","user":"user2","userGroups":["svc-cfg-aeg2"],"requestData":"create db-1.tbl-2;' for user2 (in svc-cfg-aeg2)"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-1;' for user-in-aer1",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+ "accessType":"create","user":"user-in-aer1","requestData":"create db-1.tbl-1;' for user1 (in aer1)"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-2;' for user-in-aer2",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+ "accessType":"create","user":"user-in-aer2","requestData":"create db-1.tbl-2;' for user2 (in aer2)"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-1;' for user-in-svc-cfg-aer1",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+ "accessType":"create","user":"user-in-svc-cfg-aer1","requestData":"create db-1.tbl-1;' for user1 (in svc-cfg-aer1)"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-2;' for user-in-svc-cfg-aer2",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+ "accessType":"create","user":"user-in-svc-cfg-aer2","requestData":"create db-1.tbl-2;' for user2 (in svc-cfg-aer2)"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-1;' for group-in-aer1",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+ "accessType":"create","user":"user3","userGroups":["group-in-aer1"],"requestData":"create db-1.tbl-1;' for group-in-aer1"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-2;' for group-in-aer2",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+ "accessType":"create","user":"user3", "userGroups":["group-in-aer2"],"requestData":"create db-1.tbl-2;' for group-in-aer2"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-1;' for group-in-svc-cfg-aer1",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-1"}},
+ "accessType":"create","user":"user3","userGroups":["group-in-svc-cfg-aer1"],"requestData":"create db-1.tbl-1;' for group-in-svc-cfg-aer1"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-2;' for group-in-svc-cfg-aer2",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+ "accessType":"create","user":"user3", "userGroups":["group-in-svc-cfg-aer2"],"requestData":"create db-1.tbl-2;' for group-in-svc-cfg-aer2"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create db-1.tbl-2;' for group-in-svc-cfg-aer2",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-2"}},
+ "accessType":"create","user":"user3", "userGroups":["group-in-svc-cfg-aer2"],"requestData":"create db-1.tbl-2;' for group-in-svc-cfg-aer2"
+ },
+ "result":{"isAudited":false,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"AUDIT 'create db-1.tbl-3;' for user3",
+ "request":{
+ "resource":{"elements":{"database":"db-1", "table":"tbl-3"}},
+ "accessType":"create","user":"user3","userGroups":["users"],"requestData":"create db-1.tbl-3;' for user3"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"NO AUDIT 'create testdb;' for aeu1; no audit",
+ "request":{
+ "resource":{"elements":{"database":"testdb"}},
+ "accessType":"create","user":"aeu1","requestData":"create db-1 for aeu1"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ]
+}
+
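Review bot: Two test cases in the new fixture are exact duplicates and add no coverage: the "group-in-aer1" case at L783-L789 repeats L679-L685, and the second "group-in-svc-cfg-aer2" case at L815-L821 repeats L807-L813. Meanwhile the `roleRoles` block at L652-L657 defines role-to-role mappings (`role-in-aer1` etc.) that no test exercises, so exclusion through a nested role is never verified; replacing the duplicates with a request whose user or group holds only `role-in-aer1` or `role-in-svc-cfg-aer1` would cover that path. The `requestData` at L834 still says `create db-1 for aeu1` although the request targets `testdb`; since that string is what lands in the audit record, it should read `create testdb for aeu1`. That last case also pins that a denied request from an excluded user is not audited at all, which is worth stating in its `name` so the behaviour is recognisably intentional rather than incidental.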