Posted to commits@ranger.apache.org by ab...@apache.org on 2018/01/30 18:35:29 UTC
ranger git commit: RANGER-1966: Policy engine initialization does not
create context enrichers in some cases
Repository: ranger
Updated Branches:
refs/heads/ranger-0.7 0fa926613 -> 27829af8f
RANGER-1966: Policy engine initialization does not create context enrichers in some cases
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/27829af8
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/27829af8
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/27829af8
Branch: refs/heads/ranger-0.7
Commit: 27829af8f9af8c48e975311f38bd1e0fc8237e95
Parents: 0fa9266
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Tue Jan 30 10:18:57 2018 -0800
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Tue Jan 30 10:18:57 2018 -0800
----------------------------------------------------------------------
.../policyengine/RangerPolicyRepository.java | 32 +-
.../plugin/policyengine/TestPolicyEngine.java | 7 +
.../test_policyengine_tag_hive_mask.json | 434 +++++++++++++++++++
3 files changed, 471 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/27829af8/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 1580766..a8fa292 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -584,7 +584,8 @@ class RangerPolicyRepository {
this.rowFilterPolicyEvaluators = Collections.unmodifiableList(rowFilterPolicyEvaluators);
List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
- if (CollectionUtils.isNotEmpty(this.policyEvaluators)) {
+ if (CollectionUtils.isNotEmpty(this.policyEvaluators) || CollectionUtils.isNotEmpty(this.dataMaskPolicyEvaluators)
+ || CollectionUtils.isNotEmpty(this.rowFilterPolicyEvaluators)) {
if (CollectionUtils.isNotEmpty(serviceDef.getContextEnrichers())) {
for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) {
if (enricherDef == null) {
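Review bot: The widened guard at L36-37 has no comment explaining why context-enricher creation is tied to the presence of evaluators, and a three-clause `||` spread over two lines is exactly the shape that regresses again the next time a policy type is added. Consider hoisting it into a named local, `boolean hasEvaluators = CollectionUtils.isNotEmpty(this.policyEvaluators) || CollectionUtils.isNotEmpty(this.dataMaskPolicyEvaluators) || CollectionUtils.isNotEmpty(this.rowFilterPolicyEvaluators);`, and writing `if (hasEvaluators) {` with the comment `// enrichers are needed whenever any evaluator (access, data-mask or row-filter) may depend on enriched context; judging from the commit title, skipping them left mask/row-filter policies without that context`. The constructor body this belongs to starts before the hunk, so I cannot see whether the three lists are assigned unconditionally (L33 suggests they are unmodifiable, non-null lists).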
@@ -627,7 +628,7 @@ class RangerPolicyRepository {
LOG.debug("dataMask policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder());
}
- LOG.debug("rowFilter policy evaluation order: " + this.dataMaskPolicyEvaluators.size() + " policies");
+ LOG.debug("rowFilter policy evaluation order: " + this.rowFilterPolicyEvaluators.size() + " policies");
order = 0;
for(RangerPolicyEvaluator policyEvaluator : this.rowFilterPolicyEvaluators) {
RangerPolicy policy = policyEvaluator.getPolicy();
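Review bot: The corrected message at L45, like the per-policy message at L42, is built by string concatenation before `LOG.debug` is called; unless the surrounding block is already inside an `if (LOG.isDebugEnabled())` guard, which would lie outside this hunk, the formatting cost is paid on every initialization with debug off. If no such guard exists, wrap the whole ordering dump in `if (LOG.isDebugEnabled()) { ... }` rather than guarding each line. The enclosing method and the row-filter loop starting at L47 both continue outside the hunk.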
@@ -873,6 +874,32 @@ class RangerPolicyRepository {
}
}
}
+ sb.append("} ");
+
+ sb.append("dataMaskPolicyEvaluators={");
+
+ if (this.dataMaskPolicyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator : dataMaskPolicyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("rowFilterPolicyEvaluators={");
+
+ if (this.rowFilterPolicyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator : rowFilterPolicyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("contextEnrichers={");
+
if (contextEnrichers != null) {
for (RangerContextEnricher contextEnricher : contextEnrichers) {
if (contextEnricher != null) {
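Review bot: The two new blocks at L55-75 are a third and fourth copy of the same null-check/loop/append shape, and they mix `this.dataMaskPolicyEvaluators` in the null test with the unqualified `dataMaskPolicyEvaluators` in the for-each (same at L68-69), which reads as if two different variables were meant. A small private helper removes the duplication and makes the `name={... } ` framing uniform for all four lists; the null checks can stay since toString() may run on a partially constructed instance, though I cannot confirm from here that the fields are ever null. The enclosing toString() starts before the hunk and its contextEnrichers loop continues after it.
```java
        sb.append("} ");

        appendEvaluators(sb, "dataMaskPolicyEvaluators", this.dataMaskPolicyEvaluators);
        appendEvaluators(sb, "rowFilterPolicyEvaluators", this.rowFilterPolicyEvaluators);

        sb.append("contextEnrichers={");
        // … unchanged: contextEnrichers loop …

    /** Appends {@code name={e1 e2 } } for the non-null entries of {@code evaluators}; a null list yields {@code name={} }. */
    private static void appendEvaluators(StringBuilder sb, String name, List<RangerPolicyEvaluator> evaluators) {
        sb.append(name).append("={");
        if (evaluators != null) {
            for (RangerPolicyEvaluator evaluator : evaluators) {
                if (evaluator != null) {
                    sb.append(evaluator).append(" ");
                }
            }
        }
        sb.append("} ");
    }
```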
@@ -880,6 +907,7 @@ class RangerPolicyRepository {
}
}
}
+ sb.append("} ");
sb.append("} ");
http://git-wip-us.apache.org/repos/asf/ranger/blob/27829af8/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index d4c16c1..a82df28 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -290,6 +290,13 @@ public class TestPolicyEngine {
}
@Test
+ public void testPolicyEngine_hiveTagMasking() {
+ String[] resourceFiles = {"/policyengine/test_policyengine_tag_hive_mask.json"};
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
+ @Test
public void testPolicyEngine_owner() {
String[] resourceFiles = {"/policyengine/test_policyengine_owner.json"};
http://git-wip-us.apache.org/repos/asf/ranger/blob/27829af8/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
new file mode 100644
index 0000000..3945dce
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
@@ -0,0 +1,434 @@
+{
+ "serviceName": "hivedev",
+ "serviceDef": {
+ "name": "hive",
+ "id": 3,
+ "resources": [
+ {
+ "name": "database",
+ "level": 1,
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Database",
+ "description": "Hive Database"
+ },
+ {
+ "name": "table",
+ "level": 2,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Table",
+ "description": "Hive Table"
+ },
+ {
+ "name": "udf",
+ "level": 2,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive UDF",
+ "description": "Hive UDF"
+ },
+ {
+ "name": "column",
+ "level": 3,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Column",
+ "description": "Hive Column"
+ }
+ ],
+ "accessTypes": [
+ {
+ "name": "select",
+ "label": "Select"
+ },
+ {
+ "name": "update",
+ "label": "Update"
+ },
+ {
+ "name": "create",
+ "label": "Create"
+ },
+ {
+ "name": "grant",
+ "label": "Grant"
+ },
+ {
+ "name": "drop",
+ "label": "Drop"
+ },
+ {
+ "name": "alter",
+ "label": "Alter"
+ },
+ {
+ "name": "index",
+ "label": "Index"
+ },
+ {
+ "name": "lock",
+ "label": "Lock"
+ },
+ {
+ "name": "all",
+ "label": "All",
+ "impliedGrants": [
+ "select",
+ "update",
+ "create",
+ "grant",
+ "drop",
+ "alter",
+ "index",
+ "lock"
+ ]
+ }
+ ]
+ },
+ "policies": [
+ {
+ "id": 101,
+ "name": "db=*: audit-all-access",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "*"
+ ]
+ },
+ "table": {
+ "values": [
+ "*"
+ ]
+ },
+ "column": {
+ "values": [
+ "*"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "all",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hive",
+ "user1",
+ "user2"
+ ],
+ "groups": [
+ "public"
+ ],
+ "delegateAdmin": false
+ }
+ ]
+ },
+ {
+ "id": 102,
+ "name": "db=*, udf=*: audit-all-access",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "*"
+ ]
+ },
+ "udf": {
+ "values": [
+ "*"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "all",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hive",
+ "user1",
+ "user2"
+ ],
+ "groups": [
+ "public"
+ ],
+ "delegateAdmin": false
+ }
+ ]
+ }
+ ],
+ "tagPolicyInfo": {
+ "serviceName": "tagdev",
+ "serviceDef": {
+ "name": "tag",
+ "id": 100,
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "tag",
+ "type": "string",
+ "level": 1,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": false
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "TAG",
+ "description": "TAG"
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "hive:select",
+ "label": "hive:select"
+ },
+ {
+ "itemId": 2,
+ "name": "hive:update",
+ "label": "hive:update"
+ },
+ {
+ "itemId": 3,
+ "name": "hive:create",
+ "label": "hive:create"
+ },
+ {
+ "itemId": 4,
+ "name": "hive:grant",
+ "label": "hive:grant"
+ },
+ {
+ "itemId": 5,
+ "name": "hive:drop",
+ "label": "hive:drop"
+ },
+ {
+ "itemId": 6,
+ "name": "hive:alter",
+ "label": "hive:alter"
+ },
+ {
+ "itemId": 7,
+ "name": "hive:index",
+ "label": "hive:index"
+ },
+ {
+ "itemId": 8,
+ "name": "hive:lock",
+ "label": "hive:lock"
+ },
+ {
+ "itemId": 9,
+ "name": "hive:all",
+ "label": "hive:all",
+ "impliedGrants": [
+ "hive:select",
+ "hive:update",
+ "hive:create",
+ "hive:grant",
+ "hive:drop",
+ "hive:alter",
+ "hive:index",
+ "hive:lock"
+ ]
+ }
+ ],
+ "contextEnrichers": [
+ ],
+ "policyConditions": [
+ {
+ "itemId": 1,
+ "name": "expression",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions": {
+ "engineName": "JavaScript",
+ "ui.isMultiline": "true"
+ },
+ "label": "Enter boolean expression",
+ "description": "Boolean expression"
+ },
+ {
+ "itemId": 2,
+ "name": "enforce-expiry",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+ "evaluatorOptions": {
+ "scriptTemplate": "ctx.isAccessedAfter('expiry_date');"
+ },
+ "label": "Deny access after expiry_date?",
+ "description": "Deny access after expiry_date? (yes/no)"
+ }
+ ]
+ },
+ "tagPolicies": [
+ {
+ "id": 1,
+ "name": "RESTRICTED_TAG_POLICY",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "policyType": 1,
+ "resources": {
+ "tag": {
+ "values": [
+ "RESTRICTED"
+ ],
+ "isRecursive": false
+ }
+ },
+ "dataMaskPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user1"
+ ],
+ "groups": [],
+ "delegateAdmin": false,
+ "dataMaskInfo": {
+ "dataMaskType": "MASK"
+ }
+ },
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user2"
+ ],
+ "groups": [],
+ "delegateAdmin": false,
+ "dataMaskInfo": {
+ "dataMaskType": "SHUFFLE"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "tests": [
+ {
+ "name": "'select ssn from employee.personal;' for user1 - maskType=MASK",
+ "request": {
+ "resource": {
+ "elements": {
+ "database": "employee",
+ "table": "personal",
+ "column": "ssn"
+ }
+ },
+ "accessType": "select",
+ "user": "user1",
+ "userGroups": [],
+ "requestData": "select ssn from employee.personal;' for user1",
+ "context": {
+ "TAGS": "[{\"type\":\"RESTRICTED\"}]"
+ }
+ },
+ "dataMaskResult": {
+ "maskType": "MASK",
+ "maskCondition": null,
+ "maskValue": null,
+ "policyId": 1
+ }
+ },
+ {
+ "name": "'select ssn from employee.personal;' for user2 - maskType=SHUFFLE",
+ "request": {
+ "resource": {
+ "elements": {
+ "database": "employee",
+ "table": "personal",
+ "column": "ssn"
+ }
+ },
+ "accessType": "select",
+ "user": "user2",
+ "userGroups": [],
+ "requestData": "select ssn from employee.personal;' for user2",
+ "context": {
+ "TAGS": "[{\"type\":\"RESTRICTED\"}]"
+ }
+ },
+ "dataMaskResult": {
+ "maskType": "SHUFFLE",
+ "maskCondition": null,
+ "maskValue": null,
+ "policyId": 1
+ }
+ },
+ {
+ "name": "'select ssn from employee.personal;' for hive - maskType=NONE",
+ "request": {
+ "resource": {
+ "elements": {
+ "database": "employee",
+ "table": "personal",
+ "column": "ssn"
+ }
+ },
+ "accessType": "select",
+ "user": "hive",
+ "userGroups": [],
+ "requestData": "select ssn from employee.personal;' for hive",
+ "context": {
+ "TAGS": "[{\"type\":\"RESTRICTED\"}]"
+ }
+ },
+ "dataMaskResult": {
+ "maskType": null,
+ "maskCondition": null,
+ "maskValue": null,
+ "policyId": -1
+ }
+ }
+ ]
+}
+
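Review bot: This fixture does not appear to exercise the code path the commit fixes: both service definitions declare no enrichers (`"contextEnrichers": [ ]` at L391-392, none at all in the hive def), and each request supplies `TAGS` directly in `context` (L484-486), so the new `testPolicyEngine_hiveTagMasking` would pass with or without the guard change in RangerPolicyRepository.java. A variant with a non-empty `contextEnrichers` entry, or a request that omits `TAGS` and relies on enrichment, would pin the regression; I cannot tell from the page whether the test harness supports that. Separately, the `requestData` strings at L483, L508 and L533 carry a stray `'` (`... personal;' for user1`) copied from the test name, which is cosmetic but will confuse anyone grepping audit output, and the trailing `+` at L547 adds a blank last line.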