Posted to commits@ranger.apache.org by ab...@apache.org on 2017/11/10 16:33:42 UTC
[1/2] ranger git commit: RANGER-1781: Policy model update to support
restricted access-types based on selected resource (more performance
improvements)
Repository: ranger
Updated Branches:
refs/heads/master 0688f5eb7 -> 2a1406df8
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/policyengine/test_policydb_hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policydb_hive.json b/agents-common/src/test/resources/policyengine/test_policydb_hive.json
new file mode 100644
index 0000000..3342d13
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policydb_hive.json
@@ -0,0 +1,441 @@
+{
+ "servicePolicies": {
+ "serviceName": "hivedev",
+ "serviceDef": {
+ "name": "hive",
+ "id": 3,
+ "resources": [
+ {
+ "name": "database",
+ "level": 1,
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Database",
+ "description": "Hive Database"
+ },
+ {
+ "name": "table",
+ "level": 2,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Table",
+ "description": "Hive Table"
+ },
+ {
+ "name": "udf",
+ "level": 2,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive UDF",
+ "description": "Hive UDF"
+ },
+ {
+ "name": "column",
+ "level": 3,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Column",
+ "description": "Hive Column"
+ }
+ ],
+ "accessTypes": [
+ {
+ "name": "select",
+ "label": "Select"
+ },
+ {
+ "name": "update",
+ "label": "Update"
+ },
+ {
+ "name": "create",
+ "label": "Create"
+ },
+ {
+ "name": "drop",
+ "label": "Drop"
+ },
+ {
+ "name": "alter",
+ "label": "Alter"
+ },
+ {
+ "name": "index",
+ "label": "Index"
+ },
+ {
+ "name": "lock",
+ "label": "Lock"
+ },
+ {
+ "name": "all",
+ "label": "All"
+ }
+ ]
+ },
+ "policies": [
+ {
+ "id": 1,
+ "name": "db=default: audit-all-access",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ]
+ },
+ "table": {
+ "values": [
+ "*"
+ ]
+ },
+ "column": {
+ "values": [
+ "*"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [],
+ "users": [],
+ "groups": [
+ "public"
+ ],
+ "delegateAdmin": false
+ }
+ ]
+ },
+ {
+ "id": 2,
+ "name": "db=default; table=test1,test2; column=column1",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ]
+ },
+ "table": {
+ "values": [
+ "test1", "test2"
+ ]
+ },
+ "column": {
+ "values": [
+ "column1"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user1",
+ "user2"
+ ],
+ "groups": [
+ "group1",
+ "group2"
+ ],
+ "delegateAdmin": false
+ },
+ {
+ "accesses": [
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "admin"
+ ],
+ "groups": [
+ "cluster-admin"
+ ],
+ "delegateAdmin": true
+ }
+ ]
+ },
+ {
+ "id": 21,
+ "name": "db=default; table=test1,test2; column=column2",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ]
+ },
+ "table": {
+ "values": [
+ "test1", "test2"
+ ]
+ },
+ "column": {
+ "values": [
+ "column2"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user1",
+ "user2"
+ ],
+ "groups": [
+ "group1",
+ "group2"
+ ],
+ "delegateAdmin": false
+ },
+ {
+ "accesses": [
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "admin"
+ ],
+ "groups": [
+ "cluster-admin"
+ ],
+ "delegateAdmin": true
+ }
+ ]
+ },
+ {
+ "id": 3,
+ "name": "db=finance; table=fin_*; column=*",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "finance"
+ ]
+ },
+ "table": {
+ "values": [
+ "fin_*"
+ ]
+ },
+ "column": {
+ "values": [
+ "*"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user1",
+ "user2"
+ ],
+ "groups": [
+ "finance-controller"
+ ],
+ "delegateAdmin": true
+ }
+ ]
+ },
+ {
+ "id": 4,
+ "name": "db=db1; table=tmp; column=tmp*",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "db1"
+ ]
+ },
+ "table": {
+ "values": [
+ "tmp"
+ ]
+ },
+ "column": {
+ "values": [
+ "tmp*"
+ ],
+ "isExcludes": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user1",
+ "user2"
+ ],
+ "groups": [
+ "cluster-admin",
+ "finance-controller"
+ ],
+ "delegateAdmin": true
+ }
+ ]
+ },
+ {
+ "id": 5,
+ "name": "db=hr",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "hr"
+ ]
+ },
+ "udf": {
+ "values": [
+ "udf"
+ ]
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "user1",
+ "user2"
+ ],
+ "groups": [
+ "cluster-admin"
+ ],
+ "delegateAdmin": true
+ }
+ ]
+ }
+ ]
+ },
+
+ "tests":[
+ {"name":"ALLOW '_admin access on resource [database=db1, table=tmp, column=tmp1]' for g=cluster-admin",
+ "resources":{"database":{"values":["db1"]}, "table":{"values":["tmp"]}, "column":{"values":["tmp1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin",
+ "result":true
+ },
+ {"name":"DENY '_admin access on resource [database=db1, table=tmp, column=column1]' for g=cluster-admin",
+ "resources":{"database":{"values":["db1"]}, "table":{"values":["tmp"]}, "column":{"values":["column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin",
+ "result":false
+ },
+ {"name":"DENY '_admin access on resource [database=hr]' for g=cluster-admin",
+ "resources":{"database":{"values":["hr"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin",
+ "result":false
+ },
+ {"name":"DENY '_admin access on resource [database=db1:default, table=tmp:test*, column=tmp1:column1]' for g=cluster-admin",
+ "resources":{"database":{"values":["db1", "default"]}, "table":{"values":["tmp", "test*"]}, "column":{"values":["tmp1", "column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin",
+ "result":false
+ },
+ {"name":"ALLOW '_admin access on resource [database=default, table=test1:test2, column=column1]' for g=cluster-admin",
+ "resources":{"database":{"values":["default"]}, "table":{"values":["test1", "test2"]}, "column":{"values":["column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin",
+ "result":true
+ },
+ {"name":"DENY '_admin access on resource [database=default, table=test1:test2:test3, column=column1]' for g=cluster-admin",
+ "resources":{"database":{"values":["default"]}, "table":{"values":["test1", "test2", "test3"]}, "column":{"values":["column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin",
+ "result":false
+ },
+ {"name":"DENY '_admin access on resource [database=default, table=test1:test2, column=column1,column2]' for g=cluster-admin",
+ "resources":{"database":{"values":["default"]}, "table":{"values":["test1", "test2"]}, "column":{"values":["column1","column2"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin",
+ "result":false
+ },
+ {"name":"DENY '_admin access on resource [database=default, table=test1:test2, column=column1]' for g=cluster-admin",
+ "resources":{"database":{"values":["default"]}, "table":{"values":["test1", "test2", "test3"]}, "column":{"values":["column1"]}},"user":"testuser","userGroups":["cluster-admin","users"],"accessType":"_admin",
+ "result":false
+ },
+
+ {"name":"4 'create allowed policies' for g=cluster-admin",
+ "user":"testuser","userGroups":["cluster-admin","users"],"accessType":"create","allowedPolicies":[2, 21, 4, 5]
+ }
+ ,
+ {"name":"2 'select allowed policies' for g=finance-controller",
+ "user":"testuser","userGroups":["finance-controller","users"],"accessType":"select","allowedPolicies":[3, 4]
+ }
+ ,
+ {"name":"0 'drop allowed policies' for g=finance-controller",
+ "user":"testuser","userGroups":["finance-controller","users"],"accessType":"drop","allowedPolicies":[]
+ }
+ ,
+ {"name":"0 'select allowed policies' for u=testuser",
+ "user":"testuser","userGroups":["public","users"],"accessType":"select","allowedPolicies":[]
+ }
+ ,
+ {"name":"5 'select allowed policies' for u=user1",
+ "user":"user1","userGroups":["public","users"],"accessType":"select","allowedPolicies":[2, 21, 3, 4, 5]
+ }
+ ]
+}
+
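Review bot: The last `_admin` case, named `DENY '_admin access on resource [database=default, table=test1:test2, column=column1]'`, does not test what its name says. Its `resources` carry `"table":{"values":["test1", "test2", "test3"]}`, the same input as the preceding `test1:test2:test3` case, and apart from the DENY prefix its name repeats the earlier ALLOW case for that resource. Either drop it or give it a distinct input and a matching name, so a failure in the delegated-admin check points at one scenario. All eight `_admin` cases also put `cluster-admin` in `userGroups`. A case for a principal whose policy item has `"delegateAdmin": false` (for example `group1` on policy 2), which I would expect to yield `"result":false`, would pin the negative path as well.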
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
index cba7a21..211e0ed 100644
--- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
+++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
@@ -133,8 +133,8 @@
}
,
{
- "name": "MATCH for parent 'finance:tax'",
- "type": "ancestorMatch",
+ "name": "MATCH for exact 'finance:tax'",
+ "type": "exactMatch",
"resource": {
"elements": {"database": "finance","table": "tax"}
},
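Review bot: The old `ancestorMatch` expectation is replaced here rather than kept as a negative, so for an unchanged `resource` the fixture now asserts only `exactMatch`. The same holds for the six later hunks in this file (`finance:tax`, `finance`, and four `finance.tax.ssn` entries). The `policyResources` and `result` of these cases lie outside the hunks, so this is inferred from the visible lines only. If the file has no such case elsewhere, consider keeping one entry per test case with `"type": "ancestorMatch"` and the result the updated matcher is meant to return, so a later change that reverts the classification fails a test.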
@@ -277,8 +277,8 @@
}
,
{
- "name": "MATCH for parent 'finance:tax'",
- "type": "ancestorMatch",
+ "name": "MATCH for exact 'finance:tax'",
+ "type": "exactMatch",
"resource": {
"elements": {"database": "finance","table": "tax"}
},
@@ -411,8 +411,8 @@
}
,
{
- "name": "MATCH for parent 'finance'",
- "type": "ancestorMatch",
+ "name": "MATCH for exact 'finance'",
+ "type": "exactMatch",
"resource": {
"elements": {"database": "finance"}
},
@@ -440,8 +440,8 @@
},
"tests": [
{
- "name": "MATCH for parent 'finance.tax.ssn'",
- "type": "ancestorMatch",
+ "name": "MATCH for exact 'finance.tax.ssn'",
+ "type": "exactMatch",
"resource": {
"elements": {"database": "finance", "table":"tax", "column":"ssn"}
},
@@ -606,8 +606,8 @@
},
"tests": [
{
- "name": "MATCH for parent 'finance.tax.ssn'",
- "type": "ancestorMatch",
+ "name": "MATCH for exact 'finance.tax.ssn'",
+ "type": "exactMatch",
"resource": {
"elements": {"database": "finance", "table":"tax", "column":"ssn"}
},
@@ -647,8 +647,8 @@
},
"tests": [
{
- "name": "MATCH for parent 'finance.tax.ssn'",
- "type": "ancestorMatch",
+ "name": "MATCH for exact 'finance.tax.ssn'",
+ "type": "exactMatch",
"resource": {
"elements": {"database": "finance", "table":"tax", "column":"ssn"}
},
@@ -767,8 +767,8 @@
},
"tests": [
{
- "name": "MATCH for parent 'finance.tax.ssn'",
- "type": "ancestorMatch",
+ "name": "MATCH for exact 'finance.tax.ssn'",
+ "type": "exactMatch",
"resource": {
"elements": {"database": "finance", "table":"tax", "column":"ssn"}
},
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json
new file mode 100644
index 0000000..ddb171d
--- /dev/null
+++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json
@@ -0,0 +1,410 @@
+{
+ "serviceDef": {
+ "name": "hive",
+ "id": 3,
+ "resources": [
+ {
+ "name": "database",
+ "level": 1,
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Database",
+ "description": "Hive Database"
+ },
+ {
+ "name": "table",
+ "level": 2,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Table",
+ "description": "Hive Table"
+ },
+ {
+ "name": "udf",
+ "level": 2,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive UDF",
+ "description": "Hive UDF"
+ },
+ {
+ "name": "column",
+ "level": 3,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Hive Column",
+ "description": "Hive Column"
+ }
+ ],
+ "accessTypes": [
+ {
+ "name": "select",
+ "label": "Select"
+ },
+ {
+ "name": "update",
+ "label": "Update"
+ },
+ {
+ "name": "create",
+ "label": "Create"
+ },
+ {
+ "name": "drop",
+ "label": "Drop"
+ },
+ {
+ "name": "alter",
+ "label": "Alter"
+ },
+ {
+ "name": "index",
+ "label": "Index"
+ },
+ {
+ "name": "lock",
+ "label": "Lock"
+ },
+ {
+ "name": "all",
+ "label": "All"
+ }
+ ]
+ },
+ "testCases": [
+ {
+ "name": "database=*:table=*:column:demo",
+ "policyResources": {
+ "database": {"values": ["*"]},
+ "table": {"values": ["*"]},
+ "column":{"values":["demo"]}
+ },
+ "tests": [
+ {
+ "name": "Exact match for 'tmp:*:demo' policy",
+ "type": "exactMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["tmp"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["*"], "isExcludes": false, "isRecursive": false},
+ "column": {"values": ["demo"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : true
+ }
+ ]
+ },
+ {
+ "name": "database=finance:table=tax:column:refund",
+ "policyResources": {
+ "database": {"values": ["finance"]},
+ "table": {"values": ["tax"]},
+ "column":{"values":["refund"]}
+ },
+ "tests": [
+ {
+ "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
+ "type": "exactMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
+ "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : true
+ },
+ {
+ "name": "Descendant match for 'finance,hr,tmp*:tax,employee,tmp*:' policy",
+ "type": "descendantMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : true
+ },
+ {
+ "name": "No match for '*:*:*' policy",
+ "type": "anyMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["*"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["*"], "isExcludes": false, "isRecursive": false},
+ "column": {"values": ["*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ]
+ },
+ {
+ "name": "database=hr:table=*:column=refund",
+ "policyResources": {
+ "database": {"values": ["hr"]},
+ "table": {"values": ["*"]},
+ "column":{"values":["refund"]}
+ },
+ "tests": [
+ {
+ "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
+ "type": "exactMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
+ "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : true
+ }
+ ,
+ {
+ "name": "No match for 'finance,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
+ "type": "anyMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "tmp*"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
+ "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ]
+ },
+ {
+ "name": "database=hr:table=*:column=*",
+ "policyResources": {
+ "database": {"values": ["hr"]},
+ "table": {"values": ["*"]},
+ "column":{"values":["*"]}
+ },
+ "tests": [
+ {
+ "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
+ "type": "exactMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
+ "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : true
+ },
+ {
+ "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*:' policy",
+ "type": "ancestorMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : true
+ },
+ {
+ "name": "Exact match for 'finance,hr,tmp*:*,employee,tmp*:*,salary,tmp*' policy",
+ "type": "exactMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
+ "table": {"values": ["*","employee","tmp*"], "isExcludes": false, "isRecursive": false},
+ "column": {"values": ["*","salary","tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : true
+ },
+ {
+ "name": "No match for 'finance,hr,tmp*::refund,salary,tmp*' policy",
+ "type": "anyMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
+ "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : false
+ },
+ {
+ "name": "Ancestor match for 'finance,hr,tmp*::' policy",
+ "type": "ancestorMatch",
+ "policy" : {
+ "service" : "any",
+ "name" : "test",
+ "policyType":0,
+ "description":"",
+ "resourceSignature":"",
+ "isAuditEnabled":true,
+ "resources" : {
+ "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}
+ },
+ "policyItems":[],
+ "denyPolicyItems":[],
+ "allowExceptions":[],
+ "denyExceptions":[],
+ "dataMaskPolicyItems":[],
+ "rowFilterPolicyItems":[]
+ },
+ "evalContext": {},
+ "result" : true
+ }
+ ]
+ }
+ ]
+}
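Review bot: Every policy resource in this new fixture sets `"isExcludes": false, "isRecursive": false`, so none of the exact, ancestor, descendant or any-match expectations is exercised against an excluding resource. Exclusion handling is where a misclassified match most easily becomes an unintended grant. Consider adding one test case whose `policy.resources` carries `"isExcludes": true` on one level, with the expected `type` and `result` taken from the matcher's intended behaviour. Separately, two test-case names still read `column:demo` and `column:refund` while the other two use `column=`. Changing them to `"name": "database=*:table=*:column=demo"` and `"name": "database=finance:table=tax:column=refund"` would make the four consistent.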
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json
deleted file mode 100644
index 489cc13..0000000
--- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json
+++ /dev/null
@@ -1,315 +0,0 @@
-{
- "serviceDef": {
- "name": "hive",
- "id": 3,
- "resources": [
- {
- "name": "database",
- "level": 1,
- "mandatory": true,
- "lookupSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": true
- },
- "label": "Hive Database",
- "description": "Hive Database"
- },
- {
- "name": "table",
- "level": 2,
- "parent": "database",
- "mandatory": true,
- "lookupSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": true
- },
- "label": "Hive Table",
- "description": "Hive Table"
- },
- {
- "name": "udf",
- "level": 2,
- "parent": "database",
- "mandatory": true,
- "lookupSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": true
- },
- "label": "Hive UDF",
- "description": "Hive UDF"
- },
- {
- "name": "column",
- "level": 3,
- "parent": "table",
- "mandatory": true,
- "lookupSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": true
- },
- "label": "Hive Column",
- "description": "Hive Column"
- }
- ],
- "accessTypes": [
- {
- "name": "select",
- "label": "Select"
- },
- {
- "name": "update",
- "label": "Update"
- },
- {
- "name": "create",
- "label": "Create"
- },
- {
- "name": "drop",
- "label": "Drop"
- },
- {
- "name": "alter",
- "label": "Alter"
- },
- {
- "name": "index",
- "label": "Index"
- },
- {
- "name": "lock",
- "label": "Lock"
- },
- {
- "name": "all",
- "label": "All"
- }
- ]
- },
- "testCases": [
- {
- "name": "database=*:table=*:column:demo",
- "policyResources": {
- "database": {"values": ["*"]},
- "table": {"values": ["*"]},
- "column":{"values":["demo"]}
- },
- "tests": [
- {
- "name": "Exact match for 'tmp:*:demo' policy",
- "type": "exactMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["tmp"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["demo"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- }
- ]
- },
- {
- "name": "database=finance:table=tax:column:refund",
- "policyResources": {
- "database": {"values": ["finance"]},
- "table": {"values": ["tax"]},
- "column":{"values":["refund"]}
- },
- "tests": [
- {
- "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
- "type": "exactMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- },
- {
- "name": "No match for '*:*:*' policy",
- "type": "anyMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : false
- }
- ]
- },
- {
- "name": "database=hr:table=*:column:refund",
- "policyResources": {
- "database": {"values": ["hr"]},
- "table": {"values": ["*"]},
- "column":{"values":["refund"]}
- },
- "tests": [
- {
- "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
- "type": "exactMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- }
- ,
- {
- "name": "No match for 'finance,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
- "type": "anyMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : false
- }
- ]
- },
- {
- "name": "database=hr:table=*:column:*",
- "policyResources": {
- "database": {"values": ["hr"]},
- "table": {"values": ["*"]},
- "column":{"values":["*"]}
- },
- "tests": [
- {
- "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
- "type": "ancestorMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- },
- {
- "name": "Ancestor match for 'finance,hr,tmp*:*,employee,tmp*:*,salary,tmp*' policy",
- "type": "ancestorMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["*","employee","tmp*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["*","salary","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- }
- ]
- }
- ]
-}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json
deleted file mode 100644
index 4373647..0000000
--- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json
+++ /dev/null
@@ -1,335 +0,0 @@
-{
- "serviceDef": {
- "name": "hive",
- "id": 3,
- "resources": [
- {
- "name": "database",
- "level": 1,
- "mandatory": true,
- "lookupSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": true
- },
- "label": "Hive Database",
- "description": "Hive Database"
- },
- {
- "name": "table",
- "level": 2,
- "parent": "database",
- "mandatory": true,
- "lookupSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": true
- },
- "label": "Hive Table",
- "description": "Hive Table"
- },
- {
- "name": "udf",
- "level": 2,
- "parent": "database",
- "mandatory": true,
- "lookupSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": true
- },
- "label": "Hive UDF",
- "description": "Hive UDF"
- },
- {
- "name": "column",
- "level": 3,
- "parent": "table",
- "mandatory": true,
- "lookupSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": true
- },
- "label": "Hive Column",
- "description": "Hive Column"
- }
- ],
- "accessTypes": [
- {
- "name": "select",
- "label": "Select"
- },
- {
- "name": "update",
- "label": "Update"
- },
- {
- "name": "create",
- "label": "Create"
- },
- {
- "name": "drop",
- "label": "Drop"
- },
- {
- "name": "alter",
- "label": "Alter"
- },
- {
- "name": "index",
- "label": "Index"
- },
- {
- "name": "lock",
- "label": "Lock"
- },
- {
- "name": "all",
- "label": "All"
- }
- ]
- },
- "testCases": [
- {
- "name": "database=*:table=*:column:demo",
- "policyResources": {
- "database": {"values": ["*"]},
- "table": {"values": ["*"]},
- "column":{"values":["demo"]}
- },
- "tests": [
- {
- "name": "Exact match for 'tmp:*:demo' policy",
- "type": "exactMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["tmp"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["demo"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- }
- ]
- },
- {
- "name": "database=finance:table=tax:column:refund",
- "policyResources": {
- "database": {"values": ["finance"]},
- "table": {"values": ["tax"]},
- "column":{"values":["refund"]}
- },
- "tests": [
- {
- "name": "Descendant match for 'finance,hr,tmp*:tax,employee,tmp*:' policy",
- "type": "descendantMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- },
- {
- "name": "No match for '*:*:*' policy",
- "type": "anyMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : false
- }
- ]
- },
- {
- "name": "database=hr:table=*:column:refund",
- "policyResources": {
- "database": {"values": ["hr"]},
- "table": {"values": ["*"]},
- "column":{"values":["refund"]}
- },
- "tests": [
- {
- "name": "Exact match for 'finance,hr,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
- "type": "exactMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- }
- ,
- {
- "name": "No match for 'finance,tmp*:tax,employee,tmp*:refund,salary,tmp*' policy",
- "type": "anyMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : false
- }
- ]
- },
- {
- "name": "database=hr:table=*:column:*",
- "policyResources": {
- "database": {"values": ["hr"]},
- "table": {"values": ["*"]},
- "column":{"values":["*"]}
- },
- "tests": [
- {
- "name": "Ancestor match for 'finance,hr,tmp*:tax,employee,tmp*:' policy",
- "type": "ancestorMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
- "table": {"values": ["tax","employee","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- },
- {
- "name": "No match for 'finance,hr,tmp*::refund,salary,tmp*' policy",
- "type": "anyMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false},
- "column": {"values": ["refund","salary","tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : false
- },
- {
- "name": "Ancestor match for 'finance,hr,tmp*::' policy",
- "type": "ancestorMatch",
- "policy" : {
- "service" : "any",
- "name" : "test",
- "policyType":0,
- "description":"",
- "resourceSignature":"",
- "isAuditEnabled":true,
- "resources" : {
- "database": {"values": ["finance", "hr", "tmp*"], "isExcludes": false, "isRecursive": false}
- },
- "policyItems":[],
- "denyPolicyItems":[],
- "allowExceptions":[],
- "denyExceptions":[],
- "dataMaskPolicyItems":[],
- "rowFilterPolicyItems":[]
- },
- "evalContext": {},
- "result" : true
- }
- ]
- }
- ]
-}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/ranger-tools/src/test/resources/testdata/test_modules.txt
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/resources/testdata/test_modules.txt b/ranger-tools/src/test/resources/testdata/test_modules.txt
index a355ec8..d2b4f50 100644
--- a/ranger-tools/src/test/resources/testdata/test_modules.txt
+++ b/ranger-tools/src/test/resources/testdata/test_modules.txt
@@ -23,3 +23,5 @@ RangerPolicyEngine.preProcess
RangerPolicyEngine.isAccessAllowedNoAudit
RangerPolicyEngine.reorderPolicyEvaluators
RangerPolicyEngine.usage
+RangerDefaultPolicyResourceMatcher.init
+RangerDefaultPolicyResourceMatcher.getMatchType
[2/2] ranger git commit: RANGER-1781: Policy model update to support
restricted access-types based on selected resource (more performance
improvements)
Posted by ab...@apache.org.
RANGER-1781: Policy model update to support restricted access-types based on selected resource (more performance improvements)
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/2a1406df
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/2a1406df
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/2a1406df
Branch: refs/heads/master
Commit: 2a1406df8125b96b3051616cb61ba01fc96f93c3
Parents: 0688f5e
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Fri Nov 10 07:34:34 2017 -0800
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Fri Nov 10 07:34:34 2017 -0800
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineImpl.java | 4 +-
.../RangerDefaultPolicyResourceMatcher.java | 364 ++++++----
.../RangerPolicyResourceMatcher.java | 2 +-
.../RangerAbstractResourceMatcher.java | 2 +-
.../validation/TestRangerServiceDefHelper.java | 16 +-
.../plugin/policyengine/TestPolicyDb.java | 40 +-
.../TestDefaultPolicyResourceMatcher.java | 46 +-
...stDefaultPolicyResourceMatcherForPolicy.java | 55 +-
.../service-defs/test-hbase-servicedef.json | 241 +++++++
.../service-defs/test-hdfs-servicedef.json | 286 ++++++++
.../service-defs/test-hive-servicedef.json | 679 +++++++++++++------
.../admin/service-defs/test-tag-servicedef.json | 82 +++
agents-common/src/test/resources/log4j.xml | 18 +-
.../policyengine/test_policydb_hive.json | 441 ++++++++++++
.../test_defaultpolicyresourcematcher.json | 28 +-
...ltpolicyresourcematcher_for_hive_policy.json | 410 +++++++++++
...defaultpolicyresourcematcher_for_policy.json | 315 ---------
...rcematcher_for_resource_specific_policy.json | 335 ---------
.../test/resources/testdata/test_modules.txt | 2 +
19 files changed, 2300 insertions(+), 1066 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 2bebb95..cff7a5e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -572,7 +572,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
for (List<RangerPolicyEvaluator> evaluators : likelyEvaluators) {
for (RangerPolicyEvaluator evaluator : evaluators) {
RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher();
- if (matcher != null && matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT, null)) {
+ if (matcher != null && matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
ret.add(evaluator.getPolicy());
}
}
@@ -591,7 +591,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
for (List<RangerPolicyEvaluator> evaluators : likelyEvaluators) {
for (RangerPolicyEvaluator evaluator : evaluators) {
RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher();
- if (matcher != null && matcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT, null)) {
+ if (matcher != null && matcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
ret.add(evaluator.getPolicy());
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 74b70be..415263e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -20,7 +20,6 @@
package org.apache.ranger.plugin.policyresourcematcher;
import java.util.Collection;
-import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
@@ -40,10 +39,14 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceMatcher {
private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyResourceMatcher.class);
+ private static final Log PERF_POLICY_RESOURCE_MATCHER_INIT_LOG = RangerPerfTracer.getPerfLogger("policyresourcematcher.init");
+ private static final Log PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG = RangerPerfTracer.getPerfLogger("policyresourcematcher.match");
+
protected RangerServiceDef serviceDef;
protected int policyType;
protected Map<String, RangerPolicyResource> policyResources;
@@ -74,7 +77,6 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
} else {
setPolicyResources(policy.getResources(), policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType());
}
-
}
@Override
@@ -98,6 +100,16 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
@Override
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
+ }
+
+ @Override
+ public RangerResourceMatcher getResourceMatcher(String resourceName) {
+ return allMatchers != null ? allMatchers.get(resourceName) : null;
+ }
+
+ @Override
public boolean getNeedsDynamicEval() { return needsDynamicEval; }
@Override
@@ -110,10 +122,15 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
needsDynamicEval = false;
validResourceHierarchy = null;
isInitialized = false;
- serviceDefHelper = null;
String errorText = "";
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG, "RangerDefaultPolicyResourceMatcher.init()");
+ }
+
if (policyResources != null && !policyResources.isEmpty() && serviceDef != null) {
serviceDefHelper = serviceDefHelper == null ? new RangerServiceDefHelper(serviceDef, false) : serviceDefHelper;
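Review bot: With the `serviceDefHelper = null;` reset removed, the `serviceDefHelper == null ? new RangerServiceDefHelper(serviceDef, false) : serviceDefHelper` line at the end of this hunk keeps a helper built for an earlier service definition if init() runs again after serviceDef has been replaced. The code that assigns serviceDef is outside the hunk, so this may already be handled. If it is not, resource hierarchies would be resolved against a stale definition during policy matching. A comment such as `// serviceDefHelper is reused across init() calls; whatever replaces serviceDef must also reset it` would record the dependency. init() starts and ends outside this hunk.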
@@ -204,35 +221,37 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
isInitialized = true;
}
+ RangerPerfTracer.log(perf);
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyResourceMatcher.init(): ret=" + isInitialized);
}
}
@Override
- public RangerServiceDef getServiceDef() {
- return serviceDef;
- }
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
- @Override
- public RangerResourceMatcher getResourceMatcher(String resourceName) {
- return allMatchers != null ? allMatchers.get(resourceName) : null;
+ return toString(sb).toString();
}
@Override
- public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")");
- }
-
- boolean ret = isMatch(resources, MatchScope.SELF_OR_ANCESTOR, true, evalContext);
+ public StringBuilder toString(StringBuilder sb) {
+ sb.append("RangerDefaultPolicyResourceMatcher={");
+ sb.append("isInitialized=").append(isInitialized).append(", ");
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + ret);
+ sb.append("matchers={");
+ if(allMatchers != null) {
+ for(RangerResourceMatcher matcher : allMatchers.values()) {
+ sb.append("{").append(matcher).append("} ");
+ }
}
+ sb.append("} ");
- return ret;
+ sb.append("}");
+
+ return sb;
}
@Override
@@ -241,6 +260,12 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + ")");
}
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()");
+ }
+
boolean ret = false;
Collection<String> resourceKeys = resource == null ? null : resource.getKeys();
Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
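Review bot: The perf-tracer tag added here is `"RangerDefaultPolicyResourceMatcher.grantRevokeMatch()"`, but the enclosing method is isCompleteMatch(resource, evalContext) and the class shows no method of that name. The same mismatch appears in the later hunks: `applyPolicyMatch()` in isCompleteMatch(resources, …), `getPoliciesNonLegacy()` in isMatch(policy, scope, …), `grantRevokeMatch()` again in isMatch(RangerAccessResource, …), and `delegateAdminMatch()` in isMatch(Map, …). Two different methods therefore report under one tag, and their timings cannot be told apart in the perf log. Tagging by method, for example `"RangerDefaultPolicyResourceMatcher.isCompleteMatch(resource)"`, would keep each measurement attributable; if the use-case names are intended, a comment at each call site should say so.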
@@ -268,6 +293,8 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
}
+ RangerPerfTracer.log(perf);
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + "): " + ret);
}
@@ -281,6 +308,12 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + ")");
}
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.applyPolicyMatch()");
+ }
+
boolean ret = false;
Collection<String> resourceKeys = resources == null ? null : resources.keySet();
Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
@@ -308,6 +341,8 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
}
+ RangerPerfTracer.log(perf);
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + "): " + ret);
}
@@ -316,19 +351,18 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
@Override
- public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
- return isMatch(resource, MatchScope.SELF_OR_ANCESTOR, evalContext);
- }
-
- @Override
public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) {
- return policy.getPolicyType() == policyType && isMatch(policy.getResources(), scope, false, evalContext);
- }
-
- private boolean isMatch(Map<String, RangerPolicyResource> resources, MatchScope scope, boolean mustMatchAllPolicyValues, Map<String, Object> evalContext) {
boolean ret = false;
- if (MapUtils.isNotEmpty(resources)) {
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getPoliciesNonLegacy()");
+ }
+
+ Map<String, RangerPolicyResource> resources = policy.getResources();
+
+ if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(resources)) {
List<RangerResourceDef> hierarchy = getMatchingHierarchy(resources.keySet());
if (CollectionUtils.isNotEmpty(hierarchy)) {
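Review bot: The rewritten condition `policy.getPolicyType() == policyType` still unboxes the policy type, so a policy whose type is null throws a NullPointerException here instead of being matched or rejected. The constructor path earlier in this file treats a null type as `RangerPolicy.POLICY_TYPE_ACCESS`, which suggests null is a value this class expects to see. Reading it once as `Integer type = policy.getPolicyType();` and comparing `(type == null ? RangerPolicy.POLICY_TYPE_ACCESS : type) == policyType` would make the two paths agree. The method body continues past the end of this hunk.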
@@ -349,9 +383,10 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
// level, the final matchType (which is for the entire policy) is checked against
// requested scope to determine the match-result.
- // Unit tests in TestDefaultPolicyResourceForPolicy.java, test_defaultpolicyresourcematcher_for_policy.json,
+ // Unit tests in TestDefaultPolicyResourceForPolicy.java, TestDefaultPolicyResourceMatcher.java
// test_defaultpolicyresourcematcher_for_hdfs_policy.json, and
- // test_defaultpolicyresourcematcher_for_resource_specific_policy.json
+ // test_defaultpolicyresourcematcher_for_hive_policy.json, and
+ // test_defaultPolicyResourceMatcher.json
boolean skipped = false;
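Review bot: The updated comment points readers at files whose names do not match what this commit's diffstat lists. It says `TestDefaultPolicyResourceForPolicy.java` where the diffstat entry ends in `…stDefaultPolicyResourceMatcherForPolicy.java`, and `test_defaultPolicyResourceMatcher.json` where the diffstat has `test_defaultpolicyresourcematcher.json`. The sentence also now has two "and" joins. Because these tests are the specification for the match-type logic below, the comment should use the exact file names so a search finds them.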
@@ -371,10 +406,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
if (matchType != MatchType.NONE) { // One value for this resourceDef matched
ret = true;
-
- if (!mustMatchAllPolicyValues) {
- break;
- }
+ break;
}
}
} else {
@@ -388,10 +420,107 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
break;
}
}
+
ret = ret && isMatch(scope, matchType);
}
}
+ RangerPerfTracer.log(perf);
+
+ return ret;
+ }
+
+ @Override
+ public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()");
+ }
+
+ /*
+ * There is already API to get the delegateAdmin permissions for a map of policyResources.
+ * That implementation should be reused for figuring out delegateAdmin permissions for a resource as well.
+ */
+
+ Map<String, RangerPolicyResource> policyResources = null;
+
+ for (RangerResourceDef resourceDef : serviceDef.getResources()) {
+ String resourceName = resourceDef.getName();
+ String resourceValue = resource.getValue(resourceName);
+ if (resourceValue != null) {
+ if (policyResources == null) {
+ policyResources = new HashMap<>();
+ }
+ policyResources.put(resourceName, new RangerPolicyResource(resourceValue));
+ }
+ }
+ final boolean ret = MapUtils.isNotEmpty(policyResources) && isMatch(policyResources, evalContext);
+
+ RangerPerfTracer.log(perf);
+
+ return ret;
+ }
+
+ @Override
+ public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")");
+ }
+
+ boolean ret = false;
+
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.delegateAdminMatch()");
+ }
+
+ if(serviceDef != null && serviceDef.getResources() != null) {
+ Collection<String> resourceKeys = resources == null ? null : resources.keySet();
+ Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
+
+ boolean keysMatch = CollectionUtils.isEmpty(resourceKeys) || (policyKeys != null && policyKeys.containsAll(resourceKeys));
+
+ if(keysMatch) {
+ for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+ String resourceName = resourceDef.getName();
+ RangerPolicyResource resourceValues = resources == null ? null : resources.get(resourceName);
+ List<String> values = resourceValues == null ? null : resourceValues.getValues();
+ RangerResourceMatcher matcher = allMatchers == null ? null : allMatchers.get(resourceName);
+
+ if (matcher != null) {
+ if (CollectionUtils.isNotEmpty(values)) {
+ for (String value : values) {
+ ret = matcher.isMatch(value, evalContext);
+ if (!ret) {
+ break;
+ }
+ }
+ } else {
+ ret = matcher.isMatchAny();
+ }
+ } else {
+ ret = CollectionUtils.isEmpty(values);
+ }
+
+ if(! ret) {
+ break;
+ }
+ }
+ } else {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("isMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
+ }
+ }
+ }
+
+ RangerPerfTracer.log(perf);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + ret);
+ }
+
return ret;
}
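Review bot: The new isMatch(Map, evalContext) can return true for a null or empty `resources` map, which the code it replaces could not. The removed private overload began with `if (MapUtils.isNotEmpty(resources))` and otherwise left `ret` false. Here `keysMatch` is true when `resourceKeys` is empty, and each resource definition then yields `matcher.isMatchAny()` or, with no matcher, `CollectionUtils.isEmpty(values)`, so a policy made only of match-any or missing matchers matches an empty request. The tag on this path reads `delegateAdminMatch()`, so failing closed looks safer unless the callers (not visible here) rely on the new result: `if (MapUtils.isNotEmpty(resources) && serviceDef != null && serviceDef.getResources() != null) {`. Separately, isMatch(RangerAccessResource, …) above dereferences `serviceDef` and `resource` without the null checks this method has, and its local `policyResources` shadows the field of the same name.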
@@ -406,91 +535,81 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + evalContext + ")");
}
-
MatchType ret = MatchType.NONE;
- int policyKeysSize = policyResources == null ? 0 : policyResources.size();
- int resourceKeysSize = resource == null || resource.getKeys() == null ? 0 : resource.getKeys().size();
- if (policyKeysSize == 0 && resourceKeysSize == 0) {
- ret = MatchType.SELF;
- } else {
- List<RangerResourceDef> hierarchy = getMatchingHierarchy(resource);
- if (CollectionUtils.isNotEmpty(hierarchy)) {
- int lastNonAnyMatcherIndex = 0;
- /*
- * For hive resource policy:
- * lastNonAnyMatcherIndex will be set to
- * 0 : if all matchers in policy are '*'; such as database=*, table=*, column=*
- * 1 : database=hr, table=*, column=*
- * 2 : database=<any>, table=employee, column=*
- * 3 : database=<any>, table=<any>, column=ssn
- */
- int matchersSize = 0;
+ RangerPerfTracer perf = null;
- for (RangerResourceDef resourceDef : hierarchy) {
- RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName());
- if (matcher != null) {
- matchersSize++;
- if (!matcher.isMatchAny()) {
- lastNonAnyMatcherIndex = matchersSize;
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getMatchType()");
+ }
+
+ if (resource != null && policyResources != null) {
+ int resourceKeysSize = resource.getKeys() == null ? 0 : resource.getKeys().size();
+
+ if (policyResources.size() == 0 && resourceKeysSize == 0) {
+ ret = MatchType.SELF;
+ } else {
+ List<RangerResourceDef> hierarchy = getMatchingHierarchy(resource);
+ if (CollectionUtils.isNotEmpty(hierarchy)) {
+
+ int lastNonAnyMatcherIndex = -1;
+ int matchersSize = 0;
+
+ for (RangerResourceDef resourceDef : hierarchy) {
+ RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName());
+ if (matcher != null) {
+ if (!matcher.isMatchAny()) {
+ lastNonAnyMatcherIndex = matchersSize;
+ }
+ matchersSize++;
+ } else {
+ break;
}
}
- }
- if (resourceKeysSize == 0 && lastNonAnyMatcherIndex == 0) {
- ret = MatchType.SELF;
- } else if (lastNonAnyMatcherIndex == 0) {
- ret = MatchType.ANCESTOR;
- } else if (resourceKeysSize == 0) {
- ret = MatchType.DESCENDANT;
- } else {
- int index = 0;
+ int lastMatchedMatcherIndex = -1;
+
for (RangerResourceDef resourceDef : hierarchy) {
- String resourceName = resourceDef.getName();
- RangerResourceMatcher matcher = getResourceMatcher(resourceName);
- String resourceValue = resource.getValue(resourceName);
+ RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName());
+ String resourceValue = resource.getValue(resourceDef.getName());
- if (resourceValue != null) {
- if (matcher != null) {
- index++;
+ if (matcher != null) {
+ if (resourceValue != null) {
if (matcher.isMatch(resourceValue, evalContext)) {
- ret = index == resourceKeysSize && matcher.isMatchAny() ? MatchType.ANCESTOR : MatchType.SELF;
+ ret = MatchType.SELF;
+ lastMatchedMatcherIndex++;
} else {
ret = MatchType.NONE;
break;
}
} else {
- // More resource-levels than matchers
- ret = MatchType.ANCESTOR;
+ // More matchers than resource-values
+ ret = MatchType.DESCENDANT;
+
+ if (lastMatchedMatcherIndex >= lastNonAnyMatcherIndex) {
+ ret = MatchType.ANCESTOR;
+ if (lastMatchedMatcherIndex == lastNonAnyMatcherIndex && lastMatchedMatcherIndex == -1) {
+ // For degenerate case : resourceKeysSize == 0 and all matchers are of type Any
+ ret = MatchType.SELF;
+ }
+ }
break;
}
} else {
- if (matcher != null) {
- // More matchers than resource-levels
- if (index >= lastNonAnyMatcherIndex) {
- // All AnyMatch matchers after this
- ret = MatchType.ANCESTOR;
- } else {
- ret = MatchType.DESCENDANT;
- }
- } else {
- // Common part of several possible hierarchies matched
- if (resourceKeysSize > index) {
- ret = MatchType.ANCESTOR;
- }
+ if (resourceValue != null) {
+ // More resource-values than matchers
+ ret = MatchType.ANCESTOR;
}
break;
}
}
- if (ret == MatchType.SELF && resourceKeysSize > matchersSize) {
- ret = MatchType.ANCESTOR;
- }
}
}
-
}
+ RangerPerfTracer.log(perf);
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + evalContext + "): " + ret);
}
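Review bot: The rewritten getMatchType() drops the block comment that explained `lastNonAnyMatcherIndex` and changes its meaning without documenting the new convention. It is now a 0-based position with -1 as "none", and the new `lastMatchedMatcherIndex` is compared against it to choose between DESCENDANT, ANCESTOR and SELF. I would add `// lastNonAnyMatcherIndex: 0-based position in the hierarchy of the last matcher that is not match-any; -1 when every matcher is match-any` and a matching line for `lastMatchedMatcherIndex`. The new outer guard `resource != null && policyResources != null` also returns NONE when `policyResources` is null and the resource has no keys, where the removed code returned SELF. If that change is intended, it deserves a comment too.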
@@ -519,15 +638,18 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
}
}
- }
+ } else {
+ ret = false;
+ }
return ret;
}
+
private List<RangerResourceDef> getMatchingHierarchy(Set<String> resourceKeys) {
List<RangerResourceDef> ret = null;
- if (CollectionUtils.isNotEmpty(resourceKeys)) {
- Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper == null ? Collections.EMPTY_SET : serviceDefHelper.getResourceHierarchies(policyType, resourceKeys);
+ if (CollectionUtils.isNotEmpty(resourceKeys) && serviceDefHelper != null) {
+ Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, resourceKeys);
// pick the shortest hierarchy
for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) {
@@ -554,25 +676,26 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
final List<RangerResourceDef> ret;
- Set<String> policyResourcesKeySet = policyResources == null ? Collections.EMPTY_SET : policyResources.keySet();
+ Set<String> policyResourcesKeySet = policyResources.keySet();
+ Set<String> resourceKeySet = resource.getKeys();
- if (resource != null && resource.getKeys() != null) {
+ if (CollectionUtils.isNotEmpty(resourceKeySet)) {
List<RangerResourceDef> aValidHierarchy = null;
if (validResourceHierarchy != null && serviceDefHelper != null) {
- if (serviceDefHelper.hierarchyHasAllResources(validResourceHierarchy, resource.getKeys())) {
+ if (serviceDefHelper.hierarchyHasAllResources(validResourceHierarchy, resourceKeySet)) {
aValidHierarchy = validResourceHierarchy;
}
} else {
- if (policyResourcesKeySet.containsAll(resource.getKeys())) {
+ if (policyResourcesKeySet.containsAll(resourceKeySet)) {
aValidHierarchy = getMatchingHierarchy(policyResourcesKeySet);
- } else if (resource.getKeys().containsAll(policyResourcesKeySet)) {
- aValidHierarchy = getMatchingHierarchy(resource.getKeys());
+ } else if (resourceKeySet.containsAll(policyResourcesKeySet)) {
+ aValidHierarchy = getMatchingHierarchy(resourceKeySet);
}
}
ret = isHierarchyValidForResources(aValidHierarchy, resource.getAsMap()) ? aValidHierarchy : null;
} else {
- ret = getMatchingHierarchy(policyResourcesKeySet);
+ ret = validResourceHierarchy != null ? validResourceHierarchy : getMatchingHierarchy(policyResourcesKeySet);
}
if (LOG.isDebugEnabled()) {
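Review bot: `policyResources.keySet()` and `resource.getKeys()` are now called unconditionally, so this method throws a NullPointerException if either is null. The removed lines guarded both cases with `policyResources == null ? Collections.EMPTY_SET : …` and `resource != null`. The only caller visible in this diff, getMatchType(), checks both before calling, so this is safe as long as it stays the only entry point. A comment on the method such as `// precondition: resource and policyResources are non-null (checked by getMatchType)` would keep a later caller from relying on the old tolerance. The method's signature is outside this hunk.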
@@ -585,10 +708,6 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
private boolean isMatch(final MatchScope scope, final MatchType matchType) {
final boolean ret;
switch (scope) {
- case SELF_OR_ANCESTOR_OR_DESCENDANT: {
- ret = matchType != MatchType.NONE;
- break;
- }
case SELF: {
ret = matchType == MatchType.SELF;
break;
@@ -609,39 +728,12 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
ret = matchType == MatchType.ANCESTOR;
break;
}
- default:
+ default: {
ret = matchType != MatchType.NONE;
break;
- }
- return ret;
- }
-
- @Override
- public String toString() {
- StringBuilder sb = new StringBuilder();
-
- toString(sb);
-
- return sb.toString();
- }
-
- @Override
- public StringBuilder toString(StringBuilder sb) {
- sb.append("RangerDefaultPolicyResourceMatcher={");
-
- sb.append("isInitialized=").append(isInitialized).append(", ");
-
- sb.append("matchers={");
- if(allMatchers != null) {
- for(RangerResourceMatcher matcher : allMatchers.values()) {
- sb.append("{").append(matcher).append("} ");
}
}
- sb.append("} ");
-
- sb.append("}");
-
- return sb;
+ return ret;
}
private static RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource resource) {
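Review bot: `MatchScope.ANY` appears to be handled only by the `default` branch of `isMatch`, which returns `matchType != MatchType.NONE` for every scope that has no case of its own. A scope constant added later would silently get this most permissive result. An explicit `case ANY: { ret = matchType != MatchType.NONE; break; }` together with `default: { ret = false; break; }` would make the fallback fail closed. `isMatch` begins in the previous hunk and some of its cases lie between the two hunks, outside the visible lines.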
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index b8e7fd4..4696d84 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -29,7 +29,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
public interface RangerPolicyResourceMatcher {
- enum MatchScope { SELF_OR_ANCESTOR_OR_DESCENDANT, SELF, SELF_OR_DESCENDANT, SELF_OR_ANCESTOR, DESCENDANT, ANCESTOR };
+ enum MatchScope { SELF, SELF_OR_DESCENDANT, SELF_OR_ANCESTOR, DESCENDANT, ANCESTOR, ANY };
enum MatchType { NONE, SELF, DESCENDANT, ANCESTOR };
void setServiceDef(RangerServiceDef serviceDef);
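Review bot: `SELF_OR_ANCESTOR_OR_DESCENDANT` is removed from the public `MatchScope` enum and `ANY` is added at the opposite end, so the name disappears and every remaining ordinal shifts. Code compiled against the old interface would no longer resolve the constant, and anything that stored a scope by ordinal would read a different one; whether such users exist is not visible here. A short comment on the new constant, such as `// ANY: matches when the match type is anything other than NONE`, would also document what replaced the old name.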
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index 34a8777..acd599a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -205,7 +205,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
String policyValue = policyValues.get(0);
if(isMatchAny) {
- ret = StringUtils.containsOnly(resource, WILDCARD_ASTERISK);
+ ret = StringUtils.isEmpty(resource) || StringUtils.containsOnly(resource, WILDCARD_ASTERISK);
} else {
ret = optIgnoreCase ? StringUtils.equalsIgnoreCase(resource, policyValue) : StringUtils.equals(resource, policyValue);
}
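Review bot: With the added `StringUtils.isEmpty(resource) ||`, a null or empty resource value now counts as a match whenever `isMatchAny` is set, which widens what a match-any policy value covers. If this is commons-lang `StringUtils`, `containsOnly("", ...)` already returned true, so the effective change is the null case. This looks intended for requests that leave the resource level unspecified, but nothing on the line says so. A comment such as `// a missing resource value is treated as matched by a match-any policy value` and a test for the null case would record the decision. The enclosing method starts and ends outside the hunk.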
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java
index 584e88e..b0c1085 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java
@@ -71,8 +71,8 @@ public class TestRangerServiceDefHelper {
RangerResourceDef Database = createResourceDef("Database", "");
RangerResourceDef UDF = createResourceDef("UDF", "Database");
RangerResourceDef Table = createResourceDef("Table", "Database");
- RangerResourceDef Column = createResourceDef("Column", "Table");
- RangerResourceDef Table_Attribute = createResourceDef("Table-Attribute", "Table");
+ RangerResourceDef Column = createResourceDef("Column", "Table", true);
+ RangerResourceDef Table_Attribute = createResourceDef("Table-Attribute", "Table", true);
// order of resources in list sould not matter
List<RangerResourceDef> resourceDefs = Lists.newArrayList(Column, Database, Table, Table_Attribute, UDF);
// stuff this into a service-def
@@ -127,12 +127,12 @@ public class TestRangerServiceDefHelper {
* Check that helper corrects reports back all of the hierarchies: levels in it and their order.
*/
RangerResourceDef database = createResourceDef("database", "");
- RangerResourceDef tableSpace = createResourceDef("table-space", "database");
+ RangerResourceDef tableSpace = createResourceDef("table-space", "database", true);
RangerResourceDef table = createResourceDef("table", "database");
- RangerResourceDef column = createResourceDef("column", "table");
+ RangerResourceDef column = createResourceDef("column", "table", true);
RangerResourceDef namespace = createResourceDef("namespace", "");
- RangerResourceDef function = createResourceDef("function", "namespace");
- RangerResourceDef Package = createResourceDef("package", "namespace");
+ RangerResourceDef function = createResourceDef("function", "namespace", true);
+ RangerResourceDef Package = createResourceDef("package", "namespace", true);
List<RangerResourceDef> resourceDefs = Lists.newArrayList(database, tableSpace, table, column, namespace, function, Package);
when(_serviceDef.getResources()).thenReturn(resourceDefs);
_helper = new RangerServiceDefHelper(_serviceDef);
@@ -172,8 +172,8 @@ public class TestRangerServiceDefHelper {
RangerResourceDef database = createResourceDef("database", "");
RangerResourceDef server = createResourceDef("server", "");
RangerResourceDef namespace = createResourceDef("namespace", "");
- RangerResourceDef function = createResourceDef("function", "namespace");
- RangerResourceDef Package = createResourceDef("package", "namespace");
+ RangerResourceDef function = createResourceDef("function", "namespace", true);
+ RangerResourceDef Package = createResourceDef("package", "namespace", true);
List<RangerResourceDef> resourceDefs = Lists.newArrayList(database, server, namespace, function, Package);
when(_serviceDef.getResources()).thenReturn(resourceDefs);
_helper = new RangerServiceDefHelper(_serviceDef);
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
index 58bb351..85ea679 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java
@@ -31,6 +31,7 @@ import java.util.Set;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.TestPolicyDb.PolicyDbTestCase.TestData;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -43,36 +44,67 @@ import com.google.gson.GsonBuilder;
public class TestPolicyDb {
static Gson gsonBuilder;
+ static RangerServiceDef hdfsServiceDef;
+ static RangerServiceDef hiveServiceDef;
+ static RangerServiceDef hbaseServiceDef;
+ static RangerServiceDef tagServiceDef;
@BeforeClass
public static void setUpBeforeClass() throws Exception {
gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
.setPrettyPrinting()
.create();
+ initializeServiceDefs();
}
+ private static void initializeServiceDefs() {
+ hdfsServiceDef = readServiceDef("hdfs");
+ hiveServiceDef = readServiceDef("hive");
+ hbaseServiceDef = readServiceDef("hbase");
+ tagServiceDef = readServiceDef("tag");
+ }
+
+ private static RangerServiceDef readServiceDef(String name) {
+ InputStream inStream = TestPolicyDb.class.getResourceAsStream("/admin/service-defs/test-" + name + "-servicedef.json");
+ InputStreamReader reader = new InputStreamReader(inStream);
+ return gsonBuilder.fromJson(reader, RangerServiceDef.class);
+
+ }
+
@AfterClass
public static void tearDownAfterClass() throws Exception {
}
@Test
public void testPolicyDb_hdfs() {
+
String[] hdfsTestResourceFiles = { "/policyengine/test_policydb_hdfs.json" };
- runTestsFromResourceFiles(hdfsTestResourceFiles);
+ runTestsFromResourceFiles(hdfsTestResourceFiles, hdfsServiceDef);
}
- private void runTestsFromResourceFiles(String[] resourceNames) {
+ @Test
+ public void testPolicyDb_hive() {
+ String[] hiveTestResourceFiles = { "/policyengine/test_policydb_hive.json" };
+
+ runTestsFromResourceFiles(hiveTestResourceFiles, hiveServiceDef);
+ }
+
+ private void runTestsFromResourceFiles(String[] resourceNames, RangerServiceDef serviceDef) {
for(String resourceName : resourceNames) {
InputStream inStream = this.getClass().getResourceAsStream(resourceName);
InputStreamReader reader = new InputStreamReader(inStream);
- runTests(reader, resourceName);
+ runTests(reader, resourceName, serviceDef);
}
}
- private void runTests(InputStreamReader reader, String testName) {
+ private void runTests(InputStreamReader reader, String testName, RangerServiceDef serviceDef) {
PolicyDbTestCase testCase = gsonBuilder.fromJson(reader, PolicyDbTestCase.class);
+ if (serviceDef != null) {
+ // Override serviceDef in the json test-file with a global service-def
+ testCase.servicePolicies.setServiceDef(serviceDef);
+ }
assertTrue("invalid input: " + testName, testCase != null && testCase.servicePolicies != null && testCase.tests != null && testCase.servicePolicies.getPolicies() != null);
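Review bot: In `runTests`, the added `testCase.servicePolicies.setServiceDef(serviceDef)` dereferences `testCase` and `servicePolicies` before the `assertTrue` on the following line checks them for null, so a malformed test file surfaces as a NullPointerException instead of the "invalid input" message. Moving the `if (serviceDef != null) { ... }` block below the `assertTrue` keeps that diagnostic. The new `readServiceDef` also passes the result of `getResourceAsStream` straight to `InputStreamReader` without a null check, an explicit charset or a close; `assertTrue("missing service-def: " + name, inStream != null);` before the reader is constructed would name the missing file. The same helper is added to TestDefaultPolicyResourceMatcher and TestDefaultPolicyResourceMatcherForPolicy with the same gap. `runTests` continues outside the hunk.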
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
index 7d2519c..1755233 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
@@ -50,12 +50,31 @@ import com.google.gson.GsonBuilder;
public class TestDefaultPolicyResourceMatcher {
static Gson gsonBuilder;
+ static RangerServiceDef hdfsServiceDef;
+ static RangerServiceDef hiveServiceDef;
+ static RangerServiceDef hbaseServiceDef;
+ static RangerServiceDef tagServiceDef;
+
@BeforeClass
public static void setUpBeforeClass() throws Exception {
gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
.setPrettyPrinting()
.registerTypeAdapter(RangerAccessResource.class, new TestDefaultPolicyResourceMatcher.RangerResourceDeserializer())
.create();
+ initializeServiceDefs();
+ }
+
+ private static void initializeServiceDefs() {
+ hdfsServiceDef = readServiceDef("hdfs");
+ hiveServiceDef = readServiceDef("hive");
+ hbaseServiceDef = readServiceDef("hbase");
+ tagServiceDef = readServiceDef("tag");
+ }
+
+ private static RangerServiceDef readServiceDef(String name) {
+ InputStream inStream = TestDefaultPolicyResourceMatcher.class.getResourceAsStream("/admin/service-defs/test-" + name + "-servicedef.json");
+ InputStreamReader reader = new InputStreamReader(inStream);
+ return gsonBuilder.fromJson(reader, RangerServiceDef.class);
}
@AfterClass
@@ -74,23 +93,30 @@ public class TestDefaultPolicyResourceMatcher {
public void testDefaultPolicyResourceMatcher() throws Exception {
String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher.json" };
- runTestsFromResourceFiles(tests);
+ runTestsFromResourceFiles(tests, null);
}
- private void runTestsFromResourceFiles(String[] resourceNames) throws Exception {
- for(String resourceName : resourceNames) {
- InputStream inStream = this.getClass().getResourceAsStream(resourceName);
- InputStreamReader reader = new InputStreamReader(inStream);
+ @Test
+ public void testDefaultPolicyResourceMatcher_ResourceSpecific() throws Exception {
+ String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher.json" };
- runTests(reader);
- }
+ runTestsFromResourceFiles(tests, hiveServiceDef);
}
- private void runTests(InputStreamReader reader) throws Exception {
+ private void runTestsFromResourceFiles(String[] resourceNames, RangerServiceDef serviceDef) throws Exception {
+ for (String resourceName : resourceNames) {
+ InputStream inStream = this.getClass().getResourceAsStream(resourceName);
+ InputStreamReader reader = new InputStreamReader(inStream);
+
+ runTests(reader, serviceDef);
+ }
+ }
+
+ private void runTests(InputStreamReader reader, RangerServiceDef serviceDef) throws Exception {
DefaultPolicyResourceMatcherTestCases testCases = gsonBuilder.fromJson(reader, DefaultPolicyResourceMatcherTestCases.class);
for (DefaultPolicyResourceMatcherTestCases.TestCase testCase : testCases.testCases) {
- runTest(testCase, testCases.serviceDef);
+ runTest(testCase, serviceDef == null ? testCases.serviceDef : serviceDef);
}
}
private void runTest(DefaultPolicyResourceMatcherTestCases.TestCase testCase, RangerServiceDef serviceDef) throws Exception {
@@ -120,7 +146,7 @@ public class TestDefaultPolicyResourceMatcher {
} else if (StringUtils.equalsIgnoreCase(oneTest.type, "ancestorMatch")) {
scope = RangerPolicyResourceMatcher.MatchScope.ANCESTOR;
} else if (StringUtils.equalsIgnoreCase(oneTest.type, "anyMatch")) {
- scope = RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT;
+ scope = RangerPolicyResourceMatcher.MatchScope.ANY;
} else {
continue;
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java
index f6732eb..93daf3b 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java
@@ -52,12 +52,31 @@ import com.google.gson.GsonBuilder;
public class TestDefaultPolicyResourceMatcherForPolicy {
static Gson gsonBuilder;
+ static RangerServiceDef hdfsServiceDef;
+ static RangerServiceDef hiveServiceDef;
+ static RangerServiceDef hbaseServiceDef;
+ static RangerServiceDef tagServiceDef;
+
@BeforeClass
public static void setUpBeforeClass() throws Exception {
gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
.setPrettyPrinting()
.registerTypeAdapter(RangerAccessResource.class, new TestDefaultPolicyResourceMatcherForPolicy.RangerResourceDeserializer())
.create();
+ initializeServiceDefs();
+ }
+
+ private static void initializeServiceDefs() {
+ hdfsServiceDef = readServiceDef("hdfs");
+ hiveServiceDef = readServiceDef("hive");
+ hbaseServiceDef = readServiceDef("hbase");
+ tagServiceDef = readServiceDef("tag");
+ }
+
+ private static RangerServiceDef readServiceDef(String name) {
+ InputStream inStream = TestDefaultPolicyResourceMatcherForPolicy.class.getResourceAsStream("/admin/service-defs/test-" + name + "-servicedef.json");
+ InputStreamReader reader = new InputStreamReader(inStream);
+ return gsonBuilder.fromJson(reader, RangerServiceDef.class);
}
@AfterClass
@@ -73,28 +92,40 @@ public class TestDefaultPolicyResourceMatcherForPolicy {
}
@Test
- public void testDefaultPolicyResourceMatcherForPolicy() throws Exception {
- String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json",
- "/resourcematcher/test_defaultpolicyresourcematcher_for_hdfs_policy.json",
- "/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json"};
+ public void testDefaultPolicyResourceMatcherForHdfs() throws Exception {
+ String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher_for_hdfs_policy.json" };
+
+ runTestsFromResourceFiles(tests, null);
+ }
+
+ @Test
+ public void testDefaultPolicyResourceMatcherForHive() throws Exception {
+ String[] tests = {"/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json"};
+
+ runTestsFromResourceFiles(tests, null);
+ }
+
+ @Test
+ public void testDefaultPolicyResourceMatcherForHive_ResourceSpecific() throws Exception {
+ String[] tests = {"/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json"};
- runTestsFromResourceFiles(tests);
+ runTestsFromResourceFiles(tests, hiveServiceDef);
}
- private void runTestsFromResourceFiles(String[] resourceNames) throws Exception {
+ private void runTestsFromResourceFiles(String[] resourceNames, RangerServiceDef serviceDef) throws Exception {
for(String resourceName : resourceNames) {
- InputStream inStream = this.getClass().getResourceAsStream(resourceName);
- InputStreamReader reader = new InputStreamReader(inStream, Charset.defaultCharset());
+ InputStream inStream = this.getClass().getResourceAsStream(resourceName);
+ InputStreamReader reader = new InputStreamReader(inStream, Charset.defaultCharset());
- runTests(reader);
+ runTests(reader, serviceDef);
}
}
- private void runTests(InputStreamReader reader) throws Exception {
+ private void runTests(InputStreamReader reader, RangerServiceDef serviceDef) throws Exception {
DefaultPolicyResourceMatcherTestCases testCases = gsonBuilder.fromJson(reader, DefaultPolicyResourceMatcherTestCases.class);
for (DefaultPolicyResourceMatcherTestCases.TestCase testCase : testCases.testCases) {
- runTest(testCase, testCases.serviceDef);
+ runTest(testCase, serviceDef == null ? testCases.serviceDef : serviceDef);
}
}
private void runTest(DefaultPolicyResourceMatcherTestCases.TestCase testCase, RangerServiceDef serviceDef) throws Exception {
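Review bot: The removed test loaded three fixture files, while the replacement tests reference only `test_defaultpolicyresourcematcher_for_hdfs_policy.json` and a new `test_defaultpolicyresourcematcher_for_hive_policy.json`. `test_defaultpolicyresourcematcher_for_resource_specific_policy.json` and `test_defaultpolicyresourcematcher_for_policy.json` are no longer loaded by any test in this hunk. If they were renamed or merged into the hive fixture elsewhere in the commit this is fine; otherwise their matcher cases stop running without any test failing. A one-line comment above `testDefaultPolicyResourceMatcherForHive` saying which old fixture it replaces would make that traceable.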
@@ -124,7 +155,7 @@ public class TestDefaultPolicyResourceMatcherForPolicy {
} else if (StringUtils.equalsIgnoreCase(oneTest.type, "ancestorMatch")) {
scope = RangerPolicyResourceMatcher.MatchScope.ANCESTOR;
} else if (StringUtils.equalsIgnoreCase(oneTest.type, "anyMatch")) {
- scope = RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT;
+ scope = RangerPolicyResourceMatcher.MatchScope.ANY;
} else {
continue;
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
new file mode 100644
index 0000000..71fae66
--- /dev/null
+++ b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json
@@ -0,0 +1,241 @@
+{
+ "id":2,
+ "name": "hbase",
+ "implClass": "org.apache.ranger.services.hbase.RangerServiceHBase",
+ "label": "HBase",
+ "description": "HBase",
+ "guid": "d6cea1f0-2509-4791-8fc1-7b092399ba3b",
+ "resources":
+ [
+ {
+ "itemId": 1,
+ "name": "table",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":false },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "HBase Table",
+ "description": "HBase Table"
+ },
+
+ {
+ "itemId": 2,
+ "name": "column-family",
+ "type": "string",
+ "level": 20,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":false },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "HBase Column-family",
+ "description": "HBase Column-family"
+ },
+
+ {
+ "itemId": 3,
+ "name": "column",
+ "type": "string",
+ "level": 30,
+ "parent": "column-family",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":false },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "HBase Column",
+ "description": "HBase Column"
+ }
+ ],
+
+ "accessTypes":
+ [
+ {
+ "itemId": 1,
+ "name": "read",
+ "label": "Read"
+ },
+
+ {
+ "itemId": 2,
+ "name": "write",
+ "label": "Write"
+ },
+
+ {
+ "itemId": 3,
+ "name": "create",
+ "label": "Create"
+ },
+
+ {
+ "itemId": 4,
+ "name": "admin",
+ "label": "Admin",
+ "impliedGrants":
+ [
+ "read",
+ "write",
+ "create"
+ ]
+ }
+ ],
+
+ "configs":
+ [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "subType": "",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Username"
+ },
+
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "subType": "",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Password"
+ },
+
+ {
+ "itemId": 3,
+ "name": "hadoop.security.authentication",
+ "type": "enum",
+ "subType": "authnType",
+ "mandatory": true,
+ "defaultValue": "simple",
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 4,
+ "name": "hbase.master.kerberos.principal",
+ "type": "string",
+ "subType": "",
+ "mandatory": false,
+ "defaultValue": ""
+ },
+
+ {
+ "itemId": 5,
+ "name": "hbase.security.authentication",
+ "type": "enum",
+ "subType": "authnType",
+ "mandatory": true,
+ "defaultValue": "simple",
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 6,
+ "name": "hbase.zookeeper.property.clientPort",
+ "type": "int",
+ "subType": "",
+ "mandatory": true,
+ "defaultValue": "2181",
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 7,
+ "name": "hbase.zookeeper.quorum",
+ "type": "string",
+ "subType": "",
+ "mandatory": true,
+ "defaultValue": "",
+ "validationRegEx":"",
+ "validationMessage": ""
+ },
+
+ {
+ "itemId": 8,
+ "name": "zookeeper.znode.parent",
+ "type": "string",
+ "subType": "",
+ "mandatory": true,
+ "defaultValue": "/hbase",
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 9,
+ "name": "commonNameForCertificate",
+ "type": "string",
+ "subType": "",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Common Name for Certificate"
+ }
+ ],
+
+ "enums":
+ [
+ {
+ "itemId": 1,
+ "name": "authnType",
+ "elements":
+ [
+ {
+ "itemId": 1,
+ "name": "simple",
+ "label": "Simple"
+ },
+
+ {
+ "itemId": 2,
+ "name": "kerberos",
+ "label": "Kerberos"
+ }
+ ],
+
+ "defaultIndex": 0
+ }
+ ],
+
+ "contextEnrichers":
+ [
+
+ ],
+
+ "policyConditions":
+ [
+
+ ]
+}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/admin/service-defs/test-hdfs-servicedef.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/admin/service-defs/test-hdfs-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hdfs-servicedef.json
new file mode 100755
index 0000000..2a21ea9
--- /dev/null
+++ b/agents-common/src/test/resources/admin/service-defs/test-hdfs-servicedef.json
@@ -0,0 +1,286 @@
+{
+ "id":1,
+ "name": "hdfs",
+ "implClass": "org.apache.ranger.services.hdfs.RangerServiceHdfs",
+ "label": "HDFS Repository",
+ "description": "HDFS Repository",
+ "guid": "0d047247-bafe-4cf8-8e9b-d5d377284b2d",
+ "resources":
+ [
+ {
+ "itemId": 1,
+ "name": "path",
+ "type": "path",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": true,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":false },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Resource Path",
+ "description": "HDFS file or directory path"
+ }
+ ],
+
+ "accessTypes":
+ [
+ {
+ "itemId": 1,
+ "name": "read",
+ "label": "Read"
+ },
+
+ {
+ "itemId": 2,
+ "name": "write",
+ "label": "Write"
+ },
+
+ {
+ "itemId": 3,
+ "name": "execute",
+ "label": "Execute"
+ }
+ ],
+
+ "configs":
+ [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "subType": "",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Username"
+ },
+
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "subType": "",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Password"
+ },
+
+ {
+ "itemId": 3,
+ "name": "fs.default.name",
+ "type": "string",
+ "subType": "",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Namenode URL"
+ },
+
+ {
+ "itemId": 4,
+ "name": "hadoop.security.authorization",
+ "type": "bool",
+ "subType": "YesTrue:NoFalse",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Authorization Enabled",
+ "defaultValue": "false"
+ },
+
+ {
+ "itemId": 5,
+ "name": "hadoop.security.authentication",
+ "type": "enum",
+ "subType": "authnType",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Authentication Type",
+ "defaultValue": "simple"
+ },
+
+ {
+ "itemId": 6,
+ "name": "hadoop.security.auth_to_local",
+ "type": "string",
+ "subType": "",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 7,
+ "name": "dfs.datanode.kerberos.principal",
+ "type": "string",
+ "subType": "",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 8,
+ "name": "dfs.namenode.kerberos.principal",
+ "type": "string",
+ "subType": "",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 9,
+ "name": "dfs.secondary.namenode.kerberos.principal",
+ "type": "string",
+ "subType": "",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 10,
+ "name": "hadoop.rpc.protection",
+ "type": "enum",
+ "subType": "rpcProtection",
+ "mandatory": false,
+ "label": "RPC Protection Type",
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "defaultValue": "authentication"
+ },
+
+ {
+ "itemId": 11,
+ "name": "commonNameForCertificate",
+ "type": "string",
+ "subType": "",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Common Name for Certificate"
+ }
+ ],
+
+ "enums":
+ [
+ {
+ "itemId": 1,
+ "name": "authnType",
+ "elements":
+ [
+ {
+ "itemId": 1,
+ "name": "simple",
+ "label": "Simple"
+ },
+
+ {
+ "itemId": 2,
+ "name": "kerberos",
+ "label": "Kerberos"
+ }
+ ],
+
+ "defaultIndex": 0
+ },
+
+ {
+ "itemId": 2,
+ "name": "rpcProtection",
+ "elements":
+ [
+ {
+ "itemId": 1,
+ "name": "authentication",
+ "label": "Authentication"
+ },
+
+ {
+ "itemId": 2,
+ "name": "integrity",
+ "label": "Integrity"
+ },
+
+ {
+ "itemId": 3,
+ "name": "privacy",
+ "label": "Privacy"
+ }
+ ],
+
+ "defaultIndex": 0
+ }
+ ],
+
+ "contextEnrichers":
+ [
+ {
+ "itemId":1,
+ "name" : "GeolocationEnricher_format_long",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+ "enricherOptions" : {
+ "FilePath":"/etc/ranger/geo/geo_long.txt", "ForceRead":"false", "IPInDotFormat":"false"
+ ,"geolocation.meta.prefix": "FORMAT_LONG_"
+ }
+ },
+ {
+ "itemId":2,
+ "name" : "GeolocationEnricher_format_dot",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+ "enricherOptions" : {
+ "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true"
+ ,"geolocation.meta.prefix": "FORMAT_DOT_"
+ }
+ }
+ ,
+ {
+ "itemId":1,
+ "name" : "GeolocationEnricher",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+ "enricherOptions" : {
+ "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true"
+ ,"geolocation.meta.prefix": "TEST_"
+ }
+ }
+ ],
+
+ "policyConditions":
+ [
+ {
+ "itemId":1,
+ "name":"ScriptConditionEvaluator",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript"},
+ "label":"Script",
+ "description": "Script to execute"
+ }
+ ,
+ { "itemId": 2,
+ "name":"country",
+ "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher",
+ "evaluatorOptions":{"CONTEXT_NAME":"country"}
+ }
+
+ ]
+}
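Review bot: In `contextEnrichers`, the third entry (`GeolocationEnricher`) reuses `"itemId":1`, which the first entry (`GeolocationEnricher_format_long`) already has. If item ids are meant to be unique within a list, as the sequential ids elsewhere in this file suggest, it should read `"itemId":3`. The file is also added with mode 100755 while the hbase fixture beside it is 100644; a JSON fixture does not need the executable bit.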
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json
index 53b1926..32d92b0 100644
--- a/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json
+++ b/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json
@@ -1,226 +1,457 @@
{
- "id":3,
- "name": "hive",
- "implClass": "org.apache.ranger.services.hive.RangerServiceHive",
- "label": "Hive Server2",
- "description": "Hive Server2",
- "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
- "resources":
- [
- {
- "itemId": 1,
- "name": "database",
- "type": "string",
- "level": 10,
- "parent": "",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Hive Database",
- "description": "Hive Database"
- },
-
- {
- "itemId": 2,
- "name": "table",
- "type": "string",
- "level": 20,
- "parent": "database",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Hive Table",
- "description": "Hive Table"
- },
-
- {
- "itemId": 3,
- "name": "udf",
- "type": "string",
- "level": 20,
- "parent": "database",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Hive UDF",
- "description": "Hive UDF"
- },
-
- {
- "itemId": 4,
- "name": "column",
- "type": "string",
- "level": 30,
- "parent": "table",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": true,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": { "wildCard":true, "ignoreCase":true },
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Hive Column",
- "description": "Hive Column"
- }
- ],
-
- "accessTypes":
- [
- {
- "itemId": 1,
- "name": "select",
- "label": "select"
- },
-
- {
- "itemId": 2,
- "name": "update",
- "label": "update"
- },
-
- {
- "itemId": 3,
- "name": "create",
- "label": "Create"
- },
-
- {
- "itemId": 4,
- "name": "drop",
- "label": "Drop"
- },
-
- {
- "itemId": 5,
- "name": "alter",
- "label": "Alter"
- },
-
- {
- "itemId": 6,
- "name": "index",
- "label": "Index"
- },
-
- {
- "itemId": 7,
- "name": "lock",
- "label": "Lock"
- },
-
- {
- "itemId": 8,
- "name": "all",
- "label": "All",
- "impliedGrants":
- [
- "select",
- "update",
- "create",
- "drop",
- "alter",
- "index",
- "lock"
- ]
- }
- ],
-
- "configs":
- [
- {
- "itemId": 1,
- "name": "username",
- "type": "string",
- "mandatory": true,
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Username"
- },
-
- {
- "itemId": 2,
- "name": "password",
- "type": "password",
- "mandatory": true,
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Password"
- },
-
- {
- "itemId": 3,
- "name": "jdbc.driverClassName",
- "type": "string",
- "mandatory": true,
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "defaultValue": "org.apache.hive.jdbc.HiveDriver"
- },
-
- {
- "itemId": 4,
- "name": "jdbc.url",
- "type": "string",
- "mandatory": true,
- "defaultValue": "",
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":""
- },
-
- {
- "itemId": 5,
- "name": "commonNameForCertificate",
- "type": "string",
- "mandatory": false,
- "validationRegEx":"",
- "validationMessage": "",
- "uiHint":"",
- "label": "Common Name for Certificate"
- }
- ],
-
- "enums":
- [
-
- ],
-
- "contextEnrichers":
- [
- ],
-
- "policyConditions":
- [
- {
- "itemId":1,
- "name":"not-accessed-together",
- "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesNotAccessedTogetherCondition",
- "evaluatorOptions" : {},
- "label":"Not Accessed Together?",
- "description": "List of Hive resources"
- }
- ]
+ "id":3,
+ "name": "hive",
+ "implClass": "org.apache.ranger.services.hive.RangerServiceHive",
+ "label": "Hive Server2",
+ "description": "Hive Server2",
+ "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
+ "resources":
+ [
+ {
+ "itemId": 1,
+ "name": "database",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Hive Database",
+ "description": "Hive Database",
+ "accessTypeRestrictions":["select", "update", "create", "drop", "alter", "lock"],
+ "isValidLeaf": true
+ },
+
+ {
+ "itemId": 2,
+ "name": "table",
+ "type": "string",
+ "level": 20,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Hive Table",
+ "description": "Hive Table",
+ "accessTypeRestrictions":["select", "update", "create", "drop", "alter", "index", "lock"],
+ "isValidLeaf": true
+ },
+
+ {
+ "itemId": 3,
+ "name": "udf",
+ "type": "string",
+ "level": 20,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Hive UDF",
+ "description": "Hive UDF",
+ "accessTypeRestrictions":["select", "update", "create", "drop", "alter"],
+ "isValidLeaf": true
+ },
+
+ {
+ "itemId": 4,
+ "name": "column",
+ "type": "string",
+ "level": 30,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Hive Column",
+ "description": "Hive Column",
+ "accessTypeRestrictions":["select", "update", "alter", "lock"],
+ "isValidLeaf": true
+ },
+
+ {
+ "itemId": 5,
+ "name": "url",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": true,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":false },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "URL",
+ "description": "URL",
+ "accessTypeRestrictions":["read", "write"],
+ "isValidLeaf": true
+ }
+ ],
+
+ "accessTypes":
+ [
+ {
+ "itemId": 1,
+ "name": "select",
+ "label": "select"
+ },
+
+ {
+ "itemId": 2,
+ "name": "update",
+ "label": "update"
+ },
+
+ {
+ "itemId": 3,
+ "name": "create",
+ "label": "Create"
+ },
+
+ {
+ "itemId": 4,
+ "name": "drop",
+ "label": "Drop"
+ },
+
+ {
+ "itemId": 5,
+ "name": "alter",
+ "label": "Alter"
+ },
+
+ {
+ "itemId": 6,
+ "name": "index",
+ "label": "Index"
+ },
+
+ {
+ "itemId": 7,
+ "name": "lock",
+ "label": "Lock"
+ },
+
+ {
+ "itemId": 8,
+ "name": "all",
+ "label": "All",
+ "impliedGrants":
+ [
+ "select",
+ "update",
+ "create",
+ "drop",
+ "alter",
+ "index",
+ "lock",
+ "read",
+ "write"
+ ]
+ },
+
+ {
+ "itemId": 9,
+ "name": "read",
+ "label": "Read"
+ },
+
+ {
+ "itemId": 10,
+ "name": "write",
+ "label": "Write"
+ }
+ ],
+
+ "configs":
+ [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Username"
+ },
+
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Password"
+ },
+
+ {
+ "itemId": 3,
+ "name": "jdbc.driverClassName",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "defaultValue": "org.apache.hive.jdbc.HiveDriver"
+ },
+
+ {
+ "itemId": 4,
+ "name": "jdbc.url",
+ "type": "string",
+ "mandatory": true,
+ "defaultValue": "",
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":""
+ },
+
+ {
+ "itemId": 5,
+ "name": "commonNameForCertificate",
+ "type": "string",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Common Name for Certificate"
+ }
+ ],
+
+ "enums":
+ [
+
+ ],
+
+ "contextEnrichers":
+ [
+ {
+ "itemId":1,
+ "name" : "GeolocationEnricher_format_long",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+ "enricherOptions" : {
+ "FilePath":"/etc/ranger/geo/geo_long.txt", "ForceRead":"false", "IPInDotFormat":"false"
+ ,"geolocation.meta.prefix": "FORMAT_LONG_"
+ }
+ },
+ {
+ "itemId":2,
+ "name" : "GeolocationEnricher_format_dot",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+ "enricherOptions" : {
+ "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true"
+ ,"geolocation.meta.prefix": "FORMAT_DOT_"
+ }
+ }
+ ],
+
+ "policyConditions":
+ [
+ {
+ "itemId":1,
+ "name":"ScriptConditionEvaluator",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript"},
+ "label":"Script",
+ "description": "Script to execute"
+ }
+ ,
+ { "itemId": 2,
+ "name":"country",
+ "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher",
+ "evaluatorOptions":{"CONTEXT_NAME":"country"}
+ }
+ ,
+ {
+ "itemId":3,
+ "name":"not-accessed-together",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesNotAccessedTogetherCondition",
+ "evaluatorOptions" : {},
+ "label":"Not Accessed Together?",
+ "description": "List of Hive resources"
+ }
+ ,
+ {
+ "itemId":4,
+ "name":"accessed-together",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesAccessedTogetherCondition",
+ "evaluatorOptions" : {"ui.isMultiline":"false" },
+ "label":"Accessed Together?",
+ "description": "List of Hive resources"
+ }
+ ],
+ "dataMaskDef": {
+ "accessTypes": [
+ {
+ "name": "select"
+ }
+ ],
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "database",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcherOptions": {
+ "wildCard": "false"
+ },
+ "uiHint":"{ \"singleValue\":true }",
+ "isValidLeaf": false
+ },
+ {
+ "itemId": 2,
+ "name": "table",
+ "type": "string",
+ "level": 20,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcherOptions": {
+ "wildCard": "false"
+ },
+ "uiHint":"{ \"singleValue\":true }",
+ "isValidLeaf": false
+ },
+ {
+ "itemId": 4,
+ "name": "column",
+ "type": "string",
+ "level": 30,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcherOptions": {
+ "wildCard": "false"
+ },
+ "uiHint":"{ \"singleValue\":true }",
+ "isValidLeaf": true
+ }
+ ],
+ "maskTypes": [
+ {
+ "itemId": 1,
+ "name": "MASK",
+ "label": "Redact",
+ "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
+ "transformer": "mask({col})",
+ "dataMaskOptions": {
+ }
+ },
+ {
+ "itemId": 2,
+ "name": "MASK_SHOW_LAST_4",
+ "label": "Partial mask: show last 4",
+ "description": "Show last 4 characters; replace rest with 'x'",
+ "transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')"
+ },
+ {
+ "itemId": 3,
+ "name": "MASK_SHOW_FIRST_4",
+ "label": "Partial mask: show first 4",
+ "description": "Show first 4 characters; replace rest with 'x'",
+ "transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')"
+ },
+ {
+ "itemId": 4,
+ "name": "MASK_HASH",
+ "label": "Hash",
+ "description": "Hash the value",
+ "transformer": "mask_hash({col})"
+ },
+ {
+ "itemId": 5,
+ "name": "MASK_NULL",
+ "label": "Nullify",
+ "description": "Replace with NULL"
+ },
+ {
+ "itemId": 6,
+ "name": "MASK_NONE",
+ "label": "Unmasked (retain original value)",
+ "description": "No masking"
+ },
+ {
+ "itemId": 12,
+ "name": "MASK_DATE_SHOW_YEAR",
+ "label": "Date: show only year",
+ "description": "Date: show only year",
+ "transformer": "mask({col}, 'x', 'x', 'x', -1, '1', 1, 0, -1)"
+ },
+ {
+ "itemId": 13,
+ "name": "CUSTOM",
+ "label": "Custom",
+ "description": "Custom"
+ }
+ ]
+ },
+ "rowFilterDef": {
+ "accessTypes": [
+ {
+ "name": "select"
+ }
+ ],
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "database",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcherOptions": {
+ "wildCard": "false"
+ },
+ "uiHint": "{ \"singleValue\":true }",
+ "isValidLeaf": false
+ },
+ {
+ "itemId": 2,
+ "name": "table",
+ "type": "string",
+ "level": 20,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcherOptions": {
+ "wildCard": "false"
+ },
+ "uiHint": "{ \"singleValue\":true }",
+ "isValidLeaf": true
+ }
+ ]
+ }
}
+
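Review bot: None of the `accessTypeRestrictions` lists added to the resources names `all`, while the `all` access type now carries `read` and `write` in its `impliedGrants`, even though those two appear only in the list for the new `url` resource. How a policy item granting `all` on `database`, `table`, `udf` or `column` is handled (dropped, or expanded to grants outside that resource's list) depends on engine code not shown in this hunk. The fixture should be paired with a test case that pins the expected outcome for `all` on each resource. Separately, `dataMaskDef` and `rowFilterDef` write `"wildCard": "false"` as a string where `resources` uses the boolean `"wildCard":true`; `"wildCard": false` would keep one type for the key.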
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/admin/service-defs/test-tag-servicedef.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/admin/service-defs/test-tag-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-tag-servicedef.json
new file mode 100644
index 0000000..c17b750
--- /dev/null
+++ b/agents-common/src/test/resources/admin/service-defs/test-tag-servicedef.json
@@ -0,0 +1,82 @@
+{
+ "id":100,
+ "name": "tag",
+ "implClass": "org.apache.ranger.services.tag.RangerServiceTag",
+ "label": "TAG",
+ "description": "TAG Service Definition",
+ "guid": "0d047248-baff-4cf9-8e9e-d5d377284b2e",
+ "options":
+ {
+ "ui.pages":"tag-based-policies"
+ },
+ "resources":
+ [
+ {
+ "itemId":1,
+ "name": "tag",
+ "type": "string",
+ "level": 1,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":false, "ignoreCase":false },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"{ \"singleValue\":true }",
+ "label": "TAG",
+ "description": "TAG"
+ }
+ ],
+
+ "accessTypes":
+ [
+
+ ],
+
+ "configs":
+ [
+
+ ],
+
+ "enums":
+ [
+
+ ],
+
+ "contextEnrichers":
+ [
+ {
+ "itemId": 1,
+ "name" : "TagEnricher",
+ "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+ "enricherOptions" : {
+ "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever",
+ "tagRefresherPollingInterval": 60000
+ }
+ }
+ ],
+
+ "policyConditions":
+ [
+ {
+ "itemId":1,
+ "name":"accessed-after-expiry",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+ "evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedAfter('expiry_date');" },
+ "uiHint": "{ \"singleValue\":true }",
+ "label":"Accessed after expiry_date (yes/no)?",
+ "description": "Accessed after expiry_date? (yes/no)"
+ },
+ {
+ "itemId":2,
+ "name":"expression",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
+ "label":"Enter boolean expression",
+ "description": "Boolean expression"
+ }
+ ]
+}
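Review bot: `"tagRefresherPollingInterval": 60000` is a JSON number, whereas the enricher options in the other fixtures of this commit are all strings (`"ForceRead":"false"`, `"IPInDotFormat":"true"`). If the options are read as a string-to-string map, `"tagRefresherPollingInterval": "60000"` would avoid depending on the parser's coercion. The `label` and `description` of `accessed-after-expiry` also place `(yes/no)` on different sides of the question mark; one wording for both would read better.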
http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/log4j.xml
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/log4j.xml b/agents-common/src/test/resources/log4j.xml
index d863cf1..558e27b 100644
--- a/agents-common/src/test/resources/log4j.xml
+++ b/agents-common/src/test/resources/log4j.xml
@@ -26,9 +26,8 @@
</layout>
</appender>
- <!--
- <appender name="ranger_perf_appender" class="org.apache.log4j.DailyRollingFileAppender">
- <param name="file" value="./ranger_admin_perf.log" />
+ <appender name="ranger_perf_appender" class="org.apache.log4j.ConsoleAppender">
+ <param name="target" value="System.err" />
<param name="datePattern" value="'.'yyyy-MM-dd" />
<param name="append" value="true" />
<layout class="org.apache.log4j.PatternLayout">
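Review bot: The `datePattern` and `append` params left under the appender are file-appender properties and do not apply to `org.apache.log4j.ConsoleAppender`, so log4j 1.x will probably report them as unknown properties on each test run. Now that the class is `ConsoleAppender` with `target` set to `System.err`, drop `<param name="datePattern" value="'.'yyyy-MM-dd" />` and `<param name="append" value="true" />`. The appender element continues past the end of this hunk.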
@@ -36,6 +35,7 @@
</layout>
</appender>
+ <!--
<logger name="org.apache.ranger.perf.policyengine" additivity="false">
<level value="debug" />
<appender-ref ref="ranger_perf_appender" />
@@ -51,6 +51,11 @@
<appender-ref ref="ranger_perf_appender" />
</logger>
+ <logger name="org.apache.ranger.perf.policyresourcematcher" additivity="false">
+ <level value="debug" />
+ <appender-ref ref="ranger_perf_appender" />
+ </logger>
+
<logger name="org.apache.ranger.perf.contextenricher" additivity="false">
<level value="debug" />
<appender-ref ref="ranger_perf_appender" />
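Review bot: This `org.apache.ranger.perf.policyresourcematcher` logger appears to sit inside the comment that the previous hunk opens with `<!--` and the final hunk closes, and the final hunk adds the same logger again outside the comment, so this copy is inert. Keeping only the uncommented definition avoids two copies drifting apart. The active one is at `debug` with `additivity="false"` on the `System.err` appender, so every test run will emit perf output; if that is not intended, `<level value="info" />` on the active logger would keep it quiet by default.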
@@ -70,7 +75,12 @@
<level value="debug" />
<appender-ref ref="ranger_perf_appender" />
</logger>
- -->
+ -->
+
+ <logger name="org.apache.ranger.perf.policyresourcematcher" additivity="false">
+ <level value="debug" />
+ <appender-ref ref="ranger_perf_appender" />
+ </logger>
<root>
<level value="warn" />