You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by co...@apache.org on 2017/04/18 09:36:44 UTC
[2/3] ranger git commit: RANGER-1421 - Add tag based authorization
tests for the supported components
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
index 64a0a63..57b4eef 100644
--- a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
+++ b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
@@ -49,6 +49,12 @@ import org.junit.Test;
* d) "dave" can do a select on the table "words" but only if the "count" column is >= 80
* e) "jane" can do a select on the table "words", but only get a "hash" of the word, and not the word itself.
* f) "da_test_user" is delegate admin for rangerauthz database.
+ *
+ * In addition we have some TAG based policies created in Atlas and synced into Ranger:
+ *
+ * a) The tag "HiveTableTag" is associated with "select" permission to the "dev" group to the "words" table in the "hivetable" database.
+ * b) The tag "HiveDatabaseTag" is associated with "create" permission to the "dev" group to the "hivetable" database.
+ * c) The tag "HiveColumnTag" is associated with "select" permission to the "frank" user to the "word" column of the "words" table.
*/
public class HIVERangerAuthorizerTest {
@@ -584,128 +590,294 @@ public class HIVERangerAuthorizerTest {
connection.close();
}
- @Test
- public void testCreateDropMacro() throws Exception {
- String initialUrl = "jdbc:hive2://localhost:" + port;
- Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
- Statement statement = connection.createStatement();
- statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthz2");
+ @Test
+ public void testCreateDropMacro() throws Exception {
+ String initialUrl = "jdbc:hive2://localhost:" + port;
+ Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+ Statement statement = connection.createStatement();
+ statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthz2");
- statement.close();
- connection.close();
+ statement.close();
+ connection.close();
- // Load data into HIVE
- String url = "jdbc:hive2://localhost:" + port + "/rangerauthz2";
- connection = DriverManager.getConnection(url, "admin", "admin");
- statement = connection.createStatement();
+ // Load data into HIVE
+ String url = "jdbc:hive2://localhost:" + port + "/rangerauthz2";
+ connection = DriverManager.getConnection(url, "admin", "admin");
+ statement = connection.createStatement();
- statement.execute("create table if not exists rangerauthz2.macro_testing (a INT, b INT)");
- statement.execute("insert into rangerauthz2.macro_testing (a, b) values (4, 5)");
- statement.execute("insert into rangerauthz2.macro_testing (a, b) values (3, 5)");
+ statement.execute("create table if not exists rangerauthz2.macro_testing (a INT, b INT)");
+ statement.execute("insert into rangerauthz2.macro_testing (a, b) values (4, 5)");
+ statement.execute("insert into rangerauthz2.macro_testing (a, b) values (3, 5)");
- ResultSet resultSet = statement.executeQuery("SELECT * FROM rangerauthz2.macro_testing where b == '5'");
- //Verify Table Created And Contains Data
+ ResultSet resultSet = statement.executeQuery("SELECT * FROM rangerauthz2.macro_testing where b == '5'");
+ //Verify Table Created And Contains Data
- if (resultSet.next()) {
- Assert.assertEquals(5, resultSet.getInt(2));
- } else {
- Assert.fail("No Resultset Found");
- }
+ if (resultSet.next()) {
+ Assert.assertEquals(5, resultSet.getInt(2));
+ } else {
+ Assert.fail("No Resultset Found");
+ }
- statement.execute("create temporary macro math_cube(x int) x*x*x");
- ResultSet resultSet2 = statement.executeQuery("select math_cube(b) from rangerauthz2.macro_testing");
+ statement.execute("create temporary macro math_cube(x int) x*x*x");
+ ResultSet resultSet2 = statement.executeQuery("select math_cube(b) from rangerauthz2.macro_testing");
- if (resultSet2.next()) {
- Assert.assertEquals(125, resultSet2.getInt(1));
- } else {
- Assert.fail("Macro Not Created Properly");
- }
+ if (resultSet2.next()) {
+ Assert.assertEquals(125, resultSet2.getInt(1));
+ } else {
+ Assert.fail("Macro Not Created Properly");
+ }
- statement.execute("drop temporary macro math_cube");
+ statement.execute("drop temporary macro math_cube");
- try{
- statement.executeQuery("select math_cube(b) from rangerauthz2.macro_testing");
- Assert.fail("macro deleted already");
- }
- catch(SQLException ex){
- //expected
- }
+ try{
+ statement.executeQuery("select math_cube(b) from rangerauthz2.macro_testing");
+ Assert.fail("macro deleted already");
+ }
+ catch(SQLException ex){
+ //expected
+ }
- statement.execute("DROP TABLE rangerauthz2.macro_testing");
- statement.execute("DROP DATABASE rangerauthz2");
+ statement.execute("DROP TABLE rangerauthz2.macro_testing");
+ statement.execute("DROP DATABASE rangerauthz2");
- statement.close();
- connection.close();
+ statement.close();
+ connection.close();
+ }
+
+ @Test
+ public void testCreateDropFunction() throws Exception {
+ String initialUrl = "jdbc:hive2://localhost:" + port;
+ Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+ Statement statement = connection.createStatement();
+
+ statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthz3");
+ statement.close();
+ connection.close();
+
+ String url = "jdbc:hive2://localhost:" + port + "/rangerauthz3";
+ connection = DriverManager.getConnection(url, "admin", "admin");
+ statement = connection.createStatement();
+ statement.execute("CREATE TABLE if not exists rangerauthz3.function_testing (a DOUBLE, b DOUBLE)");
+ statement.execute("insert into rangerauthz3.function_testing (a, b) values (4.54845, 5.5487)");
+ ResultSet resultSet2 = statement.executeQuery("select round(b) from rangerauthz3.function_testing");
+
+ if (resultSet2.next()) {
+ Assert.assertEquals(6, resultSet2.getInt(1));
+ } else {
+ Assert.fail("No Resultset Found");
+ }
+
+ statement.execute("DROP TABLE rangerauthz3.function_testing");
+ statement.execute("DROP DATABASE rangerauthz3");
+
+ statement.close();
+ connection.close();
+ }
+
+ @Test
+ public void testGrantrevoke() throws Exception {
+ String initialUrl = "jdbc:hive2://localhost:" + port;
+ Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+ Statement statement = connection.createStatement();
+ statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthzx");
+ statement.execute("use rangerauthzx");
+ statement.execute("CREATE TABLE rangerauthzx.tbl1 (a INT, b INT)");
+ statement.close();
+ connection.close();
+
+ String url = "jdbc:hive2://localhost:" + port;
+ connection = DriverManager.getConnection(url, "dave", "dave");
+ statement = connection.createStatement();
+ try{
+ statement.execute("use rangerauthzx");
+ statement.execute("grant select ON TABLE rangerauthzx.tbl1 to USER jane with grant option");
+ Assert.fail("access should not have been granted");
+ }
+ catch(SQLException ex){
+ //expected
}
- @Test
- public void testCreateDropFunction() throws Exception {
- String initialUrl = "jdbc:hive2://localhost:" + port;
- Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+ connection = DriverManager.getConnection(url, "da_test_user", "da_test_user");
+ statement = connection.createStatement();
+ try{
+ statement.execute("use rangerauthzx");
+ statement.execute("grant select ON TABLE rangerauthzx.tbl1 to USER jane with grant option");
+ }
+ catch(SQLException ex){
+ Assert.fail("access should have been granted to da_test_user");
+ }
+ statement.close();
+ connection.close();
+
+ connection = DriverManager.getConnection(url, "admin", "admin");
+ statement = connection.createStatement();
+ statement.execute("DROP TABLE rangerauthzx.tbl1");
+ }
+
+ @Test
+ public void testTagBasedPolicyForTable() throws Exception {
+
+ String url = "jdbc:hive2://localhost:" + port;
+
+ // Create a database as "admin"
+ Connection connection = DriverManager.getConnection(url, "admin", "admin");
+ Statement statement = connection.createStatement();
+
+ statement.execute("CREATE DATABASE hivetable");
+
+ statement.close();
+ connection.close();
+
+ // Create a "words" table in "hivetable"
+ final String tableUrl = "jdbc:hive2://localhost:" + port + "/hivetable";
+ connection = DriverManager.getConnection(tableUrl, "admin", "admin");
+ statement = connection.createStatement();
+ statement.execute("CREATE TABLE WORDS (word STRING, count INT)");
+ statement.execute("CREATE TABLE WORDS2 (word STRING, count INT)");
+
+ statement.close();
+ connection.close();
+
+ // Now try to read it as the "public" group
+ UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] {"dev"});
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ public Void run() throws Exception {
+ Connection connection = DriverManager.getConnection(tableUrl, "alice", "alice");
Statement statement = connection.createStatement();
- statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthz3");
+ // "words" should work
+ ResultSet resultSet = statement.executeQuery("SELECT * FROM words");
+ Assert.assertNotNull(resultSet);
+
statement.close();
- connection.close();
- String url = "jdbc:hive2://localhost:" + port + "/rangerauthz3";
- connection = DriverManager.getConnection(url, "admin", "admin");
statement = connection.createStatement();
- statement.execute("CREATE TABLE if not exists rangerauthz3.function_testing (a DOUBLE, b DOUBLE)");
- statement.execute("insert into rangerauthz3.function_testing (a, b) values (4.54845, 5.5487)");
- ResultSet resultSet2 = statement.executeQuery("select round(b) from rangerauthz3.function_testing");
-
- if (resultSet2.next()) {
- Assert.assertEquals(6, resultSet2.getInt(1));
- } else {
- Assert.fail("No Resultset Found");
+ try {
+ // "words2" should not
+ statement.executeQuery("SELECT * FROM words2");
+ Assert.fail("Failure expected on an unauthorized call");
+ } catch (SQLException ex) {
+ // expected
}
- statement.execute("DROP TABLE rangerauthz3.function_testing");
- statement.execute("DROP DATABASE rangerauthz3");
-
statement.close();
connection.close();
- }
+ return null;
+ }
+ });
+
+ // Drop the table and database as "admin"
+ connection = DriverManager.getConnection(tableUrl, "admin", "admin");
+ statement = connection.createStatement();
+
+ statement.execute("drop TABLE words");
+ statement.execute("drop TABLE words2");
+ statement.execute("drop DATABASE hivetable");
+
+ statement.close();
+ connection.close();
+ }
- @Test
- public void testGrantrevoke() throws Exception {
- String initialUrl = "jdbc:hive2://localhost:" + port;
- Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+ @Test
+ public void testTagBasedPolicyForDatabase() throws Exception {
+
+ final String url = "jdbc:hive2://localhost:" + port;
+
+ UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] {"dev"});
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ public Void run() throws Exception {
+ // Create a database
+ Connection connection = DriverManager.getConnection(url, "alice", "alice");
Statement statement = connection.createStatement();
- statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthzx");
- statement.execute("use rangerauthzx");
- statement.execute("CREATE TABLE rangerauthzx.tbl1 (a INT, b INT)");
+
+ statement.execute("CREATE DATABASE hivetable");
statement.close();
- connection.close();
- String url = "jdbc:hive2://localhost:" + port;
- connection = DriverManager.getConnection(url, "dave", "dave");
statement = connection.createStatement();
- try{
- statement.execute("use rangerauthzx");
- statement.execute("grant select ON TABLE rangerauthzx.tbl1 to USER jane with grant option");
- Assert.fail("access should not have been granted");
- }
- catch(SQLException ex){
- //expected
+ try {
+ // "hivetable2" should not be allowed to be created by the "dev" group
+ statement.execute("CREATE DATABASE hivetable2");
+ Assert.fail("Failure expected on an unauthorized call");
+ } catch (SQLException ex) {
+ // expected
}
- connection = DriverManager.getConnection(url, "da_test_user", "da_test_user");
- statement = connection.createStatement();
- try{
- statement.execute("use rangerauthzx");
- statement.execute("grant select ON TABLE rangerauthzx.tbl1 to USER jane with grant option");
- }
- catch(SQLException ex){
- Assert.fail("access should have been granted to da_test_user");
+ statement.close();
+ connection.close();
+ return null;
+ }
+ });
+
+ // Drop the database as "admin"
+ Connection connection = DriverManager.getConnection(url, "admin", "admin");
+ Statement statement = connection.createStatement();
+
+ statement.execute("drop DATABASE hivetable");
+
+ statement.close();
+ connection.close();
+ }
+
+ @Test
+ public void testTagBasedPolicyForColumn() throws Exception {
+
+ String url = "jdbc:hive2://localhost:" + port;
+
+ // Create a database as "admin"
+ Connection connection = DriverManager.getConnection(url, "admin", "admin");
+ Statement statement = connection.createStatement();
+
+ statement.execute("CREATE DATABASE hivetable");
+
+ statement.close();
+ connection.close();
+
+ // Create a "words" table in "hivetable"
+ final String tableUrl = "jdbc:hive2://localhost:" + port + "/hivetable";
+ connection = DriverManager.getConnection(tableUrl, "admin", "admin");
+ statement = connection.createStatement();
+ statement.execute("CREATE TABLE WORDS (word STRING, count INT)");
+ statement.execute("CREATE TABLE WORDS2 (word STRING, count INT)");
+
+ statement.close();
+ connection.close();
+
+ // Now try to read it as the user "frank"
+ UserGroupInformation ugi = UserGroupInformation.createUserForTesting("frank", new String[] {"unknown"});
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ public Void run() throws Exception {
+ Connection connection = DriverManager.getConnection(tableUrl, "frank", "frank");
+
+ // we can select "word" from "words"
+ Statement statement = connection.createStatement();
+ ResultSet resultSet = statement.executeQuery("SELECT word FROM words");
+ Assert.assertNotNull(resultSet);
+ statement.close();
+
+ try {
+ // we can't select "word" from "words2" as "frank"
+ statement.executeQuery("SELECT word FROM words2");
+ Assert.fail("Failure expected on an unauthorized call");
+ } catch (SQLException ex) {
+ // expected
}
+
statement.close();
connection.close();
+ return null;
+ }
+ });
- connection = DriverManager.getConnection(url, "admin", "admin");
- statement = connection.createStatement();
- statement.execute("DROP TABLE rangerauthzx.tbl1");
- }
+ // Drop the table and database as "admin"
+ connection = DriverManager.getConnection(tableUrl, "admin", "admin");
+ statement = connection.createStatement();
+
+ statement.execute("drop TABLE words");
+ statement.execute("drop TABLE words2");
+ statement.execute("drop DATABASE hivetable");
+
+ statement.close();
+ connection.close();
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java b/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java
index 8b48dd8..e1c30d0 100644
--- a/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java
+++ b/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java
@@ -38,6 +38,7 @@ import com.google.gson.GsonBuilder;
public class RangerAdminClientImpl implements RangerAdminClient {
private static final Logger LOG = LoggerFactory.getLogger(RangerAdminClientImpl.class);
private final static String cacheFilename = "hive-policies.json";
+ private final static String tagFilename = "hive-policies-tag.json";
private Gson gson;
public void init(String serviceName, String appId, String configPropertyPrefix) {
@@ -72,8 +73,15 @@ public class RangerAdminClientImpl implements RangerAdminClient {
}
public ServiceTags getServiceTagsIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception {
- return null;
+ String basedir = System.getProperty("basedir");
+ if (basedir == null) {
+ basedir = new File(".").getCanonicalPath();
+ }
+
+ java.nio.file.Path cachePath = FileSystems.getDefault().getPath(basedir, "/src/test/resources/" + tagFilename);
+ byte[] cacheBytes = Files.readAllBytes(cachePath);
+ return gson.fromJson(new String(cacheBytes), ServiceTags.class);
}
public List<String> getTagTypes(String tagTypePattern) throws Exception {
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/resources/hive-policies-tag.json
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/resources/hive-policies-tag.json b/hive-agent/src/test/resources/hive-policies-tag.json
new file mode 100644
index 0000000..27b15c5
--- /dev/null
+++ b/hive-agent/src/test/resources/hive-policies-tag.json
@@ -0,0 +1,108 @@
+{
+ "op": "add_or_update",
+ "serviceName": "cl1_hive",
+ "tagVersion": 8,
+ "tagDefinitions": {},
+ "tags": {
+ "5": {
+ "type": "HiveTableTag",
+ "owner": 0,
+ "attributes": {},
+ "id": 5,
+ "isEnabled": true,
+ "version": 1
+ },
+ "6": {
+ "type": "HiveDatabaseTag",
+ "owner": 0,
+ "attributes": {},
+ "id": 6,
+ "isEnabled": true,
+ "version": 1
+ },
+ "7": {
+ "type": "HiveColumnTag",
+ "owner": 0,
+ "attributes": {},
+ "id": 7,
+ "isEnabled": true,
+ "version": 1
+ }
+ },
+ "serviceResources": [
+ {
+ "resourceElements": {
+ "database": {
+ "values": [
+ "hivetable"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "words"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "id": 5,
+ "isEnabled": true,
+ "version": 14
+ },
+ {
+ "resourceElements": {
+ "database": {
+ "values": [
+ "hivetable"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "id": 6,
+ "isEnabled": true,
+ "version": 14
+ },
+ {
+ "resourceElements": {
+ "database": {
+ "values": [
+ "hivetable"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "word"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "words"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "id": 7,
+ "isEnabled": true,
+ "version": 14
+ }
+ ],
+ "resourceToTagIds": {
+ "5": [
+ 5
+ ],
+ "6": [
+ 6
+ ],
+ "7": [
+ 7
+ ]
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/resources/hive-policies.json
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/resources/hive-policies.json b/hive-agent/src/test/resources/hive-policies.json
index dd71424..2b568dc 100644
--- a/hive-agent/src/test/resources/hive-policies.json
+++ b/hive-agent/src/test/resources/hive-policies.json
@@ -1,18 +1,19 @@
{
- "serviceName": "HIVETest",
- "serviceId": 2,
- "policyVersion": 11,
- "policyUpdateTime": "20160915-12:47:25.000-+0100",
+ "serviceName": "cl1_hive",
+ "serviceId": 8,
+ "policyVersion": 19,
+ "policyUpdateTime": "20170221-13:11:59.000-+0000",
"policies": [
{
- "service": "HIVETest",
- "name": "all - database, table, column",
+ "service": "cl1_hive",
+ "name": "WordsPolicy",
"policyType": 0,
+ "description": "",
"isAuditEnabled": true,
"resources": {
"database": {
"values": [
- "*"
+ "rangerauthz"
],
"isExcludes": false,
"isRecursive": false
@@ -26,7 +27,7 @@
},
"table": {
"values": [
- "*"
+ "words"
],
"isExcludes": false,
"isRecursive": false
@@ -42,48 +43,38 @@
{
"type": "update",
"isAllowed": true
- },
- {
- "type": "create",
- "isAllowed": true
- },
- {
- "type": "drop",
- "isAllowed": true
- },
- {
- "type": "alter",
- "isAllowed": true
- },
- {
- "type": "index",
- "isAllowed": true
- },
- {
- "type": "lock",
- "isAllowed": true
- },
+ }
+ ],
+ "users": [
+ "bob"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false
+ },
+ {
+ "accesses": [
{
- "type": "all",
+ "type": "select",
"isAllowed": true
}
],
"users": [
- "admin"
+ "dave"
],
"groups": [],
"conditions": [],
- "delegateAdmin": true
+ "delegateAdmin": false
},
{
"accesses": [
{
- "type": "create",
+ "type": "select",
"isAllowed": true
}
],
"users": [
- "bob"
+ "jane"
],
"groups": [],
"conditions": [],
@@ -95,19 +86,20 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 8,
+ "id": 23,
"isEnabled": true,
- "version": 2
+ "version": 3
},
- {
- "service": "HIVETest",
- "name": "Delagate admin-allowed on rangerauthzx",
+ {
+ "service": "cl1_hive",
+ "name": "AllPolicy",
"policyType": 0,
+ "description": "",
"isAuditEnabled": true,
"resources": {
"database": {
"values": [
- "rangerauthzx"
+ "*"
],
"isExcludes": false,
"isRecursive": false
@@ -131,78 +123,17 @@
{
"accesses": [
{
- "type": "select",
- "isAllowed": true
- },
- {
- "type": "update",
- "isAllowed": true
- },
- {
"type": "create",
"isAllowed": true
- },
- {
- "type": "drop",
- "isAllowed": true
- },
- {
- "type": "alter",
- "isAllowed": true
- },
- {
- "type": "index",
- "isAllowed": true
- },
- {
- "type": "lock",
- "isAllowed": true
- },
- {
- "type": "all",
- "isAllowed": true
}
],
"users": [
- "da_test_user"
+ "bob"
],
"groups": [],
"conditions": [],
- "delegateAdmin": true
- }
- ],
- "denyPolicyItems": [],
- "allowExceptions": [],
- "denyExceptions": [],
- "dataMaskPolicyItems": [],
- "rowFilterPolicyItems": [],
- "id": 8,
- "isEnabled": true,
- "version": 2
- }
- ,
- {
- "service": "HIVETest",
- "name": "all - database, udf",
- "policyType": 0,
- "isAuditEnabled": true,
- "resources": {
- "database": {
- "values": [
- "*"
- ],
- "isExcludes": false,
- "isRecursive": false
+ "delegateAdmin": false
},
- "udf": {
- "values": [
- "*"
- ],
- "isExcludes": false,
- "isRecursive": false
- }
- },
- "policyItems": [
{
"accesses": [
{
@@ -243,7 +174,7 @@
],
"groups": [],
"conditions": [],
- "delegateAdmin": true
+ "delegateAdmin": false
}
],
"denyPolicyItems": [],
@@ -251,14 +182,15 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 9,
+ "id": 24,
"isEnabled": true,
- "version": 1
+ "version": 2
},
{
- "service": "HIVETest",
- "name": "SelectUpdateAllWords",
+ "service": "cl1_hive",
+ "name": "CountWordsPolicy",
"policyType": 0,
+ "description": "",
"isAuditEnabled": true,
"resources": {
"database": {
@@ -270,7 +202,7 @@
},
"column": {
"values": [
- "*"
+ "count"
],
"isExcludes": false,
"isRecursive": false
@@ -289,31 +221,12 @@
{
"type": "select",
"isAllowed": true
- },
- {
- "type": "update",
- "isAllowed": true
}
],
- "users": [
- "bob"
- ],
- "groups": [],
- "conditions": [],
- "delegateAdmin": false
- },
- {
- "accesses": [
- {
- "type": "select",
- "isAllowed": true
- }
- ],
- "users": [
- "dave",
- "jane"
+ "users": [],
+ "groups": [
+ "IT"
],
- "groups": [],
"conditions": [],
"delegateAdmin": false
}
@@ -323,14 +236,15 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 10,
+ "id": 25,
"isEnabled": true,
- "version": 3
+ "version": 1
},
{
- "service": "HIVETest",
- "name": "SelectCountWords",
+ "service": "cl1_hive",
+ "name": "TmpSelectPolicy",
"policyType": 0,
+ "description": "",
"isAuditEnabled": true,
"resources": {
"database": {
@@ -342,14 +256,14 @@
},
"column": {
"values": [
- "count"
+ "*"
],
"isExcludes": false,
"isRecursive": false
},
"table": {
"values": [
- "words"
+ "*_tmp_*"
],
"isExcludes": false,
"isRecursive": false
@@ -363,6 +277,20 @@
"isAllowed": true
}
],
+ "users": [
+ "bob"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false
+ },
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
"users": [],
"groups": [
"IT"
@@ -376,40 +304,42 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 11,
+ "id": 26,
"isEnabled": true,
- "version": 1
+ "version": 2
},
{
- "service": "HIVETest",
- "name": "TmpUpdatePolicy",
- "policyType": 0,
+ "service": "cl1_hive",
+ "name": "DavePolicy",
+ "policyType": 2,
+ "description": "",
"isAuditEnabled": true,
"resources": {
"database": {
"values": [
- "*"
- ],
- "isExcludes": false,
- "isRecursive": false
- },
- "column": {
- "values": [
- "*"
+ "rangerauthz"
],
"isExcludes": false,
"isRecursive": false
},
"table": {
"values": [
- "*_tmp_*"
+ "words"
],
"isExcludes": false,
"isRecursive": false
}
},
- "policyItems": [
+ "policyItems": [],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [
{
+ "rowFilterInfo": {
+ "filterExpr": "count \u003e\u003d \u002780\u0027"
+ },
"accesses": [
{
"type": "select",
@@ -417,28 +347,22 @@
}
],
"users": [
- "bob"
- ],
- "groups": [
- "IT"
+ "dave"
],
+ "groups": [],
"conditions": [],
"delegateAdmin": false
}
],
- "denyPolicyItems": [],
- "allowExceptions": [],
- "denyExceptions": [],
- "dataMaskPolicyItems": [],
- "rowFilterPolicyItems": [],
- "id": 12,
+ "id": 27,
"isEnabled": true,
"version": 1
},
{
- "service": "HIVETest",
- "name": "DaveFilter",
- "policyType": 2,
+ "service": "cl1_hive",
+ "name": "JanePolicy",
+ "policyType": 1,
+ "description": "",
"isAuditEnabled": true,
"resources": {
"database": {
@@ -448,6 +372,13 @@
"isExcludes": false,
"isRecursive": false
},
+ "column": {
+ "values": [
+ "word"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
"table": {
"values": [
"words"
@@ -460,11 +391,12 @@
"denyPolicyItems": [],
"allowExceptions": [],
"denyExceptions": [],
- "dataMaskPolicyItems": [],
- "rowFilterPolicyItems": [
+ "dataMaskPolicyItems": [
{
- "rowFilterInfo": {
- "filterExpr": "count \u003e\u003d \u002780\u0027"
+ "dataMaskInfo": {
+ "dataMaskType": "MASK_HASH",
+ "conditionExpr": "",
+ "valueExpr": ""
},
"accesses": [
{
@@ -473,72 +405,98 @@
}
],
"users": [
- "dave"
+ "jane"
],
"groups": [],
"conditions": [],
"delegateAdmin": false
}
],
- "id": 13,
+ "rowFilterPolicyItems": [],
+ "id": 28,
"isEnabled": true,
- "version": 1
+ "version": 2
},
{
- "service": "HIVETest",
- "name": "JaneWordMask",
- "policyType": 1,
+ "service": "cl1_hive",
+ "name": "Delagate admin-allowed on rangerauthzx",
+ "policyType": 0,
"isAuditEnabled": true,
"resources": {
"database": {
"values": [
- "rangerauthz"
+ "rangerauthzx"
],
"isExcludes": false,
"isRecursive": false
},
"column": {
"values": [
- "word"
+ "*"
],
"isExcludes": false,
"isRecursive": false
},
"table": {
"values": [
- "words"
+ "*"
],
"isExcludes": false,
"isRecursive": false
}
},
- "policyItems": [],
- "denyPolicyItems": [],
- "allowExceptions": [],
- "denyExceptions": [],
- "dataMaskPolicyItems": [
+ "policyItems": [
{
- "dataMaskInfo": {
- "dataMaskType": "MASK_HASH"
- },
"accesses": [
{
"type": "select",
"isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ },
+ {
+ "type": "lock",
+ "isAllowed": true
+ },
+ {
+ "type": "all",
+ "isAllowed": true
}
],
"users": [
- "jane"
+ "da_test_user"
],
"groups": [],
"conditions": [],
- "delegateAdmin": false
+ "delegateAdmin": true
}
],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 14,
+ "id": 8,
"isEnabled": true,
- "version": 1
+ "version": 2
}
],
"serviceDef": {
@@ -750,7 +708,7 @@
{
"itemId": 1,
"name": "MASK",
- "label": "Mask",
+ "label": "Redact",
"description": "Replace lowercase with \u0027x\u0027, uppercase with \u0027X\u0027, digits with \u00270\u0027",
"transformer": "mask({col})",
"dataMaskOptions": {}
@@ -782,58 +740,18 @@
{
"itemId": 5,
"name": "MASK_NULL",
- "label": "NULL",
+ "label": "Nullify",
"description": "Replace with NULL",
"dataMaskOptions": {}
},
{
"itemId": 6,
"name": "MASK_NONE",
- "label": "No masking",
+ "label": "Unmasked (retain original value)",
"description": "No masking",
"dataMaskOptions": {}
},
{
- "itemId": 7,
- "name": "MASK_DATE_DAY",
- "label": "Date: mask day",
- "description": "Date: mask day",
- "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, 1, -1, -1)",
- "dataMaskOptions": {}
- },
- {
- "itemId": 8,
- "name": "MASK_DATE_MONTH",
- "label": "Date: mask month",
- "description": "Date: mask month",
- "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, 0, -1)",
- "dataMaskOptions": {}
- },
- {
- "itemId": 9,
- "name": "MASK_DATE_YEAR",
- "label": "Date: mask year",
- "description": "Date: mask year",
- "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, -1, 0)",
- "dataMaskOptions": {}
- },
- {
- "itemId": 10,
- "name": "MASK_DATE_SHOW_DAY",
- "label": "Date: show only day",
- "description": "Date: show only day",
- "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, 0, 0)",
- "dataMaskOptions": {}
- },
- {
- "itemId": 11,
- "name": "MASK_DATE_SHOW_MONTH",
- "label": "Date: show only month",
- "description": "Date: show only month",
- "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, 1, -1, 0)",
- "dataMaskOptions": {}
- },
- {
"itemId": 12,
"name": "MASK_DATE_SHOW_YEAR",
"label": "Date: show only year",
@@ -978,8 +896,844 @@
"id": 3,
"guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
"isEnabled": true,
- "createTime": "20160914-11:19:33.000-+0100",
- "updateTime": "20160914-11:19:33.000-+0100",
- "version": 1
+ "createTime": "20170217-11:41:32.000-+0000",
+ "updateTime": "20170217-11:42:12.000-+0000",
+ "version": 2
+ },
+ "auditMode": "audit-default",
+ "tagPolicies": {
+ "serviceName": "KafkaTagService",
+ "serviceId": 5,
+ "policyVersion": 12,
+ "policyUpdateTime": "20170221-13:11:59.000-+0000",
+ "policies": [
+ {
+ "service": "KafkaTagService",
+ "name": "EXPIRES_ON",
+ "policyType": 0,
+ "description": "Policy for data with EXPIRES_ON tag",
+ "isAuditEnabled": true,
+ "resources": {
+ "tag": {
+ "values": [
+ "EXPIRES_ON"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "hdfs:read",
+ "isAllowed": true
+ },
+ {
+ "type": "hdfs:write",
+ "isAllowed": true
+ },
+ {
+ "type": "hdfs:execute",
+ "isAllowed": true
+ },
+ {
+ "type": "hbase:read",
+ "isAllowed": true
+ },
+ {
+ "type": "hbase:write",
+ "isAllowed": true
+ },
+ {
+ "type": "hbase:create",
+ "isAllowed": true
+ },
+ {
+ "type": "hbase:admin",
+ "isAllowed": true
+ },
+ {
+ "type": "hive:select",
+ "isAllowed": true
+ },
+ {
+ "type": "hive:update",
+ "isAllowed": true
+ },
+ {
+ "type": "hive:create",
+ "isAllowed": true
+ },
+ {
+ "type": "hive:drop",
+ "isAllowed": true
+ },
+ {
+ "type": "hive:alter",
+ "isAllowed": true
+ },
+ {
+ "type": "hive:index",
+ "isAllowed": true
+ },
+ {
+ "type": "hive:lock",
+ "isAllowed": true
+ },
+ {
+ "type": "hive:all",
+ "isAllowed": true
+ },
+ {
+ "type": "yarn:submit-app",
+ "isAllowed": true
+ },
+ {
+ "type": "yarn:admin-queue",
+ "isAllowed": true
+ },
+ {
+ "type": "knox:allow",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:submitTopology",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:fileUpload",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:fileDownload",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:killTopology",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:rebalance",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:activate",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:deactivate",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:getTopologyConf",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:getTopology",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:getUserTopology",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:getTopologyInfo",
+ "isAllowed": true
+ },
+ {
+ "type": "storm:uploadNewCredentials",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:create",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:delete",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:rollover",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:setkeymaterial",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:get",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:getkeys",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:getmetadata",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:generateeek",
+ "isAllowed": true
+ },
+ {
+ "type": "kms:decrypteek",
+ "isAllowed": true
+ },
+ {
+ "type": "solr:query",
+ "isAllowed": true
+ },
+ {
+ "type": "solr:update",
+ "isAllowed": true
+ },
+ {
+ "type": "solr:others",
+ "isAllowed": true
+ },
+ {
+ "type": "solr:solr_admin",
+ "isAllowed": true
+ },
+ {
+ "type": "kafka:publish",
+ "isAllowed": true
+ },
+ {
+ "type": "kafka:consume",
+ "isAllowed": true
+ },
+ {
+ "type": "kafka:configure",
+ "isAllowed": true
+ },
+ {
+ "type": "kafka:describe",
+ "isAllowed": true
+ },
+ {
+ "type": "kafka:create",
+ "isAllowed": true
+ },
+ {
+ "type": "kafka:delete",
+ "isAllowed": true
+ },
+ {
+ "type": "kafka:kafka_admin",
+ "isAllowed": true
+ },
+ {
+ "type": "atlas:read",
+ "isAllowed": true
+ },
+ {
+ "type": "atlas:create",
+ "isAllowed": true
+ },
+ {
+ "type": "atlas:update",
+ "isAllowed": true
+ },
+ {
+ "type": "atlas:delete",
+ "isAllowed": true
+ },
+ {
+ "type": "atlas:all",
+ "isAllowed": true
+ }
+ ],
+ "users": [],
+ "groups": [
+ "public"
+ ],
+ "conditions": [
+ {
+ "type": "accessed-after-expiry",
+ "values": [
+ "yes"
+ ]
+ }
+ ],
+ "delegateAdmin": false
+ }
+ ],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "id": 10,
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "KafkaTagService",
+ "name": "HiveTableTagPolicy",
+ "policyType": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "tag": {
+ "values": [
+ "HiveTableTag"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "hive:select",
+ "isAllowed": true
+ }
+ ],
+ "users": [],
+ "groups": [
+ "dev"
+ ],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "id": 29,
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "KafkaTagService",
+ "name": "HiveDatabaseTagPolicy",
+ "policyType": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "tag": {
+ "values": [
+ "HiveDatabaseTag"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "hive:create",
+ "isAllowed": true
+ }
+ ],
+ "users": [],
+ "groups": [
+ "dev"
+ ],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "id": 30,
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "KafkaTagService",
+ "name": "HiveColumnTagPolicy",
+ "policyType": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "tag": {
+ "values": [
+ "HiveColumnTag"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "hive:select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "frank"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "id": 31,
+ "isEnabled": true,
+ "version": 1
+ }
+ ],
+ "serviceDef": {
+ "name": "tag",
+ "implClass": "org.apache.ranger.services.tag.RangerServiceTag",
+ "label": "TAG",
+ "description": "TAG Service Definition",
+ "options": {
+ "ui.pages": "tag-based-policies"
+ },
+ "configs": [],
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "tag",
+ "type": "string",
+ "level": 1,
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "false",
+ "ignoreCase": "false"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "{ \"singleValue\":true }",
+ "label": "TAG",
+ "description": "TAG"
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1002,
+ "name": "hdfs:read",
+ "label": "Read",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 1003,
+ "name": "hdfs:write",
+ "label": "Write",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 1004,
+ "name": "hdfs:execute",
+ "label": "Execute",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 2003,
+ "name": "hbase:read",
+ "label": "Read",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 2004,
+ "name": "hbase:write",
+ "label": "Write",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 2005,
+ "name": "hbase:create",
+ "label": "Create",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 2006,
+ "name": "hbase:admin",
+ "label": "Admin",
+ "impliedGrants": [
+ "hbase:read",
+ "hbase:write",
+ "hbase:create"
+ ]
+ },
+ {
+ "itemId": 3004,
+ "name": "hive:select",
+ "label": "select",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 3005,
+ "name": "hive:update",
+ "label": "update",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 3006,
+ "name": "hive:create",
+ "label": "Create",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 3007,
+ "name": "hive:drop",
+ "label": "Drop",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 3008,
+ "name": "hive:alter",
+ "label": "Alter",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 3009,
+ "name": "hive:index",
+ "label": "Index",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 3010,
+ "name": "hive:lock",
+ "label": "Lock",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 3011,
+ "name": "hive:all",
+ "label": "All",
+ "impliedGrants": [
+ "hive:select",
+ "hive:update",
+ "hive:create",
+ "hive:drop",
+ "hive:alter",
+ "hive:index",
+ "hive:lock"
+ ]
+ },
+ {
+ "itemId": 4005,
+ "name": "yarn:submit-app",
+ "label": "submit-app",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 4006,
+ "name": "yarn:admin-queue",
+ "label": "admin-queue",
+ "impliedGrants": [
+ "yarn:submit-app"
+ ]
+ },
+ {
+ "itemId": 5006,
+ "name": "knox:allow",
+ "label": "Allow",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6007,
+ "name": "storm:submitTopology",
+ "label": "Submit Topology",
+ "impliedGrants": [
+ "storm:fileUpload",
+ "storm:fileDownload"
+ ]
+ },
+ {
+ "itemId": 6008,
+ "name": "storm:fileUpload",
+ "label": "File Upload",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6011,
+ "name": "storm:fileDownload",
+ "label": "File Download",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6012,
+ "name": "storm:killTopology",
+ "label": "Kill Topology",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6013,
+ "name": "storm:rebalance",
+ "label": "Rebalance",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6014,
+ "name": "storm:activate",
+ "label": "Activate",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6015,
+ "name": "storm:deactivate",
+ "label": "Deactivate",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6016,
+ "name": "storm:getTopologyConf",
+ "label": "Get Topology Conf",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6017,
+ "name": "storm:getTopology",
+ "label": "Get Topology",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6018,
+ "name": "storm:getUserTopology",
+ "label": "Get User Topology",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6019,
+ "name": "storm:getTopologyInfo",
+ "label": "Get Topology Info",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6020,
+ "name": "storm:uploadNewCredentials",
+ "label": "Upload New Credential",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7008,
+ "name": "kms:create",
+ "label": "Create",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7009,
+ "name": "kms:delete",
+ "label": "Delete",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7010,
+ "name": "kms:rollover",
+ "label": "Rollover",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7011,
+ "name": "kms:setkeymaterial",
+ "label": "Set Key Material",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7012,
+ "name": "kms:get",
+ "label": "Get",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7013,
+ "name": "kms:getkeys",
+ "label": "Get Keys",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7014,
+ "name": "kms:getmetadata",
+ "label": "Get Metadata",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7015,
+ "name": "kms:generateeek",
+ "label": "Generate EEK",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7016,
+ "name": "kms:decrypteek",
+ "label": "Decrypt EEK",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 8108,
+ "name": "solr:query",
+ "label": "Query",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 8208,
+ "name": "solr:update",
+ "label": "Update",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 8308,
+ "name": "solr:others",
+ "label": "Others",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 8908,
+ "name": "solr:solr_admin",
+ "label": "Solr Admin",
+ "impliedGrants": [
+ "solr:query",
+ "solr:update",
+ "solr:others"
+ ]
+ },
+ {
+ "itemId": 9010,
+ "name": "kafka:publish",
+ "label": "Publish",
+ "impliedGrants": [
+ "kafka:describe"
+ ]
+ },
+ {
+ "itemId": 9011,
+ "name": "kafka:consume",
+ "label": "Consume",
+ "impliedGrants": [
+ "kafka:describe"
+ ]
+ },
+ {
+ "itemId": 9014,
+ "name": "kafka:configure",
+ "label": "Configure",
+ "impliedGrants": [
+ "kafka:describe"
+ ]
+ },
+ {
+ "itemId": 9015,
+ "name": "kafka:describe",
+ "label": "Describe",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 9017,
+ "name": "kafka:create",
+ "label": "Create",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 9018,
+ "name": "kafka:delete",
+ "label": "Delete",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 9016,
+ "name": "kafka:kafka_admin",
+ "label": "Kafka Admin",
+ "impliedGrants": [
+ "kafka:publish",
+ "kafka:consume",
+ "kafka:configure",
+ "kafka:describe",
+ "kafka:create",
+ "kafka:delete"
+ ]
+ },
+ {
+ "itemId": 11012,
+ "name": "atlas:read",
+ "label": "read",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 11013,
+ "name": "atlas:create",
+ "label": "create",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 11014,
+ "name": "atlas:update",
+ "label": "update",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 11015,
+ "name": "atlas:delete",
+ "label": "delete",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 11016,
+ "name": "atlas:all",
+ "label": "All",
+ "impliedGrants": [
+ "atlas:read",
+ "atlas:create",
+ "atlas:update",
+ "atlas:delete"
+ ]
+ }
+ ],
+ "policyConditions": [
+ {
+ "itemId": 1,
+ "name": "accessed-after-expiry",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+ "evaluatorOptions": {
+ "scriptTemplate": "ctx.isAccessedAfter(\u0027expiry_date\u0027);"
+ },
+ "uiHint": "{ \"singleValue\":true }",
+ "label": "Accessed after expiry_date (yes/no)?",
+ "description": "Accessed after expiry_date? (yes/no)"
+ }
+ ],
+ "contextEnrichers": [
+ {
+ "itemId": 1,
+ "name": "TagEnricher",
+ "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+ "enricherOptions": {
+ "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever",
+ "tagRefresherPollingInterval": "60000"
+ }
+ }
+ ],
+ "enums": [],
+ "dataMaskDef": {
+ "maskTypes": [],
+ "accessTypes": [],
+ "resources": []
+ },
+ "rowFilterDef": {
+ "accessTypes": [],
+ "resources": []
+ },
+ "id": 100,
+ "guid": "0d047248-baff-4cf9-8e9e-d5d377284b2e",
+ "isEnabled": true,
+ "createTime": "20170217-11:41:33.000-+0000",
+ "updateTime": "20170217-11:41:35.000-+0000",
+ "version": 11
+ },
+ "auditMode": "audit-default"
}
-}
\ No newline at end of file
+}
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/resources/ranger-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/resources/ranger-hive-security.xml b/hive-agent/src/test/resources/ranger-hive-security.xml
index 46fd28e..43489a8 100644
--- a/hive-agent/src/test/resources/ranger-hive-security.xml
+++ b/hive-agent/src/test/resources/ranger-hive-security.xml
@@ -20,7 +20,7 @@
<property>
<name>ranger.plugin.hive.service.name</name>
- <value>HIVETest</value>
+ <value>cl1_hive</value>
<description>
Name of the Ranger service containing policies for this SampleApp instance
</description>
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
index cef9f12..2b0da34 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
@@ -60,7 +60,7 @@ import kafka.utils.ZkUtils;
*
* Policies available from admin via:
*
- * http://localhost:6080/service/plugins/policies/download/KafkaTest
+ * http://localhost:6080/service/plugins/policies/download/cl1_kafka
*
* Clients and services authenticate to Kafka using the SASL SSL protocol as part of this test.
*/
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
index 898c785..f68a164 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
@@ -59,10 +59,14 @@ import kafka.utils.ZkUtils;
*
* - The "IT" group can do anything
* - The "public" group can only "read/describe" on the "test" topic, not "write".
+ *
+ * In addition we have a TAG based policy, which grants "read/describe" access to the "public" group to the "messages" topic (which is associated
+ * with the tag called "MessagesTag". A "kafka_topic" entity was created in Apache Atlas + then associated with the "MessagesTag". This was
+ * then imported into Ranger using the TagSyncService. The policies were then downloaded locally and saved for testing off-line.
*
* Policies available from admin via:
*
- * http://localhost:6080/service/plugins/policies/download/KafkaTest
+ * http://localhost:6080/service/plugins/policies/download/cl1_kafka
*/
public class KafkaRangerAuthorizerTest {
@@ -302,4 +306,68 @@ public class KafkaRangerAuthorizerTest {
producer.close();
}
+
+ // The "public" group can read from "messages"
+ @Test
+ public void testAuthorizedReadUsingTagPolicy() throws Exception {
+ // Create the Producer
+ Properties producerProps = new Properties();
+ producerProps.put("bootstrap.servers", "localhost:" + port);
+ producerProps.put("acks", "all");
+ producerProps.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
+ producerProps.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer");
+ producerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
+ producerProps.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+ producerProps.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, serviceKeystorePath);
+ producerProps.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "sspass");
+ producerProps.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "skpass");
+ producerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, truststorePath);
+ producerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "security");
+
+ final Producer<String, String> producer = new KafkaProducer<>(producerProps);
+
+ // Create the Consumer
+ Properties consumerProps = new Properties();
+ consumerProps.put("bootstrap.servers", "localhost:" + port);
+ consumerProps.put("group.id", "test");
+ consumerProps.put("enable.auto.commit", "true");
+ consumerProps.put("auto.offset.reset", "earliest");
+ consumerProps.put("auto.commit.interval.ms", "1000");
+ consumerProps.put("session.timeout.ms", "30000");
+ consumerProps.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
+ consumerProps.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
+ consumerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
+ consumerProps.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+ consumerProps.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, clientKeystorePath);
+ consumerProps.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "cspass");
+ consumerProps.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "ckpass");
+ consumerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, truststorePath);
+ consumerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "security");
+
+ final KafkaConsumer<String, String> consumer = new KafkaConsumer<>(consumerProps);
+ consumer.subscribe(Arrays.asList("messages"));
+
+ // Send a message
+ producer.send(new ProducerRecord<String, String>("messages", "somekey", "somevalue"));
+ producer.flush();
+
+ // Poll until we consume it
+
+ ConsumerRecord<String, String> record = null;
+ for (int i = 0; i < 1000; i++) {
+ ConsumerRecords<String, String> records = consumer.poll(100);
+ if (records.count() > 0) {
+ record = records.iterator().next();
+ break;
+ }
+ Thread.sleep(1000);
+ }
+
+ Assert.assertNotNull(record);
+ Assert.assertEquals("somevalue", record.value());
+
+ producer.close();
+ consumer.close();
+ }
+
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java
index 26dc151..9ed94ff 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java
@@ -38,6 +38,7 @@ import com.google.gson.GsonBuilder;
public class RangerAdminClientImpl implements RangerAdminClient {
private static final Logger LOG = LoggerFactory.getLogger(RangerAdminClientImpl.class);
private final static String cacheFilename = "kafka-policies.json";
+ private final static String tagFilename = "kafka-policies-tag.json";
private Gson gson;
public void init(String serviceName, String appId, String configPropertyPrefix) {
@@ -72,8 +73,15 @@ public class RangerAdminClientImpl implements RangerAdminClient {
}
public ServiceTags getServiceTagsIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception {
- return null;
-
+ String basedir = System.getProperty("basedir");
+ if (basedir == null) {
+ basedir = new File(".").getCanonicalPath();
+ }
+
+ java.nio.file.Path cachePath = FileSystems.getDefault().getPath(basedir, "/src/test/resources/" + tagFilename);
+ byte[] cacheBytes = Files.readAllBytes(cachePath);
+
+ return gson.fromJson(new String(cacheBytes), ServiceTags.class);
}
public List<String> getTagTypes(String tagTypePattern) throws Exception {
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/plugin-kafka/src/test/resources/kafka-policies-tag.json
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/resources/kafka-policies-tag.json b/plugin-kafka/src/test/resources/kafka-policies-tag.json
new file mode 100644
index 0000000..c85e133
--- /dev/null
+++ b/plugin-kafka/src/test/resources/kafka-policies-tag.json
@@ -0,0 +1,37 @@
+{
+ "op": "add_or_update",
+ "serviceName": "cl1_kafka",
+ "tagVersion": 2,
+ "tagDefinitions": {},
+ "tags": {
+ "3": {
+ "type": "MessagesTag",
+ "owner": 0,
+ "attributes": {},
+ "id": 3,
+ "isEnabled": true,
+ "version": 1
+ }
+ },
+ "serviceResources": [
+ {
+ "resourceElements": {
+ "topic": {
+ "values": [
+ "messages"
+ ],
+ "isExcludes": false,
+ "isRecursive": true
+ }
+ },
+ "id": 3,
+ "isEnabled": true,
+ "version": 2
+ }
+ ],
+ "resourceToTagIds": {
+ "3": [
+ 3
+ ]
+ }
+}
\ No newline at end of file