Posted to commits@ranger.apache.org by ma...@apache.org on 2022/06/27 23:44:06 UTC
[ranger] branch master updated: RANGER-3796: enhancement to support multiple resource sets in a policy
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new dfab947dd RANGER-3796: enhancement to support multiple resource sets in a policy
dfab947dd is described below
commit dfab947ddd71391a22342f0421754ad3cec0a0e1
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Mon Jun 20 09:54:07 2022 -0700
RANGER-3796: enhancement to support multiple resource sets in a policy
---
.../RangerServiceResourceMatcher.java | 4 +-
.../apache/ranger/plugin/model/RangerPolicy.java | 82 +-
.../model/RangerPolicyResourceSignature.java | 45 +-
.../model/validation/RangerPolicyValidator.java | 47 +-
.../plugin/model/validation/RangerValidator.java | 12 +-
.../validation/RangerZoneResourceMatcher.java | 4 +-
.../policyengine/RangerPolicyEngineImpl.java | 37 +-
.../policyengine/RangerPolicyRepository.java | 61 +-
.../plugin/policyengine/RangerResourceTrie.java | 84 +-
.../RangerAbstractPolicyEvaluator.java | 126 +-
.../RangerAuditPolicyEvaluator.java | 48 +-
.../RangerDefaultDataMaskPolicyItemEvaluator.java | 2 +-
.../RangerDefaultPolicyEvaluator.java | 265 +-
.../policyevaluator/RangerPolicyEvaluator.java | 22 +-
.../RangerDefaultPolicyResourceMatcher.java | 2 +
.../RangerPolicyResourceMatcher.java | 4 +-
...Evaluator.java => RangerResourceEvaluator.java} | 2 +-
.../validation/TestRangerPolicyValidator.java | 25 +-
.../plugin/policyengine/TestPathResourceTrie.java | 47 +-
.../plugin/policyengine/TestPolicyEngine.java | 40 +-
...icyengine_policy_with_additional_resources.json | 84 +
.../org/apache/ranger/biz/RangerPolicyAdmin.java | 2 +-
.../apache/ranger/biz/RangerPolicyAdminImpl.java | 116 +-
.../org/apache/ranger/biz/TestPolicyAdmin.java | 155 ++
.../java/org/apache/ranger/biz/TestPolicyDb.java | 2 +-
.../biz/test_policyadmin_additional_resources.json | 2710 ++++++++++++++++++++
26 files changed, 3681 insertions(+), 347 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java
index 9433ae1da..465d7d375 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java
@@ -24,7 +24,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
-import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import org.apache.ranger.plugin.util.ServiceDefUtil;
@@ -32,7 +32,7 @@ import java.io.Serializable;
import java.util.Comparator;
import java.util.Map;
-public class RangerServiceResourceMatcher implements RangerPolicyResourceEvaluator {
+public class RangerServiceResourceMatcher implements RangerResourceEvaluator {
public static final Comparator<RangerServiceResourceMatcher> ID_COMPARATOR = new IdComparator();
private final RangerServiceResource serviceResource;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index ea4099966..51c28e3f3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -29,7 +29,6 @@ import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
-import org.apache.commons.collections.CollectionUtils;
import org.codehaus.jackson.annotate.JsonAutoDetect;
import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility;
@@ -68,27 +67,28 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
// For future use
private static final long serialVersionUID = 1L;
- private String service;
- private String name;
- private Integer policyType;
- private Integer policyPriority;
- private String description;
- private String resourceSignature;
- private Boolean isAuditEnabled;
- private Map<String, RangerPolicyResource> resources;
- private List<RangerPolicyItemCondition> conditions;
- private List<RangerPolicyItem> policyItems;
- private List<RangerPolicyItem> denyPolicyItems;
- private List<RangerPolicyItem> allowExceptions;
- private List<RangerPolicyItem> denyExceptions;
- private List<RangerDataMaskPolicyItem> dataMaskPolicyItems;
- private List<RangerRowFilterPolicyItem> rowFilterPolicyItems;
- private String serviceType;
- private Map<String, Object> options;
- private List<RangerValiditySchedule> validitySchedules;
- private List<String> policyLabels;
- private String zoneName;
- private Boolean isDenyAllElse;
+ private String service;
+ private String name;
+ private Integer policyType;
+ private Integer policyPriority;
+ private String description;
+ private String resourceSignature;
+ private Boolean isAuditEnabled;
+ private Map<String, RangerPolicyResource> resources;
+ private List<Map<String, RangerPolicyResource>> additionalResources;
+ private List<RangerPolicyItemCondition> conditions;
+ private List<RangerPolicyItem> policyItems;
+ private List<RangerPolicyItem> denyPolicyItems;
+ private List<RangerPolicyItem> allowExceptions;
+ private List<RangerPolicyItem> denyExceptions;
+ private List<RangerDataMaskPolicyItem> dataMaskPolicyItems;
+ private List<RangerRowFilterPolicyItem> rowFilterPolicyItems;
+ private String serviceType;
+ private Map<String, Object> options;
+ private List<RangerValiditySchedule> validitySchedules;
+ private List<String> policyLabels;
+ private String zoneName;
+ private Boolean isDenyAllElse;
public RangerPolicy() {
this(null, null, null, null, null, null, null, null, null, null, null);
@@ -155,6 +155,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
setResourceSignature(other.getResourceSignature());
setIsAuditEnabled(other.getIsAuditEnabled());
setResources(other.getResources());
+ setAdditionalResources(other.getAdditionalResources());
setConditions(other.getConditions());
setPolicyItems(other.getPolicyItems());
setDenyPolicyItems(other.getDenyPolicyItems());
@@ -324,6 +325,28 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
}
+ public List<Map<String, RangerPolicyResource>> getAdditionalResources() {
+ return additionalResources;
+ }
+
+ public void setAdditionalResources(List<Map<String, RangerPolicyResource>> additionalResources) {
+ this.additionalResources = additionalResources;
+ }
+
+ public void addResource(Map<String, RangerPolicyResource> resources) {
+ if (resources != null && !resources.isEmpty()) {
+ if (this.resources == null || this.resources.isEmpty()) {
+ this.resources = resources;
+ } else {
+ if (this.additionalResources == null) {
+ this.additionalResources = new ArrayList<>();
+ }
+
+ this.additionalResources.add(resources);
+ }
+ }
+ }
+
/**
* @return the policyItems
*/
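Review bot: `setAdditionalResources` stores the caller's list as-is, and `addResource` stores the caller's map directly as `this.resources` or as a list element, so the copy path that calls `setAdditionalResources(other.getAdditionalResources())` leaves two policies sharing one list and its maps. A later in-place edit on one of them, such as the key rewrite this commit introduces in `convertPolicyResourceNamesToLower`, then changes the other policy's resources as well. Copying on the way in avoids that, e.g. `this.additionalResources = additionalResources == null ? null : new ArrayList<>(additionalResources);`, with the inner maps copied too if the other setters in this class do so (they are outside the hunk). The three new methods also have no Javadoc, unlike the neighbouring `getPolicyItems`; one line saying that `addResource` fills `resources` first and appends to `additionalResources` afterwards would be enough.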
@@ -558,6 +581,19 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
}
}
sb.append("} ");
+ sb.append("additionalResources={");
+ if(additionalResources != null) {
+ for(Map<String, RangerPolicyResource> additionalResource : additionalResources) {
+ sb.append("{");
+ for(Map.Entry<String, RangerPolicyResource> e : additionalResource.entrySet()) {
+ sb.append(e.getKey()).append("={");
+ e.getValue().toString(sb);
+ sb.append("} ");
+ }
+ sb.append("} ");
+ }
+ }
+ sb.append("} ");
sb.append("policyLabels={");
if(policyLabels != null) {
for(String policyLabel : policyLabels) {
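Review bot: A null element in `additionalResources` makes the new `toString` loop throw on `additionalResource.entrySet()`, and a null map value does the same on `e.getValue().toString(sb)`; only the list itself is null-checked. Since the list can be set directly through `setAdditionalResources`, a guard such as `if (additionalResource == null) { continue; }` keeps a log statement from failing on a malformed policy. The same unchecked dereference of list elements appears in `RangerPolicyResourceSignature.toSignatureString` and in the `isValidResourceNames(Map, ...)` overload of `RangerPolicyValidator`, where `resources.keySet()` follows a null-tolerant `convertPolicyResourceNamesToLower(resources)`; the validator is the better place to turn a null entry into a validation failure. The enclosing method starts and ends outside this hunk.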
@@ -650,7 +686,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
//sb.append("validitySchedules={").append(validitySchedules).append("} ");
sb.append("validitySchedules={");
- if (CollectionUtils.isNotEmpty(validitySchedules)) {
+ if (validitySchedules != null) {
for (RangerValiditySchedule schedule : validitySchedules) {
if (schedule != null) {
sb.append("schedule={").append(schedule).append("}");
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
index 02d0a863f..c14811867 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
@@ -132,7 +132,7 @@ public class RangerPolicyResourceSignature {
}
return valid;
}
-
+
@Override
public String toString() {
// invalid/empty policy gets a deterministic signature as if it had an
@@ -144,13 +144,9 @@ public class RangerPolicyResourceSignature {
if (_policy.getPolicyType() != null) {
type = _policy.getPolicyType();
}
- Map<String, ResourceSerializer> resources = new TreeMap<>();
- for (Map.Entry<String, RangerPolicyResource> entry : _policy.getResources().entrySet()) {
- String resourceName = entry.getKey();
- ResourceSerializer resourceView = new ResourceSerializer(entry.getValue());
- resources.put(resourceName, resourceView);
- }
- String resource = resources.toString();
+
+ String resource = toSignatureString(_policy.getResources(), _policy.getAdditionalResources());
+
if (CollectionUtils.isNotEmpty(_policy.getValiditySchedules())) {
resource += _policy.getValiditySchedules().toString();
}
@@ -175,6 +171,39 @@ public class RangerPolicyResourceSignature {
}
+ public static String toSignatureString(Map<String, RangerPolicyResource> resource) {
+ Map<String, ResourceSerializer> resources = new TreeMap<>();
+
+ for (Map.Entry<String, RangerPolicyResource> entry : resource.entrySet()) {
+ String resourceName = entry.getKey();
+ ResourceSerializer resourceView = new ResourceSerializer(entry.getValue());
+
+ resources.put(resourceName, resourceView);
+ }
+
+ return resources.toString();
+ }
+
+ public static String toSignatureString(Map<String, RangerPolicyResource> resource, List<Map<String, RangerPolicyResource>> additionalResources) {
+ String ret = toSignatureString(resource);
+
+ if (additionalResources != null && !additionalResources.isEmpty()) {
+ List<String> signatures = new ArrayList<>(additionalResources.size() + 1);
+
+ signatures.add(ret);
+
+ for (Map<String, RangerPolicyResource> additionalResource : additionalResources) {
+ signatures.add(toSignatureString(additionalResource));
+ }
+
+ Collections.sort(signatures);
+
+ ret = signatures.toString();
+ }
+
+ return ret;
+ }
+
static public class ResourceSerializer {
final RangerPolicyResource _policyResource;
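Review bot: `toSignatureString(resource, additionalResources)` sorts the per-set signatures but does not de-duplicate them, so a policy whose `additionalResources` repeats its primary resource set gets `[sig, sig]` while an otherwise identical single-set policy gets `sig`. If this signature is what the duplicate-policy check compares (that check is not in this hunk), the same resources can be covered by two policies without being flagged. Collecting into a sorted set and collapsing a single survivor keeps the two forms equal: `Set<String> signatures = new TreeSet<>();` and `ret = signatures.size() == 1 ? signatures.iterator().next() : signatures.toString();`. Both new public static methods also lack Javadoc stating that `resource` must be non-null.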
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 0a58bb36d..e1b5fe8f1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -489,6 +489,15 @@ public class RangerPolicyValidator extends RangerValidator {
valid = isValidResourceNames(policy, failures, serviceDef) && valid;
valid = isValidResourceValues(resourceMap, failures, serviceDef) && valid;
valid = isValidResourceFlags(resourceMap, failures, serviceDef.getResources(), serviceDef.getName(), policy.getName(), isAdmin) && valid;
+
+ List<Map<String, RangerPolicyResource>> additionalResources = policy.getAdditionalResources();
+
+ if (additionalResources != null) {
+ for (Map<String, RangerPolicyResource> additionalResource : additionalResources) {
+ valid = isValidResourceValues(additionalResource, failures, serviceDef) && valid;
+ valid = isValidResourceFlags(additionalResource, failures, serviceDef.getResources(), serviceDef.getName(), policy.getName(), isAdmin) && valid;
+ }
+ }
}
}
@@ -565,17 +574,43 @@ public class RangerPolicyValidator extends RangerValidator {
}
boolean isValidResourceNames(final RangerPolicy policy, final List<ValidationFailureDetails> failures, final RangerServiceDef serviceDef) {
-
- if(LOG.isDebugEnabled()) {
+
+ if (LOG.isDebugEnabled()) {
LOG.debug(String.format("==> RangerPolicyValidator.isValidResourceNames(%s, %s, %s)", policy, failures, serviceDef));
}
boolean valid = true;
- convertPolicyResourceNamesToLower(policy);
- Set<String> policyResources = policy.getResources().keySet();
+
+ Map<String, RangerPolicyResource> resources = policy.getResources();
+
+ if (resources != null) {
+ valid = isValidResourceNames(resources, failures, serviceDef, policy.getPolicyType()) && valid;
+
+ List<Map<String, RangerPolicyResource>> additionalResources = policy.getAdditionalResources();
+
+ if (additionalResources != null) {
+ for (Map<String, RangerPolicyResource> additionalResource : additionalResources) {
+ valid = isValidResourceNames(additionalResource, failures, serviceDef, policy.getPolicyType()) && valid;
+ }
+ }
+
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceNames(%s, %s, %s): %s", policy, failures, serviceDef, valid));
+ }
+
+ return valid;
+ }
+
+ boolean isValidResourceNames(Map<String, RangerPolicyResource> resources, List<ValidationFailureDetails> failures, RangerServiceDef serviceDef, Integer policyType) {
+ boolean valid = true;
+
+ convertPolicyResourceNamesToLower(resources);
+ Set<String> policyResources = resources.keySet();
RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef);
- Set<List<RangerResourceDef>> hierarchies = defHelper.getResourceHierarchies(policy.getPolicyType()); // this can be empty but not null!
+ Set<List<RangerResourceDef>> hierarchies = defHelper.getResourceHierarchies(policyType); // this can be empty but not null!
if (hierarchies.isEmpty()) {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyValidator.isValidResourceNames: serviceDef does not have any resource hierarchies, possibly due to invalid service def!!");
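Review bot: In the rewritten `isValidResourceNames(policy, ...)` the additional resource sets are only checked inside `if (resources != null)`, so a policy with null `resources` and a populated `additionalResources` returns `valid == true` without any name check. The removed code normalised a null map to an empty one and still ran the hierarchy check. Unless the caller already rejects null `resources` (not visible here), iterate `additionalResources` outside that `if`, or record a validation failure when `resources` is null. The new `isValidResourceNames(Map, ...)` overload continues past the end of this hunk.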
@@ -650,7 +685,7 @@ public class RangerPolicyValidator extends RangerValidator {
}
if(LOG.isDebugEnabled()) {
- LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceNames(%s, %s, %s): %s", policy, failures, serviceDef, valid));
+ LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceNames(%s, %s, %s): %s", resources, failures, serviceDef, valid));
}
return valid;
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java
index 62970ad9f..d47be1404 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java
@@ -539,19 +539,21 @@ public abstract class RangerValidator {
/**
* Converts, in place, the resources defined in the policy to have lower-case resource-def-names
- * @param policy
+ * @param resources
* @return
*/
- void convertPolicyResourceNamesToLower(RangerPolicy policy) {
+ void convertPolicyResourceNamesToLower(Map<String, RangerPolicyResource> resources) {
Map<String, RangerPolicyResource> lowerCasePolicyResources = new HashMap<>();
- if (policy.getResources() != null) {
- for (Map.Entry<String, RangerPolicyResource> entry : policy.getResources().entrySet()) {
+ if (resources != null) {
+ for (Map.Entry<String, RangerPolicyResource> entry : resources.entrySet()) {
String lowerCasekey = entry.getKey().toLowerCase();
lowerCasePolicyResources.put(lowerCasekey, entry.getValue());
}
+
+ resources.clear();
+ resources.putAll(lowerCasePolicyResources);
}
- policy.setResources(lowerCasePolicyResources);
}
Map<String, String> getValidationRegExes(RangerServiceDef serviceDef) {
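Review bot: `convertPolicyResourceNamesToLower` now rewrites the caller's map with `resources.clear()` and `putAll`, where it used to build a fresh `HashMap` and hand it to `policy.setResources`. That throws `UnsupportedOperationException` for an unmodifiable map and changes every other holder of the same map instance; two keys that differ only in case still collapse to one entry without a validation failure. The Javadoc should state the new contract, e.g. `@param resources mutable map keyed by resource-def-name; its keys are lower-cased in place`, and the empty `@return` on this void method can go. `entry.getKey().toLowerCase()` also uses the default locale; `toLowerCase(Locale.ROOT)` gives the same keys on every host, provided `java.util.Locale` is imported.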
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
index c6cc9ac72..e079b7c46 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java
@@ -23,7 +23,7 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
-import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.slf4j.Logger;
@@ -33,7 +33,7 @@ import java.util.Collection;
import java.util.List;
import java.util.Map;
-public class RangerZoneResourceMatcher implements RangerPolicyResourceEvaluator {
+public class RangerZoneResourceMatcher implements RangerResourceEvaluator {
private static final Logger LOG = LoggerFactory.getLogger(RangerZoneResourceMatcher.class);
private final String securityZoneName;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 5b3c9c3e5..3ae0add51 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -34,6 +34,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
@@ -307,18 +308,30 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
policyPriority = evaluator.getPolicyPriority();
}
- MatchType matchType = tagMatchTypeMap.get(evaluator.getId());
+ MatchType matchType = tagMatchTypeMap.get(evaluator.getPolicyId());
+
+ boolean isMatched = false;
if (matchType == null) {
- matchType = evaluator.getPolicyResourceMatcher().getMatchType(request.getResource(), request.getContext());
- }
+ for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) {
+ matchType = resourceEvaluator.getPolicyResourceMatcher().getMatchType(request.getResource(), request.getContext());
- final boolean isMatched;
+ if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ isMatched = matchType != MatchType.NONE;
+ } else {
+ isMatched = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
+ }
- if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- isMatched = matchType != MatchType.NONE;
+ if (isMatched) {
+ break;
+ }
+ }
} else {
- isMatched = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
+ if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ isMatched = matchType != MatchType.NONE;
+ } else {
+ isMatched = matchType == MatchType.SELF || matchType == MatchType.SELF_AND_ALL_DESCENDANTS;
+ }
}
if (!isMatched) {
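Review bot: The new loop over `getResourceEvaluators()` stops at the first resource set that satisfies the scope test, so `matchType` ends up as whatever that set returned; under `SELF_OR_DESCENDANTS` a descendant-only match on an earlier set hides a `SELF` match on a later one. If `matchType` is read after this block (the rest of the method is outside the hunk), the outcome depends on the order of the policy's resource sets, and it stays `null` when the list is empty. The scope test is also written out twice; a small private helper such as `isMatch(matchType, request.getResourceMatchingScope())` would keep the two branches from drifting apart.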
@@ -1009,10 +1022,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
RangerTagForEval tag = tagEvaluator.getTag();
allEvaluators.add(evaluator);
- tagMatchTypeMap.put(evaluator.getId(), tag.getMatchType());
+ tagMatchTypeMap.put(evaluator.getPolicyId(), tag.getMatchType());
if (CollectionUtils.isNotEmpty(tag.getValidityPeriods())) {
- policyIdForTemporalTags.add(evaluator.getId());
+ policyIdForTemporalTags.add(evaluator.getPolicyId());
}
}
}
@@ -1166,7 +1179,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return;
}
- boolean isConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
+ boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
for (Map.Entry<String, Map<String, PolicyACLSummary.AccessResult>> userAccessInfo : aclSummary.getUsersAccessInfo().entrySet()) {
final String userName = userAccessInfo.getKey();
@@ -1239,7 +1252,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
if (aclSummary != null) {
- boolean isConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
+ boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
for (RowFilterResult rowFilterResult : aclSummary.getRowFilters()) {
rowFilterResult = copyRowFilter(rowFilterResult);
@@ -1257,7 +1270,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
if (aclSummary != null) {
- boolean isConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
+ boolean isConditional = policyIdForTemporalTags.contains(evaluator.getPolicyId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
for (DataMaskResult dataMaskResult : aclSummary.getDataMasks()) {
dataMaskResult = copyDataMask(dataMaskResult);
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 07cbe7ff6..ff83c7434 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -39,6 +39,7 @@ import org.apache.ranger.plugin.policyevaluator.RangerAuditPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator;
import org.apache.ranger.plugin.store.AbstractServiceStore;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServiceDefUtil;
@@ -701,20 +702,20 @@ public class RangerPolicyRepository {
perf = RangerPerfTracer.getPerfTracer(PERF_TRIE_OP_LOG, "RangerPolicyRepository.getLikelyMatchEvaluators(resource=" + resource.getAsString() + ")");
}
- List<String> resourceKeys = resource == null ? null : options.getServiceDefHelper().getOrderedResourceNames(resource.getKeys());
- Set<RangerPolicyEvaluator> smallestList = null;
+ List<String> resourceKeys = resource == null ? null : options.getServiceDefHelper().getOrderedResourceNames(resource.getKeys());
+ Set<RangerPolicyResourceEvaluator> smallestList = null;
if (CollectionUtils.isNotEmpty(resourceKeys)) {
for (String resourceName : resourceKeys) {
- RangerResourceTrie<RangerPolicyEvaluator> trie = resourceTrie.get(resourceName);
+ RangerResourceTrie<RangerPolicyResourceEvaluator> trie = resourceTrie.get(resourceName);
if (trie == null) { // if no trie exists for this resource level, ignore and continue to next level
continue;
}
- Set<RangerPolicyEvaluator> serviceResourceMatchersForResource = trie.getEvaluatorsForResource(resource.getValue(resourceName), request.getResourceMatchingScope());
- Set<RangerPolicyEvaluator> inheritedResourceMatchers = trie.getInheritedEvaluators();
+ Set<RangerPolicyResourceEvaluator> serviceResourceMatchersForResource = trie.getEvaluatorsForResource(resource.getValue(resourceName), request.getResourceMatchingScope());
+ Set<RangerPolicyResourceEvaluator> inheritedResourceMatchers = trie.getInheritedEvaluators();
if (smallestList != null) {
if (CollectionUtils.isEmpty(inheritedResourceMatchers) && CollectionUtils.isEmpty(serviceResourceMatchersForResource)) {
@@ -724,7 +725,7 @@ public class RangerPolicyRepository {
} else if (CollectionUtils.isEmpty(serviceResourceMatchersForResource)) {
smallestList.retainAll(inheritedResourceMatchers);
} else {
- Set<RangerPolicyEvaluator> smaller, bigger;
+ Set<RangerPolicyResourceEvaluator> smaller, bigger;
if (serviceResourceMatchersForResource.size() < inheritedResourceMatchers.size()) {
smaller = serviceResourceMatchersForResource;
bigger = inheritedResourceMatchers;
@@ -732,7 +733,7 @@ public class RangerPolicyRepository {
smaller = inheritedResourceMatchers;
bigger = serviceResourceMatchersForResource;
}
- Set<RangerPolicyEvaluator> tmp = new HashSet<>();
+ Set<RangerPolicyResourceEvaluator> tmp = new HashSet<>();
if (smallestList.size() < smaller.size()) {
smallestList.stream().filter(smaller::contains).forEach(tmp::add);
smallestList.stream().filter(bigger::contains).forEach(tmp::add);
@@ -748,7 +749,7 @@ public class RangerPolicyRepository {
}
} else {
if (CollectionUtils.isEmpty(inheritedResourceMatchers) || CollectionUtils.isEmpty(serviceResourceMatchersForResource)) {
- Set<RangerPolicyEvaluator> tmp = CollectionUtils.isEmpty(inheritedResourceMatchers) ? serviceResourceMatchersForResource : inheritedResourceMatchers;
+ Set<RangerPolicyResourceEvaluator> tmp = CollectionUtils.isEmpty(inheritedResourceMatchers) ? serviceResourceMatchersForResource : inheritedResourceMatchers;
smallestList = resourceKeys.size() == 1 || CollectionUtils.isEmpty(tmp) ? tmp : new HashSet<>(tmp);
} else {
smallestList = new HashSet<>(serviceResourceMatchersForResource);
@@ -764,8 +765,31 @@ public class RangerPolicyRepository {
}
if (smallestList != null) {
- ret = new ArrayList<>(smallestList);
- ret.sort(RangerPolicyEvaluator.EVAL_ORDER_COMPARATOR);
+ if (smallestList.size() == 0) {
+ ret = new ArrayList<>();
+ } else if (smallestList.size() == 1) {
+ ret = new ArrayList<>(1);
+
+ for (RangerPolicyResourceEvaluator resourceEvaluator : smallestList) {
+ RangerPolicyEvaluator policyEvaluator = resourceEvaluator.getPolicyEvaluator();
+
+ ret.add(policyEvaluator);
+ }
+ } else {
+ ret = new ArrayList<>(smallestList.size());
+
+ Set<Long> policyIds = new HashSet<>();
+
+ for (RangerPolicyResourceEvaluator resourceEvaluator : smallestList) {
+ RangerPolicyEvaluator policyEvaluator = resourceEvaluator.getPolicyEvaluator();
+
+ if (policyIds.add(policyEvaluator.getPolicyId())) {
+ ret.add(policyEvaluator);
+ }
+ }
+
+ ret.sort(RangerPolicyEvaluator.EVAL_ORDER_COMPARATOR);
+ }
}
RangerPerfTracer.logAlways(perf);
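Review bot: De-duplication in the multi-element branch keys on `policyEvaluator.getPolicyId()`, so evaluators whose policies share an id value are reduced to the first one and the others drop out of evaluation. Whether ids can be null or repeated here (for example policies that were never persisted) is not visible in this hunk; if they can, a deny policy could be skipped this way. Keying on the evaluator itself avoids the assumption, as the old code did by holding `RangerPolicyEvaluator` in a `HashSet`: `Set<RangerPolicyEvaluator> seen = new HashSet<>();` with `if (seen.add(policyEvaluator)) { ret.add(policyEvaluator); }`. The one-element branch loops over a set known to hold a single entry; `ret.add(smallestList.iterator().next().getPolicyEvaluator());` says that directly.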
@@ -1224,7 +1248,7 @@ public class RangerPolicyRepository {
String resourceDefName = resourceDef.getName();
- RangerResourceTrie<RangerPolicyEvaluator> trie = trieMap.get(resourceDefName);
+ RangerResourceTrie<RangerPolicyResourceEvaluator> trie = trieMap.get(resourceDefName);
if (trie == null) {
if (RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE == policyDeltaType || RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE == policyDeltaType) {
@@ -1251,18 +1275,23 @@ public class RangerPolicyRepository {
}
}
- private void addEvaluatorToTrie(RangerPolicyEvaluator newEvaluator, RangerResourceTrie<RangerPolicyEvaluator> trie, String resourceDefName) {
+ private void addEvaluatorToTrie(RangerPolicyEvaluator newEvaluator, RangerResourceTrie<RangerPolicyResourceEvaluator> trie, String resourceDefName) {
if (newEvaluator != null) {
- RangerPolicy.RangerPolicyResource resource = newEvaluator.getPolicyResource().get(resourceDefName);
- trie.add(resource, newEvaluator);
+ for (RangerPolicyResourceEvaluator resourceEvaluator : newEvaluator.getResourceEvaluators()) {
+ RangerPolicy.RangerPolicyResource resource = resourceEvaluator.getPolicyResource().get(resourceDefName);
+
+ trie.add(resource, resourceEvaluator);
+ }
} else {
LOG.warn("Unexpected: newPolicyEvaluator is null for resource:[" + resourceDefName + "]");
}
}
- private void removeEvaluatorFromTrie(RangerPolicyEvaluator oldEvaluator, RangerResourceTrie<RangerPolicyEvaluator> trie, String resourceDefName) {
+ private void removeEvaluatorFromTrie(RangerPolicyEvaluator oldEvaluator, RangerResourceTrie<RangerPolicyResourceEvaluator> trie, String resourceDefName) {
if (oldEvaluator != null) {
- trie.delete(oldEvaluator.getPolicyResource().get(resourceDefName), oldEvaluator);
+ for (RangerPolicyResourceEvaluator resourceEvaluator : oldEvaluator.getResourceEvaluators()) {
+ trie.delete(resourceEvaluator.getPolicyResource().get(resourceDefName), resourceEvaluator);
+ }
}
}
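Review bot: `addEvaluatorToTrie` and `removeEvaluatorFromTrie` call `resourceEvaluator.getPolicyResource().get(resourceDefName)` without a null check, while `buildTrie` in `RangerResourceTrie` guards the same lookup with `policyResources != null`. With several resource sets per policy it becomes more likely that one set has no entry for `resourceDefName`, so `trie.add` and `trie.delete` receive a null resource; how they treat that is not visible here. An explicit guard, or a comment stating that a null resource is expected and handled by the trie, would make the incremental path agree with the bulk build.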
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 70b9f6884..504acd3a2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -25,7 +25,8 @@ import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
-import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -37,6 +38,7 @@ import org.slf4j.LoggerFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -48,7 +50,7 @@ import java.util.concurrent.LinkedBlockingQueue;
import static org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher.DEFAULT_PATH_SEPARATOR_CHAR;
import static org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher.OPTION_PATH_SEPARATOR;
-public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
+public class RangerResourceTrie<T extends RangerResourceEvaluator> {
private static final Logger LOG = LoggerFactory.getLogger(RangerResourceTrie.class);
private static final Logger TRACE_LOG = RangerPerfTracer.getPerfLogger("resourcetrie.trace");
private static final Logger PERF_TRIE_INIT_LOG = RangerPerfTracer.getPerfLogger("resourcetrie.init");
@@ -358,7 +360,7 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
return dest;
}
- private TrieNode<T> buildTrie(RangerResourceDef resourceDef, List<T> evaluators, int builderThreadCount) {
+ private <E> TrieNode<T> buildTrie(RangerResourceDef resourceDef, List<E> evaluators, int builderThreadCount) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> buildTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ", isMultiThreaded=" + (builderThreadCount > 1) + ")");
}
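Review bot: The unbounded `<E>` on `buildTrie` drops the compile-time guarantee that every element of `evaluators` is usable, so a wrong element type only surfaces at runtime in the instanceof dispatch of the next hunk, where it is logged and skipped. For an authorization index that is the fail-open direction: a policy left out of the trie is presumably never returned by lookups, which matters most when it carries deny items. I would state the contract on the method, e.g. `// each element must be a RangerPolicyEvaluator or a T; anything else is rejected`, and have the fallback branch throw `IllegalArgumentException` instead of substituting `Collections.emptyList()`. A null element would also reach `evaluator.getClass()` in that branch and fail with a NullPointerException rather than the intended log line. The body of buildTrie continues outside this hunk.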
@@ -393,46 +395,60 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
builderThreadMap = null;
}
- for (T evaluator : evaluators) {
- Map<String, RangerPolicyResource> policyResources = evaluator.getPolicyResource();
- RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null;
+ for (E evaluator : evaluators) {
+ final List<T> resourceEvaluators;
- if (policyResource == null) {
- if (evaluator.isAncestorOf(resourceDef)) {
- addInheritedEvaluator(evaluator);
- }
+ if (evaluator instanceof RangerPolicyEvaluator) {
+ resourceEvaluators = (List<T>) ((RangerPolicyEvaluator) evaluator).getResourceEvaluators();
+ } else if (evaluator instanceof RangerResourceEvaluator) {
+ resourceEvaluators = Collections.singletonList((T) evaluator);
+ } else {
+ LOG.error("buildTrie(): unexpected evaluator class " + evaluator.getClass().getCanonicalName());
- continue;
+ resourceEvaluators = Collections.emptyList();
}
- if (policyResource.getIsExcludes()) {
- addInheritedEvaluator(evaluator);
- } else {
- RangerResourceMatcher resourceMatcher = evaluator.getResourceMatcher(resourceName);
+ for (T resourceEvaluator : resourceEvaluators) {
+ Map<String, RangerPolicyResource> policyResources = resourceEvaluator.getPolicyResource();
+ RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null;
+
+ if (policyResource == null) {
+ if (resourceEvaluator.isAncestorOf(resourceDef)) {
+ addInheritedEvaluator(resourceEvaluator);
+ }
- if (resourceMatcher != null && (resourceMatcher.isMatchAny())) {
- ret.addWildcardEvaluator(evaluator);
+ continue;
+ }
+
+ if (policyResource.getIsExcludes()) {
+ addInheritedEvaluator(resourceEvaluator);
} else {
- if (CollectionUtils.isNotEmpty(policyResource.getValues())) {
- for (String resource : policyResource.getValues()) {
- if (!isMultiThreaded) {
- insert(ret, resource, policyResource.getIsRecursive(), evaluator);
- } else {
- try {
- lastUsedThreadIndex = insert(ret, resource, policyResource.getIsRecursive(), evaluator, builderThreadMap, builderThreads, lastUsedThreadIndex);
- } catch (InterruptedException ex) {
- LOG.error("Failed to dispatch " + resource + " to " + builderThreads.get(lastUsedThreadIndex));
- LOG.error("Failing and retrying with one thread");
-
- ret = null;
-
- break;
+ RangerResourceMatcher resourceMatcher = resourceEvaluator.getResourceMatcher(resourceName);
+
+ if (resourceMatcher != null && (resourceMatcher.isMatchAny())) {
+ ret.addWildcardEvaluator(resourceEvaluator);
+ } else {
+ if (CollectionUtils.isNotEmpty(policyResource.getValues())) {
+ for (String resource : policyResource.getValues()) {
+ if (!isMultiThreaded) {
+ insert(ret, resource, policyResource.getIsRecursive(), resourceEvaluator);
+ } else {
+ try {
+ lastUsedThreadIndex = insert(ret, resource, policyResource.getIsRecursive(), resourceEvaluator, builderThreadMap, builderThreads, lastUsedThreadIndex);
+ } catch (InterruptedException ex) {
+ LOG.error("Failed to dispatch " + resource + " to " + builderThreads.get(lastUsedThreadIndex));
+ LOG.error("Failing and retrying with one thread");
+
+ ret = null;
+
+ break;
+ }
}
}
- }
- if (ret == null) {
- break;
+ if (ret == null) {
+ break;
+ }
}
}
}
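Review bot: The `if (ret == null) { break; }` near the end of this hunk used to leave the evaluator loop, but it now leaves only the inner `for (T resourceEvaluator : resourceEvaluators)` loop, so after an InterruptedException the outer `for (E evaluator : evaluators)` loop moves on to the next evaluator with `ret` still null. The next `ret.addWildcardEvaluator(resourceEvaluator)` would then dereference null, and `insert(ret, ...)` would be handed a null root, instead of reaching the single-threaded retry that the log message promises. Unless the outer loop already has its own check past the end of this hunk (its closing brace is not visible here), add `if (ret == null) { break; }` right after the inner loop. Restoring the flag with `Thread.currentThread().interrupt();` in the catch block would also keep the interruption visible to callers.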
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index ad102a765..c16d2acb0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -21,27 +21,38 @@ package org.apache.ranger.plugin.policyevaluator;
import org.apache.commons.collections.CollectionUtils;
import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.util.ArrayList;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
+import java.util.concurrent.atomic.AtomicLong;
import java.util.stream.Collectors;
public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
private static final Logger LOG = LoggerFactory.getLogger(RangerAbstractPolicyEvaluator.class);
- private RangerPolicy policy;
- private RangerServiceDef serviceDef;
- private RangerResourceDef leafResourceDef;
- private int evalOrder;
- protected RangerPluginContext pluginContext = null;
+ private static final AtomicLong NEXT_RESOURCE_EVALUATOR_ID = new AtomicLong(1);
+
+ private RangerPolicy policy;
+ private RangerServiceDef serviceDef;
+ private boolean needsDynamicEval = false;
+ private int evalOrder;
+ private List<RangerPolicyResourceEvaluator> resourceEvaluators = Collections.emptyList();
+ protected RangerPluginContext pluginContext = null;
public void setPluginContext(RangerPluginContext pluginContext) { this.pluginContext = pluginContext; }
@@ -54,23 +65,38 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
}
- this.policy = getPrunedPolicy(policy);
- this.serviceDef = serviceDef;
- this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
+ this.policy = getPrunedPolicy(policy);
+ this.serviceDef = serviceDef;
+ this.needsDynamicEval = false;
+
+ List<RangerPolicyResourceEvaluator> resourceEvaluators = new ArrayList<>();
+ RangerDefaultPolicyResourceEvaluator resourceEvaluator = new RangerDefaultPolicyResourceEvaluator(NEXT_RESOURCE_EVALUATOR_ID.getAndIncrement(), policy.getResources(), getPolicyType(), serviceDef, options.getServiceDefHelper());
+
+ resourceEvaluators.add(resourceEvaluator);
+
+ this.needsDynamicEval = this.needsDynamicEval || resourceEvaluator.getPolicyResourceMatcher().getNeedsDynamicEval();
+
+ if (CollectionUtils.isNotEmpty(policy.getAdditionalResources())) {
+ for (Map<String, RangerPolicyResource> additionalResource : policy.getAdditionalResources()) {
+ resourceEvaluator = new RangerDefaultPolicyResourceEvaluator(NEXT_RESOURCE_EVALUATOR_ID.getAndIncrement(), additionalResource, getPolicyType(), serviceDef, options.getServiceDefHelper());
+
+ resourceEvaluators.add(resourceEvaluator);
+
+ this.needsDynamicEval = this.needsDynamicEval || resourceEvaluator.getPolicyResourceMatcher().getNeedsDynamicEval();
+ }
+ }
+
+ this.resourceEvaluators = resourceEvaluators;
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + this.policy + ", " + serviceDef + ")");
}
}
- @Override
- public long getId() {
- return policy != null ? policy.getId() :-1;
- }
+ public int getPolicyType() {
+ Integer ret = policy != null ? policy.getPolicyType() : null;
- @Override
- public Map<String, RangerPolicy.RangerPolicyResource> getPolicyResource() {
- return policy !=null ? policy.getResources() : null;
+ return ret != null ? ret.intValue() : RangerPolicy.POLICY_TYPE_ACCESS;
}
@Override
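Review bot: The two `new RangerDefaultPolicyResourceEvaluator(...)` calls read `policy.getResources()` and `policy.getAdditionalResources()` straight from the method parameter, whereas the removed line went through `getPolicyResource()`, which tolerated a null policy. `RangerDefaultPolicyEvaluator.init()` still guards its own work with `if(policy != null)`, which suggests a null policy can reach this method; if so, init now throws a NullPointerException before any evaluator is built. Wrapping the construction in `if (policy != null) { ... }` keeps the old tolerance and leaves `resourceEvaluators` as the empty list. The two construction sites differ only in the resource map, so a small private helper taking the map would remove the duplication. init() begins above this hunk.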
@@ -78,19 +104,26 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
return policy;
}
+ @Override
+ public long getPolicyId() {
+ Long ret = policy != null ? policy.getId() : null;
+
+ return ret != null ? ret.longValue() : -1;
+ }
+
@Override
public int getPolicyPriority() {
return policy != null && policy.getPolicyPriority() != null ? policy.getPolicyPriority() : RangerPolicy.POLICY_PRIORITY_NORMAL;
}
@Override
- public RangerServiceDef getServiceDef() {
- return serviceDef;
+ public List<RangerPolicyResourceEvaluator> getResourceEvaluators() {
+ return resourceEvaluators;
}
@Override
- public boolean isAncestorOf(RangerResourceDef resourceDef) {
- return ServiceDefUtil.isAncestorOf(serviceDef, leafResourceDef, resourceDef);
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
}
public boolean hasAllow() {
@@ -105,6 +138,8 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
return policy != null && (policy.getIsDenyAllElse() || CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()));
}
+ protected boolean needsDynamicEval() { return needsDynamicEval; }
+
private RangerPolicy getPrunedPolicy(final RangerPolicy policy) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAbstractPolicyEvaluator.getPrunedPolicy(" + policy + ")");
@@ -199,4 +234,57 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
return sb;
}
+
+ public class RangerDefaultPolicyResourceEvaluator implements RangerPolicyResourceEvaluator {
+ private final long id;
+ private final Map<String, RangerPolicyResource> resource;
+ private final RangerDefaultPolicyResourceMatcher resourceMatcher;
+ private final RangerResourceDef leafResourceDef;
+
+ public RangerDefaultPolicyResourceEvaluator(long id, Map<String, RangerPolicyResource> resource, int policyType, RangerServiceDef serviceDef, RangerServiceDefHelper serviceDefHelper) {
+ this.id = id;
+ this.resource = resource;
+ this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, resource);
+ this.resourceMatcher = new RangerDefaultPolicyResourceMatcher();
+
+ this.resourceMatcher.setPolicyResources(resource, policyType);
+ this.resourceMatcher.setServiceDef(serviceDef);
+ this.resourceMatcher.setServiceDefHelper(serviceDefHelper);
+ this.resourceMatcher.init();
+ }
+
+ @Override
+ public RangerPolicyEvaluator getPolicyEvaluator() {
+ return RangerAbstractPolicyEvaluator.this;
+ }
+
+ @Override
+ public long getId() {
+ return id;
+ }
+
+ @Override
+ public RangerPolicyResourceMatcher getPolicyResourceMatcher() {
+ return resourceMatcher;
+ }
+
+ @Override
+ public Map<String, RangerPolicyResource> getPolicyResource() {
+ return resource;
+ }
+
+ @Override
+ public RangerResourceMatcher getResourceMatcher(String resourceName) {
+ return resourceMatcher.getResourceMatcher(resourceName);
+ }
+
+ @Override
+ public boolean isAncestorOf(RangerResourceDef resourceDef) {
+ if (resourceMatcher.getPolicyType() == RangerPolicy.POLICY_TYPE_AUDIT && (resource == null || resource.isEmpty())) {
+ return true;
+ } else {
+ return ServiceDefUtil.isAncestorOf(serviceDef, leafResourceDef, resourceDef);
+ }
+ }
+ }
}
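Review bot: In `isAncestorOf`, `serviceDef` resolves to the enclosing evaluator's private field, while `leafResourceDef` and the matcher were built from the `serviceDef` passed to the constructor. They are the same object when the class is created from `init()`, but the constructor is public and nothing ties the two together, so a caller passing a different service definition would get an ancestor check against one definition and a matcher built from another. Keeping the argument in the evaluator itself, `private final RangerServiceDef serviceDef;` set with `this.serviceDef = serviceDef;`, removes the dependency on outer state. A short class comment saying that `resource` is stored by reference and that the matcher is initialised from it once in the constructor would also help readers who later modify the map.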
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index ace4e30ac..1c46f184c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -26,7 +26,6 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.policyengine.*;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
@@ -81,11 +80,6 @@ public class RangerAuditPolicyEvaluator extends RangerDefaultPolicyEvaluator {
}
}
- @Override
- public boolean isAncestorOf(RangerResourceDef resourceDef) {
- return matchAnyResource || super.isAncestorOf(resourceDef);
- }
-
@Override
public void evaluate(RangerAccessRequest request, RangerAccessResult result) {
if (LOG.isDebugEnabled()) {
@@ -119,33 +113,39 @@ public class RangerAuditPolicyEvaluator extends RangerDefaultPolicyEvaluator {
}
private boolean matchResource(RangerAccessRequest request) {
- final boolean ret;
+ boolean ret = false;
if (!matchAnyResource) {
- RangerPolicyResourceMatcher.MatchType matchType;
+ for (RangerPolicyResourceEvaluator resourceEvaluator : getResourceEvaluators()) {
+ RangerPolicyResourceMatcher.MatchType matchType;
- if (RangerTagAccessRequest.class.isInstance(request)) {
- matchType = ((RangerTagAccessRequest) request).getMatchType();
+ if (RangerTagAccessRequest.class.isInstance(request)) {
+ matchType = ((RangerTagAccessRequest) request).getMatchType();
+
+ if (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
+ matchType = RangerPolicyResourceMatcher.MatchType.SELF;
+ }
+ } else {
+ RangerPolicyResourceMatcher resourceMatcher = resourceEvaluator.getPolicyResourceMatcher();
- if (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
- matchType = RangerPolicyResourceMatcher.MatchType.SELF;
+ if (resourceMatcher != null) {
+ matchType = resourceMatcher.getMatchType(request.getResource(), request.getContext());
+ } else {
+ matchType = RangerPolicyResourceMatcher.MatchType.NONE;
+ }
}
- } else {
- RangerPolicyResourceMatcher resourceMatcher = getPolicyResourceMatcher();
- if (resourceMatcher != null) {
- matchType = resourceMatcher.getMatchType(request.getResource(), request.getContext());
+ if (request.isAccessTypeAny()) {
+ ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
+ } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
} else {
- matchType = RangerPolicyResourceMatcher.MatchType.NONE;
+ ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
}
- }
- if (request.isAccessTypeAny()) {
- ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
- } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
- } else {
- ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
+ if (ret) {
+ break;
+ }
}
} else {
ret = true;
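Review bot: For a `RangerTagAccessRequest` the match type comes from the request alone, so every pass of the new loop computes the same `matchType` and the same `ret` without consulting `resourceEvaluator`. The result is still correct, but a non-matching tag request now walks every resource set for nothing, and the loop reads as if each set were being tested. Handling the tag case once before the loop would make the intent explicit. The same three-way `ret` decision is repeated in `RangerDefaultPolicyEvaluator.evaluate()`, so a shared helper would keep the two from drifting apart. matchResource() continues past the end of this hunk.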
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index f7e5f81f8..8d9969a3f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -51,7 +51,7 @@ public class RangerDefaultDataMaskPolicyItemEvaluator extends RangerDefaultPolic
result.setMaskedValue(dataMaskInfo.getValueExpr());
result.setIsAccessDetermined(true);
result.setPolicyPriority(policyEvaluator.getPolicyPriority());
- result.setPolicyId(policyEvaluator.getId());
+ result.setPolicyId(policyEvaluator.getPolicyId());
result.setReason(getComments());
result.setPolicyVersion(policyEvaluator.getPolicy().getVersion());
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 0f2c55456..c514a86a3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -49,9 +49,7 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.policyengine.RangerTagAccessRequest;
-import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
-import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServiceDefUtil;
@@ -67,7 +65,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
private static final Logger PERF_POLICY_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policy.request");
private static final Logger PERF_POLICYCONDITION_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policycondition.request");
- private RangerPolicyResourceMatcher resourceMatcher;
private List<RangerValidityScheduleEvaluator> validityScheduleEvaluators;
private List<RangerPolicyItemEvaluator> allowEvaluators;
private List<RangerPolicyItemEvaluator> denyEvaluators;
@@ -82,8 +79,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
private boolean useAclSummaryForEvaluation = false;
private boolean disableRoleResolution = true;
- protected boolean needsDynamicEval() { return resourceMatcher != null && resourceMatcher.getNeedsDynamicEval(); }
-
@Override
public int getCustomConditionsCount() {
return customConditionsCount;
@@ -94,14 +89,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return validityScheduleEvaluators.size();
}
- @Override
- public RangerPolicyResourceMatcher getPolicyResourceMatcher() { return resourceMatcher; }
-
- @Override
- public RangerResourceMatcher getResourceMatcher(String resourceName) {
- return resourceMatcher != null ? resourceMatcher.getResourceMatcher(resourceName) : null;
- }
-
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
@@ -127,13 +114,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
preprocessPolicy(policy, serviceDef);
- resourceMatcher = new RangerDefaultPolicyResourceMatcher();
-
- resourceMatcher.setServiceDef(serviceDef);
- resourceMatcher.setPolicy(policy);
- resourceMatcher.setServiceDefHelper(options.getServiceDefHelper());
- resourceMatcher.init();
-
if(policy != null) {
validityScheduleEvaluators = createValidityScheduleEvaluators(policy);
@@ -240,51 +220,54 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
if (request != null && result != null) {
+ for (RangerPolicyResourceEvaluator resourceEvaluator : getResourceEvaluators()) {
+ RangerPolicyResourceMatcher resourceMatcher = resourceEvaluator.getPolicyResourceMatcher();
- if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) {
- RangerPolicyResourceMatcher.MatchType matchType;
+ if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) {
+ RangerPolicyResourceMatcher.MatchType matchType;
- if (RangerTagAccessRequest.class.isInstance(request)) {
- matchType = ((RangerTagAccessRequest) request).getMatchType();
- if (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
- matchType = RangerPolicyResourceMatcher.MatchType.SELF;
- }
- } else {
- if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_CHILD) {
- request.getContext().put(RangerAccessRequest.RANGER_ACCESS_REQUEST_SCOPE_STRING, RangerAccessRequest.ResourceMatchingScope.SELF_OR_CHILD);
+ if (RangerTagAccessRequest.class.isInstance(request)) {
+ matchType = ((RangerTagAccessRequest) request).getMatchType();
+ if (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
+ matchType = RangerPolicyResourceMatcher.MatchType.SELF;
+ }
+ } else {
+ if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_CHILD) {
+ request.getContext().put(RangerAccessRequest.RANGER_ACCESS_REQUEST_SCOPE_STRING, RangerAccessRequest.ResourceMatchingScope.SELF_OR_CHILD);
+ }
+ matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
+ request.getContext().remove(RangerAccessRequest.RANGER_ACCESS_REQUEST_SCOPE_STRING);
}
- matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
- request.getContext().remove(RangerAccessRequest.RANGER_ACCESS_REQUEST_SCOPE_STRING);
- }
- final boolean isMatched;
+ final boolean isMatched;
- if (request.isAccessTypeAny() || Boolean.TRUE.equals(RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext()))) {
- isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
- } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
- } else {
- isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
- }
+ if (request.isAccessTypeAny() || Boolean.TRUE.equals(RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext()))) {
+ isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
+ } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
+ } else {
+ isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
+ }
- if (isMatched) {
- //Evaluate Policy Level Custom Conditions, if any and allowed then go ahead for policyItem level evaluation
- if(matchPolicyCustomConditions(request)) {
- if (!result.getIsAuditedDetermined()) {
- if (isAuditEnabled()) {
- result.setIsAudited(true);
- result.setAuditPolicyId(getPolicy().getId());
+ if (isMatched) {
+ //Evaluate Policy Level Custom Conditions, if any and allowed then go ahead for policyItem level evaluation
+ if (matchPolicyCustomConditions(request)) {
+ if (!result.getIsAuditedDetermined()) {
+ if (isAuditEnabled()) {
+ result.setIsAudited(true);
+ result.setAuditPolicyId(getPolicy().getId());
+ }
}
- }
- if (!result.getIsAccessDetermined()) {
- if (hasMatchablePolicyItem(request)) {
- evaluatePolicyItems(request, matchType, result);
+ if (!result.getIsAccessDetermined()) {
+ if (hasMatchablePolicyItem(request)) {
+ evaluatePolicyItems(request, matchType, result);
+ }
}
}
}
}
}
- }
+ }
RangerPerfTracer.log(perf);
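Review bot: The loop over `getResourceEvaluators()` has no exit once a resource set has matched: the `getIsAccessDetermined()`/`getIsAuditedDetermined()` test sits inside the body, so after the result is settled the remaining iterations still run, and while it is not settled `matchPolicyCustomConditions(request)` and `evaluatePolicyItems(request, matchType, result)` are repeated for every further matching set. Because those sets can match with different match types, the order of the additional resource sets can decide which `matchType` reaches `updateAccessResult`; whether that is intended is not stated in the hunk. I would add a comment with the intended rule (any matching set applies the policy) and stop early with `if (result.getIsAccessDetermined() && result.getIsAuditedDetermined()) { break; }` at the top of the loop body. evaluate() starts above this hunk.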
@@ -307,8 +290,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isMatch(resource=" + resource.getAsString() + "," + evalContext + "," + perfTag + ")");
}
- if(resourceMatcher != null) {
- ret = resourceMatcher.isMatch(resource, evalContext);
+ for (RangerPolicyResourceEvaluator resourceEvaluator : getResourceEvaluators()) {
+ RangerPolicyResourceMatcher resourceMatcher = resourceEvaluator.getPolicyResourceMatcher();
+
+ ret = resourceMatcher != null && resourceMatcher.isMatch(resource, evalContext);
+
+ if (ret) {
+ break;
+ }
}
RangerPerfTracer.log(perf);
@@ -326,7 +315,18 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + resource + ", " + evalContext + ")");
}
- boolean ret = resourceMatcher != null && resourceMatcher.isCompleteMatch(resource, evalContext);
+ final boolean ret;
+
+ List<RangerPolicyResourceEvaluator> resourceEvaluators = getResourceEvaluators();
+
+ if (resourceEvaluators.size() == 1) {
+ RangerPolicyResourceEvaluator resourceEvaluator = resourceEvaluators.get(0);
+ RangerPolicyResourceMatcher resourceMatcher = resourceEvaluator.getPolicyResourceMatcher();
+
+ ret = resourceMatcher != null && resourceMatcher.isCompleteMatch(resource, evalContext);
+ } else {
+ ret = false;
+ }
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + resource + "): " + ret);
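Review bot: `isCompleteMatch(resource, evalContext)` now returns false for every policy that has additional resource sets, with no comment or debug line explaining why. Callers that use a complete match to find the policy for a given resource would silently stop finding multi-resource policies (inferred; the callers are not on this page). A one-line comment on the else branch such as `// a policy with additional resource sets is never a complete match for a single resource` would record the decision. The method begins and ends outside this hunk.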
@@ -336,12 +336,32 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
@Override
- public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
+ public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources, List<Map<String, RangerPolicyResource>> additionalResources, Map<String, Object> evalContext) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.isCompleteMatch(" + resources + ", " + evalContext + ")");
}
- boolean ret = resourceMatcher != null && resourceMatcher.isCompleteMatch(resources, evalContext);
+ boolean ret = false;
+
+ List<RangerPolicyResourceEvaluator> resourceEvaluators = getResourceEvaluators();
+
+ for (int i = 0; i < resourceEvaluators.size(); i++) {
+ RangerPolicyResourceEvaluator resourceEvaluator = resourceEvaluators.get(i);
+ RangerPolicyResourceMatcher resourceMatcher = resourceEvaluator.getPolicyResourceMatcher();
+ Map<String, RangerPolicyResource> policyResource = null;
+
+ if (i == 0) {
+ policyResource = resources;
+ } else if (additionalResources != null && additionalResources.size() >= i) {
+ policyResource = additionalResources.get(i - 1);
+ }
+
+ ret = resourceMatcher != null && policyResource != null && resourceMatcher.isCompleteMatch(policyResource, evalContext);
+
+ if (!ret) {
+ break;
+ }
+ }
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isCompleteMatch(" + resources + ", " + evalContext + "): " + ret);
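Review bot: The positional comparison only walks the policy's own resource sets, so extra entries in `additionalResources` are never looked at: a policy with a single resource set reports a complete match against an input that has the same `resources` plus any number of additional sets. If this result feeds duplicate-policy detection (likely, but not visible here), two different policies would be treated as the same. Comparing the counts first closes the gap, e.g. `int expected = 1 + (additionalResources != null ? additionalResources.size() : 0);` and running the loop only when `resourceEvaluators.size() == expected`. The comparison is also order-sensitive, which deserves a comment, and the debug lines do not print `additionalResources`.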
@@ -408,13 +428,23 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
*/
@Override
- public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
+ public boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, List<Map<String, RangerPolicyResource>> additionalResources, String user, Set<String> userGroups, String accessType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
boolean ret = isAccessAllowed(user, userGroups, null, null, accessType) && isMatch(resources, null);
+ if (ret && additionalResources != null) {
+ for (Map<String, RangerPolicyResource> additionalResource : additionalResources) {
+ ret = isMatch(additionalResource, null);
+
+ if (!ret) {
+ break;
+ }
+ }
+ }
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
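Review bot: The added loop makes this check all-of (every entry of `additionalResources` must satisfy `isMatch`), while `evaluate()` and `isMatch(resource, ...)` in this commit are any-of across the policy's resource sets; the difference looks deliberate but is undocumented. The Javadoc that ends just above the signature was not updated, so I would add `@param additionalResources further resource sets to check; access is allowed only if each of them matches this policy` and say that null or empty means none. The debug lines should print `additionalResources` too, so a refused request can be traced to the set that failed. The Javadoc and the end of the method are outside this hunk.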
@@ -428,55 +458,60 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ", " + result + ")");
}
- RangerPolicyResourceMatcher.MatchType matchType;
- if (RangerTagAccessRequest.class.isInstance(request)) {
- matchType = ((RangerTagAccessRequest) request).getMatchType();
- } else {
- matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
- }
- final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
+ for (RangerPolicyResourceEvaluator resourceEvaluator : getResourceEvaluators()) {
+ RangerPolicyResourceMatcher resourceMatcher = resourceEvaluator.getPolicyResourceMatcher();
+ RangerPolicyResourceMatcher.MatchType matchType;
- if (isMatched) {
+ if (RangerTagAccessRequest.class.isInstance(request)) {
+ matchType = ((RangerTagAccessRequest) request).getMatchType();
+ } else {
+ matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
+ }
- if (CollectionUtils.isNotEmpty(allowEvaluators)) {
- Set<String> users = new HashSet<>();
- Set<String> groups = new HashSet<>();
+ final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
- getResourceAccessInfo(request, allowEvaluators, users, groups);
+ if (isMatched) {
- if (CollectionUtils.isNotEmpty(allowExceptionEvaluators)) {
- Set<String> exceptionUsers = new HashSet<>();
- Set<String> exceptionGroups = new HashSet<>();
+ if (CollectionUtils.isNotEmpty(allowEvaluators)) {
+ Set<String> users = new HashSet<>();
+ Set<String> groups = new HashSet<>();
- getResourceAccessInfo(request, allowExceptionEvaluators, exceptionUsers, exceptionGroups);
+ getResourceAccessInfo(request, allowEvaluators, users, groups);
- users.removeAll(exceptionUsers);
- groups.removeAll(exceptionGroups);
+ if (CollectionUtils.isNotEmpty(allowExceptionEvaluators)) {
+ Set<String> exceptionUsers = new HashSet<>();
+ Set<String> exceptionGroups = new HashSet<>();
+
+ getResourceAccessInfo(request, allowExceptionEvaluators, exceptionUsers, exceptionGroups);
+
+ users.removeAll(exceptionUsers);
+ groups.removeAll(exceptionGroups);
+ }
+
+ result.getAllowedUsers().addAll(users);
+ result.getAllowedGroups().addAll(groups);
}
+ if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
+ if (CollectionUtils.isNotEmpty(denyEvaluators)) {
+ Set<String> users = new HashSet<String>();
+ Set<String> groups = new HashSet<String>();
- result.getAllowedUsers().addAll(users);
- result.getAllowedGroups().addAll(groups);
- }
- if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
- if (CollectionUtils.isNotEmpty(denyEvaluators)) {
- Set<String> users = new HashSet<String>();
- Set<String> groups = new HashSet<String>();
+ getResourceAccessInfo(request, denyEvaluators, users, groups);
- getResourceAccessInfo(request, denyEvaluators, users, groups);
+ if (CollectionUtils.isNotEmpty(denyExceptionEvaluators)) {
+ Set<String> exceptionUsers = new HashSet<String>();
+ Set<String> exceptionGroups = new HashSet<String>();
- if (CollectionUtils.isNotEmpty(denyExceptionEvaluators)) {
- Set<String> exceptionUsers = new HashSet<String>();
- Set<String> exceptionGroups = new HashSet<String>();
+ getResourceAccessInfo(request, denyExceptionEvaluators, exceptionUsers, exceptionGroups);
- getResourceAccessInfo(request, denyExceptionEvaluators, exceptionUsers, exceptionGroups);
+ users.removeAll(exceptionUsers);
+ groups.removeAll(exceptionGroups);
+ }
- users.removeAll(exceptionUsers);
- groups.removeAll(exceptionGroups);
+ result.getDeniedUsers().addAll(users);
+ result.getDeniedGroups().addAll(groups);
}
-
- result.getDeniedUsers().addAll(users);
- result.getDeniedGroups().addAll(groups);
}
}
}
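Review bot: Inside the new loop the allow and deny collections are rebuilt for every matching resource set, although `getResourceAccessInfo(request, allowEvaluators, users, groups)` depends only on the request, so a policy with several matching sets repeats the same work and adds the same names again. The only thing the resource sets contribute is whether any set matched and whether any of those matches was not `DESCENDANT`. Collecting those two facts in the loop and running the existing allow and deny blocks once afterwards gives the same result, provided the `result` collections are sets (not visible here). The method starts above this hunk.

```java
boolean anyMatch              = false;
boolean anyNonDescendantMatch = false;

for (RangerPolicyResourceEvaluator resourceEvaluator : getResourceEvaluators()) {
    // … unchanged: resourceMatcher lookup and matchType computation …

    if (matchType != RangerPolicyResourceMatcher.MatchType.NONE) {
        anyMatch              = true;
        anyNonDescendantMatch = anyNonDescendantMatch || matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT;
    }
}

if (anyMatch) {
    // … unchanged: allowEvaluators / allowExceptionEvaluators block …

    if (anyNonDescendantMatch) {
        // … unchanged: denyEvaluators / denyExceptionEvaluators block …
    }
}
```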
@@ -505,13 +540,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
@Override
public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String reason) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")");
+ LOG.debug("==> RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getPolicyId() + ")");
}
if (!isAllowed) {
if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
result.setIsAllowed(false);
result.setPolicyPriority(getPolicyPriority());
- result.setPolicyId(getId());
+ result.setPolicyId(getPolicyId());
result.setReason(reason);
result.setPolicyVersion(getPolicy().getVersion());
}
@@ -520,14 +555,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
result.setIsAllowed(true);
result.setPolicyPriority(getPolicyPriority());
- result.setPolicyId(getId());
+ result.setPolicyId(getPolicyId());
result.setReason(reason);
result.setPolicyVersion(getPolicy().getVersion());
}
}
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")");
+ LOG.debug("<== RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getPolicyId() + ")");
}
}
@@ -757,7 +792,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getId() + "]");
+ LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getPolicyId() + "]");
}
Integer accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), request.isAccessTypeAny() || Boolean.TRUE.equals(RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) ? RangerPolicyEngine.ANY_ACCESS : request.getAccessType());
if (accessResult != null) {
@@ -767,7 +802,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
} else {
if (LOG.isDebugEnabled()) {
- LOG.debug("Using policyItemEvaluators for access evaluation. PolicyId=[" + getId() + "]");
+ LOG.debug("Using policyItemEvaluators for access evaluation. PolicyId=[" + getPolicyId() + "]");
}
RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, result);
@@ -938,7 +973,17 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + resources + ", " + evalContext + ")");
}
- boolean ret = resourceMatcher != null && resourceMatcher.isMatch(resources, evalContext);
+ boolean ret = false;
+
+ for (RangerPolicyResourceEvaluator resourceEvaluator : getResourceEvaluators()) {
+ RangerPolicyResourceMatcher resourceMatcher = resourceEvaluator.getPolicyResourceMatcher();
+
+ ret = resourceMatcher != null && resourceMatcher.isMatch(resources, evalContext);
+
+ if (ret) {
+ break;
+ }
+ }
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + resources + ", " + evalContext + "): " + ret);
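Review bot: The new loop in isMatch iterates `getResourceEvaluators()` without a null check, whereas the line it replaces returned false when `resourceMatcher` was null. If that list can be null before the evaluator is initialised (its construction is not in this hunk), the call now throws instead of reporting no match; reading it into a local first and skipping the loop when it is null, e.g. `if (evaluators != null) { for (...) { ... } }`, keeps the old fail-closed result. The loop also stops at the first matcher that matches, so a policy now matches when any one of its resource evaluators matches; a comment above the loop such as `// match if any resource set of the policy matches` would make that explicit. isMatch begins and ends outside this hunk.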
@@ -962,7 +1007,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getId() +"]");
+ LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getPolicyId() +"]");
}
Integer accessResult = StringUtils.isEmpty(accessType) ? null : lookupPolicyACLSummary(user, userGroups, roles, accessType);
@@ -971,7 +1016,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
} else {
if (LOG.isDebugEnabled()) {
- LOG.debug("Using policyItemEvaluators for checking if access is allowed. PolicyId=[" + getId() +"]");
+ LOG.debug("Using policyItemEvaluators for checking if access is allowed. PolicyId=[" + getPolicyId() +"]");
}
RangerPolicyItemEvaluator item = this.getDeterminingPolicyItem(user, userGroups, roles, owner, accessType);
@@ -995,11 +1040,15 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
super.toString(sb);
- sb.append("resourceMatcher={");
- if(resourceMatcher != null) {
- resourceMatcher.toString(sb);
+ for (RangerPolicyResourceEvaluator resourceEvaluator : getResourceEvaluators()) {
+ RangerPolicyResourceMatcher resourceMatcher = resourceEvaluator.getPolicyResourceMatcher();
+
+ sb.append("resourceMatcher={");
+ if(resourceMatcher != null) {
+ resourceMatcher.toString(sb);
+ }
+ sb.append("} ");
}
- sb.append("} ");
sb.append("}");
@@ -1381,7 +1430,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
conditionType = ((RangerAbstractConditionEvaluator)conditionEvaluator).getPolicyItemCondition().getType();
}
- perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchPolicyCustomConditions(policyId=" + getId() + ",policyConditionType=" + conditionType + ")");
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchPolicyCustomConditions(policyId=" + getPolicyId() + ",policyConditionType=" + conditionType + ")");
}
boolean conditionEvalResult = conditionEvaluator.isMatched(request);
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 0b7f7ba12..d1c2f7cde 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -47,7 +47,7 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
-import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
@@ -56,7 +56,7 @@ import static org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator
import static org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY;
import static org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS;
-public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
+public interface RangerPolicyEvaluator {
Comparator<RangerPolicyEvaluator> EVAL_ORDER_COMPARATOR = new RangerPolicyEvaluator.PolicyEvalOrderComparator();
Comparator<RangerPolicyEvaluator> NAME_COMPARATOR = new RangerPolicyEvaluator.PolicyNameComparator();
@@ -80,8 +80,12 @@ public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
boolean hasDeny();
+ long getPolicyId();
+
int getPolicyPriority();
+ List<RangerPolicyResourceEvaluator> getResourceEvaluators();
+
boolean isApplicable(Date accessTime);
int getEvalOrder();
@@ -98,9 +102,9 @@ public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext);
- boolean isCompleteMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext);
+ boolean isCompleteMatch(Map<String, RangerPolicyResource> resources, List<Map<String, RangerPolicyResource>> additionalResources, Map<String, Object> evalContext);
- boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
+ boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, List<Map<String, RangerPolicyResource>> additionalResources, String user, Set<String> userGroups, String accessType);
void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String reason);
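Review bot: The changed signatures of `isCompleteMatch` and `isAccessAllowed` accept `additionalResources` without stating how the extra resource sets combine with `resources`. For an authorization check, "allowed on every resource set" and "allowed on at least one" are different contracts, and the interface is where callers will look for it. Each method should carry Javadoc that states the rule and whether `additionalResources` may be null or empty, along the lines of `/** @return true only if the access is allowed on resources and on every entry of additionalResources */`, once the wording is confirmed against the implementation, which is not in this hunk. The same applies to `isAccessAllowedByUnzonedPolicies` in RangerPolicyAdmin.java later in this commit.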
@@ -628,4 +632,14 @@ public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
}
}
}
+
+ interface RangerPolicyResourceEvaluator extends RangerResourceEvaluator {
+ default long getPolicyId() {
+ RangerPolicyEvaluator evaluator = getPolicyEvaluator();
+
+ return evaluator != null ? evaluator.getPolicyId() : -1;
+ }
+
+ RangerPolicyEvaluator getPolicyEvaluator();
+ }
}
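Review bot: The default `getPolicyId()` in the new nested `RangerPolicyResourceEvaluator` returns `-1` when `getPolicyEvaluator()` is null, and that sentinel is undocumented. The test data added in this commit also expects `"policyId": -1` for a request that no policy decided, so the two meanings are easy to confuse in audit output. A Javadoc line such as `/** @return id of the owning policy, or -1 if no policy evaluator is attached */` would state the contract. The nested interface also reuses the simple name of the top-level interface this commit renames to `RangerResourceEvaluator`, so a short type-level comment saying it is the policy-bound variant would help anyone updating imports.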
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 3060214ec..15f2522db 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -99,6 +99,8 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
this.serviceDefHelper = serviceDefHelper;
}
+ public int getPolicyType() { return policyType; }
+
@Override
public RangerServiceDef getServiceDef() {
return serviceDef;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index 7978e7fdf..0220feba7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -32,6 +32,8 @@ public interface RangerPolicyResourceMatcher {
enum MatchScope { SELF, SELF_OR_DESCENDANT, SELF_OR_ANCESTOR, DESCENDANT, ANCESTOR, ANY, SELF_AND_ALL_DESCENDANTS}
enum MatchType { NONE, SELF, DESCENDANT, ANCESTOR, SELF_AND_ALL_DESCENDANTS}
+ void init();
+
void setServiceDef(RangerServiceDef serviceDef);
void setPolicy(RangerPolicy policy);
@@ -42,8 +44,6 @@ public interface RangerPolicyResourceMatcher {
void setServiceDefHelper(RangerServiceDefHelper serviceDefHelper);
- void init();
-
RangerServiceDef getServiceDef();
RangerResourceMatcher getResourceMatcher(String resourceName);
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerResourceEvaluator.java
similarity index 96%
rename from agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
rename to agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerResourceEvaluator.java
index 9da9fac66..014bdd528 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerResourceEvaluator.java
@@ -26,7 +26,7 @@ import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import java.util.Map;
-public interface RangerPolicyResourceEvaluator {
+public interface RangerResourceEvaluator {
long getId();
RangerPolicyResourceMatcher getPolicyResourceMatcher();
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
index 0c6c4c206..be049a820 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
@@ -811,7 +811,30 @@ public class TestRangerPolicyValidator {
_failures.clear(); Assert.assertFalse("Policy with resources for multiple hierarchies missing mandatory resources for all pontential matches", _validator.isValidResourceNames(_policy, _failures, _serviceDef));
_utils.checkFailureForSemanticError(_failures, "policy resources", "missing mandatory");
}
-
+
+ @Test
+ public void test_isValidResource_additionalResources() throws Exception {
+ String serviceName = "a-service-def";
+ Date now = new Date();
+ List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData_multipleHierarchies);
+ Map<String, RangerPolicyResource> resources = _utils.createPolicyResourceMap(policyResourceMap_good);
+ List<Map<String, RangerPolicyResource>> additionalResources = new ArrayList<>();
+
+ when(_serviceDef.getName()).thenReturn(serviceName );
+ when(_serviceDef.getUpdateTime()).thenReturn(now);
+ when(_serviceDef.getResources()).thenReturn(resourceDefs);
+ when(_policy.getResources()).thenReturn(resources);
+ when(_policy.getAdditionalResources()).thenReturn(additionalResources);
+
+ Assert.assertTrue("valid resources and empty additionalResources", _validator.isValidResourceNames(_policy, _failures, _serviceDef));
+
+ additionalResources.add(_utils.createPolicyResourceMap(policyResourceMap_good));
+ Assert.assertTrue("valid resources and additionalResources[0]", _validator.isValidResourceNames(_policy, _failures, _serviceDef));
+
+ additionalResources.add(_utils.createPolicyResourceMap(policyResourceMap_bad));
+ Assert.assertFalse("valid resources and invalid additionalResources[1]", _validator.isValidResourceNames(_policy, _failures, _serviceDef));
+ }
+
@Test
public final void test_isValidServiceWithZone_happyPath() throws Exception{
boolean isAdmin = true;
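Review bot: The final assertion in `test_isValidResource_additionalResources` checks only that validation fails, not why, and `_failures` is never cleared between the three `isValidResourceNames` calls. The test just above it calls `_failures.clear();` and then `_utils.checkFailureForSemanticError(_failures, "policy resources", "missing mandatory");`. Doing the same here, with whatever field and sub-field the validator reports for a bad additional resource set, would pin the rejection to `additionalResources[1]` rather than to an unrelated failure. Add `_failures.clear();` before each call so earlier entries cannot satisfy the later check.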
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPathResourceTrie.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPathResourceTrie.java
index 90e4575e3..30a7215a6 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPathResourceTrie.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPathResourceTrie.java
@@ -21,7 +21,7 @@ package org.apache.ranger.plugin.policyengine;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
-import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
@@ -39,22 +39,21 @@ import static org.junit.Assert.assertEquals;
public class TestPathResourceTrie {
- private static final RangerResourceDef PATH_RESOURCE_DEF = getPathResourceDef();
-
- private static final RangerPolicyResourceEvaluator EVAL_ = getEvaluator("/");
- private static final RangerPolicyResourceEvaluator EVAL_nr = getEvaluator("/", false, false);
- private static final RangerPolicyResourceEvaluator EVAL_HOME = getEvaluator("/home");
- private static final RangerPolicyResourceEvaluator EVAL_HOME_ = getEvaluator("/home/");
- private static final RangerPolicyResourceEvaluator EVAL_TMPnr = getEvaluator("/tmp", false, false);
- private static final RangerPolicyResourceEvaluator EVAL_TMP_nr = getEvaluator("/tmp/", false, false);
- private static final RangerPolicyResourceEvaluator EVAL_TMP_AB = getEvaluator("/tmp/ab");
- private static final RangerPolicyResourceEvaluator EVAL_TMP_A_B = getEvaluator("/tmp/a/b");
- private static final RangerPolicyResourceEvaluator EVAL_TMP_AC_D_E_F = getEvaluator("/tmp/ac/d/e/f");
- private static final RangerPolicyResourceEvaluator EVAL_TMPFILE = getEvaluator("/tmpfile");
- private static final RangerPolicyResourceEvaluator EVAL_TMPdTXT = getEvaluator("/tmp.txt");
- private static final RangerPolicyResourceEvaluator EVAL_TMPA_B = getEvaluator("/tmpa/b");
-
- private static final List<RangerPolicyResourceEvaluator> EVALUATORS = Arrays.asList(EVAL_,
+ private static final RangerResourceDef PATH_RESOURCE_DEF = getPathResourceDef();
+ private static final RangerResourceEvaluator EVAL_ = getEvaluator("/");
+ private static final RangerResourceEvaluator EVAL_nr = getEvaluator("/", false, false);
+ private static final RangerResourceEvaluator EVAL_HOME = getEvaluator("/home");
+ private static final RangerResourceEvaluator EVAL_HOME_ = getEvaluator("/home/");
+ private static final RangerResourceEvaluator EVAL_TMPnr = getEvaluator("/tmp", false, false);
+ private static final RangerResourceEvaluator EVAL_TMP_nr = getEvaluator("/tmp/", false, false);
+ private static final RangerResourceEvaluator EVAL_TMP_AB = getEvaluator("/tmp/ab");
+ private static final RangerResourceEvaluator EVAL_TMP_A_B = getEvaluator("/tmp/a/b");
+ private static final RangerResourceEvaluator EVAL_TMP_AC_D_E_F = getEvaluator("/tmp/ac/d/e/f");
+ private static final RangerResourceEvaluator EVAL_TMPFILE = getEvaluator("/tmpfile");
+ private static final RangerResourceEvaluator EVAL_TMPdTXT = getEvaluator("/tmp.txt");
+ private static final RangerResourceEvaluator EVAL_TMPA_B = getEvaluator("/tmpa/b");
+
+ private static final List<RangerResourceEvaluator> EVALUATORS = Arrays.asList(EVAL_,
EVAL_nr,
EVAL_HOME,
EVAL_HOME_,
@@ -68,7 +67,7 @@ public class TestPathResourceTrie {
EVAL_TMPA_B
);
- private final RangerResourceTrie<RangerPolicyResourceEvaluator> trie = new RangerResourceTrie<>(PATH_RESOURCE_DEF, EVALUATORS);
+ private final RangerResourceTrie<RangerResourceEvaluator> trie = new RangerResourceTrie<>(PATH_RESOURCE_DEF, EVALUATORS);
@Test
public void testChildrenScope() {
@@ -100,9 +99,9 @@ public class TestPathResourceTrie {
verifyEvaluators("invalid: does-not-begin-with-sep", scope);
}
- private void verifyEvaluators(String resource, RangerAccessRequest.ResourceMatchingScope scope, RangerPolicyResourceEvaluator... evaluators) {
- Set<RangerPolicyResourceEvaluator> expected = evaluators.length == 0 ? null : new HashSet<>(Arrays.asList(evaluators));
- Set<RangerPolicyResourceEvaluator> result = trie.getEvaluatorsForResource(resource, scope);
+ private void verifyEvaluators(String resource, RangerAccessRequest.ResourceMatchingScope scope, RangerResourceEvaluator... evaluators) {
+ Set<RangerResourceEvaluator> expected = evaluators.length == 0 ? null : new HashSet<>(Arrays.asList(evaluators));
+ Set<RangerResourceEvaluator> result = trie.getEvaluatorsForResource(resource, scope);
assertEquals("incorrect evaluators for resource " + resource, expected, result);
}
@@ -125,15 +124,15 @@ public class TestPathResourceTrie {
return ret;
}
- private static RangerPolicyResourceEvaluator getEvaluator(String resource) {
+ private static RangerResourceEvaluator getEvaluator(String resource) {
return new TestPolicyResourceEvaluator(new RangerPolicyResource(resource, false, true));
}
- private static RangerPolicyResourceEvaluator getEvaluator(String resource, boolean isExcludes, boolean isRecursive) {
+ private static RangerResourceEvaluator getEvaluator(String resource, boolean isExcludes, boolean isRecursive) {
return new TestPolicyResourceEvaluator(new RangerPolicyResource(resource, isExcludes, isRecursive));
}
- private static class TestPolicyResourceEvaluator implements RangerPolicyResourceEvaluator {
+ private static class TestPolicyResourceEvaluator implements RangerResourceEvaluator {
private static long nextId = 1;
private final long id;
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 824516add..e6bd2f4f8 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -46,8 +46,9 @@ import org.apache.ranger.plugin.model.RangerValiditySchedule;
import org.apache.ranger.plugin.model.validation.RangerValidityScheduleValidator;
import org.apache.ranger.plugin.model.validation.ValidationFailureDetails;
import org.apache.ranger.plugin.policyengine.TestPolicyEngine.PolicyEngineTestCase.TestData;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerValidityScheduleEvaluator;
-import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.policyresourcematcher.RangerResourceEvaluator;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerRequestedResources;
@@ -465,6 +466,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(resourceFiles);
}
+ @Test
+ public void testPolicyEngin_policyWithAdditionalResources() {
+ String[] resourceFiles = {"/policyengine/test_policyengine_policy_with_additional_resources.json"};
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
private void runTestsFromResourceFiles(String[] resourceNames) {
for(String resourceName : resourceNames) {
InputStream inStream = this.getClass().getResourceAsStream(resourceName);
@@ -1108,28 +1116,36 @@ public class TestPolicyEngine {
ret = me.size() == other.size();
if (ret) {
- List<? extends RangerPolicyResourceEvaluator> meAsList = new ArrayList<>(me);
- List<? extends RangerPolicyResourceEvaluator> otherAsList = new ArrayList<>(other);
-
- List<Long> myIds = new ArrayList<>();
- List<Long> otherIds = new ArrayList<>();
- for (RangerPolicyResourceEvaluator evaluator : meAsList) {
- myIds.add(evaluator.getId());
+ List<? extends RangerResourceEvaluator> meAsList = new ArrayList<>(me);
+ List<? extends RangerResourceEvaluator> otherAsList = new ArrayList<>(other);
+ List<Long> myIds = new ArrayList<>();
+ List<Long> otherIds = new ArrayList<>();
+
+ for (RangerResourceEvaluator evaluator : meAsList) {
+ if (evaluator instanceof RangerPolicyResourceEvaluator) {
+ myIds.add(((RangerPolicyResourceEvaluator) evaluator).getPolicyId());
+ } else {
+ myIds.add(evaluator.getId());
+ }
}
- for (RangerPolicyResourceEvaluator evaluator : otherAsList) {
- otherIds.add(evaluator.getId());
+
+ for (RangerResourceEvaluator evaluator : otherAsList) {
+ if (evaluator instanceof RangerPolicyResourceEvaluator) {
+ otherIds.add(((RangerPolicyResourceEvaluator) evaluator).getPolicyId());
+ } else {
+ otherIds.add(evaluator.getId());
+ }
}
ret = compareLongLists(myIds, otherIds);
}
}
+
return ret;
}
private static boolean compareLongLists(List<Long> me, List<Long> other) {
return me.size() == CollectionUtils.intersection(me, other).size();
}
-
-
}
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_policy_with_additional_resources.json b/agents-common/src/test/resources/policyengine/test_policyengine_policy_with_additional_resources.json
new file mode 100644
index 000000000..71a9c507a
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_policy_with_additional_resources.json
@@ -0,0 +1,84 @@
+{
+ "serviceName": "hivedev",
+
+ "serviceDef": {
+ "name": "hive", "id": 3,
+ "resources": [
+ { "name": "database", "level": 1, "parent": "", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Database", "description": "Hive Database" },
+ { "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Table", "description": "Hive Table" },
+ { "name": "udf", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive UDF", "description": "Hive UDF" },
+ { "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Column", "description": "Hive Column" }
+ ],
+ "accessTypes": [
+ { "name": "select", "label": "Select" },
+ { "name": "update", "label": "Update" },
+ { "name": "create", "label": "Create" },
+ { "name": "drop", "label": "Drop" },
+ { "name": "alter", "label": "Alter" },
+ { "name": "index", "label": "Index" },
+ { "name": "lock", "label": "Lock" },
+ { "name": "all", "label": "All" }
+ ],
+ "options": {
+ "enableDenyAndExceptionsInPolicies": "true"
+ }
+ },
+
+ "policies": [
+ { "id": 1, "name": "db=default: audit-all-access", "isEnabled": true, "isAuditEnabled": true,
+ "resources": { "database": { "values": [ "default" ] }, "table": { "values": [ "*" ] }, "column": { "values": [ "*" ] } }
+ },
+ { "id": 2, "name": "db=default; table=test*; column=*", "isEnabled": true, "isAuditEnabled": true,
+ "resources": { "database": { "values": [ "default" ] }, "table": { "values": [ "test*" ] }, "column": { "values": [ "*" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl*" ] }, "column": { "values": [ "*" ] } }
+ ],
+ "policyItems": [
+ { "accesses": [ { "type": "select" } ], "users": [ "user1", "user2" ], "groups": [ "group1", "group2" ], "delegateAdmin": false },
+ { "accesses": [ { "type": "create" }, { "type": "drop" } ], "users": [ "admin" ], "groups": [ "admin" ], "delegateAdmin": true }
+ ]
+ },
+ { "id": 3, "name": "db=default; table=test2; column=*", "isEnabled": true, "isAuditEnabled": true,
+ "resources": { "database": { "values": [ "default" ] }, "table": { "values": [ "test2" ] }, "column": { "values": [ "*" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "*" ] } }
+ ],
+ "denyPolicyItems":[
+ { "accesses": [ { "type": "select" } ], "users": [ "user1", "user2" ], "groups": [ "group1", "group2" ], "delegateAdmin": false },
+ { "accesses": [ { "type": "create" }, { "type": "drop" } ], "users": [ "admin" ], "groups": [ "admin" ], "delegateAdmin": true }
+ ]
+ }
+ ],
+
+ "tests":[
+ { "name": "ALLOW use default; for user1",
+ "request": { "resource": { "elements": { "database": "default"} }, "accessType":"", "user":"user1","userGroups":[],"requestData":"use default; user=user1" },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 2 }
+ },
+ { "name": "ALLOW select * from default.test1; for user1",
+ "request": { "resource": { "elements": { "database": "default", "table": "test1" } }, "accessType": "select", "user": "user1", "userGroups":[], "requestData":"select * from default.test1; user=user1" },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 2}
+ },
+ { "name": "DENY create table default.test1; for user1",
+ "request": { "resource": { "elements": { "database": "default", "table": "test1" } }, "accessType": "create", "user": "user1", "userGroups":[], "requestData": "create table from default.test1; user=user1" },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": -1 }
+ },
+ { "name": "ALLOW create table default.test1; for admin",
+ "request": { "resource": { "elements": { "database": "default", "table": "test1" } }, "accessType": "create", "user": "admin", "userGroups":[], "requestData": "create table from default.test1; user=admin" },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 2 }
+ },
+ { "name": "DENY select * from default.test2; for user1",
+ "request": { "resource": { "elements": { "database": "default", "table": "test2" } }, "accessType": "select", "user": "user1", "userGroups": [], "requestData": "select * from default.test2; user=user1" },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 3 }
+ },
+ { "name": "DENY create default.test2; for admin",
+ "request": { "resource": { "elements": { "database": "default", "table": "test2" } }, "accessType":"create", "user": "admin", "userGroups":[], "requestData":"create default.test2; user=admin" },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 3 }
+ },
+ { "name": "ALLOW use db1; for user1",
+ "request": { "resource": { "elements": { "database":"db1" } }, "accessType":"", "user": "user1", "userGroups":[], "requestData":"use db1; user=user1" },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 2}
+ }
+ ]
+}
+
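Review bot: The test cases reach the additional resource sets only through `use db1` for user1; no request names a table under `db1`. Policy 3's deny items on `db1`/`tbl2` are therefore never evaluated, so a regression that ignored `additionalResources` on deny policies would still pass this file. Add cases that mirror the `default.test2` ones, for example a `select` by user1 on `{ "database": "db1", "table": "tbl2" }` expecting `"isAllowed": false, "policyId": 3`. A `select` by user1 on `db1`/`tbl1` expecting `"isAllowed": true, "policyId": 2` would cover the allow path at table level.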
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
index f1ce602cb..f975287f9 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
@@ -60,7 +60,7 @@ public interface RangerPolicyAdmin {
String getUniquelyMatchedZoneName(GrantRevokeRequest grantRevokeRequest);
// This API is used only by test-code
- boolean isAccessAllowedByUnzonedPolicies(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType);
+ boolean isAccessAllowedByUnzonedPolicies(Map<String, RangerPolicyResource> resources, List<Map<String, RangerPolicyResource>> additionalResources, String user, Set<String> userGroups, String accessType);
// This API is used only by test-code
List<RangerPolicy> getAllowedUnzonedPolicies(String user, Set<String> userGroups, String accessType);
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index df75db11a..97a384f30 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -38,6 +38,7 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyRepository;
import org.apache.ranger.plugin.policyengine.RangerTagAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerTagResource;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.RangerPolicyResourceEvaluator;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
import org.apache.ranger.plugin.service.RangerDefaultRequestProcessor;
@@ -60,7 +61,6 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
-import java.util.TreeMap;
public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
private static final Logger LOG = LoggerFactory.getLogger(RangerPolicyAdminImpl.class);
@@ -266,32 +266,42 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
LOG.debug("Checking delegate-admin access for the access-types:[" + accessTypes + "]");
}
- // RANGER-3082
- // Convert policy resources to by substituting macros with ASTERISK
- Map<String, RangerPolicyResource> modifiedPolicyResources = getPolicyResourcesWithMacrosReplaced(policy.getResources(), wildcardEvalContext);
+ Set<String> allowedAccesses = getAllowedAccesses(matchedRepository, policy.getResources(), user, userGroups, roles, accessTypes, evalContext);
- for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
- Set<String> allowedAccesses = evaluator.getAllowedAccesses(modifiedPolicyResources, user, userGroups, roles, accessTypes, evalContext);
+ if (CollectionUtils.isEmpty(allowedAccesses)) {
+ ret = false;
+ } else {
+ ret = isRead ? CollectionUtils.containsAny(allowedAccesses, accessTypes) : allowedAccesses.containsAll(accessTypes);
+ }
- if (allowedAccesses == null) {
- continue;
- }
+ if (ret && CollectionUtils.isNotEmpty(policy.getAdditionalResources())) {
+ for (Map<String, RangerPolicyResource> additionalResource : policy.getAdditionalResources()) {
+ Set<String> additionalResourceAllowedActions = getAllowedAccesses(matchedRepository, additionalResource, user, userGroups, roles, accessTypes, evalContext);
- boolean isAllowedAccessesModified = accessTypes.removeAll(allowedAccesses);
+ if (CollectionUtils.isEmpty(additionalResourceAllowedActions)) {
+ allowedAccesses.clear();
- if (isRead && isAllowedAccessesModified) {
- ret = true;
- break;
- }
+ ret = false;
+ } else {
+ allowedAccesses.retainAll(additionalResourceAllowedActions); // allowedAccesses to contain only access-types that are allowed on all resources in the policy
- if (CollectionUtils.isEmpty(accessTypes)) {
- ret = true;
- break;
+ if (isRead) {
+ ret = !allowedAccesses.isEmpty();
+ } else {
+ ret = additionalResourceAllowedActions.containsAll(accessTypes);
+ }
+ }
+
+ if (!ret) {
+ break;
+ }
}
}
- if (!ret && CollectionUtils.isNotEmpty(accessTypes)) {
- LOG.info("Accesses : " + accessTypes + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
+ if (!ret) {
+ Collection<String> unauthorizedAccesses = CollectionUtils.isEmpty(allowedAccesses) ? accessTypes : CollectionUtils.subtract(accessTypes, allowedAccesses);
+
+ LOG.info("Accesses : " + unauthorizedAccesses + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
}
}
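Review bot: The read-mode check inside the additional-resources loop, `ret = !allowedAccesses.isEmpty();`, is weaker than the check applied to the primary resource set, which uses `CollectionUtils.containsAny(allowedAccesses, accessTypes)`. The two agree only if `getAllowedAccesses` never returns an access type outside the requested `accessTypes`, which this hunk does not show. Since this result decides delegated-admin access, the loop should state the condition explicitly: `ret = CollectionUtils.containsAny(allowedAccesses, accessTypes);`. A short comment above the loop saying that access must be granted on every resource set of the policy, and that the first failing set denies, would also help. The enclosing method starts before this hunk.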
@@ -302,6 +312,31 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
return ret;
}
+ private Set<String> getAllowedAccesses(RangerPolicyRepository matchedRepository, Map<String, RangerPolicyResource> resource, String user, Set<String> userGroups, Set<String> roles, Set<String> accessTypes, Map<String, Object> evalContext) {
+ // RANGER-3082
+ // Convert policy resources to by substituting macros with ASTERISK
+ Map<String, RangerPolicyResource> modifiedResource = getPolicyResourcesWithMacrosReplaced(resource, wildcardEvalContext);
+ Set<String> ret = null;
+
+ for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
+ Set<String> allowedAccesses = evaluator.getAllowedAccesses(modifiedResource, user, userGroups, roles, accessTypes, evalContext);
+
+ if (CollectionUtils.isNotEmpty(allowedAccesses)) {
+ if (ret == null) {
+ ret = new HashSet<>(allowedAccesses);
+ } else {
+ ret.addAll(allowedAccesses);
+ }
+
+ if (ret.containsAll(accessTypes)) {
+ break;
+ }
+ }
+ }
+
+ return ret;
+ }
+
@Override
public List<RangerPolicy> getExactMatchPolicies(RangerAccessResource resource, String zoneName, Map<String, Object> evalContext) {
if (LOG.isDebugEnabled()) {
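Review bot: `getAllowedAccesses` returns `null` when no evaluator grants anything, and nothing on the method says so; its caller later invokes `clear()` and `retainAll()` on the result, which is safe only because a `CollectionUtils.isEmpty` guard runs first. Initialising with `Set<String> ret = new HashSet<>();` and replacing the `if (ret == null)` branch with a plain `ret.addAll(allowedAccesses);` removes the null case without changing what callers observe through `CollectionUtils.isEmpty`. The method also deserves a Javadoc noting that it unions the grants of all evaluators in the repository, that macros are replaced using the class-level `wildcardEvalContext` rather than the `evalContext` argument, and that it stops early once every requested access type is covered.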
@@ -359,10 +394,8 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
RangerPolicyRepository policyRepository = policyEngine.getRepositoryForMatchedZone(policy);
if (policyRepository != null) {
- Map<String, RangerPolicyResource> resources = policy.getResources();
-
for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
- if (evaluator.isCompleteMatch(resources, evalContext)) {
+ if (evaluator.isCompleteMatch(policy.getResources(), policy.getAdditionalResources(), evalContext)) {
if (ret == null) {
ret = new ArrayList<>();
}
@@ -513,7 +546,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
// This API is used only by test-code; checks only policies within default security-zone
@Override
- public boolean isAccessAllowedByUnzonedPolicies(Map<String, RangerPolicyResource> resources, String user, Set<String> userGroups, String accessType) {
+ public boolean isAccessAllowedByUnzonedPolicies(Map<String, RangerPolicyResource> resources, List<Map<String, RangerPolicyResource>> additionalResources, String user, Set<String> userGroups, String accessType) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyAdminImpl.isAccessAllowedByUnzonedPolicies(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
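Review bot: The entry debug message on the line after the new signature still prints only `resources`, so a trace of this call cannot show which additional resource sets were evaluated. Add the new argument to the message: `"(" + resources + ", " + additionalResources + ", " + user + ...`. The method body continues past the end of this hunk, so a matching exit log, if there is one, may need the same change.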
@@ -526,7 +559,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
}
for (RangerPolicyEvaluator evaluator : policyEngine.getPolicyRepository().getPolicyEvaluators()) {
- ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
+ ret = evaluator.isAccessAllowed(resources, additionalResources, user, userGroups, accessType);
if (ret) {
if (LOG.isDebugEnabled()) {
@@ -558,7 +591,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
for (RangerPolicyEvaluator evaluator : policyEngine.getPolicyRepository().getPolicyEvaluators()) {
RangerPolicy policy = evaluator.getPolicy();
- boolean isAccessAllowed = isAccessAllowedByUnzonedPolicies(policy.getResources(), user, userGroups, accessType);
+ boolean isAccessAllowed = isAccessAllowedByUnzonedPolicies(policy.getResources(), policy.getAdditionalResources(), user, userGroups, accessType);
if (isAccessAllowed) {
ret.add(policy);
@@ -641,11 +674,15 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
}
}
- RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher();
+ for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) {
+ RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher();
- if (matcher != null &&
- (request.isAccessTypeAny() ? matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.ANY, null) : matcher.isMatch(tagResource, null))) {
- ret.add(evaluator.getPolicy());
+ if (matcher != null &&
+ (request.isAccessTypeAny() ? matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.ANY, null) : matcher.isMatch(tagResource, null))) {
+ ret.add(evaluator.getPolicy());
+
+ break;
+ }
}
}
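Review bot: The resource-evaluator loop added here is repeated nearly line for line in the next hunk (the `likelyEvaluators` loop), differing only in the resource passed to `isMatch`. Moving it into one private helper keeps the two paths from drifting apart, which matters because both collect the policies reported as matching a request. The sketch below assumes `tagResource` is assignable to `RangerAccessResource`; that declaration is outside the hunk, as is the start of the enclosing method.

```java
private boolean matchesAnyResourceSet(RangerPolicyEvaluator evaluator, RangerAccessResource resource, boolean isAccessTypeAny) {
    for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) {
        RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher();

        if (matcher == null) {
            continue;
        }

        boolean isMatch = isAccessTypeAny ? matcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.ANY, null)
                                          : matcher.isMatch(resource, null);

        if (isMatch) {
            return true; // one matching resource set is enough to report the policy once
        }
    }

    return false;
}

// … unchanged: tag-policy loop up to the matcher lookup …
if (matchesAnyResourceSet(evaluator, tagResource, request.isAccessTypeAny())) {
    ret.add(evaluator.getPolicy());
}
```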
@@ -658,11 +695,15 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
List<RangerPolicyEvaluator> likelyEvaluators = matchedRepository.getLikelyMatchPolicyEvaluators(request);
for (RangerPolicyEvaluator evaluator : likelyEvaluators) {
- RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher();
+ for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) {
+ RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher();
- if (matcher != null &&
- (request.isAccessTypeAny() ? matcher.isMatch(request.getResource(), RangerPolicyResourceMatcher.MatchScope.ANY, null) : matcher.isMatch(request.getResource(), null))) {
- ret.add(evaluator.getPolicy());
+ if (matcher != null &&
+ (request.isAccessTypeAny() ? matcher.isMatch(request.getResource(), RangerPolicyResourceMatcher.MatchScope.ANY, null) : matcher.isMatch(request.getResource(), null))) {
+ ret.add(evaluator.getPolicy());
+
+ break;
+ }
}
}
}
@@ -889,14 +930,7 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
}
private String getResourceSignature(final RangerPolicy policy) {
- Map<String, RangerPolicyResourceSignature.ResourceSerializer> resources = new TreeMap<>();
- for (Map.Entry<String, RangerPolicyResource> entry : policy.getResources().entrySet()) {
- String resourceName = entry.getKey();
- RangerPolicyResourceSignature.ResourceSerializer resourceView = new RangerPolicyResourceSignature.ResourceSerializer(entry.getValue());
- resources.put(resourceName, resourceView);
- }
- return resources.toString();
+ return RangerPolicyResourceSignature.toSignatureString(policy.getResources(), policy.getAdditionalResources());
}
-
}
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyAdmin.java b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyAdmin.java
new file mode 100644
index 000000000..41c360dec
--- /dev/null
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyAdmin.java
@@ -0,0 +1,155 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.biz;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
+import org.apache.ranger.biz.TestPolicyAdmin.PolicyAdminTestCase.TestData;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.util.ServicePolicies;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.*;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+public class TestPolicyAdmin {
+ static Gson gsonBuilder;
+
+ @BeforeClass
+ public static void setUpBeforeClass() throws Exception {
+ gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
+ .setPrettyPrinting()
+ .create();
+ }
+
+ @AfterClass
+ public static void tearDownAfterClass() throws Exception {
+ }
+
+ @Test
+ public void testPolicyAdmin_additionalResources() {
+ String[] testFile = { "/biz/test_policyadmin_additional_resources.json" };
+
+ runTestsFromResourceFiles(testFile);
+ }
+
+ private void runTestsFromResourceFiles(String[] resourceNames) {
+ for(String resourceName : resourceNames) {
+ InputStream inStream = this.getClass().getResourceAsStream(resourceName);
+ InputStreamReader reader = new InputStreamReader(inStream);
+
+ runTests(reader, resourceName);
+ }
+ }
+
+ private void runTests(InputStreamReader reader, String testName) {
+ PolicyAdminTestCase testCase = gsonBuilder.fromJson(reader, PolicyAdminTestCase.class);
+
+ assertTrue("invalid input: " + testName, testCase != null && testCase.servicePolicies != null && testCase.tests != null && testCase.servicePolicies.getPolicies() != null);
+
+ RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
+
+ policyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ policyEngineOptions.cacheAuditResults = false;
+ policyEngineOptions.disableContextEnrichers = true;
+ policyEngineOptions.disableCustomConditions = true;
+ policyEngineOptions.evaluateDelegateAdminOnly = true;
+
+ RangerPluginContext pluginContext = new RangerPluginContext(new RangerPluginConfig("hive", null, "test-policydb", "cl1", "on-prem", policyEngineOptions));
+ RangerPolicyAdmin policyAdmin = new RangerPolicyAdminImpl(testCase.servicePolicies, pluginContext, null);
+
+ for(TestData test : testCase.tests) {
+ if (test.userGroups == null) {
+ test.userGroups = Collections.emptySet();
+ }
+
+ if (test.allowedPolicies != null) {
+ Set<Long> allowedPolicies = new HashSet<>();
+
+ for (RangerPolicy policy : testCase.servicePolicies.getPolicies()) {
+ boolean isAllowed = test.isModifyAccess ? policyAdmin.isDelegatedAdminAccessAllowedForModify(policy, test.user, test.userGroups, null, null)
+ : policyAdmin.isDelegatedAdminAccessAllowedForRead(policy, test.user, test.userGroups, null, null);
+
+ if (isAllowed) {
+ allowedPolicies.add(policy.getId());
+ }
+ }
+
+ assertEquals("allowed-policy count mismatch! - " + test.name, test.allowedPolicies.size(), allowedPolicies.size());
+
+ assertEquals("allowed-policy list mismatch! - " + test.name, test.allowedPolicies, allowedPolicies);
+ } else {
+ RangerPolicy policy = new RangerPolicy();
+ RangerPolicyItem policyItem = new RangerPolicyItem();
+
+ policyItem.getUsers().add(test.user);
+ policyItem.getUsers().addAll(test.userGroups);
+
+ for (String accessType : test.accessTypes) {
+ policyItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(accessType));
+ }
+
+ policy.setResources(test.resources);
+ policy.setAdditionalResources(test.additionalResources);
+ policy.getPolicyItems().add(policyItem);
+
+ final boolean expected = test.result;
+ final boolean result;
+
+ if (test.isModifyAccess) {
+ result = policyAdmin.isDelegatedAdminAccessAllowedForModify(policy, test.user, test.userGroups, null, null);
+ } else {
+ result = policyAdmin.isDelegatedAdminAccessAllowedForRead(policy, test.user, test.userGroups, null, null);
+ }
+
+ assertEquals("isAccessAllowed mismatched! - " + test.name, expected, result);
+ }
+ }
+ }
+
+ static class PolicyAdminTestCase {
+ public ServicePolicies servicePolicies;
+ public List<TestData> tests;
+
+ class TestData {
+ public String name;
+ public Map<String, RangerPolicyResource> resources;
+ public List<Map<String, RangerPolicyResource>> additionalResources;
+ public String user;
+ public Set<String> userGroups;
+ public Set<String> accessTypes;
+ public boolean isModifyAccess;
+ public boolean result;
+ public Set<Long> allowedPolicies;
+ }
+ }
+}
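Review bot: In `runTests`, `policyItem.getUsers().addAll(test.userGroups);` puts group names into the policy item's user list, so a test case that sets `userGroups` would build a policy naming those groups as users; this should read `policyItem.getGroups().addAll(test.userGroups);`. Separately, `runTestsFromResourceFiles` passes the result of `getResourceAsStream` straight to `new InputStreamReader(inStream)` with no null check, no charset and no close, so a missing fixture fails with a NullPointerException instead of a clear message; a null assertion plus try-with-resources and `StandardCharsets.UTF_8` would fix that. `TestData` is declared as a non-static inner class, and making it `static class TestData` avoids depending on how Gson instantiates inner classes.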
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
index 7416fe45d..5b7e6b6af 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestPolicyDb.java
@@ -136,7 +136,7 @@ public class TestPolicyDb {
}
assertEquals("allowed-policy list mismatch!", test.allowedPolicies, allowedPolicyIds);
} else {
- boolean result = policyAdmin.isAccessAllowedByUnzonedPolicies(test.resources, test.user, test.userGroups, test.accessType);
+ boolean result = policyAdmin.isAccessAllowedByUnzonedPolicies(test.resources, null, test.user, test.userGroups, test.accessType);
assertEquals("isAccessAllowed mismatched! - " + test.name, expected, result);
}
diff --git a/security-admin/src/test/resources/biz/test_policyadmin_additional_resources.json b/security-admin/src/test/resources/biz/test_policyadmin_additional_resources.json
new file mode 100644
index 000000000..dd3be5759
--- /dev/null
+++ b/security-admin/src/test/resources/biz/test_policyadmin_additional_resources.json
@@ -0,0 +1,2710 @@
+{
+ "servicePolicies": {
+ "serviceName": "hivedev",
+ "serviceDef": {
+ "name": "hive", "id": 3,
+ "resources": [
+ { "name": "database", "level": 1, "parent": "", "mandatory": true, "lookupSupported": true, "label": "Hive Database", "description": "Hive Database", "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true } },
+ { "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "label": "Hive Table", "description": "Hive Table", "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true } },
+ { "name": "udf", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "label": "Hive UDF", "description": "Hive UDF", "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true } },
+ { "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true, "label": "Hive Column", "description": "Hive Column", "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true } }
+ ],
+ "accessTypes": [
+ { "name": "select", "label": "Select" },
+ { "name": "update", "label": "Update" },
+ { "name": "create", "label": "Create" },
+ { "name": "drop", "label": "Drop" },
+ { "name": "alter", "label": "Alter" },
+ { "name": "index", "label": "Index" },
+ { "name": "lock", "label": "Lock" },
+ { "name": "all", "label": "All", "impliedGrants": [ "select", "update", "create", "drop", "alter", "index", "lock" ] }
+ ]
+ },
+ "policies": [
+ { "id": 1, "name": "db1.tbl1.*, db2.tbl2.*, db3.tbl3.*", "isEnabled": true, "isAuditEnabled": true,
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "*" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "*" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "*" ] } }
+ ],
+ "policyItems": [
+ { "accesses": [ { "type": "all" } ], "users": [ "user_1" ], "delegateAdmin": true },
+ { "accesses": [ { "type": "select" } ], "users": [ "user_2" ], "delegateAdmin": true },
+ { "accesses": [ { "type": "select" } ], "users": [ "user_3" ], "delegateAdmin": false }
+ ]
+ },
+ { "id": 11, "name": "db1.tbl1.*", "isEnabled": true, "isAuditEnabled": true,
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "*" ] } },
+ "policyItems": [
+ { "accesses": [ { "type": "all" } ], "users": [ "user1_1" ], "delegateAdmin": true },
+ { "accesses": [ { "type": "select" } ], "users": [ "user1_2" ], "delegateAdmin": true },
+ { "accesses": [ { "type": "select" } ], "users": [ "user1_3" ], "delegateAdmin": false }
+ ]
+ },
+ { "id": 12, "name": "db2.tbl2.*", "isEnabled": true, "isAuditEnabled": true,
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "*" ] } },
+ "policyItems": [
+ { "accesses": [ { "type": "all" } ], "users": [ "user2_1" ], "delegateAdmin": true },
+ { "accesses": [ { "type": "select" } ], "users": [ "user2_2" ], "delegateAdmin": true },
+ { "accesses": [ { "type": "select" } ], "users": [ "user2_3" ], "delegateAdmin": false }
+ ]
+ },
+ { "id": 13, "name": "db3.tbl3.*", "isEnabled": true, "isAuditEnabled": true,
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "*" ] } },
+ "policyItems": [
+ { "accesses": [ { "type": "all" } ], "users": [ "user3_1" ], "delegateAdmin": true },
+ { "accesses": [ { "type": "select" } ], "users": [ "user3_2" ], "delegateAdmin": true },
+ { "accesses": [ { "type": "select" } ], "users": [ "user3_3" ], "delegateAdmin": false }
+ ]
+ }
+ ]
+ },
+
+ "tests": [
+ { "name": "user_1 - policies allowed to read",
+ "user": "user_1", "allowedPolicies": [ 1, 11, 12, 13 ]
+ },
+ { "name": "user_1 - policies allowed to modify",
+ "user": "user_1", "isModifyAccess": true, "allowedPolicies": [ 1, 11, 12, 13 ]
+ },
+ { "name": "user_2 - policies allowed to read",
+ "user": "user_2", "allowedPolicies": [ 1, 11, 12, 13 ]
+ },
+ { "name": "user_2 - policies allowed to modify",
+ "user": "user_2", "isModifyAccess": true, "allowedPolicies": [ ]
+ },
+ { "name": "user_3 - policies allowed to read",
+ "user": "user_3", "allowedPolicies": [ ]
+ },
+ { "name": "user_3 - policies allowed to modify",
+ "user": "user_3", "isModifyAccess": true, "allowedPolicies": [ ]
+ },
+ { "name": "user1_1 - policies allowed to read",
+ "user": "user1_1", "allowedPolicies": [ 11 ]
+ },
+ { "name": "user1_1 - policies allowed to modify",
+ "user": "user1_1", "isModifyAccess": true, "allowedPolicies": [ 11 ]
+ },
+ { "name": "user1_2 - policies allowed to read",
+ "user": "user1_2", "allowedPolicies": [ 11 ]
+ },
+ { "name": "user1_2 - policies allowed to modify",
+ "user": "user1_2", "isModifyAccess": true, "allowedPolicies": [ ]
+ },
+ { "name": "user1_3 - policies allowed to read",
+ "user": "user1_3", "allowedPolicies": [ ]
+ },
+ { "name": "user1_3 - policies allowed to modify",
+ "user": "user1_3", "isModifyAccess": true, "allowedPolicies": [ ]
+ },
+ { "name": "user2_1 - policies allowed to read",
+ "user": "user2_1", "allowedPolicies": [ 12 ]
+ },
+ { "name": "user2_1 - policies allowed to modify",
+ "user": "user2_1", "isModifyAccess": true, "allowedPolicies": [ 12 ]
+ },
+ { "name": "user2_2 - policies allowed to read",
+ "user": "user2_2", "allowedPolicies": [ 12 ]
+ },
+ { "name": "user2_2 - policies allowed to modify",
+ "user": "user2_2", "isModifyAccess": true, "allowedPolicies": [ ]
+ },
+ { "name": "user2_3 - policies allowed to read",
+ "user": "user2_3", "allowedPolicies": [ ]
+ },
+ { "name": "user2_3 - policies allowed to modify",
+ "user": "user2_3", "isModifyAccess": true, "allowedPolicies": [ ]
+ },
+ { "name": "user3_1 - policies allowed to read",
+ "user": "user3_1", "allowedPolicies": [ 13 ]
+ },
+ { "name": "user3_1 - policies allowed to modify",
+ "user": "user3_1", "isModifyAccess": true, "allowedPolicies": [ 13 ]
+ },
+ { "name": "user3_2 - policies allowed to read",
+ "user": "user3_2", "allowedPolicies": [ 13 ]
+ },
+ { "name": "user3_2 - policies allowed to modify",
+ "user": "user3_2", "isModifyAccess": true, "allowedPolicies": [ ]
+ },
+ { "name": "user3_3 - policies allowed to read",
+ "user": "user3_3", "allowedPolicies": [ ]
+ },
+ { "name": "user3_3 - policies allowed to modify",
+ "user": "user3_3", "isModifyAccess": true, "allowedPolicies": [ ]
+ },
+
+ { "name": "user_1 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "drop" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "all" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "create", "alter", "drop" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "drop" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "drop" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user_1 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_1 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "create" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "all" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "create" ],
+ "result": true
+ },
+ { "name": "user_1 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "all" ],
+ "result": true
+ },
+
+ { "name": "user_2 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_2 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_2 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "all" ],
+ "result": true
+ },
+ { "name": "user_2 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user_2 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": true
+ },
+ { "name": "user_2 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_2 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_2 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_2 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_2 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user_2 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_2 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_2 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user_2 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "all" ],
+ "result": true
+ },
+ { "name": "user_2 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user_2 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user_2 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "all" ],
+ "result": true
+ },
+
+
+ { "name": "user_3 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user_3 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user1_1 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user1_1 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "drop" ],
+ "result": true
+ },
+ { "name": "user1_1 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "all" ],
+ "result": true
+ },
+ { "name": "user1_1 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "create", "alter", "drop" ],
+ "result": true
+ },
+ { "name": "user1_1 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": true
+ },
+ { "name": "user1_1 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user1_1 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user1_2 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user1_2 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "all" ],
+ "result": true
+ },
+ { "name": "user1_2 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": true
+ },
+ { "name": "user1_2 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user1_2 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user1_3 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user1_3 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user2_1 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user2_1 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "drop" ],
+ "result": true
+ },
+ { "name": "user2_1 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user2_1 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user2_2 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user2_2 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user2_2 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user2_3 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user2_3 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user3_1 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user3_1 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "drop" ],
+ "result": true
+ },
+ { "name": "user3_1 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user3_1 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user3_2 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "select" ],
+ "result": true
+ },
+ { "name": "user3_2 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user3_2 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+ { "name": "user3_3 - read [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "create", "alter", "drop" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "drop" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "select" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "create" ],
+ "result": false
+ },
+ { "name": "user3_3 - read [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "all" ],
+ "result": false
+ },
+
+
+
+ { "name": "user_1 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_1 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_1 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_1 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": true
+ },
+
+ { "name": "user_2 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_2 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_2 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_2 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_2 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user_2 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_2 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+
+ { "name": "user_3 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user_3 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user1_1 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user1_1 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user1_1 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user1_1 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user1_1 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user1_1 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_1 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user1_2 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user1_2 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_2 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user1_3 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user1_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user1_3 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user1_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user2_1 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user2_1 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user2_1 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_1 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user2_2 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user2_2 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_2 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user2_3 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user2_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user2_3 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user2_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user3_1 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user3_1 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user3_1 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_1", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_1 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_1", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user3_2 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": true
+ },
+ { "name": "user3_2 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_2", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_2 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_2", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+
+ { "name": "user3_3 - modify [ select ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ all ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ create, alter, drop ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "create", "alter", "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ create, alter, drop, select, update, index, lock ] on db1.tbl1.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "create", "alter", "drop", "select", "update", "index", "lock" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ select ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ drop ] on db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ select ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ drop ] on db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ select ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ drop ] on db1.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ "user": "user3_3", "accessTypes": [ "drop" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ select ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "select" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ create ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "create" ], "isModifyAccess": true,
+ "result": false
+ },
+ { "name": "user3_3 - modify [ all ] on db1.tbl1.col1, db2.tbl2.col1, db3.tbl3.col1",
+ "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } },
+ "additionalResources": [
+ { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col1" ] } },
+ { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col1" ] } }
+ ],
+ "user": "user3_3", "accessTypes": [ "all" ], "isModifyAccess": true,
+ "result": false
+ }
+ ]
+}
+