Posted to commits@ranger.apache.org by ma...@apache.org on 2015/10/28 17:00:14 UTC
[38/50] [abbrv] incubator-ranger git commit: RANGER-683: access
should not be be allowed if denied by either a tag-based policy or a
resource-based policy
RANGER-683: access should not be allowed if denied by either a tag-based policy or a resource-based policy
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/689dc76b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/689dc76b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/689dc76b
Branch: refs/heads/master
Commit: 689dc76bc49da8e669e6e6e1ffd865f16a11aacc
Parents: 8194269
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Oct 7 13:54:13 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Wed Oct 7 17:30:31 2015 -0700
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineImpl.java | 132 ++--
.../RangerDefaultPolicyEvaluator.java | 57 +-
.../RangerOptimizedPolicyEvaluator.java | 13 +-
.../plugin/policyengine/TestPolicyEngine.java | 5 -
.../test_policyengine_tag_hdfs.json | 769 +++++++++++++++----
5 files changed, 729 insertions(+), 247 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 5d1140b..8adab7b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -324,37 +324,38 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
- if (!ret.getIsAccessDetermined() || !ret.getIsAuditedDetermined()) {
- if (hasResourcePolicies()) {
- boolean foundInCache = policyRepository.setAuditEnabledFromCache(request, ret);
- RangerPolicyEvaluator allowedEvaluator = null;
+ boolean isAllowedByTags = ret.getIsAccessDetermined() && ret.getIsAllowed();
+ boolean isDeniedByTags = ret.getIsAccessDetermined() && !ret.getIsAllowed();
+ boolean evaluateResourcePolicies = hasResourcePolicies() && (!isDeniedByTags || !ret.getIsAuditedDetermined());
- List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators();
- for (RangerPolicyEvaluator evaluator : evaluators) {
- evaluator.evaluate(request, ret);
+ if (evaluateResourcePolicies) {
+ boolean findAuditByResource = !ret.getIsAuditedDetermined();
+ boolean foundInCache = findAuditByResource ? policyRepository.setAuditEnabledFromCache(request, ret) : false;
- if(allowedEvaluator == null && ret.getIsAllowed()) {
- allowedEvaluator = evaluator;
- }
+ if(isAllowedByTags) {
+ ret.setIsAccessDetermined(false); // discard allowed result by tag-policies, to evaluate resource policies for possible deny
+ }
- // stop once isAccessDetermined==true && isAuditedDetermined==true
- if(ret.getIsAuditedDetermined()) {
- if(ret.getIsAccessDetermined() || (allowedEvaluator != null && !evaluator.hasDeny())) {
- break; // Break out of policy-evaluation loop for this tag
- }
- }
- }
+ List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators();
+ for (RangerPolicyEvaluator evaluator : evaluators) {
+ evaluator.evaluate(request, ret);
- if(!ret.getIsAccessDetermined() && allowedEvaluator != null) {
- ret.setIsAllowed(true);
- ret.setPolicyId(allowedEvaluator.getPolicy().getId());
+ if(ret.getIsAllowed() && !evaluator.hasDeny()) { // all policies having deny have been evaluated
ret.setIsAccessDetermined(true);
}
- if (!foundInCache) {
- policyRepository.storeAuditEnabledInCache(request, ret);
+ if(ret.getIsAuditedDetermined() && ret.getIsAccessDetermined()) {
+ break; // Break out of policy-evaluation loop
}
}
+
+ if(ret.getIsAllowed()) {
+ ret.setIsAccessDetermined(true);
+ }
+
+ if (findAuditByResource && !foundInCache) {
+ policyRepository.storeAuditEnabledInCache(request, ret);
+ }
}
}
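Review bot: The early exit at `if(ret.getIsAllowed() && !evaluator.hasDeny())` treats the first allow-only evaluator as proof that every deny-bearing policy has already run, which holds only if `policyRepository.getPolicyEvaluators()` returns policies with deny items ahead of the rest; that ordering is not visible here, and if the repository does not guarantee it a later deny policy would be skipped and the tag/resource deny this commit is meant to enforce would be lost. The same assumption is made in the tag loop of the third hunk at `if(tagEvalResult.getIsAllowed() && !evaluator.hasDeny())`. Suggest stating the invariant where the list is consumed, e.g. `// relies on getPolicyEvaluators() listing every policy that has deny items before allow-only ones`. Also `findAuditByResource ? policyRepository.setAuditEnabledFromCache(request, ret) : false` reads more plainly as `findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret)`. The enclosing method starts and ends outside the hunk.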
@@ -365,9 +366,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return ret;
}
- protected RangerAccessResult isAccessAllowedForTagPolicies(final RangerAccessRequest request, RangerAccessResult result) {
+ protected void isAccessAllowedForTagPolicies(final RangerAccessRequest request, RangerAccessResult result) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + result + ")");
}
List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators();
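Review bot: `isAccessAllowedForTagPolicies` now returns `void` and reports solely by mutating `result`, but the name still reads as a boolean query and the method carries no Javadoc. Suggest adding `/** Evaluates the tag-based policies for {@code request} and merges access and audit outcome into {@code result}; a deny recorded here must not be overturned by resource policies. */` so the in-place contract is visible to callers. The method body continues outside the hunk.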
@@ -376,90 +377,75 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
if(CollectionUtils.isNotEmpty(tags)) {
- boolean someTagAllowedAudit = false;
- RangerAccessResult savedAccessResult = createAccessResult(request);
- List<RangerTagAuditEvent> tagAuditEvents = new ArrayList<RangerTagAuditEvent>();
-
for (RangerTag tag : tags) {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: Evaluating policies for tag (" + tag.getType() + ")");
}
- RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
- RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest);
- RangerPolicyEvaluator allowedEvaluator = null;
+ RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
+ RangerAccessResult tagEvalResult = createAccessResult(tagEvalRequest);
+
+ // carry fwd results from earlier tags, to optimize the current evaluation
+ // - if access was already allowed by a tag, only deny needs to be looked into
+ // - if audit was already determined, evaluation can bail out as soon as access is determined
+ if(result.getIsAllowed()) {
+ tagEvalResult.setIsAllowed(result.getIsAllowed());
+ }
+ tagEvalResult.setAuditResultFrom(result);
for (RangerPolicyEvaluator evaluator : evaluators) {
+ if(! evaluator.isMatch(tagEvalRequest.getResource()))
+ continue;
+
evaluator.evaluate(tagEvalRequest, tagEvalResult);
- if(allowedEvaluator == null && tagEvalResult.getIsAllowed()) {
- allowedEvaluator = evaluator;
+ if(tagEvalResult.getIsAllowed() && !evaluator.hasDeny()) { // all policies having deny have been evaluated
+ tagEvalResult.setIsAccessDetermined(true);
}
- if(tagEvalResult.getIsAuditedDetermined()) {
- if(tagEvalResult.getIsAccessDetermined() || (allowedEvaluator != null && !evaluator.hasDeny())) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + tag.getType() + ") with authorization=" + tagEvalResult.getIsAllowed());
- }
- break; // Break out of policy-evaluation loop for this tag
+ if(tagEvalResult.getIsAuditedDetermined() && tagEvalResult.getIsAccessDetermined()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag (" + tag.getType() + ") with authorization=" + tagEvalResult.getIsAllowed());
}
+
+ break; // Break out of policy-evaluation loop for this tag
}
}
- if(!tagEvalResult.getIsAccessDetermined() && allowedEvaluator != null) {
- tagEvalResult.setIsAllowed(true);
- tagEvalResult.setPolicyId(allowedEvaluator.getPolicy().getId());
+ if(tagEvalResult.getIsAllowed()) {
tagEvalResult.setIsAccessDetermined(true);
}
- if (tagEvalResult.getIsAuditedDetermined()) {
- someTagAllowedAudit = true;
- // And generate an audit event
- if (tagEvalResult.getIsAccessDetermined()) {
- RangerTagAuditEvent event = new RangerTagAuditEvent(tag.getType(), tagEvalResult);
- tagAuditEvents.add(event);
- }
+ if (tagEvalResult.getIsAudited()) {
+ result.setIsAudited(true);
}
- if (tagEvalResult.getIsAccessDetermined()) {
- savedAccessResult.setAccessResultFrom(tagEvalResult);
-
- if (!tagEvalResult.getIsAllowed()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: concluding eval of tag-policies as tag (" + tag.getType() + "), tag-policy-id=" + tagEvalResult.getPolicyId() + " denied access.");
+ if(!result.getIsAccessDetermined() && tagEvalResult.getIsAccessDetermined()) {
+ if(! tagEvalResult.getIsAllowed()) { // access is denied for this tag
+ result.setAccessResultFrom(tagEvalResult);
+ } else { // access is allowed for this tag
+ // if a policy evaluated earlier allowed the access, don't update with current tag result
+ if(! result.getIsAllowed()) {
+ result.setAccessResultFrom(tagEvalResult);
+ result.setIsAccessDetermined(false); // so that evaluation will continue for deny
}
- break; // Break out of tags evaluation loop altogether
}
}
- }
-
- result.setAccessResultFrom(savedAccessResult);
- if (someTagAllowedAudit) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies: at least one tag-policy requires generation of audit event");
+ if(result.getIsAuditedDetermined() && result.getIsAccessDetermined()) {
+ break; // Break out of policy-evaluation loop
}
- result.setIsAudited(true);
-
- boolean isAccessDenied = result.getIsAccessDetermined() && !result.getIsAllowed();
-
- RangerTagAuditEvent.processTagEvents(tagAuditEvents, isAccessDenied);
- // Set processed list into result
- // result.setAuxilaryAuditInfo(tagAuditEvents);
}
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : result=" + result);
- LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : auditEventList=" + tagAuditEvents);
}
}
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + result + ")" );
+ LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + result + ")" );
}
-
- return result;
}
private void setResourceServiceDef(RangerAccessRequest request) {
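Review bot: The pre-filter `if(! evaluator.isMatch(tagEvalRequest.getResource())) continue;` is the only unbraced statement in this method, and it most likely repeats the resource match that `evaluator.evaluate(...)` performs on its own, so each matching evaluator is matched twice per tag; if `evaluate` already skips non-matching policies the pre-check can go, otherwise brace it: `if (!evaluator.isMatch(tagEvalRequest.getResource())) { continue; }`. Separately, the per-tag `RangerTagAuditEvent` list and the `RangerTagAuditEvent.processTagEvents(...)` call are dropped without mention in the description, so the result now carries only a single `isAudited` flag rather than which tag policy triggered the audit; a sentence in the commit message saying this is intended would help anyone reconciling audit output later. The enclosing method starts outside the hunk.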
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 1764b60..da15c00 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -147,28 +147,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (!isResourceMatch) {
if (attemptResourceHeadMatch && !isResourceHeadMatchAttempted) {
isResourceHeadMatch = matchResourceHead(request.getResource());
- isResourceHeadMatchAttempted = true;
+ isResourceHeadMatchAttempted = true;
}
}
+
// Go further to evaluate access only if match or head match was found at this point
if (isResourceMatch || isResourceHeadMatch) {
- RangerPolicyItemEvaluator matchedPolicyItem = getDeterminingPolicyItem(request);
-
- if(matchedPolicyItem != null) {
- RangerPolicy policy = getPolicy();
-
- if(matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
- if(isResourceMatch) {
- result.setIsAllowed(false);
- result.setPolicyId(policy.getId());
- result.setReason(matchedPolicyItem.getComments());
- }
- } else {
- result.setIsAllowed(true);
- result.setPolicyId(policy.getId());
- result.setReason(matchedPolicyItem.getComments());
- }
- }
+ evaluatePolicyItems(request, result, isResourceMatch);
}
}
}
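Review bot: The `isResourceHeadMatchAttempted = true;` line appears as a removed-and-re-added pair with no textual change, which looks like a whitespace-only edit and adds noise to a correctness fix; dropping it from this commit keeps the diff focused on the `evaluatePolicyItems(request, result, isResourceMatch)` extraction. The enclosing `evaluate` method starts and ends outside the hunk, so whether `evaluatePolicyItems` can be reached with a `result` that already carries a deny is decided by code not shown here.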
@@ -178,28 +163,38 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
}
- protected RangerPolicyItemEvaluator getDeterminingPolicyItem(RangerAccessRequest request) {
+ protected void evaluatePolicyItems(RangerAccessRequest request, RangerAccessResult result, boolean isResourceMatch) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + request + ")");
+ LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
}
- RangerPolicyItemEvaluator ret = null;
+ RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators);
- /*
- * 1. if a deny matches without hitting any deny-exception, return that
- * 2. if an allow matches without hitting any allow-exception, return that
- */
- ret = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators);
+ if(matchedPolicyItem == null && !result.getIsAllowed()) { // if not denied, evaluate allowItems only if not already allowed
+ matchedPolicyItem = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators);
+ }
- if(ret == null) {
- ret = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators);
+ if(matchedPolicyItem != null) {
+ RangerPolicy policy = getPolicy();
+
+ if(matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
+ if(isResourceMatch) {
+ result.setIsAllowed(false);
+ result.setPolicyId(policy.getId());
+ result.setReason(matchedPolicyItem.getComments());
+ }
+ } else {
+ if(! result.getIsAllowed()) { // if access is not yet allowed by another policy
+ result.setIsAllowed(true);
+ result.setPolicyId(policy.getId());
+ result.setReason(matchedPolicyItem.getComments());
+ }
+ }
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + request + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
}
-
- return ret;
}
protected RangerPolicyItemEvaluator getDeterminingPolicyItem(String user, Set<String> userGroups, String accessType) {
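Review bot: `evaluatePolicyItems` will overwrite an earlier `isAllowed=false` with `true` whenever this policy's allow item matches, because `if(matchedPolicyItem == null && !result.getIsAllowed())` and the later `if(! result.getIsAllowed())` both treat a prior deny and an untouched result alike; deny precedence therefore rests on the caller never invoking this method once a deny has been recorded (presumably via `isAccessDetermined`), and that guard sits outside the hunk. Suggest a Javadoc stating the contract, along the lines of `@param result must not already carry a deny; a matching allow item sets isAllowed only while it is still false, a matching deny item always clears it when the resource matched`. A one-line comment on the deny branch explaining why `isResourceMatch` gates only that branch would also save the next reader a trip to the caller.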
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index a118466..a3da6bb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -26,6 +26,7 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
@@ -228,27 +229,23 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
}
@Override
- protected RangerPolicyItemEvaluator getDeterminingPolicyItem(RangerAccessRequest request) {
+ protected void evaluatePolicyItems(RangerAccessRequest request, RangerAccessResult result, boolean isResourceMatch) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerOptimizedPolicyEvaluator.isPolicyItemsMatch()");
+ LOG.debug("==> RangerOptimizedPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
}
- RangerPolicyItemEvaluator ret = null;
-
if (hasPublicGroup || users.contains(request.getUser()) || CollectionUtils.containsAny(groups, request.getUserGroups())) {
// No need to reject based on users and groups
if (request.isAccessTypeAny() || (request.isAccessTypeDelegatedAdmin() && delegateAdmin) || hasAllPerms || accessPerms.contains(request.getAccessType())) {
// No need to reject based on aggregated access permissions
- ret = super.getDeterminingPolicyItem(request);
+ super.evaluatePolicyItems(request, result, isResourceMatch);
}
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerOptimizedPolicyEvaluator.isPolicyItemsMatch(): " + ret);
+ LOG.debug("<== RangerOptimizedPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
}
-
- return ret;
}
private void preprocessPolicyItems(List<RangerPolicy.RangerPolicyItem> policyItems) {
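Review bot: When the user/group pre-check or the aggregated access-type pre-check fails, the method returns without touching `result`, which is correct only because a non-match inside `super.evaluatePolicyItems` also leaves `result` untouched; that equivalence is implicit and worth a comment at the end of the outer `if`, e.g. `// pre-check failed: same outcome as super finding no matching item, result is left as-is`. Overriding with the new signature looks right, and the added `RangerAccessResult` import in the first hunk is what it needs.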
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index d7801b9..b59ae1f 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -23,13 +23,8 @@ import com.google.gson.*;
import com.google.gson.reflect.TypeToken;
import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FSDataOutputStream;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.fs.FileSystem;
import org.apache.ranger.audit.provider.AuditHandler;
import org.apache.ranger.audit.provider.AuditProviderFactory;
-import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerTag;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/689dc76b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
index ed42d5c..15fd4cd 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
@@ -1,11 +1,10 @@
{
"serviceName":"hdfsdev",
-
"serviceDef":{
"name":"hdfs",
"id":1,
"resources":[
- {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Resource Path","description":"HDFS file or directory path"}
+ {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Resource Path","description":"HDFS file or directory path"}
],
"accessTypes":[
{"name":"read","label":"Read"},
@@ -13,171 +12,681 @@
{"name":"execute","label":"Execute"}
]
},
-
"policies":[
- ],
- "tagPolicyInfo": {
-
- "serviceName":"tagdev",
- "serviceDef": {
- "name": "tag",
- "id": 100,
- "resources": [
+ {
+ "id": 1,
+ "name": "/resource: allow: users=user-ra, user-ra-ta, user-ra-td; deny: user=user-rd, user-rd-ta, user-rd-td",
+ "isEnabled": true,
+ "isAuditEnabled": true,
+ "resources": {
+ "path": { "values": [ "/resource" ], "isRecursive": true }
+ },
+ "policyItems": [
{
- "itemId": 1,
- "name": "tag",
- "type": "string",
- "level": 1,
- "parent": "",
- "mandatory": true,
- "lookupSupported": true,
- "recursiveSupported": false,
- "excludesSupported": false,
- "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
- "matcherOptions": {
- "wildCard": true,
- "ignoreCase": false
- },
- "validationRegEx": "",
- "validationMessage": "",
- "uiHint": "",
- "label": "TAG",
- "description": "TAG"
+ "accesses":[
+ {"type":"read"},
+ {"type":"write"}
+ ],
+ "users":["user-ra", "user-ra-ta", "user-ra-td"],
+ "groups":["finance"],
+ "delegateAdmin":false,
+ "conditions" : []
}
],
- "accessTypes": [
- {
- "itemId": 1,
- "name": "hdfs:read",
- "label": "hdfs:Read"
- },
- {
- "itemId": 2,
- "name": "hdfs:write",
- "label": "hdfs:Write"
- },
- {
- "itemId": 3,
- "name": "hdfs:execute",
- "label": "hdfs:Execute"
- }
- ,
+ "allowExceptions":[ ],
+ "denyPolicyItems": [
{
- "itemId": 4,
- "name": "hive:grant",
- "label": "hive:grant"
- }
- ,
- {
- "itemId": 5,
- "name": "kms:dek",
- "label": "kms:dek"
- }
- ,
- {
- "itemId": 6,
- "name": "delete",
- "label": "delete"
+ "accesses": [
+ { "type": "read" },
+ { "type": "execute" },
+ { "type": "write" }
+ ],
+ "users": [ "user-rd", "user-rd-ta", "user-rd-td" ],
+ "groups": [],
+ "delegateAdmin": false,
+ "conditions": [
+ ]
}
],
- "contextEnrichers": [
+ "denyExceptions":[ ]
+ },
+ {
+ "id": 2,
+ "name": "/unaudited-resource: allow: users=user-ra, user-ra-ta, user-ra-td; deny: user=user-rd, user-rd-ta, user-rd-td",
+ "isEnabled": true,
+ "isAuditEnabled": false,
+ "resources": {
+ "path": { "values": [ "/unaudited-resource" ], "isRecursive": true }
+ },
+ "policyItems": [
{
- "itemId": 1,
- "name" : "TagEnricher",
- "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
- "enricherOptions" : {"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever", "tagRefresherPollingInterval":60000, "dataFile":"/etc/ranger/data/resourceTags.txt"}
+ "accesses":[
+ {"type":"read" },
+ {"type":"write" }
+ ],
+ "users":["user-ra", "user-ra-ta", "user-ra-td"],
+ "groups":["finance"],
+ "delegateAdmin":false,
+ "conditions" : []
}
],
- "policyConditions": [
+ "allowExceptions":[ ],
+ "denyPolicyItems": [
{
- "itemId":1,
- "name":"ScriptConditionEvaluator",
- "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
- "evaluatorOptions" : {"engineName":"JavaScript"},
- "label":"Script",
- "description": "Script to execute"
+ "accesses": [
+ { "type": "read" },
+ { "type": "execute" },
+ { "type": "write" }
+ ],
+ "users": [ "user-rd", "user-rd-ta", "user-rd-td" ],
+ "groups": [],
+ "delegateAdmin": false,
+ "conditions": [
+ ]
}
- ]
+ ],
+ "denyExceptions":[ ]
+ }
+ ],
+
+ "tagPolicyInfo": {
+ "serviceName":"tagdev",
+ "serviceDef": {
+ "name": "tag",
+ "id": 100,
+ "resources": [
+ { "name": "tag", "type": "string", "level": 1, "mandatory": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": false, "ignoreCase": false }, "label": "TAG", "description": "TAG" }
+ ],
+ "accessTypes": [
+ { "name": "hdfs:read", "label": "hdfs:Read" },
+ { "name": "hdfs:write", "label": "hdfs:Write" },
+ { "name": "hdfs:execute", "label": "hdfs:Execute" }
+ ],
+ "contextEnrichers": [ ],
+ "policyConditions": [ ]
},
"tagPolicies":[
- {"id":101,"name":"PII with expiry","isEnabled":true,"isAuditEnabled":true,
+ {
+ "id":101,
+ "name":"PII",
+ "isEnabled":true,
+ "isAuditEnabled":true,
"resources":{"tag":{"values":["PII"],"isRecursive":false}},
"policyItems":[
{
"accesses":[
- {"type":"hdfs:read", "isAllowed":true},
- {"type":"hive:grant", "isAllowed":true},
- {"type":"delete", "isAllowed":true},
- {"type":"hdfs:write", "isAllowed":true}
- ],
- "users":["user1"],
- "groups":["finance"],
- "delegateAdmin":false,
- "conditions" : []
+ {"type":"hdfs:read", "isAllowed":true},
+ {"type":"hdfs:write", "isAllowed":true}
+ ],
+ "users":["user-ta", "user-ra-ta", "user-rd-ta"],
+ "groups":["finance"],
+ "delegateAdmin":false,
+ "conditions" : []
}
],
+ "allowExceptions":[ ],
"denyPolicyItems":[
{
"accesses":[
- {"type":"hdfs:read", "isAllowed":true},
- {"type":"hive:grant", "isAllowed":true},
- {"type":"delete", "isAllowed":true},
- {"type":"hdfs:write", "isAllowed":true}
- ],
- "users":[""],
- "groups":["public"],
- "delegateAdmin":false,
- "conditions" : [
- {"type":"ScriptConditionEvaluator", "values": [
- "ctx.result = true; importPackage(java.util); var accessDate = ctx.accessTime; var expiryDate = ctx.getTagAttributeAsDate('PII','expiry_date'); expiryDate.getTime() < accessDate.getTime();"
- ]}
- ]
+ {"type":"hdfs:read" },
+ {"type":"hdfs:write" }
+ ],
+ "users":["user-td", "user-ra-td", "user-rd-td"],
+ "groups":[],
+ "delegateAdmin":false,
+ "conditions" : [ ]
}
],
- "denyExceptions":[
+ "denyExceptions":[ ]
+ },
+ {
+ "id":102,
+ "name":"Unaudited-TAG",
+ "isEnabled":true,
+ "isAuditEnabled":false,
+ "resources":{"tag":{"values":["Unaudited-TAG"],"isRecursive":false}},
+ "policyItems":[
{
"accesses":[
- {"type":"hdfs:read", "isAllowed":true},
- {"type":"hive:grant", "isAllowed":true},
- {"type":"delete", "isAllowed":true},
- {"type":"hdfs:write", "isAllowed":true}
- ],
- "users":["user1"],
- "groups":["finance"],
- "delegateAdmin":false,
- "conditions" : []
+ {"type":"hdfs:read" },
+ {"type":"hdfs:write" }
+ ],
+ "users":["user-ta", "user-ra-ta", "user-rd-ta"],
+ "groups":["finance"],
+ "delegateAdmin":false,
+ "conditions" : []
}
- ]
+ ],
+ "allowExceptions":[ ],
+ "denyPolicyItems":[
+ {
+ "accesses":[
+ {"type":"hdfs:read" },
+ {"type":"hdfs:write" }
+ ],
+ "users":["user-td", "user-ra-td", "user-rd-td"],
+ "groups":[],
+ "delegateAdmin":false,
+ "conditions" : [ ]
+ }
+ ],
+ "denyExceptions":[ ]
}
]
},
"tests":[
- {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance",
- "request":{
- "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
- "accessType":"read","user":"userx","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db",
- "context": {"TAGS":"[{\"type\":\"PII\",\"attributes\":{\"expiry_date\":\"2015/09/01\"}}]"}
- },
- "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ {
+ "name": "ALLOW 'read /resource' for u=user-ra",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-ra",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 1 }
+ },
+ {
+ "name": "ALLOW 'read /resource' for u=user-ra-ta",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-ra-ta",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 101 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-ra-td",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-ra-td",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 101 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-rd",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-rd",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 1 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-rd-ta",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-rd-ta",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 1 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-rd-td",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-rd-td",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 101 }
+ },
+ {
+ "name": "ALLOW 'read /resource' for u=user-ta",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-ta",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 101 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-td",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-td",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 101 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-unknown",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-unknown",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": -1 }
}
,
- {"name":"ALLOW 'read /finance/restricted/sales.db' for u=user1",
- "request":{
- "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
- "accessType":"read","user":"user1","userGroups":["employee"],"requestData":"read /finance/restricted/sales.db",
- "context": {"TAGS":"[{\"type\":\"PII\",\"attributes\":{\"expiry_date\":\"2015/09/01\"}}]"}
- },
- "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+
+ {
+ "name": "ALLOW 'read /resource' for u=user-ra",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-ra",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 1 }
+ },
+ {
+ "name": "ALLOW 'read /resource' for u=user-ra-ta",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-ra-ta",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 102 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-ra-td",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-ra-td",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 102 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-rd",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-rd",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 1 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-rd-ta",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-rd-ta",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 1 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-rd-td",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-rd-td",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 102 }
+ },
+ {
+ "name": "ALLOW 'read /resource' for u=user-ta",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-ta",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 102 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-td",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-td",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 102 }
+ },
+ {
+ "name": "DENY 'read /resource' for u=user-unknown",
+ "request": {
+ "resource": { "elements": { "path": "/resource" } },
+ "accessType": "read",
+ "user": "user-unknown",
+ "userGroups": [ ],
+ "requestData": "read /resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": -1 }
}
,
- {"name":"DENY 'read /finance/restricted/sales.db' for u=user2",
- "request":{
- "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
- "accessType":"read","user":"user2","userGroups":["employee"],"requestData":"read /finance/restricted/sales.db",
- "context": {"TAGS":"[{\"type\":\"PII\",\"attributes\":{\"expiry_date\":\"2015/09/01\"}}]"}
- },
- "result":{"isAudited":true,"isAllowed":false,"policyId":101}
+
+ {
+ "name": "ALLOW 'read /unaudited-resource' for u=user-ra",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-ra",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 2 }
+ },
+ {
+ "name": "ALLOW 'read /unaudited-resource' for u=user-ra-ta",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-ra-ta",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 101 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-ra-td",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-ra-td",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 101 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-rd",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-rd",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 2 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-rd-ta",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-rd-ta",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 2 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-rd-td",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-rd-td",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 101 }
+ },
+ {
+ "name": "ALLOW 'read /unaudited-resource' for u=user-ta",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-ta",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": true, "policyId": 101 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-td",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-td",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 101 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-unknown",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-unknown",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"PII\"}]"
+ }
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": -1 }
+ }
+ ,
+
+ {
+ "name": "ALLOW 'read /unaudited-resource' for u=user-ra",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-ra",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": true, "policyId": 2 }
+ },
+ {
+ "name": "ALLOW 'read /unaudited-resource' for u=user-ra-ta",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-ra-ta",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": true, "policyId": 102 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-ra-td",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-ra-td",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": false, "policyId": 102 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-rd",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-rd",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": false, "policyId": 2 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-rd-ta",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-rd-ta",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": false, "policyId": 2 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-rd-td",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-rd-td",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": false, "policyId": 102 }
+ },
+ {
+ "name": "ALLOW 'read /unaudited-resource' for u=user-ta",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-ta",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": true, "policyId": 102 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-td",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-td",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": false, "policyId": 102 }
+ },
+ {
+ "name": "DENY 'read /unaudited-resource' for u=user-unknown",
+ "request": {
+ "resource": { "elements": { "path": "/unaudited-resource" } },
+ "accessType": "read",
+ "user": "user-unknown",
+ "userGroups": [ ],
+ "requestData": "read /unaudited-resource",
+ "context": {
+ "TAGS": "[{\"type\":\"Unaudited-TAG\"}]"
+ }
+ },
+ "result": { "isAudited": false, "isAllowed": false, "policyId": -1 }
}
+
+
]
}