Posted to commits@ranger.apache.org by ab...@apache.org on 2017/03/15 00:34:35 UTC
[3/3] ranger git commit: RANGER-1321:Provide a mechanism to create
service-specific default policies
RANGER-1321: Provide a mechanism to create service-specific default policies
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/c9e94357
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/c9e94357
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/c9e94357
Branch: refs/heads/ranger-0.7
Commit: c9e94357028234db1b1ff9be57ecf13ae29f5d87
Parents: 959ba7f
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Mar 13 19:44:29 2017 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Tue Mar 14 17:10:44 2017 -0700
----------------------------------------------------------------------
.../plugin/service/RangerBaseService.java | 203 +++++++++-
.../ranger/services/tag/RangerServiceTag.java | 82 +++-
.../hadoop/RangerHdfsAuthorizer.java | 8 +-
.../ranger/services/hdfs/RangerServiceHdfs.java | 47 +++
.../services/atlas/RangerServiceAtlas.java | 31 ++
.../services/kafka/RangerServiceKafka.java | 39 +-
.../ranger/services/kms/RangerServiceKMS.java | 103 ++++-
.../yarn/authorizer/RangerYarnAuthorizer.java | 8 +-
.../ranger/services/yarn/RangerServiceYarn.java | 46 +++
.../org/apache/ranger/biz/ServiceDBStore.java | 399 +++----------------
.../apache/ranger/biz/TestServiceDBStore.java | 171 +-------
11 files changed, 606 insertions(+), 531 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
index debaa83..9955051 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
@@ -19,21 +19,44 @@
package org.apache.ranger.plugin.service;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
public abstract class RangerBaseService {
- private RangerServiceDef serviceDef;
- private RangerService service;
-
+ private static final Log LOG = LogFactory.getLog(RangerBaseService.class);
+
+ protected static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
+ protected static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab";
+ protected static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal";
+ protected static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab";
+ protected static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
+
+ protected static final String KERBEROS_TYPE = "kerberos";
+
+ protected RangerServiceDef serviceDef;
+ protected RangerService service;
+
protected Map<String, String> configs;
protected String serviceName;
protected String serviceType;
-
public void init(RangerServiceDef serviceDef, RangerService service) {
this.serviceDef = serviceDef;
@@ -84,8 +107,172 @@ public abstract class RangerBaseService {
public abstract Map<String, Object> validateConfig() throws Exception;
public abstract List<String> lookupResource(ResourceLookupContext context) throws Exception;
-
-
-
-
+
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerBaseService.getDefaultRangerPolicies() ");
+ }
+ List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
+
+ try {
+ // we need to create one policy for each resource hierarchy
+ RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
+ for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) {
+ RangerPolicy policy = getDefaultPolicy(aHierarchy);
+ if (policy != null) {
+ ret.add(policy);
+ }
+ }
+ } catch (Exception e) {
+ LOG.error("Error getting default polcies for Service: " + service.getName(), e);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerBaseService.getDefaultRangerPolicies(): " + ret);
+ }
+ return ret;
+ }
+
+ public List<RangerPolicy.RangerPolicyItemAccess> getAndAllowAllAccesses() {
+ List<RangerPolicy.RangerPolicyItemAccess> ret = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+
+ for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
+ RangerPolicy.RangerPolicyItemAccess access = new RangerPolicy.RangerPolicyItemAccess();
+ access.setType(accessTypeDef.getName());
+ access.setIsAllowed(true);
+ ret.add(access);
+ }
+ return ret;
+ }
+
+ private RangerPolicy getDefaultPolicy(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerBaseService.getDefaultPolicy()");
+ }
+
+ RangerPolicy policy = new RangerPolicy();
+
+ String policyName=buildPolicyName(resourceHierarchy);
+
+ policy.setIsEnabled(true);
+ policy.setVersion(1L);
+ policy.setName(policyName);
+ policy.setService(service.getName());
+ policy.setDescription("Policy for " + policyName);
+ policy.setIsAuditEnabled(true);
+ policy.setResources(createDefaultPolicyResource(resourceHierarchy));
+
+ List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
+ //Create Default policy item for the service user
+ RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem();
+ policyItems.add(policyItem);
+ policy.setPolicyItems(policyItems);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerBaseService.getDefaultPolicy()" + policy);
+ }
+
+ return policy;
+ }
+
+ private RangerPolicy.RangerPolicyItem createDefaultPolicyItem() throws Exception {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerBaseService.createDefaultPolicyItem()");
+ }
+
+ RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
+
+ policyItem.setUsers(getUserList());
+ policyItem.setAccesses(getAndAllowAllAccesses());
+ policyItem.setDelegateAdmin(true);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerBaseService.createDefaultPolicyItem(): " + policyItem );
+ }
+ return policyItem;
+ }
+
+ private Map<String, RangerPolicy.RangerPolicyResource> createDefaultPolicyResource(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerBaseService.createDefaultPolicyResource()");
+ }
+ Map<String, RangerPolicy.RangerPolicyResource> resourceMap = new HashMap<>();
+
+ for (RangerServiceDef.RangerResourceDef resourceDef : resourceHierarchy) {
+ RangerPolicy.RangerPolicyResource polRes = new RangerPolicy.RangerPolicyResource();
+
+ polRes.setIsExcludes(false);
+ polRes.setIsRecursive(resourceDef.getRecursiveSupported());
+ polRes.setValue(RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
+
+ resourceMap.put(resourceDef.getName(), polRes);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerBaseService.createDefaultPolicyResource():" + resourceMap);
+ }
+ return resourceMap;
+ }
+
+ private String buildPolicyName(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) {
+ String ret = "all";
+ if (CollectionUtils.isNotEmpty(resourceHierarchy)) {
+ int resourceDefCount = 0;
+ for (RangerServiceDef.RangerResourceDef resourceDef : resourceHierarchy) {
+ if (resourceDefCount > 0) {
+ ret += ", ";
+ } else {
+ ret += " - ";
+ }
+ ret += resourceDef.getName();
+ resourceDefCount++;
+ }
+ ret = ret.trim();
+ }
+ return ret;
+ }
+
+ private List<String> getUserList() {
+ List<String> ret = new ArrayList<>();
+ Map<String, String> serviceConfig = service.getConfigs();
+ if (serviceConfig != null ) {
+ ret.add(serviceConfig.get("username"));
+ String defaultUsers = serviceConfig.get("default.policy.users");
+ if (!StringUtils.isEmpty(defaultUsers)) {
+ List<String> defaultUserList = new ArrayList<>(Arrays.asList(StringUtils.split(defaultUsers,",")));
+ if (!defaultUserList.isEmpty()) {
+ ret.addAll(defaultUserList);
+ }
+ }
+ }
+ String authType = RangerConfiguration.getInstance().get(RANGER_AUTH_TYPE,"simple");
+ String lookupPrincipal = RangerConfiguration.getInstance().get(LOOKUP_PRINCIPAL);
+ String lookupKeytab = RangerConfiguration.getInstance().get(LOOKUP_KEYTAB);
+
+ String lookUpUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
+
+ if (StringUtils.isNotBlank(lookUpUser)) {
+ ret.add(lookUpUser);
+ }
+
+ return ret;
+ }
+
+ protected String getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
+ String lookupUser = null;
+ if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){
+ if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
+ KerberosName krbName = new KerberosName(lookupPrincipal);
+ try {
+ lookupUser = krbName.getShortName();
+ } catch (IOException e) {
+ LOG.error("Unknown lookup user", e);
+ }
+ }
+ }
+ return lookupUser;
+ }
+
}
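Review bot: `getUserList()` adds `serviceConfig.get("username")` with no null or blank check, so a service whose configs lack `username` produces a default policy item containing a null user; guard it as `String serviceUser = serviceConfig.get("username"); if (StringUtils.isNotBlank(serviceUser)) { ret.add(serviceUser); }` and trim the entries split from `default.policy.users`, since `StringUtils.split(defaultUsers, ",")` keeps surrounding whitespace. Every user collected here (service user, the lookup principal's short name, and the configured `default.policy.users`) receives every access type plus delegate-admin on wildcard resources through `createDefaultPolicyItem`, which a Javadoc on `getDefaultRangerPolicies()` should state explicitly so service implementers know what they inherit. The method declares `throws Exception` yet its `catch (Exception e)` only logs and returns whatever was collected, so a caller cannot distinguish a partial result from success — either rethrow or document that the list may be incomplete. The message in `LOG.error("Error getting default polcies for Service: " ...` has a typo (`polcies`).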
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java b/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
index d3085d4..05d3a9b 100644
--- a/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
+++ b/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
@@ -19,12 +19,11 @@
package org.apache.ranger.services.tag;
-import java.util.*;
-
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.service.RangerBaseService;
@@ -33,11 +32,20 @@ import org.apache.ranger.plugin.store.TagStore;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import java.util.ArrayList;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.List;
+
+import static org.apache.ranger.plugin.policyengine.RangerPolicyEngine.GROUP_PUBLIC;
+
public class RangerServiceTag extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceTag.class);
public static final String TAG_RESOURCE_NAME = "tag";
+ public static final String RANGER_TAG_NAME_EXPIRES_ON = "EXPIRES_ON";
+ public static final String RANGER_TAG_EXPIRY_CONDITION_NAME = "accessed-after-expiry";
private TagStore tagStore = null;
@@ -118,4 +126,74 @@ public class RangerServiceTag extends RangerBaseService {
return ret;
}
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceTag.getDefaultRangerPolicies() ");
+ }
+
+ List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
+
+ boolean isConditionDefFound = false;
+
+ List<RangerServiceDef.RangerPolicyConditionDef> policyConditionDefs = serviceDef.getPolicyConditions();
+
+ if (CollectionUtils.isNotEmpty(policyConditionDefs)) {
+ for (RangerServiceDef.RangerPolicyConditionDef conditionDef : policyConditionDefs) {
+ if (conditionDef.getName().equals(RANGER_TAG_EXPIRY_CONDITION_NAME)) {
+ isConditionDefFound = true;
+ break;
+ }
+ }
+ }
+
+ if (isConditionDefFound) {
+
+ ret = super.getDefaultRangerPolicies();
+
+ String tagResourceName = serviceDef.getResources().get(0).getName();
+
+ for (RangerPolicy defaultPolicy : ret) {
+
+ RangerPolicy.RangerPolicyResource tagPolicyResource = defaultPolicy.getResources().get(tagResourceName);
+
+ if (tagPolicyResource != null) {
+
+ String value = RANGER_TAG_NAME_EXPIRES_ON;
+
+ tagPolicyResource.setValue(value);
+ defaultPolicy.setDescription("Policy for data with " + value + " tag");
+
+ List<RangerPolicy.RangerPolicyItem> defaultPolicyItems = defaultPolicy.getPolicyItems();
+
+ for (RangerPolicy.RangerPolicyItem defaultPolicyItem : defaultPolicyItems) {
+
+ List<String> groups = new ArrayList<String>();
+ groups.add(GROUP_PUBLIC);
+ defaultPolicyItem.setGroups(groups);
+
+ List<RangerPolicy.RangerPolicyItemCondition> policyItemConditions = new ArrayList<RangerPolicy.RangerPolicyItemCondition>();
+ List<String> values = new ArrayList<String>();
+ values.add("yes");
+ RangerPolicy.RangerPolicyItemCondition policyItemCondition = new RangerPolicy.RangerPolicyItemCondition(RANGER_TAG_EXPIRY_CONDITION_NAME, values);
+ policyItemConditions.add(policyItemCondition);
+
+ defaultPolicyItem.setConditions(policyItemConditions);
+ defaultPolicyItem.setDelegateAdmin(Boolean.FALSE);
+ }
+
+ defaultPolicy.setDenyPolicyItems(defaultPolicyItems);
+ defaultPolicy.setPolicyItems(null);
+ }
+ }
+ } else {
+ LOG.error("RangerServiceTag.getDefaultRangerPolicies() - Cannot create default TAG policy: Cannot get tagPolicyConditionDef with name=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceTag.getDefaultRangerPolicies() : " + ret);
+ }
+ return ret;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 324551d..460c692 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -64,7 +64,9 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
public static final String KEY_BASE_FILENAME = "BASE_FILENAME";
public static final String DEFAULT_FILENAME_EXTENSION_SEPARATOR = ".";
- public static final String RANGER_FILENAME_EXTENSION_SEPARATOR_PROP = "ranger.plugin.hdfs.filename.extension.separator";
+ public static final String KEY_RESOURCE_PATH = "path";
+
+ public static final String RANGER_FILENAME_EXTENSION_SEPARATOR_PROP = "ranger.plugin.hdfs.filename.extension.separator";
private static final Log LOG = LogFactory.getLog(RangerHdfsAuthorizer.class);
@@ -500,11 +502,9 @@ class RangerHdfsPlugin extends RangerBasePlugin {
}
class RangerHdfsResource extends RangerAccessResourceImpl {
- private static final String KEY_PATH = "path";
-
public RangerHdfsResource(String path, String owner) {
- super.setValue(KEY_PATH, path);
+ super.setValue(RangerHdfsAuthorizer.KEY_RESOURCE_PATH, path);
super.setOwnerUser(owner);
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
index bc12da9..c269648 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
@@ -23,9 +23,14 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer;
import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
+import org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.hdfs.client.HdfsResourceMgr;
@@ -95,6 +100,48 @@ public class RangerServiceHdfs extends RangerBaseService {
return ret;
}
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceHdfs.getDefaultRangerPolicies() ");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+ String pathResourceName = RangerHdfsAuthorizer.KEY_RESOURCE_PATH;
+
+ for (RangerPolicy defaultPolicy : ret) {
+ RangerPolicy.RangerPolicyResource pathPolicyResource = defaultPolicy.getResources().get(pathResourceName);
+ if (pathPolicyResource != null) {
+ List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
+ RangerServiceDef.RangerResourceDef pathResourceDef = null;
+ for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
+ if (resourceDef.getName().equals(pathResourceName)) {
+ pathResourceDef = resourceDef;
+ break;
+ }
+ }
+ if (pathResourceDef != null) {
+ String pathSeparator = pathResourceDef.getMatcherOptions().get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR);
+ if (StringUtils.isBlank(pathSeparator)) {
+ pathSeparator = Character.toString(RangerPathResourceMatcher.DEFAULT_PATH_SEPARATOR_CHAR);
+ }
+ String value = pathSeparator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK;
+ pathPolicyResource.setValue(value);
+ } else {
+ LOG.warn("No resourceDef found in HDFS service-definition for '" + pathResourceName + "'");
+ }
+ } else {
+ LOG.warn("No '" + pathResourceName + "' found in default policy");
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceHdfs.getDefaultRangerPolicies() : " + ret);
+ }
+ return ret;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index d2b60bd..fe97874 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -22,8 +22,11 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.service.RangerBaseService;
@@ -85,4 +88,32 @@ public class RangerServiceAtlas extends RangerBaseService {
}
return ret;
}
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceAtlas.getDefaultRangerPolicies() ");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+ for (RangerPolicy defaultPolicy : ret) {
+ for (RangerPolicy.RangerPolicyItem defaultPolicyItem : defaultPolicy.getPolicyItems()) {
+ List<String> users = defaultPolicyItem.getUsers();
+
+ String atlasAdminUser = service.getConfigs().get("atlas.admin.user");
+ if (StringUtils.isBlank(atlasAdminUser)) {
+ atlasAdminUser = "admin";
+ }
+
+ users.add(atlasAdminUser);
+ defaultPolicyItem.setUsers(users);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceAtlas.getDefaultRangerPolicies() ");
+ }
+ return ret;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
index 86e97bc..b7bbe98 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
@@ -23,6 +23,9 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.service.RangerBaseService;
@@ -32,6 +35,8 @@ import org.apache.ranger.services.kafka.client.ServiceKafkaConnectionMgr;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import static org.apache.ranger.plugin.policyengine.RangerPolicyEngine.GROUP_PUBLIC;
+
public class RangerServiceKafka extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceKafka.class);
@@ -76,7 +81,7 @@ public class RangerServiceKafka extends RangerBaseService {
LOG.debug("==> RangerServiceKafka.lookupResource(" + serviceName + ")");
}
- if(configs != null) {
+ if (configs != null) {
ServiceKafkaClient serviceKafkaClient = ServiceKafkaConnectionMgr.getKafkaClient(serviceName, configs);
ret = serviceKafkaClient.getResources(context);
@@ -88,4 +93,36 @@ public class RangerServiceKafka extends RangerBaseService {
return ret;
}
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceKafka.getDefaultRangerPolicies() ");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+ String authType = RangerConfiguration.getInstance().get(RANGER_AUTH_TYPE,"simple");
+
+ if (StringUtils.equalsIgnoreCase(authType, KERBEROS_TYPE)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Auth type is " + KERBEROS_TYPE);
+ }
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Auth type is " + authType);
+ }
+ for (RangerPolicy defaultPolicy : ret) {
+ for (RangerPolicy.RangerPolicyItem defaultPolicyItem : defaultPolicy.getPolicyItems()) {
+ defaultPolicyItem.getGroups().add(GROUP_PUBLIC);
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceKafka.getDefaultRangerPolicies() ");
+ }
+ return ret;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
index 7657099..cd368e4 100644
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
@@ -22,6 +22,8 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.service.RangerBaseService;
@@ -33,7 +35,11 @@ import org.apache.commons.logging.LogFactory;
public class RangerServiceKMS extends RangerBaseService {
private static final Log LOG = LogFactory.getLog(RangerServiceKMS.class);
-
+
+ public static final String ACCESS_TYPE_DECRYPT_EEK = "decrypteek";
+ public static final String ACCESS_TYPE_GENERATE_EEK = "generateeek";
+ public static final String ACCESS_TYPE_GET_METADATA = "getmetadata";
+
public RangerServiceKMS() {
super();
}
@@ -86,5 +92,100 @@ public class RangerServiceKMS extends RangerBaseService {
}
return ret;
}
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceKMS.getDefaultRangerPolicies() ");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+ String adminPrincipal = RangerConfiguration.getInstance().get(ADMIN_USER_PRINCIPAL);
+ String adminKeytab = RangerConfiguration.getInstance().get(ADMIN_USER_KEYTAB);
+ String authType = RangerConfiguration.getInstance().get(RANGER_AUTH_TYPE,"simple");
+
+ String adminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
+
+ // Add default policies for HDFS & HIVE users.
+ List<RangerServiceDef.RangerAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
+ List<RangerServiceDef.RangerAccessTypeDef> hiveAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
+
+ for(RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
+ if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
+ hdfsAccessTypeDefs.add(accessTypeDef);
+ hiveAccessTypeDefs.add(accessTypeDef);
+ } else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
+ hdfsAccessTypeDefs.add(accessTypeDef);
+ } else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
+ hiveAccessTypeDefs.add(accessTypeDef);
+ }
+ }
+
+ for (RangerPolicy defaultPolicy : ret) {
+
+ List<RangerPolicy.RangerPolicyItem> policyItems = defaultPolicy.getPolicyItems();
+ for (RangerPolicy.RangerPolicyItem item : policyItems) {
+ List<String> users = item.getUsers();
+ users.add(adminUser);
+ item.setUsers(users);
+ }
+
+ String hdfsUser = RangerConfiguration.getInstance().get("ranger.kms.service.user.hdfs", "hdfs");
+ if (hdfsUser != null && !hdfsUser.isEmpty()) {
+ LOG.info("Creating default KMS policy item for " + hdfsUser);
+ List<String> users = new ArrayList<String>();
+ users.add(hdfsUser);
+ RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(hdfsAccessTypeDefs, users);
+ policyItems.add(policyItem);
+ }
+
+
+ String hiveUser = RangerConfiguration.getInstance().get("ranger.kms.service.user.hive", "hive");
+
+ if (hiveUser != null && !hiveUser.isEmpty()) {
+ LOG.info("Creating default KMS policy item for " + hiveUser);
+ List<String> users = new ArrayList<String>();
+ users.add(hiveUser);
+ RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(hiveAccessTypeDefs, users);
+ policyItems.add(policyItem);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceKMS.getDefaultRangerPolicies() : " + ret);
+ }
+
+ return ret;
+ }
+
+ private RangerPolicy.RangerPolicyItem createDefaultPolicyItem(List<RangerServiceDef.RangerAccessTypeDef> accessTypeDefs, List<String> users) throws Exception {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceTag.createDefaultPolicyItem()");
+ }
+
+ RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
+
+ policyItem.setUsers(users);
+
+ List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+
+ for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
+ RangerPolicy.RangerPolicyItemAccess access = new RangerPolicy.RangerPolicyItemAccess();
+ access.setType(accessTypeDef.getName());
+ access.setIsAllowed(true);
+ accesses.add(access);
+ }
+
+ policyItem.setAccesses(accesses);
+ policyItem.setDelegateAdmin(true);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceTag.createDefaultPolicyItem(): " + policyItem );
+ }
+ return policyItem;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index 470c711..2338ba1 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -50,7 +50,9 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
public static final String ACCESS_TYPE_SUBMIT_APP = "submit-app";
public static final String ACCESS_TYPE_ADMIN = "admin";
- private static boolean yarnAuthEnabled = RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT;
+ public static final String KEY_RESOURCE_QUEUE = "queue";
+
+ private static boolean yarnAuthEnabled = RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT;
private static final Log LOG = LogFactory.getLog(RangerYarnAuthorizer.class);
@@ -260,10 +262,8 @@ class RangerYarnPlugin extends RangerBasePlugin {
}
class RangerYarnResource extends RangerAccessResourceImpl {
- private static final String KEY_QUEUE = "queue";
-
public RangerYarnResource(PrivilegedEntity entity) {
- setValue(KEY_QUEUE, entity != null ? entity.getName() : null);
+ setValue(RangerYarnAuthorizer.KEY_RESOURCE_QUEUE, entity != null ? entity.getName() : null);
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
----------------------------------------------------------------------
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
index 69f2bc3..5d429ae 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
@@ -22,8 +22,13 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer;
+import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
+import org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.services.yarn.client.YarnResourceMgr;
@@ -86,5 +91,46 @@ public class RangerServiceYarn extends RangerBaseService {
}
return ret;
}
+
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceYarn.getDefaultRangerPolicies() ");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+ String queueResourceName = RangerYarnAuthorizer.KEY_RESOURCE_QUEUE;
+
+ for (RangerPolicy defaultPolicy : ret) {
+ RangerPolicy.RangerPolicyResource queuePolicyResource = defaultPolicy.getResources().get(queueResourceName);
+ if (queuePolicyResource != null) {
+ List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
+ RangerServiceDef.RangerResourceDef queueResourceDef = null;
+ for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
+ if (resourceDef.getName().equals(queueResourceName)) {
+ queueResourceDef = resourceDef;
+ break;
+ }
+ }
+ if (queueResourceDef != null) {
+ String pathSeparator = queueResourceDef.getMatcherOptions().get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR);
+ if (StringUtils.isBlank(pathSeparator)) {
+ pathSeparator = ".";
+ }
+ String value = pathSeparator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK;
+ queuePolicyResource.setValue(value);
+ } else {
+ LOG.warn("No resourceDef found in YARN service-definition for '" + queueResourceName + "'");
+ }
+ } else {
+ LOG.warn("No '" + queueResourceName + "' found in default policy");
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceYarn.getDefaultRangerPolicies() : " + ret);
+ }
+ return ret;
+ }
}
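Review bot: The queue resource-def lookup (`List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();` and the inner for-loop) does not depend on the policy but is re-run for every entry of `ret`; hoist it above the outer loop. `queueResourceDef.getMatcherOptions()` and `defaultPolicy.getResources()` are both dereferenced unchecked, so a missing options map or resource map throws instead of reaching the warn branches. The method overrides the base implementation but lacks `@Override`, and a short Javadoc such as `/** Rewrites the queue resource of the inherited default policies to "<separator>*" so they match every queue. */` would record why the value is replaced.
```java
    @Override
    public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
        // … unchanged: entry debug log …
        List<RangerPolicy> ret = super.getDefaultRangerPolicies();

        String queueResourceName = RangerYarnAuthorizer.KEY_RESOURCE_QUEUE;

        // The resource-def lookup does not depend on the policy; do it once.
        RangerServiceDef.RangerResourceDef queueResourceDef = null;
        if (serviceDef != null && serviceDef.getResources() != null) {
            for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
                if (queueResourceName.equals(resourceDef.getName())) {
                    queueResourceDef = resourceDef;
                    break;
                }
            }
        }
        if (queueResourceDef == null) {
            LOG.warn("No resourceDef found in YARN service-definition for '" + queueResourceName + "'");
        }

        for (RangerPolicy defaultPolicy : ret) {
            Map<String, RangerPolicy.RangerPolicyResource> resources = defaultPolicy.getResources();
            RangerPolicy.RangerPolicyResource queuePolicyResource = resources != null ? resources.get(queueResourceName) : null;
            if (queuePolicyResource == null) {
                LOG.warn("No '" + queueResourceName + "' found in default policy");
            } else if (queueResourceDef != null) {
                Map<String, String> matcherOptions = queueResourceDef.getMatcherOptions();
                String pathSeparator = matcherOptions != null ? matcherOptions.get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR) : null;
                if (StringUtils.isBlank(pathSeparator)) {
                    pathSeparator = ".";
                }
                queuePolicyResource.setValue(pathSeparator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
            }
        }
        // … unchanged: exit debug log and return …
    }
```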
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index dcee0cd..f171bb4 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -49,8 +49,6 @@ import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.security.SecureClientLogin;
-import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.common.AppConstants;
@@ -60,11 +58,11 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
+import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.util.PasswordUtils;
import org.apache.ranger.common.JSONUtil;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
-import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.RangerFactory;
import org.apache.ranger.common.RangerServicePoliciesCache;
import org.apache.ranger.common.RangerVersionInfo;
@@ -188,18 +186,9 @@ import com.google.gson.Gson;
@Component
public class ServiceDBStore extends AbstractServiceStore {
private static final Log LOG = LogFactory.getLog(ServiceDBStore.class);
- public static final String RANGER_TAG_EXPIRY_CONDITION_NAME = "accessed-after-expiry";
- private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
- private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab";
- private static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal";
- private static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab";
- static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
- private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
-
- private static final String KERBEROS_TYPE = "kerberos";
-
+
private static final String POLICY_ALLOW_EXCLUDE = "Policy Allow:Exclude";
- private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include";
+ //private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include";
private static final String POLICY_DENY_EXCLUDE = "Policy Deny:Exclude";
private static final String POLICY_DENY_INCLUDE = "Policy Deny:Include";
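Review bot: `//private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include";` leaves commented-out code in the class; delete the line instead, since version control already preserves it. The same applies to the commented-out `EmbeddedServiceDefsUtil` import in the TestServiceDBStore hunk (`@@ -45,7 +45,7 @@`).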
@@ -208,8 +197,10 @@ public class ServiceDBStore extends AbstractServiceStore {
private static final String USER_NAME = "Exported by";
private static final String RANGER_VERSION = "Ranger apache version";
private static final String TIMESTAMP = "Export time";
-
- static {
+
+ private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
+
+ static {
try {
LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
} catch (UnknownHostException e) {
@@ -269,6 +260,9 @@ public class ServiceDBStore extends AbstractServiceStore {
@Autowired
JSONUtil jsonUtil;
+ @Autowired
+ ServiceMgr serviceMgr;
+
private static volatile boolean legacyServiceDefsInitDone = false;
private Boolean populateExistingBaseFields = false;
@@ -1430,7 +1424,10 @@ public class ServiceDBStore extends AbstractServiceStore {
xConfMap.setServiceId(xCreatedService.getId());
xConfMap.setConfigkey(configKey);
xConfMap.setConfigvalue(configValue);
- xConfMap = xConfMapDao.create(xConfMap);
+ xConfMapDao.create(xConfMap);
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("vXUser:[" + vXUser + "]");
}
RangerService createdService = svcService.getPopulatedViewObject(xCreatedService);
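Review bot: The added `LOG.debug("vXUser:[" + vXUser + "]")` exists only to keep the now-unused `vXUser` local referenced, which hides the real question of whether the variable, and the user-creation call that produces it outside this hunk, is still needed. If it is kept only for the side effect of creating the service config user, say so in a comment and drop the local; and if VXUser's toString() includes credential or other sensitive fields, this line would put them into debug logs, so verify that before keeping it. The same pattern appears in the updateService hunk (`@@ -1595`) and in writeBookForPolicyItems (`@@ -3755`, "To avoid PMD violation"), where `@SuppressWarnings("PMD.UnusedFormalParameter")` on the method or removing the parameter would be cleaner than a log statement. createService's body starts and ends outside this hunk.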
@@ -1445,7 +1442,7 @@ public class ServiceDBStore extends AbstractServiceStore {
bizUtil.createTrxLog(trxLogList);
if (createDefaultPolicy) {
- createDefaultPolicies(xCreatedService, vXUser);
+ createDefaultPolicies(createdService);
}
return createdService;
@@ -1595,9 +1592,11 @@ public class ServiceDBStore extends AbstractServiceStore {
xConfMap.setServiceId(service.getId());
xConfMap.setConfigkey(configKey);
xConfMap.setConfigvalue(configValue);
- xConfMap = xConfMapDao.create(xConfMap);
+ xConfMapDao.create(xConfMap);
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("vXUser:[" + vXUser + "]");
}
-
RangerService updService = svcService.getPopulatedViewObject(xUpdService);
dataHistService.createObjectDataHistory(updService, RangerDataHistService.ACTION_UPDATE);
bizUtil.createTrxLog(trxLogList);
@@ -2447,341 +2446,47 @@ public class ServiceDBStore extends AbstractServiceStore {
return ret;
}
- void createDefaultPolicies(XXService createdService, VXUser vXUser) throws Exception {
- RangerServiceDef serviceDef = getServiceDef(createdService.getType());
-
- if (serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
- createDefaultTagPolicy(createdService);
- } else {
- // we need to create one policy for each resource hierarchy
- RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
- for (List<RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) {
- RangerPolicy policy = new RangerPolicy();
- createDefaultPolicy(policy, createdService, vXUser, aHierarchy);
- policy = createPolicy(policy);
- }
- }
- }
-
- private void createDefaultTagPolicy(XXService createdService) throws Exception {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceDBStore.createDefaultTagPolicy() ");
- }
-
- String tagResourceDefName = null;
- boolean isConditionDefFound = false;
-
- RangerServiceDef tagServiceDef = getServiceDef(createdService.getType());
- List<RangerResourceDef> tagResourceDef = tagServiceDef.getResources();
- if (tagResourceDef != null && tagResourceDef.size() > 0) {
- // Assumption : First (and perhaps the only) resourceDef is the name of the tag resource
- RangerResourceDef theTagResourceDef = tagResourceDef.get(0);
- tagResourceDefName = theTagResourceDef.getName();
- } else {
- LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy: Cannot get tagResourceDef Name.");
- }
-
- List<RangerPolicyConditionDef> policyConditionDefs = tagServiceDef.getPolicyConditions();
-
- if (CollectionUtils.isNotEmpty(policyConditionDefs)) {
- for (RangerPolicyConditionDef conditionDef : policyConditionDefs) {
- if (conditionDef.getName().equals(RANGER_TAG_EXPIRY_CONDITION_NAME)) {
- isConditionDefFound = true;
- break;
- }
- }
- }
- if (!isConditionDefFound) {
- LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy: Cannot get tagPolicyConditionDef with name=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
- }
-
- if (tagResourceDefName != null && isConditionDefFound) {
-
- String tagType = "EXPIRES_ON";
-
- String policyName = tagType;
-
- RangerPolicy policy = new RangerPolicy();
-
- policy.setIsEnabled(true);
- policy.setVersion(1L);
- policy.setName(StringUtils.trim(policyName));
- policy.setService(createdService.getName());
- policy.setDescription("Policy for data with " + tagType + " tag");
- policy.setIsAuditEnabled(true);
-
- Map<String, RangerPolicyResource> resourceMap = new HashMap<String, RangerPolicyResource>();
-
- RangerPolicyResource polRes = new RangerPolicyResource();
- polRes.setIsExcludes(false);
- polRes.setIsRecursive(false);
- polRes.setValue(tagType);
- resourceMap.put(tagResourceDefName, polRes);
-
- policy.setResources(resourceMap);
-
- List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
-
- RangerPolicyItem policyItem = new RangerPolicyItem();
-
- List<String> groups = new ArrayList<String>();
- groups.add(RangerConstants.GROUP_PUBLIC);
- policyItem.setGroups(groups);
+ void createDefaultPolicies(RangerService createdService) throws Exception {
- List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
- List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
- for (XXAccessTypeDef accessTypeDef : accessTypeDefs) {
- RangerPolicyItemAccess access = new RangerPolicyItemAccess();
- access.setType(accessTypeDef.getName());
- access.setIsAllowed(true);
- accesses.add(access);
- }
- policyItem.setAccesses(accesses);
-
- List<RangerPolicyItemCondition> policyItemConditions = new ArrayList<RangerPolicyItemCondition>();
- List<String> values = new ArrayList<String>();
- values.add("yes");
- RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition(RANGER_TAG_EXPIRY_CONDITION_NAME, values);
- policyItemConditions.add(policyItemCondition);
-
- policyItem.setConditions(policyItemConditions);
- policyItem.setDelegateAdmin(Boolean.FALSE);
-
- policyItems.add(policyItem);
-
- policy.setDenyPolicyItems(policyItems);
-
- policy = createPolicy(policy);
- } else {
- LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy, tagResourceDefName=" + tagResourceDefName +
- ", tagPolicyConditionName=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
- }
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceDBStore.createDefaultTagPolicy()");
- }
- }
-
- private String buildPolicyName(List<RangerResourceDef> resourceHierarchy) {
- String ret = "all";
- if (CollectionUtils.isNotEmpty(resourceHierarchy)) {
- int resourceDefCount = 0;
- for (RangerResourceDef resourceDef : resourceHierarchy) {
- if (resourceDefCount > 0) {
- ret += ", ";
- } else {
- ret += " - ";
- }
- ret += resourceDef.getName();
- resourceDefCount++;
- }
- }
- return ret;
- }
+ RangerBaseService svc = serviceMgr.getRangerServiceByService(createdService, this);
- void createDefaultPolicy(RangerPolicy policy, XXService createdService, VXUser vXUser, List<RangerResourceDef> resourceHierarchy) throws Exception {
+ List<String> serviceCheckUsers = getServiceCheckUsers(createdService);
- String policyName=buildPolicyName(resourceHierarchy);
+ List<RangerPolicy.RangerPolicyItemAccess> allAccesses = svc.getAndAllowAllAccesses();
- policy.setIsEnabled(true);
- policy.setVersion(1L);
- policy.setName(StringUtils.trim(policyName));
- policy.setService(createdService.getName());
- policy.setDescription("Policy for " + policyName);
- policy.setIsAuditEnabled(true);
+ for (RangerPolicy defaultPolicy : svc.getDefaultRangerPolicies()) {
- policy.setResources(createDefaultPolicyResource(resourceHierarchy));
+ if (CollectionUtils.isNotEmpty(serviceCheckUsers)
+ && StringUtils.equalsIgnoreCase(defaultPolicy.getService(), createdService.getName())) {
- if (vXUser != null) {
- List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
- List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
- //Create Default policy item for the service user
- RangerPolicyItem policyItem = createDefaultPolicyItem(createdService, vXUser, accessTypeDefs);
- policyItems.add(policyItem);
- // For KMS add default policies for HDFS & HIVE users.
- XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(createdService.getType());
- if (xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
- List<XXAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<XXAccessTypeDef>();
- List<XXAccessTypeDef> hiveAccessTypeDefs = new ArrayList<XXAccessTypeDef>();
- for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {
- if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
- hdfsAccessTypeDefs.add(accessTypeDef);
- hiveAccessTypeDefs.add(accessTypeDef);
- } else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
- hdfsAccessTypeDefs.add(accessTypeDef);
- } else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
- hiveAccessTypeDefs.add(accessTypeDef);
- }
- }
+ RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
- String hdfsUser = PropertiesUtil.getProperty("ranger.kms.service.user.hdfs", "hdfs");
- if (hdfsUser != null && !hdfsUser.isEmpty()) {
- XXUser xxUser = daoMgr.getXXUser().findByUserName(hdfsUser);
- if (xxUser != null) {
- vXUser = xUserService.populateViewBean(xxUser);
- } else {
- vXUser = xUserMgr.createServiceConfigUser(hdfsUser);
- }
- if (vXUser != null) {
- LOG.info("Creating default KMS policy item for " + hdfsUser);
- policyItem = createDefaultPolicyItem(createdService, vXUser, hdfsAccessTypeDefs);
- policyItems.add(policyItem);
- }
- }
+ policyItem.setUsers(serviceCheckUsers);
+ policyItem.setAccesses(allAccesses);
+ policyItem.setDelegateAdmin(true);
- String hiveUser = PropertiesUtil.getProperty("ranger.kms.service.user.hive", "hive");
- if (hiveUser != null && !hiveUser.isEmpty()) {
- XXUser xxUser = daoMgr.getXXUser().findByUserName(hiveUser);
- if (xxUser != null) {
- vXUser = xUserService.populateViewBean(xxUser);
- } else {
- vXUser = xUserMgr.createServiceConfigUser(hiveUser);
- }
- if (vXUser != null) {
- LOG.info("Creating default KMS policy item for " + hiveUser);
- policyItem = createDefaultPolicyItem(createdService, vXUser, hiveAccessTypeDefs);
- policyItems.add(policyItem);
- }
- }
+ defaultPolicy.getPolicyItems().add(policyItem);
}
- policy.setPolicyItems(policyItems);
+ createPolicy(defaultPolicy);
}
}
- private RangerPolicyItem createDefaultPolicyItem(XXService createdService, VXUser vXUser, List<XXAccessTypeDef> accessTypeDefs) throws Exception {
- String adminPrincipal = PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL);
- String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
- String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE,"simple");
- String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL);
- String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
-
- RangerPolicyItem policyItem = new RangerPolicyItem();
-
- List<String> users = new ArrayList<String>();
- users.add(vXUser.getName());
- VXUser vXLookupUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
-
- XXService xService = daoMgr.getXXService().findByName(createdService.getName());
- XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(xService.getType());
- if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)){
- VXUser vXAdminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
- if(vXAdminUser != null){
- users.add(vXAdminUser.getName());
- }
- }else if(vXLookupUser != null){
- users.add(vXLookupUser.getName());
- }else{
- // do nothing
- }
-
- if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.ATLAS_IMPL_CLASS_NAME)){
- VXUser vXUserAdmin = chkAdminUserExists("admin");
- if(vXUserAdmin != null){
- users.add(vXUserAdmin.getName());
- }
- }
-
- RangerService rangerService = getServiceByName(createdService.getName());
- if (rangerService != null){
- Map<String, String> map = rangerService.getConfigs();
- if (map != null && map.containsKey(AMBARI_SERVICE_CHECK_USER)){
- String userNames = map.get(AMBARI_SERVICE_CHECK_USER);
- String[] userList = userNames.split(",");
- if(userList != null){
- for (String userName : userList) {
- if(!StringUtils.isEmpty(userName)){
- XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
- if (xxUser != null) {
- vXUser = xUserService.populateViewBean(xxUser);
- } else {
- vXUser = xUserMgr.createServiceConfigUser(userName);
- LOG.info("Creating Ambari Service Check User : "+vXUser.getName());
- }
- if(vXUser != null){
- users.add(vXUser.getName());
- }
- }
- }
- }
- }
- }
- policyItem.setUsers(users);
-
- List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
- for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {
- RangerPolicyItemAccess access = new RangerPolicyItemAccess();
- access.setType(accessTypeDef.getName());
- access.setIsAllowed(true);
- accesses.add(access);
- }
- policyItem.setAccesses(accesses);
-
- policyItem.setDelegateAdmin(true);
- return policyItem;
- }
+ List<String> getServiceCheckUsers(RangerService createdService) {
+ List<String> ret = new ArrayList<String>();
- private VXUser chkAdminUserExists(String adminUser) {
- VXUser vXUser = null;
- if(!StringUtils.isEmpty(adminUser)){
- XXUser xxUser = daoMgr.getXXUser().findByUserName(adminUser);
- if (xxUser != null) {
- vXUser = xUserService.populateViewBean(xxUser);
- }
- }
- return vXUser;
- }
+ Map<String, String> serviceConfig = createdService.getConfigs();
- private VXUser getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
- VXUser vXUser = null;
- if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){
- if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
- KerberosName krbName = new KerberosName(lookupPrincipal);
- String lookupUser=null;
- try {
- lookupUser = krbName.getShortName();
- } catch (IOException e) {
- throw restErrorUtil.createRESTException("Please provide proper value of lookup user principal : "+ lookupPrincipal, MessageEnums.INVALID_INPUT_DATA);
- }
-
- if(LOG.isDebugEnabled()){
- LOG.debug("Checking for Lookup User : "+lookupUser);
- }
- if(!StringUtils.isEmpty(lookupUser)){
- XXUser xxUser = daoMgr.getXXUser().findByUserName(lookupUser);
- if (xxUser != null) {
- vXUser = xUserService.populateViewBean(xxUser);
- } else {
- vXUser = xUserMgr.createServiceConfigUser(lookupUser);
- LOG.info("Creating Lookup User : "+vXUser.getName());
- }
+ if (serviceConfig.containsKey(AMBARI_SERVICE_CHECK_USER)) {
+ String userNames = serviceConfig.get(AMBARI_SERVICE_CHECK_USER);
+ String[] userList = userNames.split(",");
+ for (String userName : userList) {
+ if (!StringUtils.isEmpty(userName)) {
+ ret.add(userName);
}
}
}
- return vXUser;
- }
-
- Map<String, RangerPolicyResource> createDefaultPolicyResource(List<RangerResourceDef> resourceHierarchy) throws Exception {
- Map<String, RangerPolicyResource> resourceMap = new HashMap<>();
-
- for (RangerResourceDef resourceDef : resourceHierarchy) {
- RangerPolicyResource polRes = new RangerPolicyResource();
- polRes.setIsExcludes(false);
- polRes.setIsRecursive(false);
-
- String value = "*";
- if("path".equalsIgnoreCase(resourceDef.getName())) {
- value = "/*";
- }
-
- if(resourceDef.getRecursiveSupported()) {
- polRes.setIsRecursive(Boolean.TRUE);
- }
-
- polRes.setValue(value);
- resourceMap.put(resourceDef.getName(), polRes);
- }
- return resourceMap;
+ return ret;
}
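Review bot: `getServiceCheckUsers` returns the names from `ambari.service.check.user` verbatim, but the rewritten `createDefaultPolicies` no longer ensures those users exist before `createPolicy(defaultPolicy)`: the removed code looked each one up with `daoMgr.getXXUser().findByUserName(userName)` and created missing ones via `xUserMgr.createServiceConfigUser(userName)`, whereas now a configured-but-absent user makes `createPolicy` throw "user does not exist" (see the `@@ -2932` hunk), so service creation fails after the service row has been written. `serviceMgr.getRangerServiceByService(createdService, this)` is dereferenced without a null check, and `createdService.getConfigs()` lost the `map != null` guard the old code had. Names are also not trimmed, so `"a, b"` yields `" b"`, which will not match an existing user. A guard on `svc`, restoring the lookup/creation of the configured users, and trimming in `getServiceCheckUsers` would close these.
```java
    void createDefaultPolicies(RangerService createdService) throws Exception {
        RangerBaseService svc = serviceMgr.getRangerServiceByService(createdService, this);
        if (svc == null) {
            LOG.warn("createDefaultPolicies(" + createdService.getName() + "): no RangerBaseService implementation found; skipping default policies");
            return;
        }

        List<String> serviceCheckUsers = getServiceCheckUsers(createdService);

        // createPolicy rejects unknown users; make sure configured service-check users exist first.
        for (String userName : serviceCheckUsers) {
            if (daoMgr.getXXUser().findByUserName(userName) == null) {
                xUserMgr.createServiceConfigUser(userName);
                LOG.info("Created service check user: " + userName);
            }
        }
        // … unchanged: allAccesses, per-policy item population and createPolicy …
    }

    List<String> getServiceCheckUsers(RangerService createdService) {
        List<String> ret = new ArrayList<String>();
        Map<String, String> serviceConfig = createdService.getConfigs();
        String userNames = serviceConfig != null ? serviceConfig.get(AMBARI_SERVICE_CHECK_USER) : null;
        if (StringUtils.isNotBlank(userNames)) {
            for (String userName : userNames.split(",")) {
                String trimmed = StringUtils.trim(userName);
                if (StringUtils.isNotEmpty(trimmed)) {
                    ret.add(trimmed);
                }
            }
        }
        return ret;
    }
```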
private Map<String, String> validateRequiredConfigParams(RangerService service, Map<String, String> configs) {
@@ -2932,10 +2637,12 @@ public class ServiceDBStore extends AbstractServiceStore {
List<String> users = policyItem.getUsers();
for(int i = 0; i < users.size(); i++) {
String user = users.get(i);
-
+ if (StringUtils.isBlank(user)) {
+ continue;
+ }
XXUser xUser = daoMgr.getXXUser().findByUserName(user);
if(xUser == null) {
- throw new Exception(user + ": user does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
+ throw new Exception(user + ": user does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "' user='" + user +"'");
}
XXPolicyItemUserPerm xUserPerm = new XXPolicyItemUserPerm();
xUserPerm = (XXPolicyItemUserPerm) rangerAuditFields.populateAuditFields(xUserPerm, xPolicyItem);
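Review bot: The new `user='" + user + "'` suffix in the exception message duplicates the name that already opens the message (`user + ": user does not exist. ..."`); drop the suffix. Skipping blank entries with `continue` is reasonable, but it is silent, and a blank user or group name in a policy item usually indicates a bad input list, so log it, e.g. `LOG.warn("Ignoring blank user name in policy '" + policy.getName() + "'");`. The same applies to the groups loop in the next hunk (`@@ -2948`). The enclosing method begins and ends outside this hunk.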
@@ -2948,10 +2655,12 @@ public class ServiceDBStore extends AbstractServiceStore {
List<String> groups = policyItem.getGroups();
for(int i = 0; i < groups.size(); i++) {
String group = groups.get(i);
-
+ if (StringUtils.isBlank(group)) {
+ continue;
+ }
XXGroup xGrp = daoMgr.getXXGroup().findByGroupName(group);
if(xGrp == null) {
- throw new Exception(group + ": group does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
+ throw new Exception(group + ": group does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "' group='" + group + "'");
}
XXPolicyItemGroupPerm xGrpPerm = new XXPolicyItemGroupPerm();
xGrpPerm = (XXPolicyItemGroupPerm) rangerAuditFields.populateAuditFields(xGrpPerm, xPolicyItem);
@@ -2991,7 +2700,7 @@ public class ServiceDBStore extends AbstractServiceStore {
if(CollectionUtils.isNotEmpty(policyItems)) {
for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) {
RangerPolicyItem policyItem = policyItems.get(itemOrder);
- XXPolicyItem xPolicyItem = createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType);
+ createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType);
}
}
}
@@ -3019,7 +2728,7 @@ public class ServiceDBStore extends AbstractServiceStore {
xxDataMaskInfo.setConditionExpr(dataMaskInfo.getConditionExpr());
xxDataMaskInfo.setValueExpr(dataMaskInfo.getValueExpr());
- xxDataMaskInfo = daoMgr.getXXPolicyItemDataMaskInfo().create(xxDataMaskInfo);
+ daoMgr.getXXPolicyItemDataMaskInfo().create(xxDataMaskInfo);
}
}
}
@@ -3755,6 +3464,10 @@ public class ServiceDBStore extends AbstractServiceStore {
private void writeBookForPolicyItems(RangerPolicy policy, RangerPolicyItem policyItem,
RangerDataMaskPolicyItem dataMaskPolicyItem, RangerRowFilterPolicyItem rowFilterPolicyItem, Row row, String policyConditonType) {
+ if (LOG.isDebugEnabled()) {
+ // To avoid PMD violation
+ LOG.debug("policyConditonType:[" + policyConditonType + "]");
+ }
List<String> groups = new ArrayList<String>();
List<String> users = new ArrayList<String>();
String groupNames = "";
http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
index 2b773da..cf3485e 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
@@ -45,7 +45,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumElementDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
-import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+//import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.store.PList;
import org.apache.ranger.plugin.store.ServicePredicateUtil;
import org.apache.ranger.plugin.util.SearchFilter;
@@ -137,22 +137,6 @@ public class TestServiceDBStore {
.getCurrentUserSession();
currentUserSession.setUserAdmin(true);
}
-
- private XXAccessTypeDef rangerKmsAccessTypes(String accessTypeName, int itemId) {
- XXAccessTypeDef accessTypeDefObj = new XXAccessTypeDef();
- accessTypeDefObj.setAddedByUserId(Id);
- accessTypeDefObj.setCreateTime(new Date());
- accessTypeDefObj.setDefid(Long.valueOf(itemId));
- accessTypeDefObj.setId(Long.valueOf(itemId));
- accessTypeDefObj.setItemId(Long.valueOf(itemId));
- accessTypeDefObj.setLabel(accessTypeName);
- accessTypeDefObj.setName(accessTypeName);
- accessTypeDefObj.setOrder(null);
- accessTypeDefObj.setRbkeylabel(null);
- accessTypeDefObj.setUpdatedByUserId(Id);
- accessTypeDefObj.setUpdateTime(new Date());
- return accessTypeDefObj;
- }
private RangerServiceDef rangerServiceDef() {
List<RangerServiceConfigDef> configs = new ArrayList<RangerServiceConfigDef>();
@@ -222,28 +206,6 @@ public class TestServiceDBStore {
return rangerService;
}
-
- private RangerService rangerKMSService() {
- Map<String, String> configs = new HashMap<String, String>();
- configs.put("username", "servicemgr");
- configs.put("password", "servicemgr");
- configs.put("provider", "kmsurl");
-
- RangerService rangerService = new RangerService();
- rangerService.setId(Id);
- rangerService.setConfigs(configs);
- rangerService.setCreateTime(new Date());
- rangerService.setDescription("service kms policy");
- rangerService.setGuid("1427365526516_835_1");
- rangerService.setIsEnabled(true);
- rangerService.setName("KMS_1");
- rangerService.setPolicyUpdateTime(new Date());
- rangerService.setType("7");
- rangerService.setUpdatedBy("Admin");
- rangerService.setUpdateTime(new Date());
-
- return rangerService;
- }
private RangerPolicy rangerPolicy() {
List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
@@ -1234,10 +1196,10 @@ public class TestServiceDBStore {
ServiceDBStore spy = Mockito.spy(serviceDBStore);
- Mockito.doNothing().when(spy).createDefaultPolicies(xService, vXUser);
+ Mockito.doNothing().when(spy).createDefaultPolicies(rangerService);
spy.createService(rangerService);
-
+
Mockito.verify(daoManager, Mockito.atLeast(1)).getXXService();
Mockito.verify(daoManager).getXXServiceConfigMap();
}
@@ -2676,131 +2638,4 @@ public class TestServiceDBStore {
Assert.assertNotNull(policyList);
Mockito.verify(daoManager).getXXPolicy();
}
-
- @Test
- public void test41createKMSService() throws Exception {
- XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
- XXPolicy xPolicy = Mockito.mock(XXPolicy.class);
- XXPolicyDao xPolicyDao = Mockito.mock(XXPolicyDao.class);
- XXAccessTypeDefDao xAccessTypeDefDao = Mockito
- .mock(XXAccessTypeDefDao.class);
- XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
- XXServiceConfigMapDao xServiceConfigMapDao = Mockito
- .mock(XXServiceConfigMapDao.class);
- XXUserDao xUserDao = Mockito.mock(XXUserDao.class);
- XXServiceConfigDefDao xServiceConfigDefDao = Mockito
- .mock(XXServiceConfigDefDao.class);
- XXService xService = Mockito.mock(XXService.class);
- XXUser xUser = Mockito.mock(XXUser.class);
- XXServiceDef xServiceDef = Mockito.mock(XXServiceDef.class);
- Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
- Mockito.when(xServiceDefDao.findByName("KMS_1")).thenReturn(
- xServiceDef);
- Mockito.when(xService.getName()).thenReturn(
- "KMS_1");
- Mockito.when(xServiceDao.findByName("KMS_1")).thenReturn(
- xService);
- Mockito.when(!bizUtil.hasAccess(xService, null)).thenReturn(true);
-
- RangerService rangerService = rangerKMSService();
- VXUser vXUser = null;
- String userName = "servicemgr";
- Mockito.when(xService.getType()).thenReturn(Long.valueOf(rangerService.getType()));
- Mockito.when(xServiceDefDao.getById(Long.valueOf(rangerService.getType()))).thenReturn(xServiceDef);
- Mockito.when(xServiceDef.getImplclassname()).thenReturn(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME);
- List<XXServiceConfigDef> svcConfDefList = new ArrayList<XXServiceConfigDef>();
- XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef();
- serviceConfigDefObj.setId(Id);
- serviceConfigDefObj.setType("7");
- svcConfDefList.add(serviceConfigDefObj);
- Mockito.when(daoManager.getXXServiceConfigDef()).thenReturn(
- xServiceConfigDefDao);
- Mockito.when(xServiceConfigDefDao.findByServiceDefName(userName))
- .thenReturn(svcConfDefList);
-
- Mockito.when(svcService.create(rangerService)).thenReturn(rangerService);
-
- Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
- Mockito.when(xServiceDao.getById(rangerService.getId())).thenReturn(
- xService);
- Mockito.when(daoManager.getXXServiceConfigMap()).thenReturn(
- xServiceConfigMapDao);
-
- Mockito.when(stringUtil.getValidUserName(userName))
- .thenReturn(userName);
- Mockito.when(daoManager.getXXUser()).thenReturn(xUserDao);
- Mockito.when(xUserDao.findByUserName(userName)).thenReturn(xUser);
-
- Mockito.when(xUserService.populateViewBean(xUser)).thenReturn(vXUser);
- Mockito.when(xUserMgr.createServiceConfigUser(userName)).thenReturn(vXUser);
- VXUser vXUserHdfs = new VXUser();
- vXUserHdfs.setName("hdfs");
- vXUserHdfs.setPassword("hdfs");
- Mockito.when(xUserMgr.createServiceConfigUser("hdfs")).thenReturn(vXUserHdfs);
- VXUser vXUserHive = new VXUser();
- vXUserHive.setName("hive");
- vXUserHive.setPassword("hive");
- Mockito.when(xUserMgr.createServiceConfigUser("hive")).thenReturn(vXUserHive);
-
- XXServiceConfigMap xConfMap = new XXServiceConfigMap();
- Mockito.when(rangerAuditFields.populateAuditFields(xConfMap, xService))
- .thenReturn(xService);
-
- Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn(
- rangerService);
-
- Mockito.when(
- rangerAuditFields.populateAuditFields(
- Mockito.isA(XXServiceConfigMap.class),
- Mockito.isA(XXService.class))).thenReturn(xConfMap);
-
- Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
-
- Mockito.when(xPolicyDao.getById(Id)).thenReturn(xPolicy);
-
-
- List<XXAccessTypeDef> accessTypeDefList = new ArrayList<XXAccessTypeDef>();
- accessTypeDefList.add(rangerKmsAccessTypes("getmetadata", 7));
- accessTypeDefList.add(rangerKmsAccessTypes("generateeek", 8));
- accessTypeDefList.add(rangerKmsAccessTypes("decrypteek", 9));
-
- RangerServiceDef ran = new RangerServiceDef();
- ran.setName("KMS Test");
- Mockito.when(serviceDefService.read(1L)).thenReturn(ran);
- Long serviceDefId = ran.getId();
-
- ServiceDBStore spy = Mockito.spy(serviceDBStore);
-
- Mockito.when(daoManager.getXXAccessTypeDef()).thenReturn(
- xAccessTypeDefDao);
- Mockito.when(xAccessTypeDefDao.findByServiceDefId(serviceDefId))
- .thenReturn(accessTypeDefList);
- Mockito.when(spy.getServiceByName("KMS_1")).thenReturn(
- rangerService);
- Mockito.doNothing().when(spy).createDefaultPolicies(xService, vXUser);
-
- RangerPolicy policy = new RangerPolicy();
- RangerResourceDef resourceDef = new RangerResourceDef();
- resourceDef.setItemId(Id);
- resourceDef.setName("keyname");
- resourceDef.setType("string");
- resourceDef.setType("string");
- resourceDef.setLabel("Key Name");
- resourceDef.setDescription("Key Name");
-
- List<RangerResourceDef> resourceHierarchy = new ArrayList<RangerResourceDef>();
- resourceHierarchy.addAll(resourceHierarchy);
-
- spy.createService(rangerService);
- vXUser = new VXUser();
- vXUser.setName(userName);
- vXUser.setPassword(userName);
-
- spy.createDefaultPolicy(policy, xService, vXUser, resourceHierarchy);
-
- Mockito.verify(daoManager, Mockito.atLeast(1)).getXXService();
- Mockito.verify(daoManager).getXXServiceConfigMap();
- //Assert.assertNull(policy);
- Assert.assertEquals(3, policy.getPolicyItems().size());
- }
}