Posted to commits@ranger.apache.org by co...@apache.org on 2016/09/14 14:20:30 UTC
incubator-ranger git commit: Adding row masking test for Hive
Repository: incubator-ranger
Updated Branches:
refs/heads/master 68541c92a -> ed3f214b2
Adding row masking test for Hive
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ed3f214b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ed3f214b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ed3f214b
Branch: refs/heads/master
Commit: ed3f214b2bb44278b27826e7e5de5990df4f62eb
Parents: 68541c9
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Sep 14 15:20:05 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Sep 14 15:20:05 2016 +0100
----------------------------------------------------------------------
.../services/hive/HIVERangerAuthorizerTest.java | 41 +++
.../src/test/resources/hive-policies.json | 364 ++++++++++++++++---
hive-agent/src/test/resources/wordcount.txt | 1 +
3 files changed, 351 insertions(+), 55 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ed3f214b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
index 80534f1..6de1f43 100644
--- a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
+++ b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
@@ -46,6 +46,7 @@ import org.junit.Test;
* a) A user "bob" can do a select/update on the table "words"
* b) A group called "IT" can do a select only on the "count" column in "words"
* c) "bob" can create any database
+ * d) "dave" can do a select on the table "words" but only if the "count" column is >= 80
*
*/
public class HIVERangerAuthorizerTest {
@@ -518,5 +519,45 @@ public class HIVERangerAuthorizerTest {
connection.close();
}
+ @Test
+ public void testHiveRowFilter() throws Exception {
+
+ // dave can do a select where the count is >= 80
+ String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
+ Connection connection = DriverManager.getConnection(url, "dave", "dave");
+ Statement statement = connection.createStatement();
+
+ // "dave" can select where count >= 80
+ ResultSet resultSet = statement.executeQuery("SELECT * FROM words where count == '100'");
+ if (resultSet.next()) {
+ Assert.assertEquals("Mr.", resultSet.getString(1));
+ Assert.assertEquals(100, resultSet.getInt(2));
+ } else {
+ Assert.fail("No ResultSet found");
+ }
+
+ resultSet = statement.executeQuery("SELECT * FROM words where count == '79'");
+ if (resultSet.next()) {
+ Assert.fail("Authorization should not be granted for count < 80");
+ }
+
+ statement.close();
+ connection.close();
+
+ // "bob" should be able to read a count of "79" as the filter doesn't apply to him
+ connection = DriverManager.getConnection(url, "bob", "bob");
+ statement = connection.createStatement();
+
+ resultSet = statement.executeQuery("SELECT * FROM words where count == '79'");
+ if (resultSet.next()) {
+ Assert.assertEquals("cannot", resultSet.getString(1));
+ Assert.assertEquals(79, resultSet.getInt(2));
+ } else {
+ Assert.fail("No ResultSet found");
+ }
+
+ statement.close();
+ connection.close();
+ }
}
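Review bot: The negative case in `testHiveRowFilter` probes only the single row with count 79, so it does not show that every row below the threshold is hidden from "dave". An unfiltered query run as "dave" that checks each returned row would pin the policy itself: `resultSet = statement.executeQuery("SELECT * FROM words");` followed by `while (resultSet.next()) { Assert.assertTrue(resultSet.getInt(2) >= 80); }`. Separately, `statement` and `connection` are closed only on the success path, so a failing assertion leaves the session open. Wrapping each connection in try-with-resources would release it in every case.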
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ed3f214b/hive-agent/src/test/resources/hive-policies.json
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/resources/hive-policies.json b/hive-agent/src/test/resources/hive-policies.json
index 6b86751..e307b06 100644
--- a/hive-agent/src/test/resources/hive-policies.json
+++ b/hive-agent/src/test/resources/hive-policies.json
@@ -1,14 +1,13 @@
{
"serviceName": "HIVETest",
- "serviceId": 7,
- "policyVersion": 12,
- "policyUpdateTime": "20160610-11:07:20.000-+0100",
+ "serviceId": 2,
+ "policyVersion": 9,
+ "policyUpdateTime": "20160914-14:51:46.000-+0100",
"policies": [
{
"service": "HIVETest",
- "name": "HIVETest-1-20160609091836",
- "description": "Default Policy for Service: HIVETest",
- "resourceSignature": "6e79c1c989c79b7e53af663d3bdc2de6",
+ "name": "all - database, table, column",
+ "policyType": 0,
"isAuditEnabled": true,
"resources": {
"database": {
@@ -96,20 +95,14 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 30,
- "guid": "1465463916045_476_1125",
+ "id": 8,
"isEnabled": true,
- "createdBy": "Admin",
- "updatedBy": "Admin",
- "createTime": "20160609-10:18:36.000-+0100",
- "updateTime": "20160609-11:09:59.000-+0100",
"version": 2
},
{
"service": "HIVETest",
- "name": "HIVETest-2-20160609091836",
- "description": "Default Policy for Service: HIVETest",
- "resourceSignature": "c834ed2b8c7462d2aa8bbffdb05226c8",
+ "name": "all - database, udf",
+ "policyType": 0,
"isAuditEnabled": true,
"resources": {
"database": {
@@ -176,20 +169,14 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 31,
- "guid": "1465463916203_470_1126",
+ "id": 9,
"isEnabled": true,
- "createdBy": "Admin",
- "updatedBy": "Admin",
- "createTime": "20160609-10:18:36.000-+0100",
- "updateTime": "20160609-10:18:36.000-+0100",
"version": 1
},
{
"service": "HIVETest",
"name": "SelectUpdateAllWords",
- "description": "",
- "resourceSignature": "e6175b643348d03ee0aab3a381257e6e",
+ "policyType": 0,
"isAuditEnabled": true,
"resources": {
"database": {
@@ -232,6 +219,20 @@
"groups": [],
"conditions": [],
"delegateAdmin": false
+ },
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "dave"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false
}
],
"denyPolicyItems": [],
@@ -239,20 +240,14 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 32,
- "guid": "1465464434667_623_1161",
+ "id": 10,
"isEnabled": true,
- "createdBy": "Admin",
- "updatedBy": "Admin",
- "createTime": "20160609-10:27:14.000-+0100",
- "updateTime": "20160610-10:59:16.000-+0100",
- "version": 7
+ "version": 2
},
{
"service": "HIVETest",
"name": "SelectCountWords",
- "description": "",
- "resourceSignature": "ec1331571f87b9c87464086d961f4e89",
+ "policyType": 0,
"isAuditEnabled": true,
"resources": {
"database": {
@@ -298,20 +293,14 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 33,
- "guid": "1465466645682_874_1202",
+ "id": 11,
"isEnabled": true,
- "createdBy": "Admin",
- "updatedBy": "Admin",
- "createTime": "20160609-11:04:05.000-+0100",
- "updateTime": "20160610-11:07:20.000-+0100",
- "version": 5
+ "version": 1
},
{
"service": "HIVETest",
"name": "TmpUpdatePolicy",
- "description": "",
- "resourceSignature": "87d65f69544e63cfe302db8f9d006b6b",
+ "policyType": 0,
"isAuditEnabled": true,
"resources": {
"database": {
@@ -330,7 +319,7 @@
},
"table": {
"values": [
- "*__tmp__*"
+ "*_tmp_*"
],
"isExcludes": false,
"isRecursive": false
@@ -359,13 +348,57 @@
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
- "id": 34,
- "guid": "1465553055683_559_1400",
+ "id": 12,
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "HIVETest",
+ "name": "DaveFilter",
+ "policyType": 2,
+ "isAuditEnabled": true,
+ "resources": {
+ "database": {
+ "values": [
+ "rangerauthz"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "words"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [
+ {
+ "rowFilterInfo": {
+ "filterExpr": "count \u003e\u003d \u002780\u0027"
+ },
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "dave"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "id": 13,
"isEnabled": true,
- "createdBy": "Admin",
- "updatedBy": "Admin",
- "createTime": "20160610-11:04:15.000-+0100",
- "updateTime": "20160610-11:04:15.000-+0100",
"version": 1
}
],
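Review bot: The `filterExpr` of the new "DaveFilter" policy compares `count` with the quoted literal `'80'`, so what the row filter means depends on how Hive converts the operands; the type of the `count` column is not visible in this diff. If the column is numeric, `"filterExpr": "count >= 80"` states the intended comparison directly and leaves nothing to implicit conversion. The accompanying test exercises only the values 100 and 79, so a fixture row with a count of exactly 80 would cover the boundary of the `>=`.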
@@ -574,19 +607,240 @@
"contextEnrichers": [],
"enums": [],
"dataMaskDef": {
- "maskTypes": [],
- "accessTypes": [],
- "resources": []
+ "maskTypes": [
+ {
+ "itemId": 1,
+ "name": "MASK",
+ "label": "Mask",
+ "description": "Replace lowercase with \u0027x\u0027, uppercase with \u0027X\u0027, digits with \u00270\u0027",
+ "transformer": "mask({col})",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 2,
+ "name": "MASK_SHOW_LAST_4",
+ "label": "Partial mask: show last 4",
+ "description": "Show last 4 characters; replace rest with \u0027x\u0027",
+ "transformer": "mask_show_last_n({col}, 4, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027)",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 3,
+ "name": "MASK_SHOW_FIRST_4",
+ "label": "Partial mask: show first 4",
+ "description": "Show first 4 characters; replace rest with \u0027x\u0027",
+ "transformer": "mask_show_first_n({col}, 4, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027)",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 4,
+ "name": "MASK_HASH",
+ "label": "Hash",
+ "description": "Hash the value",
+ "transformer": "mask_hash({col})",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 5,
+ "name": "MASK_NULL",
+ "label": "NULL",
+ "description": "Replace with NULL",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 6,
+ "name": "MASK_NONE",
+ "label": "No masking",
+ "description": "No masking",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 7,
+ "name": "MASK_DATE_DAY",
+ "label": "Date: mask day",
+ "description": "Date: mask day",
+ "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, 1, -1, -1)",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 8,
+ "name": "MASK_DATE_MONTH",
+ "label": "Date: mask month",
+ "description": "Date: mask month",
+ "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, 0, -1)",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 9,
+ "name": "MASK_DATE_YEAR",
+ "label": "Date: mask year",
+ "description": "Date: mask year",
+ "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, -1, 0)",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 10,
+ "name": "MASK_DATE_SHOW_DAY",
+ "label": "Date: show only day",
+ "description": "Date: show only day",
+ "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, 0, 0)",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 11,
+ "name": "MASK_DATE_SHOW_MONTH",
+ "label": "Date: show only month",
+ "description": "Date: show only month",
+ "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, 1, -1, 0)",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 12,
+ "name": "MASK_DATE_SHOW_YEAR",
+ "label": "Date: show only year",
+ "description": "Date: show only year",
+ "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, 1, 0, -1)",
+ "dataMaskOptions": {}
+ },
+ {
+ "itemId": 13,
+ "name": "CUSTOM",
+ "label": "Custom",
+ "description": "Custom",
+ "dataMaskOptions": {}
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "select",
+ "label": "select",
+ "impliedGrants": []
+ }
+ ],
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "database",
+ "type": "string",
+ "level": 10,
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "false",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "{ \"singleValue\":true }",
+ "label": "Hive Database",
+ "description": "Hive Database"
+ },
+ {
+ "itemId": 2,
+ "name": "table",
+ "type": "string",
+ "level": 20,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "false",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "{ \"singleValue\":true }",
+ "label": "Hive Table",
+ "description": "Hive Table"
+ },
+ {
+ "itemId": 4,
+ "name": "column",
+ "type": "string",
+ "level": 30,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "false",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "{ \"singleValue\":true }",
+ "label": "Hive Column",
+ "description": "Hive Column"
+ }
+ ]
},
"rowFilterDef": {
- "accessTypes": [],
- "resources": []
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "select",
+ "label": "select",
+ "impliedGrants": []
+ }
+ ],
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "database",
+ "type": "string",
+ "level": 10,
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "false",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "{ \"singleValue\":true }",
+ "label": "Hive Database",
+ "description": "Hive Database"
+ },
+ {
+ "itemId": 2,
+ "name": "table",
+ "type": "string",
+ "level": 20,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "false",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "{ \"singleValue\":true }",
+ "label": "Hive Table",
+ "description": "Hive Table"
+ }
+ ]
},
"id": 3,
"guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
"isEnabled": true,
- "createTime": "20160314-14:39:35.000-+0000",
- "updateTime": "20160314-14:39:35.000-+0000",
+ "createTime": "20160914-11:19:33.000-+0100",
+ "updateTime": "20160914-11:19:33.000-+0100",
"version": 1
}
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ed3f214b/hive-agent/src/test/resources/wordcount.txt
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/resources/wordcount.txt b/hive-agent/src/test/resources/wordcount.txt
index d6b8503..7b22c77 100644
--- a/hive-agent/src/test/resources/wordcount.txt
+++ b/hive-agent/src/test/resources/wordcount.txt
@@ -12,3 +12,4 @@ Murray's 8
Murray._ 1
Murray?" 1
Murray_. 2
+cannot 79