Posted to commits@ranger.apache.org by ma...@apache.org on 2015/01/08 22:12:56 UTC
incubator-ranger git commit: RANGER-203: Policyengine updated to
support the notion of "any" access
Repository: incubator-ranger
Updated Branches:
refs/heads/stack 7d00538b3 -> 7a87f4d6c
RANGER-203: Policyengine updated to support the notion of "any" access
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7a87f4d6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7a87f4d6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7a87f4d6
Branch: refs/heads/stack
Commit: 7a87f4d6c28149f4e306ddbf04c506e2a33405c7
Parents: 7d00538
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Jan 8 13:05:59 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Jan 8 13:05:59 2015 -0800
----------------------------------------------------------------------
.../ranger/plugin/model/RangerService.java | 1 -
.../plugin/policyengine/RangerAccessResult.java | 14 +-
.../plugin/policyengine/RangerPolicyEngine.java | 2 +-
.../policyengine/RangerPolicyEngineImpl.java | 118 ++++++------
.../RangerDefaultPolicyEvaluator.java | 192 ++++++++++++-------
.../policyengine/test_policyengine_01.json | 68 +++----
6 files changed, 216 insertions(+), 179 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
index 2f8d5e5..ea2182a 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
@@ -26,7 +26,6 @@ import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
-import org.apache.ranger.plugin.manager.CustomizedMapDeserializer;
import org.codehaus.jackson.annotate.JsonAutoDetect;
import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 57094a4..a5a1ef3 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -58,19 +58,7 @@ public class RangerAccessResult {
* @return the accessTypeResult
*/
public ResultDetail getAccessTypeResult(String accessType) {
- if(accessTypeResults == null) {
- accessTypeResults = new HashMap<String, ResultDetail>();
- }
-
- ResultDetail ret = accessTypeResults.get(accessType);
-
- if(ret == null) {
- ret = new ResultDetail();
-
- accessTypeResults.put(accessType, ret);
- }
-
- return ret;
+ return accessTypeResults == null ? null : accessTypeResults.get(accessType);
}
/**
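Review bot: `getAccessTypeResult` now returns `null` when no entry exists for the access type (or when the map itself is null), but the Javadoc above it still says only `@return the accessTypeResult`. The evaluator hunk in RangerDefaultPolicyEvaluator dereferences the return value directly (`accessResult.isAllowed()`), so a caller that has not pre-populated a result for every requested access type gets a NullPointerException inside the authorization path. I would state the contract in the Javadoc, `@return the result recorded for accessType, or null if none has been set`, and null-check at the call site.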
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 0f70b09..f5f10e8 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -28,7 +28,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
public interface RangerPolicyEngine {
public static final String GROUP_PUBLIC = "public";
- public static final String ACCESS_ANY = "any";
+ public static final String ANY_ACCESS = "any";
public static final long UNKNOWN_POLICY = -1;
void setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy> policies);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 4b26c27..c3b3098 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -67,12 +67,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
List<RangerPolicyEvaluator> evaluators = new ArrayList<RangerPolicyEvaluator>();
for(RangerPolicy policy : policies) {
- if(policy.getIsEnabled()) {
- RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
-
- if(evaluator != null) {
- evaluators.add(evaluator);
- }
+ if(! policy.getIsEnabled()) {
+ continue;
+ }
+
+ RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
+
+ if(evaluator != null) {
+ evaluators.add(evaluator);
}
}
@@ -246,53 +248,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
-
- /*
- public void init(String svcName) throws Exception {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.init(" + svcName + ")");
- }
-
- ServiceManager svcMgr = new ServiceManager();
- ServiceDefManager sdMgr = new ServiceDefManager();
-
- RangerServiceDef serviceDef = null;
- List<RangerPolicy> policies = null;
-
- RangerService service = svcMgr.getByName(svcName);
-
- if(service == null) {
- String msg = svcName + ": service not found";
-
- LOG.error(msg);
-
- throw new Exception(msg);
- } else {
- serviceDef = sdMgr.getByName(service.getType());
-
- if(serviceDef == null) {
- String msg = service.getType() + ": service-def not found";
-
- LOG.error(msg);
-
- throw new Exception(msg);
- }
-
- policies = svcMgr.getPolicies(service.getId());
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("RangerPolicyEngineImpl.init(): found " + (policyEvaluators == null ? 0 : policyEvaluators.size()) + " policies in service '" + svcName + "'");
- }
- }
-
- setPolicies(serviceDef, policies);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.init(" + svcName + ")");
- }
- }
- */
-
public String getResourceName(RangerResource resource) {
String ret = null;
@@ -350,11 +305,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
if(request != null) {
if(CollectionUtils.isEmpty(request.getAccessTypes())) {
- ret.setAccessTypeResult(RangerPolicyEngine.ACCESS_ANY, new RangerAccessResult.ResultDetail());
- } else {
- for(String accessType : request.getAccessTypes()) {
- ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail());
- }
+ request.getAccessTypes().add(ANY_ACCESS);
+ }
+
+ for(String accessType : request.getAccessTypes()) {
+ ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail());
}
List<RangerPolicyEvaluator> evaluators = policyEvaluators;
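Review bot: `request.getAccessTypes().add(ANY_ACCESS)` runs exactly when `CollectionUtils.isEmpty(...)` is true, and that includes a null collection, so a request with no access-type collection throws a NullPointerException here or in the `for` loop that follows. An unmodifiable empty collection would fail on the `add` as well. The call also mutates the caller's request, so "any" will presumably appear as a requested access type wherever the request is read afterwards, audit records included. Handle the null case before the `add`, and document the side effect with a comment such as `// adds ANY_ACCESS to the caller's request; the evaluators read the access types from there`. The enclosing method starts and ends outside the hunk.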
@@ -421,4 +376,51 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return sb;
}
+
+
+ /*
+ public void init(String svcName) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyEngineImpl.init(" + svcName + ")");
+ }
+
+ ServiceManager svcMgr = new ServiceManager();
+ ServiceDefManager sdMgr = new ServiceDefManager();
+
+ RangerServiceDef serviceDef = null;
+ List<RangerPolicy> policies = null;
+
+ RangerService service = svcMgr.getByName(svcName);
+
+ if(service == null) {
+ String msg = svcName + ": service not found";
+
+ LOG.error(msg);
+
+ throw new Exception(msg);
+ } else {
+ serviceDef = sdMgr.getByName(service.getType());
+
+ if(serviceDef == null) {
+ String msg = service.getType() + ": service-def not found";
+
+ LOG.error(msg);
+
+ throw new Exception(msg);
+ }
+
+ policies = svcMgr.getPolicies(service.getId());
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("RangerPolicyEngineImpl.init(): found " + (policyEvaluators == null ? 0 : policyEvaluators.size()) + " policies in service '" + svcName + "'");
+ }
+ }
+
+ setPolicies(serviceDef, policies);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyEngineImpl.init(" + svcName + ")");
+ }
+ }
+ */
}
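Review bot: The commented-out `init(String svcName)` is re-added at the end of the class instead of being dropped, and it no longer matches the code around it. It calls `setPolicies(serviceDef, policies)`, while the interface in this commit declares `setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy> policies)`. Stale dead code in the policy engine makes it harder to see which initialisation path is in force. I would delete the block and rely on version control, or keep a one-line comment such as `// init-by-service-name was removed; policies are supplied through setPolicies()`.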
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index ee2503f..a09a958 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -19,10 +19,10 @@
package org.apache.ranger.plugin.policyevaluator;
-import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
-import java.util.List;
+import java.util.HashMap;
+import java.util.Map;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
@@ -45,7 +45,7 @@ import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class);
- private List<RangerResourceMatcher> matchers = null;
+ private Map<String, RangerResourceMatcher> matchers = null;
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef) {
@@ -55,7 +55,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
super.init(policy, serviceDef);
- this.matchers = new ArrayList<RangerResourceMatcher>();
+ this.matchers = new HashMap<String, RangerResourceMatcher>();
if(policy != null && policy.getResources() != null && serviceDef != null) {
for(RangerResourceDef resourceDef : serviceDef.getResources()) {
@@ -65,7 +65,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource);
if(matcher != null) {
- matchers.add(matcher);
+ matchers.put(resourceName, matcher);
} else {
LOG.error("failed to find matcher for resource " + resourceName);
}
@@ -86,83 +86,72 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
RangerPolicy policy = getPolicy();
if(policy != null && request != null && result != null) {
- if(matchResource(request.getResource())) {
- for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
-
- // if no access is requested, grant if ***any*** access is available
- if(CollectionUtils.isEmpty(request.getAccessTypes())) {
- RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(RangerPolicyEngine.ACCESS_ANY);
+ boolean isResourceMatch = matchResource(request.getResource());
+ boolean isResourceHeadMatch = isResourceMatch || matchResourceHead(request.getResource());
- if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
- accessResult.setIsAudited(true);
- }
-
- if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
- continue;
- }
+ for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
+ boolean isUserGroupMatch = matchUserGroup(policyItem, request.getUser(), request.getUserGroups());
+ boolean isCustomConditionsMatch = matchCustomConditions(policyItem, request);
- if(! matchCustomConditions(policyItem, request)) {
- continue;
- }
+ if(! isCustomConditionsMatch) {
+ continue;
+ }
- if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
- continue;
- }
+ for(String accessType : request.getAccessTypes()) {
+ RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType);
- for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
- if(!accessResult.isAllowed() && access.getIsAllowed()) {
- accessResult.setIsAllowed(true);
- accessResult.setPolicyId(policy.getId());
+ // are we done with this accessType?
+ if(accessResult.isAllowed() && accessResult.isAudited()) {
+ continue;
+ }
- break;
- }
- }
- } else {
- if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
- continue;
- }
+ boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
- if(! matchCustomConditions(policyItem, request)) {
+ // partial match is only for "any" access
+ if(!isResourceMatch) {
+ if(!isResourceHeadMatch || !isAnyAccess) {
continue;
}
+ }
- for(String accessType : request.getAccessTypes()) {
- RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType);
-
- if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
- if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
- accessResult.setIsAudited(true);
- }
+ if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
+ accessResult.setIsAudited(true);
+ }
- continue;
- }
-
- RangerPolicyItemAccess access = getAccess(policyItem, accessType);
-
- if(access == null) {
- continue;
- }
+ if(!isUserGroupMatch) {
+ continue;
+ }
+ if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
+ continue;
+ }
- if(accessResult.isAllowed() && accessResult.isAudited()) {
- continue;
- }
-
- if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
- accessResult.setIsAudited(true);
- }
-
+ if(isAnyAccess) {
+ for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
if(!accessResult.isAllowed() && access.getIsAllowed()) {
accessResult.setIsAllowed(true);
accessResult.setPolicyId(policy.getId());
}
+
+ break;
+ }
+ } else {
+ RangerPolicyItemAccess access = getAccess(policyItem, accessType);
+
+ if(access == null) {
+ continue;
}
- }
- if(result.isAllAllowedAndAudited()) {
- break;
+ if(!accessResult.isAllowed() && access.getIsAllowed()) {
+ accessResult.setIsAllowed(true);
+ accessResult.setPolicyId(policy.getId());
+ }
}
}
+
+ if(result.isAllAllowedAndAudited()) {
+ break;
+ }
}
}
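Review bot: In the `isAnyAccess` branch the `break;` sits after the `if` rather than inside it, so the loop over `policyItem.getAccesses()` only ever inspects the first entry. A policy item whose first access has `getIsAllowed()` false and a later one true will not grant "any" access, which contradicts the removed comment "grant if ***any*** access is available". Move the `break;` back into the `if(!accessResult.isAllowed() && access.getIsAllowed())` block, where the old code had it. The enclosing method starts and ends outside the hunk.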
@@ -178,18 +167,24 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
boolean ret = false;
- if(matchers != null && !matchers.isEmpty()) {
- ret = true;
+ RangerServiceDef serviceDef = getServiceDef();
- for(RangerResourceMatcher matcher : matchers) {
- String resourceName = matcher.getResourceDef().getName();
- String resourceValue = resource.getValue(resourceName);
+ if(serviceDef != null && serviceDef.getResources() != null) {
+ for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+ String resourceName = resourceDef.getName();
+ String resourceValue = resource == null ? null : resource.getValue(resourceName);
+ RangerResourceMatcher matcher = matchers == null ? null : matchers.get(resourceName);
- ret = matcher.isMatch(resourceValue);
+ // when no value exists for a resourceName, consider it a match only if (policy doesn't have a matcher OR matcher allows no-value resource)
+ if(StringUtils.isEmpty(resourceValue)) {
+ ret = matcher == null || matcher.isMatch(resourceValue);
+ } else {
+ ret = matcher != null && matcher.isMatch(resourceValue);
+ }
- if(! ret) {
- break;
- }
+ if(! ret) {
+ break;
+ }
}
}
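Review bot: `matcher == null` is treated as a match whenever the request carries no value for that resource, yet the `init()` hunk only logs `failed to find matcher for resource` when `createResourceMatcher` returns null and then carries on. If that failure can happen for a resource the policy does constrain (not visible here), the policy is evaluated as though it placed no restriction on that resource, so it can match more requests than its author intended. The same expression is repeated in `matchResourceHead`. I would have `init()` record the failure so the evaluator never matches, and add a comment at this line such as `// matcher == null must mean the policy names no such resource, never that matcher creation failed`. The method starts outside the hunk.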
@@ -200,6 +195,59 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
+ protected boolean matchResourceHead(RangerResource resource) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultPolicyEvaluator.matchResourceHead(" + resource + ")");
+ }
+
+ boolean ret = false;
+
+ RangerServiceDef serviceDef = getServiceDef();
+
+ if(serviceDef != null && serviceDef.getResources() != null) {
+ int numMatched = 0;
+ int numUnmatched = 0;
+
+ for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+ String resourceName = resourceDef.getName();
+ String resourceValue = resource == null ? null : resource.getValue(resourceName);
+ RangerResourceMatcher matcher = matchers == null ? null : matchers.get(resourceName);
+
+ if(numUnmatched > 0) { // no further values are expected in the resource
+ if(! StringUtils.isEmpty(resourceValue)) {
+ break;
+ }
+
+ numUnmatched++;
+ continue;
+ } else {
+ boolean isMatch = false;
+
+ // when no value exists for a resourceName, consider it a match only if (policy doesn't have a matcher OR matcher allows no-value resource)
+ if(StringUtils.isEmpty(resourceValue)) {
+ isMatch = matcher == null || matcher.isMatch(resourceValue);
+ } else {
+ isMatch = matcher != null && matcher.isMatch(resourceValue);
+ }
+
+ if(isMatch) {
+ numMatched++;
+ } else {
+ numUnmatched++;
+ }
+ }
+ }
+
+ ret = (numMatched > 0) && serviceDef.getResources().size() == (numMatched + numUnmatched);
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultPolicyEvaluator.matchResourceHead(" + resource + "): " + ret);
+ }
+
+ return ret;
+ }
+
protected boolean matchUserGroup(RangerPolicyItem policyItem, String user, Collection<String> groups) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.matchUserGroup(" + policyItem + ", " + user + ", " + groups + ")");
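Review bot: `matchResourceHead` increments `numUnmatched` both when the request has no value for a resource and when it has a value the policy's matcher rejects, and it still returns true as long as every later value is empty. Read literally, a request naming a database and a table but no column head-matches a policy on the same database and a different table, and `evaluate()` then lets that policy answer an "any" access request. If the intent is the one in the inline comment (no further values are expected), a rejected non-empty value should end the match: `if(isMatch) { numMatched++; } else if(StringUtils.isEmpty(resourceValue)) { numUnmatched++; } else { break; }`. The method also needs a Javadoc that defines "head" and notes that it appears to rely on `serviceDef.getResources()` being in hierarchy order.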
@@ -314,7 +362,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
sb.append("matchers={");
if(matchers != null) {
- for(RangerResourceMatcher matcher : matchers) {
+ for(RangerResourceMatcher matcher : matchers.values()) {
sb.append("{").append(matcher).append("} ");
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a87f4d6/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
index ef45c84..d4dcc55 100644
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
@@ -23,8 +23,8 @@
},
"policies":[
- {"id":1,"name":"audit-all-select","isEnabled":true,"isAuditEnabled":true,
- "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+ {"id":1,"name":"db=default: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["default"]},"table":{"values":["*"]},"column":{"values":["*"]}},
"policyItems":[
{"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
]
@@ -41,23 +41,23 @@
],
"tests":[
- {"name":"'use default;' as user1 ==> DENIED",
+ {"name":"ALLOW 'use default;' for user1",
"request":{
"resource":{"elements":{"database":"default"}},
"accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'use default;' as user2 ==> DENIED",
+ {"name":"ALLOW 'use default;' for user2",
"request":{
"resource":{"elements":{"database":"default"}},
"accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'use default;' as user3 ==> DENIED",
+ {"name":"DENY 'use default;' to user3",
"request":{
"resource":{"elements":{"database":"default"}},
"accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default"
@@ -65,23 +65,23 @@
"result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'use default;' as user3, group1 ==> DENIED",
+ {"name":"ALLOW 'use default;' to group1",
"request":{
"resource":{"elements":{"database":"default"}},
"accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'use default;' as user3, group2 ==> DENIED",
+ {"name":"ALLOW 'use default;' to group2",
"request":{
"resource":{"elements":{"database":"default"}},
"accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use default"
},
- "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'use default;' as user3, group3 ==> DENIED",
+ {"name":"DENY 'use default;' to user3/group3",
"request":{
"resource":{"elements":{"database":"default"}},
"accessTypes":[],"user":"user3","userGroups":["users", "group3"],"requestData":"use default"
@@ -89,15 +89,15 @@
"result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'use finance;' as user3, group3 ==> DENIED",
+ {"name":"DENY 'use finance;' to user3/group3",
"request":{
"resource":{"elements":{"database":"finance"}},
"accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance"
},
- "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+ "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
}
,
- {"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED",
+ {"name":"ALLOW 'select col1 from default.testtable;' to user1",
"request":{
"resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
"accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.testtable"
@@ -105,7 +105,7 @@
"result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'select col1 from default.testtable;' as user2 ==> ALLOWED",
+ {"name":"ALLOW 'select col1 from default.testtable;' to user2",
"request":{
"resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
"accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"select col1 from default.testtable"
@@ -113,7 +113,7 @@
"result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'select col1 from default.testtable;' as user3 ==> DENIED",
+ {"name":"DENY 'select col1 from default.testtable;' to user3",
"request":{
"resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
"accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.testtable"
@@ -121,7 +121,7 @@
"result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'select col1 from default.testtable;' as user3, group1 ==> ALLOWED",
+ {"name":"ALLOW 'select col1 from default.testtable;' to group1",
"request":{
"resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
"accessTypes":["select"],"user":"user3","userGroups":["users","group1"],"requestData":"select col1 from default.testtable"
@@ -129,7 +129,7 @@
"result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'select col1 from default.testtable;' as user3, group2 ==> ALLOWED",
+ {"name":"ALLOW 'select col1 from default.testtable;' to group2",
"request":{
"resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
"accessTypes":["select"],"user":"user3","userGroups":["users","group2"],"requestData":"select col1 from default.testtable"
@@ -137,7 +137,7 @@
"result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'select col1 from default.testtable;' as user3, group3 ==> DENIED",
+ {"name":"DENY 'select col1 from default.testtable;' to user3/group3",
"request":{
"resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
"accessTypes":["select"],"user":"user3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable"
@@ -145,7 +145,7 @@
"result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'select col1 from default.table1;' as user1 ==> DENIED",
+ {"name":"DENY 'select col1 from default.table1;' to user1",
"request":{
"resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
"accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select col1 from default.table1"
@@ -153,7 +153,7 @@
"result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'create table default.testtable1;' as user1 ==> DENIED",
+ {"name":"DENY 'create table default.testtable1;' to user1",
"request":{
"resource":{"elements":{"database":"default","table":"testtable1"}},
"accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
@@ -161,7 +161,7 @@
"result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'create table default.testtable1;' as user1, group1 ==> DENIED",
+ {"name":"DENY 'create table default.testtable1;' to user1/group1",
"request":{
"resource":{"elements":{"database":"default","table":"testtable1"}},
"accessTypes":["create"],"user":"user1","userGroups":["users","group1"],"requestData":"create table default.testtable1"
@@ -169,7 +169,7 @@
"result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'create table default.testtable1;' as admin ==> ALLOWED",
+ {"name":"ALLOW 'create table default.testtable1;' to admin",
"request":{
"resource":{"elements":{"database":"default","table":"testtable1"}},
"accessTypes":["create"],"user":"admin","userGroups":["users"],"requestData":"create table default.testtable1"
@@ -177,7 +177,7 @@
"result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'create table default.testtable1;' as user1, admin ==> ALLOWED",
+ {"name":"ALLOW 'create table default.testtable1;' to user1/admin",
"request":{
"resource":{"elements":{"database":"default","table":"testtable1"}},
"accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
@@ -185,7 +185,7 @@
"result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'drop table default.testtable1;' as user1 ==> DENIED",
+ {"name":"DENY 'drop table default.testtable1;' to user1",
"request":{
"resource":{"elements":{"database":"default","table":"testtable1"}},
"accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
@@ -193,7 +193,7 @@
"result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'drop table default.testtable1;' as user1, group1 ==> DENIED",
+ {"name":"DENY 'drop table default.testtable1;' to user1/group1",
"request":{
"resource":{"elements":{"database":"default","table":"testtable1"}},
"accessTypes":["drop"],"user":"user1","userGroups":["users","group1"],"requestData":"drop table default.testtable1"
@@ -201,7 +201,7 @@
"result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'drop table default.testtable1;' as admin ==> ALLOWED",
+ {"name":"ALLOW 'drop table default.testtable1;' to admin",
"request":{
"resource":{"elements":{"database":"default","table":"testtable1"}},
"accessTypes":["drop"],"user":"admin","userGroups":["users"],"requestData":"drop table default.testtable1"
@@ -209,7 +209,7 @@
"result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'drop table default.testtable1;' as user1, admin ==> ALLOWED",
+ {"name":"ALLOW 'drop table default.testtable1;' to user1/admin",
"request":{
"resource":{"elements":{"database":"default","table":"testtable1"}},
"accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
@@ -217,7 +217,7 @@
"result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}}
}
,
- {"name":"'create table default.table1;' as user1 ==> DENIED",
+ {"name":"DENY 'create table default.table1;' to user1",
"request":{
"resource":{"elements":{"database":"default","table":"table1"}},
"accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create table default.testtable1"
@@ -225,7 +225,7 @@
"result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'create table default.table1;' as user1, admin ==> DENIED",
+ {"name":"DENY 'create table default.table1;' to user1/admin",
"request":{
"resource":{"elements":{"database":"default","table":"table1"}},
"accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create table default.testtable1"
@@ -233,7 +233,7 @@
"result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'drop table default.table1;' as user1 ==> DENIED",
+ {"name":"DENY 'drop table default.table1;' to user1",
"request":{
"resource":{"elements":{"database":"default","table":"table1"}},
"accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table default.testtable1"
@@ -241,7 +241,7 @@
"result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'drop table default.table1;' as user1, admin ==> DENIED",
+ {"name":"DENY 'drop table default.table1;' to user1/admin",
"request":{
"resource":{"elements":{"database":"default","table":"table1"}},
"accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
@@ -249,7 +249,7 @@
"result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
}
,
- {"name":"'select col1 from default.table1;' as user3 ==> DENIED",
+ {"name":"DENY 'select col1 from default.table1;' to user3",
"request":{
"resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
"accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select col1 from default.table1"