
Example 1 with RangerPluginConfig

use of org.apache.ranger.authorization.hadoop.config.RangerPluginConfig in project ranger by apache.

Class TestPolicyEngineComparison, method runTests.

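/**
 * Runs every comparison test case described by the JSON document behind {@code reader}.
 * <p>
 * Each test case names two policy-engine inputs ("me" and "other"). Both are loaded into
 * independent {@link RangerPolicyEngineImpl} instances and, when tag files are supplied, into
 * two {@link RangerTagEnricher}s. Equality is checked in both directions and the observed
 * result is asserted against the expectation recorded in the test case.
 *
 * @param reader   JSON source describing the {@code ComparisonTests}; it is not closed here
 * @param testName label used in the assertion message when the document itself is invalid
 * @throws Exception propagated from reading the policy/tag files or building the engines
 */
private void runTests(InputStreamReader reader, String testName) throws Exception {
    ComparisonTests testCases = gsonBuilder.fromJson(reader, ComparisonTests.class);
    assertTrue("invalid input: " + testName, testCases != null && testCases.testCases != null);
    RangerPolicyEngineOptions options = new RangerPolicyEngineOptions();
    options.optimizeTrieForRetrieval = true;
    for (ComparisonTests.TestCase testCase : testCases.testCases) {
        assertTrue("invalid input: " + testCase.name, testCase.me != null && testCase.other != null);
        ComparisonTests.TestCase.PolicyEngineData myData = testCase.me;
        ComparisonTests.TestCase.PolicyEngineData otherData = testCase.other;
        assertFalse("invalid input: " + testCase.name, myData.servicePoliciesFile == null || otherData.servicePoliciesFile == null);
        // A tags file on "me" requires one on "other" as well; neither side having one is fine.
        assertTrue("invalid input: " + testCase.name, myData.serviceTagsFile == null || otherData.serviceTagsFile != null);
        ServicePolicies myServicePolicies = readServicePolicies(myData.servicePoliciesFile);
        ServicePolicies otherServicePolicies = readServicePolicies(otherData.servicePoliciesFile);
        assertFalse("invalid input: " + testCase.name, myServicePolicies == null || otherServicePolicies == null);
        ServiceTags myServiceTags = null;
        ServiceTags otherServiceTags = null;
        if (myData.serviceTagsFile != null) {
            myServiceTags = readServiceTags(myData.serviceTagsFile);
            otherServiceTags = readServiceTags(otherData.serviceTagsFile);
            assertFalse("invalid input: " + testCase.name, myServiceTags == null || otherServiceTags == null);
        }
        // NOTE(review): both plugin contexts are keyed on the serviceDef of "me"; presumably both
        // inputs describe the same service type -- confirm if a test case ever mixes types.
        RangerPluginContext myPluginContext = new RangerPluginContext(new RangerPluginConfig(myServicePolicies.getServiceDef().getName(), null, "test-compare-my-tags", null, null, options));
        RangerPluginContext otherPluginContext = new RangerPluginContext(new RangerPluginConfig(myServicePolicies.getServiceDef().getName(), null, "test-compare-other-tags", null, null, options));
        RangerPolicyEngineImpl myPolicyEngine = new RangerPolicyEngineImpl(myServicePolicies, myPluginContext, null);
        RangerPolicyEngineImpl otherPolicyEngine = new RangerPolicyEngineImpl(otherServicePolicies, otherPluginContext, null);
        // Compare in both directions so an asymmetric compare() cannot hide a difference.
        boolean isPolicyEnginesEqual = TestPolicyEngine.compare(myPolicyEngine.getPolicyEngine(), otherPolicyEngine.getPolicyEngine()) && TestPolicyEngine.compare(otherPolicyEngine.getPolicyEngine(), myPolicyEngine.getPolicyEngine());
        boolean isTagsEqual = true;
        if (myServiceTags != null) {
            RangerTagEnricher myTagEnricher = newTagEnricher("test-compare-my-tags", myServicePolicies, myServiceTags);
            RangerTagEnricher otherTagEnricher = newTagEnricher("test-compare-other-tags", myServicePolicies, otherServiceTags);
            isTagsEqual = TestPolicyEngine.compare(myTagEnricher, otherTagEnricher) && TestPolicyEngine.compare(otherTagEnricher, myTagEnricher);
        }
        assertEquals("PolicyEngines are not equal " + testCase.name, isPolicyEnginesEqual, testCase.isPolicyEnginesEqual);
        assertEquals("Tags are not equal " + testCase.name, isTagsEqual, testCase.isTagsEqual);
    }
}

/**
 * Builds and initialises a {@link RangerTagEnricher} for one side of a comparison.
 *
 * @param appId           application id recorded on the enricher
 * @param servicePolicies source of the service definition the enricher is bound to
 * @param serviceTags     tags loaded into the enricher after {@code init()}
 * @return a fully initialised enricher holding {@code serviceTags}
 */
private static RangerTagEnricher newTagEnricher(String appId, ServicePolicies servicePolicies, ServiceTags serviceTags) {
    RangerTagEnricher enricher = new RangerTagEnricher();
    enricher.setAppId(appId);
    enricher.setServiceDef(servicePolicies.getServiceDef());
    enricher.setServiceName(serviceTags.getServiceName());
    // init() must run before the tags are installed, mirroring the original call order.
    enricher.init();
    enricher.setServiceTags(serviceTags);
    return enricher;
}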
Also used : RangerPluginConfig(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig) ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) RangerTagEnricher(org.apache.ranger.plugin.contextenricher.RangerTagEnricher) ServiceTags(org.apache.ranger.plugin.util.ServiceTags)

Example 2 with RangerPluginConfig

use of org.apache.ranger.authorization.hadoop.config.RangerPluginConfig in project ranger by apache.

Class TestPolicyACLs, method runTests.

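/**
 * Runs every ACL test case described by the JSON document behind {@code reader}.
 * <p>
 * For each test case a policy engine is built from the case's service policies; for each
 * contained test the resource ACLs are computed and compared with the expected user, group
 * and role permissions, row filters and data masks.
 *
 * @param reader   JSON source describing the {@code PolicyACLsTests}; it is not closed here
 * @param testName label used in the assertion message when the document itself is invalid
 * @throws Exception propagated from parsing or from building the policy engine
 */
private void runTests(InputStreamReader reader, String testName) throws Exception {
    PolicyACLsTests testCases = gsonBuilder.fromJson(reader, PolicyACLsTests.class);
    assertTrue("invalid input: " + testName, testCases != null && testCases.testCases != null);
    for (PolicyACLsTests.TestCase testCase : testCases.testCases) {
        String serviceType = testCase.servicePolicies.getServiceDef().getName();
        RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
        RangerPluginContext pluginContext = new RangerPluginContext(new RangerPluginConfig(serviceType, null, "test-policy-acls", "cl1", "on-prem", policyEngineOptions));
        RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testCase.servicePolicies, pluginContext, null);
        for (PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
            if (oneTest == null) {
                continue;
            }
            RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
            RangerResourceACLs acls = policyEngine.getResourceACLs(request);
            boolean userACLsMatched = principalACLsMatch(acls.getUserACLs(), oneTest.userPermissions);
            boolean groupACLsMatched = principalACLsMatch(acls.getGroupACLs(), oneTest.groupPermissions);
            boolean roleACLsMatched = principalACLsMatch(acls.getRoleACLs(), oneTest.rolePermissions);
            boolean rowFiltersMatched = resultListsMatch(acls.getRowFilters(), oneTest.rowFilters);
            boolean dataMaskingMatched = resultListsMatch(acls.getDataMasks(), oneTest.dataMasks);
            assertTrue("getResourceACLs() failed! " + testCase.name + ":" + oneTest.name, userACLsMatched && groupACLsMatched && roleACLsMatched && rowFiltersMatched && dataMaskingMatched);
        }
    }
}

/**
 * Compares the computed ACLs of one principal kind (user, group or role) with the expected ones.
 * <p>
 * Two empty/null maps match; one empty and one non-empty never match. Otherwise each principal
 * in {@code actual} is checked against its expected privileges.
 *
 * @param actual   principal name to privilege map as returned by the policy engine
 * @param expected principal name to privilege map from the test case; may be null
 * @return true when the two maps agree under the rules above
 */
private static boolean principalACLsMatch(Map<String, Map<String, RangerResourceACLs.AccessResult>> actual, Map<String, Map<String, RangerResourceACLs.AccessResult>> expected) {
    if (!(MapUtils.isNotEmpty(actual) && MapUtils.isNotEmpty(expected))) {
        return MapUtils.isEmpty(actual) && MapUtils.isEmpty(expected);
    }
    for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : actual.entrySet()) {
        Map<String, RangerResourceACLs.AccessResult> actualPrivileges = entry.getValue();
        Map<String, RangerResourceACLs.AccessResult> expectedPrivileges = expected.get(entry.getKey());
        if (MapUtils.isNotEmpty(actualPrivileges) && MapUtils.isNotEmpty(expectedPrivileges)) {
            if (!privilegesMatch(actualPrivileges, expectedPrivileges)) {
                return false;
            }
        } else if (!(MapUtils.isEmpty(actualPrivileges) && MapUtils.isEmpty(expectedPrivileges))) {
            // Kept from the original: the scan stops at the first principal whose privileges are
            // present on only one side, and an ACL consisting solely of ADMIN_ACCESS counts as a
            // match. Remaining principals are not examined in that case.
            Set<String> privileges = actualPrivileges.keySet();
            return privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS);
        }
    }
    return true;
}

/**
 * Checks that every non-admin privilege in {@code actual} is present in {@code expected}
 * with an equal {@link RangerResourceACLs.AccessResult}.
 *
 * @param actual   privileges computed for one principal
 * @param expected privileges the test case expects for that principal
 * @return true when all non-ADMIN_ACCESS entries of {@code actual} are matched
 */
private static boolean privilegesMatch(Map<String, RangerResourceACLs.AccessResult> actual, Map<String, RangerResourceACLs.AccessResult> expected) {
    for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : actual.entrySet()) {
        // ADMIN_ACCESS is synthesised by the engine and is not part of the expectation.
        if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
            continue;
        }
        RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
        if (expectedResult == null || !expectedResult.equals(privilege.getValue())) {
            return false;
        }
    }
    return true;
}

/**
 * Compares an ordered list of row-filter or data-mask results with the expected list.
 *
 * @param found    results computed by the policy engine; never null
 * @param expected results from the test case; null is treated as empty
 * @param <T>      result element type
 * @return true when both lists are empty, or have the same size and equal elements in order
 */
private static <T> boolean resultListsMatch(java.util.List<? extends T> found, java.util.List<? extends T> expected) {
    if (found.isEmpty()) {
        return expected == null || expected.isEmpty();
    }
    if (found.size() != (expected == null ? 0 : expected.size())) {
        return false;
    }
    for (int i = 0; i < found.size(); i++) {
        if (!found.get(i).equals(expected.get(i))) {
            return false;
        }
    }
    return true;
}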
Also used : RangerPluginConfig(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig) Set(java.util.Set) RowFilterResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult) DataMaskResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult) Map(java.util.Map)

Example 3 with RangerPluginConfig

use of org.apache.ranger.authorization.hadoop.config.RangerPluginConfig in project ranger by apache.

Class RangerPolicyEngineImpl, method isAuditExcludedUser.

/**
 * Decides whether the caller is on an audit-exclusion list.
 * <p>
 * The service-level configuration is consulted first, then the plugin configuration; the user
 * name is checked before group and role membership. Presumably the result suppresses audit
 * records for the request, so these lists deserve the same change control as policies.
 *
 * @param userName   user being evaluated
 * @param userGroups groups of the user; null or empty skips the group check
 * @param userRoles  roles of the user; null or empty skips the role check
 * @return true when the user, one of the groups or one of the roles is excluded from auditing
 */
private boolean isAuditExcludedUser(String userName, Set<String> userGroups, Set<String> userRoles) {
    if (serviceConfig.isAuditExcludedUser(userName)) {
        return true;
    }
    RangerPluginConfig pluginConfig = policyEngine.getPluginContext().getConfig();
    if (pluginConfig.isAuditExcludedUser(userName)) {
        return true;
    }
    boolean hasGroups = userGroups != null && !userGroups.isEmpty();
    if (hasGroups && (serviceConfig.hasAuditExcludedGroup(userGroups) || pluginConfig.hasAuditExcludedGroup(userGroups))) {
        return true;
    }
    boolean hasRoles = userRoles != null && !userRoles.isEmpty();
    return hasRoles && (serviceConfig.hasAuditExcludedRole(userRoles) || pluginConfig.hasAuditExcludedRole(userRoles));
}
Also used : RangerPluginConfig(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig)

Example 4 with RangerPluginConfig

use of org.apache.ranger.authorization.hadoop.config.RangerPluginConfig in project ranger by apache.

Class RangerPolicyEngineImpl, method isServiceAdmin.

/**
 * Reports whether {@code userName} is a service administrator.
 * <p>
 * The service-level configuration takes precedence; the plugin configuration is consulted
 * only when the service-level check is negative.
 *
 * @param userName user to look up
 * @return true when either configuration lists the user as a service admin
 */
public boolean isServiceAdmin(String userName) {
    if (serviceConfig.isServiceAdmin(userName)) {
        return true;
    }
    RangerPluginConfig pluginConfig = policyEngine.getPluginContext().getConfig();
    return pluginConfig.isServiceAdmin(userName);
}
Also used : RangerPluginConfig(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig)

Example 5 with RangerPluginConfig

use of org.apache.ranger.authorization.hadoop.config.RangerPluginConfig in project ranger by apache.

Class RangerAdminTagRetriever, method init.

/**
 * Resolves the admin client used to retrieve tags.
 * <p>
 * Requires {@code serviceName}, {@code serviceDef} and {@code appId} to be set; otherwise an
 * error is logged and no client is created. An admin client already present on the plugin
 * context is reused; otherwise one is created from the inherited plugin config, or from a
 * freshly built {@link RangerPluginConfig} when none was inherited.
 *
 * @param options retriever options; not consulted by this method
 */
@Override
public void init(Map<String, String> options) {
    boolean haveServiceIdentity = StringUtils.isNotBlank(serviceName) && serviceDef != null && StringUtils.isNotBlank(appId);
    if (!haveServiceIdentity) {
        LOG.error("FATAL: Cannot find service/serviceDef to use for retrieving tags. Will NOT be able to retrieve tags.");
        return;
    }
    RangerPluginConfig inherited = super.pluginConfig;
    // NOTE(review): the fallback config passes null for cluster name/type and options; verify
    // that a client built from it reaches the intended Ranger Admin.
    RangerPluginConfig effectiveConfig = (inherited != null) ? inherited : new RangerPluginConfig(serviceDef.getName(), serviceName, appId, null, null, null);
    RangerPluginContext context = getPluginContext();
    RangerAdminClient sharedClient = context.getAdminClient();
    this.adminClient = (sharedClient != null) ? sharedClient : context.createAdminClient(effectiveConfig);
}
Also used : RangerPluginConfig(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig) RangerAdminClient(org.apache.ranger.admin.client.RangerAdminClient) RangerPluginContext(org.apache.ranger.plugin.policyengine.RangerPluginContext)

Aggregations

RangerPluginConfig (org.apache.ranger.authorization.hadoop.config.RangerPluginConfig)16 RangerPluginContext (org.apache.ranger.plugin.policyengine.RangerPluginContext)6 ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)4 GsonBuilder (com.google.gson.GsonBuilder)3 RangerDefaultAuditHandler (org.apache.ranger.plugin.audit.RangerDefaultAuditHandler)3 File (java.io.File)2 FileInputStream (java.io.FileInputStream)2 FileOutputStream (java.io.FileOutputStream)2 OutputStreamWriter (java.io.OutputStreamWriter)2 Properties (java.util.Properties)2 RangerAdminClient (org.apache.ranger.admin.client.RangerAdminClient)2 AuditHandler (org.apache.ranger.audit.provider.AuditHandler)2 AuditProviderFactory (org.apache.ranger.audit.provider.AuditProviderFactory)2 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)2 RangerAccessRequest (org.apache.ranger.plugin.policyengine.RangerAccessRequest)2 RangerPolicyEngineImpl (org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl)2 RangerPolicyEngineOptions (org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions)2 BeforeClass (org.junit.BeforeClass)2 Gson (com.google.gson.Gson)1 InputStream (java.io.InputStream)1