Example 1 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.
the class ServiceDBStore method createDefaultPolicies.
void createDefaultPolicies(RangerService createdService) throws Exception {
RangerBaseService svc = serviceMgr.getRangerServiceByService(createdService, this);
if (svc != null) {
List<String> serviceCheckUsers = getServiceCheckUsers(createdService);
List<RangerPolicy> defaultPolicies = svc.getDefaultRangerPolicies();
if (CollectionUtils.isNotEmpty(defaultPolicies)) {
createDefaultPolicyUsersAndGroups(defaultPolicies);
for (RangerPolicy defaultPolicy : defaultPolicies) {
if (CollectionUtils.isNotEmpty(serviceCheckUsers) && StringUtils.equalsIgnoreCase(defaultPolicy.getService(), createdService.getName())) {
RangerPolicyItem defaultAllowPolicyItem = CollectionUtils.isNotEmpty(defaultPolicy.getPolicyItems()) ? defaultPolicy.getPolicyItems().get(0) : null;
if (defaultAllowPolicyItem == null) {
LOG.error("There is no allow-policy-item in the default-policy:[" + defaultPolicy + "]");
} else {
RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
policyItem.setUsers(serviceCheckUsers);
policyItem.setAccesses(defaultAllowPolicyItem.getAccesses());
policyItem.setDelegateAdmin(true);
defaultPolicy.getPolicyItems().add(policyItem);
}
}
boolean isPolicyItemValid = validatePolicyItems(defaultPolicy.getPolicyItems()) && validatePolicyItems(defaultPolicy.getDenyPolicyItems()) && validatePolicyItems(defaultPolicy.getAllowExceptions()) && validatePolicyItems(defaultPolicy.getDenyExceptions()) && validatePolicyItems(defaultPolicy.getDataMaskPolicyItems()) && validatePolicyItems(defaultPolicy.getRowFilterPolicyItems());
if (isPolicyItemValid) {
createPolicy(defaultPolicy);
} else {
LOG.warn("Default policy won't be created,since policyItems not valid-either users/groups not present or access not present in policy.");
}
}
}
}
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerBaseService(org.apache.ranger.plugin.service.RangerBaseService)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
VXString(org.apache.ranger.view.VXString)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Example 2 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.
the class TestServiceDBStore method tess26createPolicy.
@Test
public void tess26createPolicy() throws Exception {
setup();
XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
XXPolicy xPolicy = Mockito.mock(XXPolicy.class);
XXPolicyDao xPolicyDao = Mockito.mock(XXPolicyDao.class);
XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
XXServiceVersionInfoDao xServiceVersionInfoDao = Mockito.mock(XXServiceVersionInfoDao.class);
XXService xService = Mockito.mock(XXService.class);
XXServiceVersionInfo xServiceVersionInfo = Mockito.mock(XXServiceVersionInfo.class);
XXPolicyItemDao xPolicyItemDao = Mockito.mock(XXPolicyItemDao.class);
XXServiceDef xServiceDef = serviceDef();
Map<String, String> configs = new HashMap<String, String>();
configs.put("username", "servicemgr");
configs.put("password", "servicemgr");
configs.put("namenode", "servicemgr");
configs.put("hadoop.security.authorization", "No");
configs.put("hadoop.security.authentication", "Simple");
configs.put("hadoop.security.auth_to_local", "");
configs.put("dfs.datanode.kerberos.principal", "");
configs.put("dfs.namenode.kerberos.principal", "");
configs.put("dfs.secondary.namenode.kerberos.principal", "");
configs.put("hadoop.rpc.protection", "Privacy");
configs.put("commonNameForCertificate", "");
RangerService rangerService = new RangerService();
rangerService.setId(Id);
rangerService.setConfigs(configs);
rangerService.setCreateTime(new Date());
rangerService.setDescription("service policy");
rangerService.setGuid("1427365526516_835_0");
rangerService.setIsEnabled(true);
rangerService.setName("HDFS_1");
rangerService.setPolicyUpdateTime(new Date());
rangerService.setType("1");
rangerService.setUpdatedBy("Admin");
String policyName = "HDFS_1-1-20150316062345";
String name = "HDFS_1-1-20150316062453";
List<RangerPolicyItemAccess> accessesList = new ArrayList<RangerPolicyItemAccess>();
RangerPolicyItemAccess policyItemAccess = new RangerPolicyItemAccess();
policyItemAccess.setIsAllowed(true);
policyItemAccess.setType("1");
List<String> usersList = new ArrayList<String>();
List<String> groupsList = new ArrayList<String>();
List<String> policyLabels = new ArrayList<String>();
List<RangerPolicyItemCondition> conditionsList = new ArrayList<RangerPolicyItemCondition>();
RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition();
policyItemCondition.setType("1");
policyItemCondition.setValues(usersList);
conditionsList.add(policyItemCondition);
List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
RangerPolicyItem rangerPolicyItem = new RangerPolicyItem();
rangerPolicyItem.setDelegateAdmin(false);
rangerPolicyItem.setAccesses(accessesList);
rangerPolicyItem.setConditions(conditionsList);
rangerPolicyItem.setGroups(groupsList);
rangerPolicyItem.setUsers(usersList);
policyItems.add(rangerPolicyItem);
List<RangerPolicyItem> policyItemsSet = new ArrayList<RangerPolicy.RangerPolicyItem>();
RangerPolicyItem paramPolicyItem = new RangerPolicyItem(accessesList, usersList, groupsList, conditionsList, false);
paramPolicyItem.setDelegateAdmin(false);
paramPolicyItem.setAccesses(accessesList);
paramPolicyItem.setConditions(conditionsList);
paramPolicyItem.setGroups(groupsList);
rangerPolicyItem.setUsers(usersList);
policyItemsSet.add(paramPolicyItem);
XXPolicyItem xPolicyItem = new XXPolicyItem();
xPolicyItem.setDelegateAdmin(false);
xPolicyItem.setAddedByUserId(null);
xPolicyItem.setCreateTime(new Date());
xPolicyItem.setGUID(null);
xPolicyItem.setId(Id);
xPolicyItem.setOrder(null);
xPolicyItem.setPolicyId(Id);
xPolicyItem.setUpdatedByUserId(null);
xPolicyItem.setUpdateTime(new Date());
XXPolicy xxPolicy = new XXPolicy();
xxPolicy.setId(Id);
xxPolicy.setName(name);
xxPolicy.setAddedByUserId(Id);
xxPolicy.setCreateTime(new Date());
xxPolicy.setDescription("test");
xxPolicy.setIsAuditEnabled(true);
xxPolicy.setIsEnabled(true);
xxPolicy.setService(1L);
xxPolicy.setUpdatedByUserId(Id);
xxPolicy.setUpdateTime(new Date());
List<XXServiceConfigDef> xServiceConfigDefList = new ArrayList<XXServiceConfigDef>();
XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef();
serviceConfigDefObj.setId(Id);
xServiceConfigDefList.add(serviceConfigDefObj);
List<XXServiceConfigMap> xConfMapList = new ArrayList<XXServiceConfigMap>();
XXServiceConfigMap xConfMap = new XXServiceConfigMap();
xConfMap.setAddedByUserId(null);
xConfMap.setConfigkey(name);
xConfMap.setConfigvalue(name);
xConfMap.setCreateTime(new Date());
xConfMap.setServiceId(null);
xConfMap.setId(Id);
xConfMap.setUpdatedByUserId(null);
xConfMap.setUpdateTime(new Date());
xConfMapList.add(xConfMap);
List<String> users = new ArrayList<String>();
RangerPolicyResource rangerPolicyResource = new RangerPolicyResource();
rangerPolicyResource.setIsExcludes(true);
rangerPolicyResource.setIsRecursive(true);
rangerPolicyResource.setValue("1");
rangerPolicyResource.setValues(users);
Map<String, RangerPolicyResource> policyResource = new HashMap<String, RangerPolicyResource>();
policyResource.put(name, rangerPolicyResource);
policyResource.put(policyName, rangerPolicyResource);
RangerPolicy rangerPolicy = new RangerPolicy();
rangerPolicy.setId(Id);
rangerPolicy.setCreateTime(new Date());
rangerPolicy.setDescription("policy");
rangerPolicy.setGuid("policyguid");
rangerPolicy.setIsEnabled(true);
rangerPolicy.setName("HDFS_1-1-20150316062453");
rangerPolicy.setUpdatedBy("Admin");
rangerPolicy.setUpdateTime(new Date());
rangerPolicy.setService("HDFS_1-1-20150316062453");
rangerPolicy.setIsAuditEnabled(true);
rangerPolicy.setPolicyItems(policyItems);
rangerPolicy.setResources(policyResource);
rangerPolicy.setPolicyLabels(policyLabels);
XXPolicyResource xPolicyResource = new XXPolicyResource();
xPolicyResource.setAddedByUserId(Id);
xPolicyResource.setCreateTime(new Date());
xPolicyResource.setId(Id);
xPolicyResource.setIsExcludes(true);
xPolicyResource.setIsRecursive(true);
xPolicyResource.setPolicyId(Id);
xPolicyResource.setResDefId(Id);
xPolicyResource.setUpdatedByUserId(Id);
xPolicyResource.setUpdateTime(new Date());
List<XXPolicyConditionDef> policyConditionDefList = new ArrayList<XXPolicyConditionDef>();
XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef();
policyConditionDefObj.setAddedByUserId(Id);
policyConditionDefObj.setCreateTime(new Date());
policyConditionDefObj.setDefid(Id);
policyConditionDefObj.setDescription("policy");
policyConditionDefObj.setId(Id);
policyConditionDefObj.setName("country");
policyConditionDefObj.setOrder(0);
policyConditionDefObj.setUpdatedByUserId(Id);
policyConditionDefObj.setUpdateTime(new Date());
policyConditionDefList.add(policyConditionDefObj);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.findByName(name)).thenReturn(xService);
Mockito.when(daoManager.getXXServiceVersionInfo()).thenReturn(xServiceVersionInfoDao);
Mockito.when(xServiceVersionInfoDao.findByServiceId(Id)).thenReturn(xServiceVersionInfo);
Mockito.when(xServiceVersionInfoDao.update(xServiceVersionInfo)).thenReturn(xServiceVersionInfo);
Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn(rangerService);
Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
Mockito.when(xServiceDefDao.findByName(rangerService.getType())).thenReturn(xServiceDef);
Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
Mockito.when(policyService.create(rangerPolicy)).thenReturn(rangerPolicy);
Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
Mockito.when(xPolicyDao.getById(Id)).thenReturn(xPolicy);
Mockito.when(rangerAuditFields.populateAuditFields(Mockito.isA(XXPolicyItem.class), Mockito.isA(XXPolicy.class))).thenReturn(xPolicyItem);
Mockito.when(daoManager.getXXPolicyItem()).thenReturn(xPolicyItemDao);
Mockito.when(xPolicyItemDao.create(xPolicyItem)).thenReturn(xPolicyItem);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
RangerPolicyResourceSignature signature = Mockito.mock(RangerPolicyResourceSignature.class);
Mockito.when(factory.createPolicyResourceSignature(rangerPolicy)).thenReturn(signature);
XXResourceDefDao xResourceDefDao = Mockito.mock(XXResourceDefDao.class);
XXResourceDef xResourceDef = Mockito.mock(XXResourceDef.class);
XXPolicyResourceDao xPolicyResourceDao = Mockito.mock(XXPolicyResourceDao.class);
XXPolicyConditionDefDao xPolicyConditionDefDao = Mockito.mock(XXPolicyConditionDefDao.class);
Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao);
Mockito.when(xResourceDefDao.findByNameAndPolicyId(policyName, Id)).thenReturn(xResourceDef);
Mockito.when(rangerAuditFields.populateAuditFields(Mockito.isA(XXPolicyResource.class), Mockito.isA(XXPolicy.class))).thenReturn(xPolicyResource);
Mockito.when(daoManager.getXXPolicyResource()).thenReturn(xPolicyResourceDao);
Mockito.when(xPolicyResourceDao.create(xPolicyResource)).thenReturn(xPolicyResource);
Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn(xPolicyConditionDefDao);
Mockito.when(xPolicyConditionDefDao.findByServiceDefIdAndName(Id, policyItemCondition.getType())).thenReturn(policyConditionDefObj);
for (Entry<String, RangerPolicyResource> resource : policyResource.entrySet()) {
Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao);
Mockito.when(xResourceDefDao.findByNameAndPolicyId(resource.getKey(), rangerPolicy.getId())).thenReturn(xResourceDef);
}
Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn(xPolicyConditionDefDao);
Mockito.when(xPolicyConditionDefDao.findByServiceDefIdAndName(xServiceDef.getId(), policyItemCondition.getType())).thenReturn(policyConditionDefObj);
Mockito.when(!bizUtil.hasAccess(xService, null)).thenReturn(true);
RangerPolicy dbRangerPolicy = serviceDBStore.createPolicy(rangerPolicy);
Assert.assertNull(dbRangerPolicy);
Assert.assertEquals(Id, rangerPolicy.getId());
Mockito.verify(daoManager).getXXServiceDef();
Mockito.verify(policyService).create(rangerPolicy);
Mockito.verify(rangerAuditFields).populateAuditFields(Mockito.isA(XXPolicyItem.class), Mockito.isA(XXPolicy.class));
Mockito.verify(daoManager).getXXPolicyItem();
}
Also used :
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
VXString(org.apache.ranger.view.VXString)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
RangerService(org.apache.ranger.plugin.model.RangerService)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Date(java.util.Date)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
Test(org.junit.Test)
Example 3 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project nifi by apache.
the class TestRangerBasePluginWithPolicies method testPoliciesWithUserGroupProvider.
@Test
public void testPoliciesWithUserGroupProvider() {
// unknown according to user group provider
final String user1 = "user-1";
// known according to user group provider
final String user2 = "user-2";
// unknown according to user group provider
final String group1 = "group-1";
// known according to user group provider
final String group2 = "group-2";
final UserGroupProvider userGroupProvider = new UserGroupProvider() {
@Override
public Set<User> getUsers() throws AuthorizationAccessException {
return Stream.of(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build()).collect(Collectors.toSet());
}
@Override
public User getUser(String identifier) throws AuthorizationAccessException {
final User u2 = new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
if (u2.getIdentifier().equals(identifier)) {
return u2;
} else {
return null;
}
}
@Override
public User getUserByIdentity(String identity) throws AuthorizationAccessException {
if (user2.equals(identity)) {
return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
} else {
return null;
}
}
@Override
public Set<Group> getGroups() throws AuthorizationAccessException {
return Stream.of(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build()).collect(Collectors.toSet());
}
@Override
public Group getGroup(String identifier) throws AuthorizationAccessException {
final Group g2 = new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build();
if (g2.getIdentifier().equals(identifier)) {
return g2;
} else {
return null;
}
}
@Override
public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
if (user2.equals(identity)) {
return new UserAndGroups() {
@Override
public User getUser() {
return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
}
@Override
public Set<Group> getGroups() {
return Collections.EMPTY_SET;
}
};
} else {
return null;
}
}
@Override
public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
}
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
}
@Override
public void preDestruction() throws AuthorizerDestructionException {
}
};
final String resourceIdentifier1 = "/resource-1";
RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
policy1Resources.put(resourceIdentifier1, resource1);
final RangerPolicyItem policy1Item = new RangerPolicyItem();
policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
policy1Item.setGroups(Stream.of(group2).collect(Collectors.toList()));
final RangerPolicy policy1 = new RangerPolicy();
policy1.setResources(policy1Resources);
policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
final String resourceIdentifier2 = "/resource-2";
RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
policy2Resources.put(resourceIdentifier2, resource2);
final RangerPolicyItem policy2Item = new RangerPolicyItem();
policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
policy2Item.setUsers(Stream.of(user2).collect(Collectors.toList()));
policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
final RangerPolicy policy2 = new RangerPolicy();
policy2.setResources(policy2Resources);
policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
final List<RangerPolicy> policies = new ArrayList<>();
policies.add(policy1);
policies.add(policy2);
final RangerServiceDef serviceDef = new RangerServiceDef();
serviceDef.setName("nifi");
final ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setPolicies(policies);
servicePolicies.setServiceDef(serviceDef);
// set all the policies in the plugin
final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi", userGroupProvider);
pluginWithPolicies.setPolicies(servicePolicies);
// ensure the two ranger policies converted into 3 nifi access policies
final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
assertEquals(3, accessPolicies.size());
// resource 1 -> read but no write
assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
// read
final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
assertNotNull(readResource1);
assertTrue(accessPolicies.contains(readResource1));
assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
assertTrue(readResource1.getUsers().isEmpty());
assertEquals(1, readResource1.getGroups().size());
assertTrue(readResource1.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build().getIdentifier()));
// but no write
assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
// resource 2 -> read and write
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
// read
final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
assertNotNull(readResource2);
assertTrue(accessPolicies.contains(readResource2));
assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
assertEquals(1, readResource2.getUsers().size());
assertTrue(readResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
assertTrue(readResource2.getGroups().isEmpty());
// and write
final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
assertNotNull(writeResource2);
assertTrue(accessPolicies.contains(writeResource2));
assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
assertEquals(1, writeResource2.getUsers().size());
assertTrue(writeResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
assertTrue(writeResource2.getGroups().isEmpty());
}
Also used :
Group(org.apache.nifi.authorization.Group)
User(org.apache.nifi.authorization.User)
UserGroupProviderInitializationContext(org.apache.nifi.authorization.UserGroupProviderInitializationContext)
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
AccessPolicy(org.apache.nifi.authorization.AccessPolicy)
UserAndGroups(org.apache.nifi.authorization.UserAndGroups)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
UserGroupProvider(org.apache.nifi.authorization.UserGroupProvider)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
AuthorizerConfigurationContext(org.apache.nifi.authorization.AuthorizerConfigurationContext)
Test(org.junit.Test)
Example 4 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project nifi by apache.
the class TestRangerBasePluginWithPolicies method testPoliciesWithoutUserGroupProvider.
@Test
public void testPoliciesWithoutUserGroupProvider() {
final String user1 = "user-1";
final String group1 = "group-1";
final String resourceIdentifier1 = "/resource-1";
RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
policy1Resources.put(resourceIdentifier1, resource1);
final RangerPolicyItem policy1Item = new RangerPolicyItem();
policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
final RangerPolicy policy1 = new RangerPolicy();
policy1.setResources(policy1Resources);
policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
final String resourceIdentifier2 = "/resource-2";
RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
policy2Resources.put(resourceIdentifier2, resource2);
final RangerPolicyItem policy2Item = new RangerPolicyItem();
policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
final RangerPolicy policy2 = new RangerPolicy();
policy2.setResources(policy2Resources);
policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
final List<RangerPolicy> policies = new ArrayList<>();
policies.add(policy1);
policies.add(policy2);
final RangerServiceDef serviceDef = new RangerServiceDef();
serviceDef.setName("nifi");
final ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setPolicies(policies);
servicePolicies.setServiceDef(serviceDef);
// set all the policies in the plugin
final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
pluginWithPolicies.setPolicies(servicePolicies);
// ensure the two ranger policies converted into 3 nifi access policies
final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
assertEquals(3, accessPolicies.size());
// resource 1 -> read but no write
assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
// read
final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
assertNotNull(readResource1);
assertTrue(accessPolicies.contains(readResource1));
assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
assertEquals(1, readResource1.getUsers().size());
assertTrue(readResource1.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier()));
assertTrue(readResource1.getGroups().isEmpty());
// but no write
assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
// resource 2 -> read and write
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
// read
final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
assertNotNull(readResource2);
assertTrue(accessPolicies.contains(readResource2));
assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
assertTrue(readResource2.getUsers().isEmpty());
assertEquals(1, readResource2.getGroups().size());
assertTrue(readResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
// and write
final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
assertNotNull(writeResource2);
assertTrue(accessPolicies.contains(writeResource2));
assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
assertTrue(writeResource2.getUsers().isEmpty());
assertEquals(1, writeResource2.getGroups().size());
assertTrue(writeResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
// resource 3 -> no read or write
assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));
// no read or write
assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
}
Also used :
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
AccessPolicy(org.apache.nifi.authorization.AccessPolicy)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
Test(org.junit.Test)
Example 5 with RangerPolicyItem
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project nifi by apache.
the class TestRangerBasePluginWithPolicies method testRecursivePolicy.
@Test
public void testRecursivePolicy() {
final String resourceIdentifier1 = "/resource-1";
RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
resource1.setIsRecursive(true);
final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
policy1Resources.put(resourceIdentifier1, resource1);
final RangerPolicyItem policy1Item = new RangerPolicyItem();
policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
final RangerPolicy policy1 = new RangerPolicy();
policy1.setResources(policy1Resources);
policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
final List<RangerPolicy> policies = new ArrayList<>();
policies.add(policy1);
final RangerServiceDef serviceDef = new RangerServiceDef();
serviceDef.setName("nifi");
final ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setPolicies(policies);
servicePolicies.setServiceDef(serviceDef);
// set all the policies in the plugin
final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
pluginWithPolicies.setPolicies(servicePolicies);
// ensure the policy was skipped
assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
ArrayList(java.util.ArrayList)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Test(org.junit.Test)
Aggregations
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)85
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)65
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)56
ArrayList (java.util.ArrayList)52
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)35
HashMap (java.util.HashMap)34
Test (org.junit.Test)24
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)21
VXString (org.apache.ranger.view.VXString)17
Date (java.util.Date)15
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)14
RangerService (org.apache.ranger.plugin.model.RangerService)11
LinkedHashMap (java.util.LinkedHashMap)8
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)8
RangerDataMaskPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem)7
XXServiceDef (org.apache.ranger.entity.XXServiceDef)6
IOException (java.io.IOException)5
List (java.util.List)5
XXService (org.apache.ranger.entity.XXService)5
RangerRowFilterPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem)5
