
Example 1 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.

the class ServiceDBStore method createDefaultPolicies.

/**
 * Creates the default policies that the service implementation reports for a newly created service.
 *
 * <p>When service-check users are configured and a default policy's service name matches the created
 * service (case-insensitive), an extra policy item is appended to that policy. The extra item lists
 * the service-check users, reuses the accesses of the policy's first policy item, and has
 * delegate-admin set to {@code true}. Every policy is then validated across all six item lists and
 * is only created when all of them pass.
 *
 * <p>NOTE(review): the appended item is a privileged grant (same accesses as the first item plus
 * delegate-admin). The list returned by {@code getServiceCheckUsers} therefore decides who receives
 * it; where that list comes from is not visible here and should be treated as security-sensitive
 * configuration.
 *
 * @param createdService the service that was just created
 * @throws Exception propagated from the lookups, validation or policy creation this method calls
 */
void createDefaultPolicies(RangerService createdService) throws Exception {
    RangerBaseService svc = serviceMgr.getRangerServiceByService(createdService, this);
    if (svc == null) {
        return;
    }
    List<String> serviceCheckUsers = getServiceCheckUsers(createdService);
    List<RangerPolicy> defaultPolicies = svc.getDefaultRangerPolicies();
    if (!CollectionUtils.isNotEmpty(defaultPolicies)) {
        return;
    }
    createDefaultPolicyUsersAndGroups(defaultPolicies);
    for (RangerPolicy defaultPolicy : defaultPolicies) {
        boolean grantToServiceCheckUsers = CollectionUtils.isNotEmpty(serviceCheckUsers)
                && StringUtils.equalsIgnoreCase(defaultPolicy.getService(), createdService.getName());
        if (grantToServiceCheckUsers) {
            // The first policy item is used as the template for the accesses to grant.
            RangerPolicyItem defaultAllowPolicyItem = null;
            if (CollectionUtils.isNotEmpty(defaultPolicy.getPolicyItems())) {
                defaultAllowPolicyItem = defaultPolicy.getPolicyItems().get(0);
            }
            if (defaultAllowPolicyItem != null) {
                RangerPolicy.RangerPolicyItem serviceCheckItem = new RangerPolicy.RangerPolicyItem();
                serviceCheckItem.setUsers(serviceCheckUsers);
                // The accesses list is passed on as returned by the template item;
                // whether the setter copies it is not visible here.
                serviceCheckItem.setAccesses(defaultAllowPolicyItem.getAccesses());
                serviceCheckItem.setDelegateAdmin(true);
                defaultPolicy.getPolicyItems().add(serviceCheckItem);
            } else {
                LOG.error("There is no allow-policy-item in the default-policy:[" + defaultPolicy + "]");
            }
        }
        // Validation short-circuits in this order; the first failing list stops the chain.
        boolean isPolicyItemValid = validatePolicyItems(defaultPolicy.getPolicyItems())
                && validatePolicyItems(defaultPolicy.getDenyPolicyItems())
                && validatePolicyItems(defaultPolicy.getAllowExceptions())
                && validatePolicyItems(defaultPolicy.getDenyExceptions())
                && validatePolicyItems(defaultPolicy.getDataMaskPolicyItems())
                && validatePolicyItems(defaultPolicy.getRowFilterPolicyItems());
        if (!isPolicyItemValid) {
            LOG.warn("Default policy won't be created,since policyItems not valid-either users/groups not present or access not present in policy.");
            continue;
        }
        createPolicy(defaultPolicy);
    }
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerBaseService(org.apache.ranger.plugin.service.RangerBaseService) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) VXString(org.apache.ranger.view.VXString) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)

Example 2 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.

the class TestServiceDBStore method tess26createPolicy.

/**
 * Exercises {@code serviceDBStore.createPolicy} with every DAO and helper it touches replaced by a
 * Mockito mock.
 *
 * <p>The test builds a service, a policy with one policy item and two resources, stubs the DAO
 * lookups, calls {@code createPolicy}, and then checks that the call returned {@code null}, that the
 * input policy still carries {@code Id}, and that selected collaborators were invoked.
 *
 * @throws Exception propagated from {@code setup()} or {@code createPolicy}
 */
@Test
public void tess26createPolicy() throws Exception {
    setup();
    // Mocked DAOs and entities used by the stubs further down.
    XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
    XXPolicy xPolicy = Mockito.mock(XXPolicy.class);
    XXPolicyDao xPolicyDao = Mockito.mock(XXPolicyDao.class);
    XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
    XXServiceVersionInfoDao xServiceVersionInfoDao = Mockito.mock(XXServiceVersionInfoDao.class);
    XXService xService = Mockito.mock(XXService.class);
    XXServiceVersionInfo xServiceVersionInfo = Mockito.mock(XXServiceVersionInfo.class);
    XXPolicyItemDao xPolicyItemDao = Mockito.mock(XXPolicyItemDao.class);
    XXServiceDef xServiceDef = serviceDef();
    // Fixture service configuration. The username/password pair is constructed test data
    // that only ever reaches mocks in this method.
    Map<String, String> configs = new HashMap<String, String>();
    configs.put("username", "servicemgr");
    configs.put("password", "servicemgr");
    configs.put("namenode", "servicemgr");
    configs.put("hadoop.security.authorization", "No");
    configs.put("hadoop.security.authentication", "Simple");
    configs.put("hadoop.security.auth_to_local", "");
    configs.put("dfs.datanode.kerberos.principal", "");
    configs.put("dfs.namenode.kerberos.principal", "");
    configs.put("dfs.secondary.namenode.kerberos.principal", "");
    configs.put("hadoop.rpc.protection", "Privacy");
    configs.put("commonNameForCertificate", "");
    // The service view object that svcService is stubbed to return.
    RangerService rangerService = new RangerService();
    rangerService.setId(Id);
    rangerService.setConfigs(configs);
    rangerService.setCreateTime(new Date());
    rangerService.setDescription("service policy");
    rangerService.setGuid("1427365526516_835_0");
    rangerService.setIsEnabled(true);
    rangerService.setName("HDFS_1");
    rangerService.setPolicyUpdateTime(new Date());
    rangerService.setType("1");
    rangerService.setUpdatedBy("Admin");
    String policyName = "HDFS_1-1-20150316062345";
    String name = "HDFS_1-1-20150316062453";
    // NOTE(review): policyItemAccess is configured but never added to accessesList in this
    // method, so the policy item below carries an empty accesses list.
    List<RangerPolicyItemAccess> accessesList = new ArrayList<RangerPolicyItemAccess>();
    RangerPolicyItemAccess policyItemAccess = new RangerPolicyItemAccess();
    policyItemAccess.setIsAllowed(true);
    policyItemAccess.setType("1");
    // usersList and groupsList stay empty for the whole test.
    List<String> usersList = new ArrayList<String>();
    List<String> groupsList = new ArrayList<String>();
    List<String> policyLabels = new ArrayList<String>();
    List<RangerPolicyItemCondition> conditionsList = new ArrayList<RangerPolicyItemCondition>();
    RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition();
    policyItemCondition.setType("1");
    policyItemCondition.setValues(usersList);
    conditionsList.add(policyItemCondition);
    // The single policy item attached to the policy under test; delegate-admin is off.
    List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
    RangerPolicyItem rangerPolicyItem = new RangerPolicyItem();
    rangerPolicyItem.setDelegateAdmin(false);
    rangerPolicyItem.setAccesses(accessesList);
    rangerPolicyItem.setConditions(conditionsList);
    rangerPolicyItem.setGroups(groupsList);
    rangerPolicyItem.setUsers(usersList);
    policyItems.add(rangerPolicyItem);
    // policyItemsSet is filled here but not referenced again in this method.
    List<RangerPolicyItem> policyItemsSet = new ArrayList<RangerPolicy.RangerPolicyItem>();
    RangerPolicyItem paramPolicyItem = new RangerPolicyItem(accessesList, usersList, groupsList, conditionsList, false);
    paramPolicyItem.setDelegateAdmin(false);
    paramPolicyItem.setAccesses(accessesList);
    paramPolicyItem.setConditions(conditionsList);
    paramPolicyItem.setGroups(groupsList);
    // NOTE(review): this sets users on rangerPolicyItem, not paramPolicyItem; it looks like a
    // copy-paste slip in the run of paramPolicyItem setters - confirm.
    rangerPolicyItem.setUsers(usersList);
    policyItemsSet.add(paramPolicyItem);
    // Entity returned by the stubbed populateAuditFields / xPolicyItemDao.create calls.
    XXPolicyItem xPolicyItem = new XXPolicyItem();
    xPolicyItem.setDelegateAdmin(false);
    xPolicyItem.setAddedByUserId(null);
    xPolicyItem.setCreateTime(new Date());
    xPolicyItem.setGUID(null);
    xPolicyItem.setId(Id);
    xPolicyItem.setOrder(null);
    xPolicyItem.setPolicyId(Id);
    xPolicyItem.setUpdatedByUserId(null);
    xPolicyItem.setUpdateTime(new Date());
    // xxPolicy is populated here but no stub below returns it.
    XXPolicy xxPolicy = new XXPolicy();
    xxPolicy.setId(Id);
    xxPolicy.setName(name);
    xxPolicy.setAddedByUserId(Id);
    xxPolicy.setCreateTime(new Date());
    xxPolicy.setDescription("test");
    xxPolicy.setIsAuditEnabled(true);
    xxPolicy.setIsEnabled(true);
    xxPolicy.setService(1L);
    xxPolicy.setUpdatedByUserId(Id);
    xxPolicy.setUpdateTime(new Date());
    List<XXServiceConfigDef> xServiceConfigDefList = new ArrayList<XXServiceConfigDef>();
    XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef();
    serviceConfigDefObj.setId(Id);
    xServiceConfigDefList.add(serviceConfigDefObj);
    List<XXServiceConfigMap> xConfMapList = new ArrayList<XXServiceConfigMap>();
    XXServiceConfigMap xConfMap = new XXServiceConfigMap();
    xConfMap.setAddedByUserId(null);
    xConfMap.setConfigkey(name);
    xConfMap.setConfigvalue(name);
    xConfMap.setCreateTime(new Date());
    xConfMap.setServiceId(null);
    xConfMap.setId(Id);
    xConfMap.setUpdatedByUserId(null);
    xConfMap.setUpdateTime(new Date());
    xConfMapList.add(xConfMap);
    // One resource object registered under two keys (name and policyName).
    List<String> users = new ArrayList<String>();
    RangerPolicyResource rangerPolicyResource = new RangerPolicyResource();
    rangerPolicyResource.setIsExcludes(true);
    rangerPolicyResource.setIsRecursive(true);
    rangerPolicyResource.setValue("1");
    rangerPolicyResource.setValues(users);
    Map<String, RangerPolicyResource> policyResource = new HashMap<String, RangerPolicyResource>();
    policyResource.put(name, rangerPolicyResource);
    policyResource.put(policyName, rangerPolicyResource);
    // The policy passed to createPolicy; its service name equals the value of `name`.
    RangerPolicy rangerPolicy = new RangerPolicy();
    rangerPolicy.setId(Id);
    rangerPolicy.setCreateTime(new Date());
    rangerPolicy.setDescription("policy");
    rangerPolicy.setGuid("policyguid");
    rangerPolicy.setIsEnabled(true);
    rangerPolicy.setName("HDFS_1-1-20150316062453");
    rangerPolicy.setUpdatedBy("Admin");
    rangerPolicy.setUpdateTime(new Date());
    rangerPolicy.setService("HDFS_1-1-20150316062453");
    rangerPolicy.setIsAuditEnabled(true);
    rangerPolicy.setPolicyItems(policyItems);
    rangerPolicy.setResources(policyResource);
    rangerPolicy.setPolicyLabels(policyLabels);
    XXPolicyResource xPolicyResource = new XXPolicyResource();
    xPolicyResource.setAddedByUserId(Id);
    xPolicyResource.setCreateTime(new Date());
    xPolicyResource.setId(Id);
    xPolicyResource.setIsExcludes(true);
    xPolicyResource.setIsRecursive(true);
    xPolicyResource.setPolicyId(Id);
    xPolicyResource.setResDefId(Id);
    xPolicyResource.setUpdatedByUserId(Id);
    xPolicyResource.setUpdateTime(new Date());
    List<XXPolicyConditionDef> policyConditionDefList = new ArrayList<XXPolicyConditionDef>();
    XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef();
    policyConditionDefObj.setAddedByUserId(Id);
    policyConditionDefObj.setCreateTime(new Date());
    policyConditionDefObj.setDefid(Id);
    policyConditionDefObj.setDescription("policy");
    policyConditionDefObj.setId(Id);
    policyConditionDefObj.setName("country");
    policyConditionDefObj.setOrder(0);
    policyConditionDefObj.setUpdatedByUserId(Id);
    policyConditionDefObj.setUpdateTime(new Date());
    policyConditionDefList.add(policyConditionDefObj);
    // Stubbing: service lookup by name, version info, service definition, policy DAO.
    // Several of these stubs are repeated verbatim further down.
    Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
    Mockito.when(xServiceDao.findByName(name)).thenReturn(xService);
    Mockito.when(daoManager.getXXServiceVersionInfo()).thenReturn(xServiceVersionInfoDao);
    Mockito.when(xServiceVersionInfoDao.findByServiceId(Id)).thenReturn(xServiceVersionInfo);
    Mockito.when(xServiceVersionInfoDao.update(xServiceVersionInfo)).thenReturn(xServiceVersionInfo);
    Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn(rangerService);
    Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
    Mockito.when(xServiceDefDao.findByName(rangerService.getType())).thenReturn(xServiceDef);
    Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
    Mockito.when(policyService.create(rangerPolicy)).thenReturn(rangerPolicy);
    Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
    Mockito.when(xPolicyDao.getById(Id)).thenReturn(xPolicy);
    Mockito.when(rangerAuditFields.populateAuditFields(Mockito.isA(XXPolicyItem.class), Mockito.isA(XXPolicy.class))).thenReturn(xPolicyItem);
    Mockito.when(daoManager.getXXPolicyItem()).thenReturn(xPolicyItemDao);
    Mockito.when(xPolicyItemDao.create(xPolicyItem)).thenReturn(xPolicyItem);
    Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
    Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
    Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
    Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
    // Stubbing: resource signature, resource definitions and condition definitions.
    RangerPolicyResourceSignature signature = Mockito.mock(RangerPolicyResourceSignature.class);
    Mockito.when(factory.createPolicyResourceSignature(rangerPolicy)).thenReturn(signature);
    XXResourceDefDao xResourceDefDao = Mockito.mock(XXResourceDefDao.class);
    XXResourceDef xResourceDef = Mockito.mock(XXResourceDef.class);
    XXPolicyResourceDao xPolicyResourceDao = Mockito.mock(XXPolicyResourceDao.class);
    XXPolicyConditionDefDao xPolicyConditionDefDao = Mockito.mock(XXPolicyConditionDefDao.class);
    Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao);
    Mockito.when(xResourceDefDao.findByNameAndPolicyId(policyName, Id)).thenReturn(xResourceDef);
    Mockito.when(rangerAuditFields.populateAuditFields(Mockito.isA(XXPolicyResource.class), Mockito.isA(XXPolicy.class))).thenReturn(xPolicyResource);
    Mockito.when(daoManager.getXXPolicyResource()).thenReturn(xPolicyResourceDao);
    Mockito.when(xPolicyResourceDao.create(xPolicyResource)).thenReturn(xPolicyResource);
    Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn(xPolicyConditionDefDao);
    Mockito.when(xPolicyConditionDefDao.findByServiceDefIdAndName(Id, policyItemCondition.getType())).thenReturn(policyConditionDefObj);
    // Stub the resource-definition lookup once per resource key of the policy.
    for (Entry<String, RangerPolicyResource> resource : policyResource.entrySet()) {
        Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao);
        Mockito.when(xResourceDefDao.findByNameAndPolicyId(resource.getKey(), rangerPolicy.getId())).thenReturn(xResourceDef);
    }
    Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn(xPolicyConditionDefDao);
    Mockito.when(xPolicyConditionDefDao.findByServiceDefIdAndName(xServiceDef.getId(), policyItemCondition.getType())).thenReturn(policyConditionDefObj);
    // NOTE(review): the negation is applied to the value handed to when(), not to the stub.
    // Mockito presumably stubs the last mock call (hasAccess) to return true, i.e. access is
    // granted rather than denied - confirm that this is the intended authorization setup.
    Mockito.when(!bizUtil.hasAccess(xService, null)).thenReturn(true);
    RangerPolicy dbRangerPolicy = serviceDBStore.createPolicy(rangerPolicy);
    // NOTE(review): only a null return and the unchanged input id are asserted, so the
    // content of the stored policy (items, delegate-admin flag, resources) is never checked.
    Assert.assertNull(dbRangerPolicy);
    Assert.assertEquals(Id, rangerPolicy.getId());
    Mockito.verify(daoManager).getXXServiceDef();
    Mockito.verify(policyService).create(rangerPolicy);
    Mockito.verify(rangerAuditFields).populateAuditFields(Mockito.isA(XXPolicyItem.class), Mockito.isA(XXPolicy.class));
    Mockito.verify(daoManager).getXXPolicyItem();
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) VXString(org.apache.ranger.view.VXString) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) Date(java.util.Date) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) Test(org.junit.Test)

Example 3 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project nifi by apache.

the class TestRangerBasePluginWithPolicies method testPoliciesWithUserGroupProvider.

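/**
 * Verifies how Ranger policies are converted into NiFi access policies when a
 * {@link UserGroupProvider} is supplied.
 *
 * <p>The stub provider knows only {@code user-2} and {@code group-2}. The assertions check that a
 * user or group named in a Ranger policy item but unknown to the provider ({@code user-1},
 * {@code group-1}) does not show up in the resulting access policy, so an identity the provider
 * cannot resolve is not granted access through the converted policy.
 */
@Test
public void testPoliciesWithUserGroupProvider() {
    // unknown according to user group provider
    final String user1 = "user-1";
    // known according to user group provider
    final String user2 = "user-2";
    // unknown according to user group provider
    final String group1 = "group-1";
    // known according to user group provider
    final String group2 = "group-2";
    // Stub provider that resolves only user2 and group2; every other lookup returns null.
    final UserGroupProvider userGroupProvider = new UserGroupProvider() {

        @Override
        public Set<User> getUsers() throws AuthorizationAccessException {
            return Stream.of(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build()).collect(Collectors.toSet());
        }

        @Override
        public User getUser(String identifier) throws AuthorizationAccessException {
            final User u2 = new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
            if (u2.getIdentifier().equals(identifier)) {
                return u2;
            } else {
                return null;
            }
        }

        @Override
        public User getUserByIdentity(String identity) throws AuthorizationAccessException {
            if (user2.equals(identity)) {
                return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
            } else {
                return null;
            }
        }

        @Override
        public Set<Group> getGroups() throws AuthorizationAccessException {
            return Stream.of(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build()).collect(Collectors.toSet());
        }

        @Override
        public Group getGroup(String identifier) throws AuthorizationAccessException {
            final Group g2 = new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build();
            if (g2.getIdentifier().equals(identifier)) {
                return g2;
            } else {
                return null;
            }
        }

        @Override
        public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
            if (user2.equals(identity)) {
                return new UserAndGroups() {

                    @Override
                    public User getUser() {
                        return new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build();
                    }

                    @Override
                    public Set<Group> getGroups() {
                        // typed empty set instead of the raw Collections.EMPTY_SET constant
                        return Collections.emptySet();
                    }
                };
            } else {
                return null;
            }
        }

        @Override
        public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
        }

        @Override
        public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
        }

        @Override
        public void preDestruction() throws AuthorizerDestructionException {
        }
    };
    // policy 1: READ on /resource-1 for the unknown user and the known group
    final String resourceIdentifier1 = "/resource-1";
    RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
    final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
    policy1Resources.put(resourceIdentifier1, resource1);
    final RangerPolicyItem policy1Item = new RangerPolicyItem();
    policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
    policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
    policy1Item.setGroups(Stream.of(group2).collect(Collectors.toList()));
    final RangerPolicy policy1 = new RangerPolicy();
    policy1.setResources(policy1Resources);
    policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
    // policy 2: READ and WRITE on /resource-2 for the known user and the unknown group
    final String resourceIdentifier2 = "/resource-2";
    RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
    final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
    policy2Resources.put(resourceIdentifier2, resource2);
    final RangerPolicyItem policy2Item = new RangerPolicyItem();
    policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    policy2Item.setUsers(Stream.of(user2).collect(Collectors.toList()));
    policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
    final RangerPolicy policy2 = new RangerPolicy();
    policy2.setResources(policy2Resources);
    policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
    final List<RangerPolicy> policies = new ArrayList<>();
    policies.add(policy1);
    policies.add(policy2);
    final RangerServiceDef serviceDef = new RangerServiceDef();
    serviceDef.setName("nifi");
    final ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicies(policies);
    servicePolicies.setServiceDef(serviceDef);
    // set all the policies in the plugin
    final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi", userGroupProvider);
    pluginWithPolicies.setPolicies(servicePolicies);
    // ensure the two ranger policies converted into 3 nifi access policies
    final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
    assertEquals(3, accessPolicies.size());
    // resource 1 -> read but no write
    assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
    // read: the unknown user-1 must be absent, the known group-2 present
    final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
    assertNotNull(readResource1);
    assertTrue(accessPolicies.contains(readResource1));
    assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
    assertTrue(readResource1.getUsers().isEmpty());
    assertEquals(1, readResource1.getGroups().size());
    assertTrue(readResource1.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group2).name(group2).build().getIdentifier()));
    // but no write
    assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
    // resource 2 -> read and write
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
    // read: the known user-2 must be present, the unknown group-1 absent
    final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
    assertNotNull(readResource2);
    assertTrue(accessPolicies.contains(readResource2));
    assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
    assertEquals(1, readResource2.getUsers().size());
    assertTrue(readResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
    assertTrue(readResource2.getGroups().isEmpty());
    // and write: look up the WRITE policy; fetching READ again left the write grant unchecked
    final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.WRITE);
    assertNotNull(writeResource2);
    assertTrue(accessPolicies.contains(writeResource2));
    assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
    assertEquals(1, writeResource2.getUsers().size());
    assertTrue(writeResource2.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user2).identity(user2).build().getIdentifier()));
    assertTrue(writeResource2.getGroups().isEmpty());
}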
Also used : Group(org.apache.nifi.authorization.Group) User(org.apache.nifi.authorization.User) UserGroupProviderInitializationContext(org.apache.nifi.authorization.UserGroupProviderInitializationContext) ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) AccessPolicy(org.apache.nifi.authorization.AccessPolicy) UserAndGroups(org.apache.nifi.authorization.UserAndGroups) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) UserGroupProvider(org.apache.nifi.authorization.UserGroupProvider) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) AuthorizerConfigurationContext(org.apache.nifi.authorization.AuthorizerConfigurationContext) Test(org.junit.Test)

Example 4 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project nifi by apache.

the class TestRangerBasePluginWithPolicies method testPoliciesWithoutUserGroupProvider.

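/**
 * Verifies how Ranger policies are converted into NiFi access policies when the plugin is built
 * without a user group provider.
 *
 * <p>In this configuration the assertions expect the user and group named in the Ranger policy
 * items to appear in the resulting access policies, and a resource with no Ranger policy
 * ({@code resource-3}) to have no access policy for either action.
 */
@Test
public void testPoliciesWithoutUserGroupProvider() {
    final String user1 = "user-1";
    final String group1 = "group-1";
    // policy 1: READ on /resource-1 for user-1
    final String resourceIdentifier1 = "/resource-1";
    RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
    final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
    policy1Resources.put(resourceIdentifier1, resource1);
    final RangerPolicyItem policy1Item = new RangerPolicyItem();
    policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
    policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));
    final RangerPolicy policy1 = new RangerPolicy();
    policy1.setResources(policy1Resources);
    policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
    // policy 2: READ and WRITE on /resource-2 for group-1
    final String resourceIdentifier2 = "/resource-2";
    RangerPolicyResource resource2 = new RangerPolicyResource(resourceIdentifier2);
    final Map<String, RangerPolicyResource> policy2Resources = new HashMap<>();
    policy2Resources.put(resourceIdentifier2, resource2);
    final RangerPolicyItem policy2Item = new RangerPolicyItem();
    policy2Item.setAccesses(Stream.of(new RangerPolicyItemAccess("READ"), new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));
    final RangerPolicy policy2 = new RangerPolicy();
    policy2.setResources(policy2Resources);
    policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));
    final List<RangerPolicy> policies = new ArrayList<>();
    policies.add(policy1);
    policies.add(policy2);
    final RangerServiceDef serviceDef = new RangerServiceDef();
    serviceDef.setName("nifi");
    final ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicies(policies);
    servicePolicies.setServiceDef(serviceDef);
    // set all the policies in the plugin
    final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
    pluginWithPolicies.setPolicies(servicePolicies);
    // ensure the two ranger policies converted into 3 nifi access policies
    final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
    assertEquals(3, accessPolicies.size());
    // resource 1 -> read but no write
    assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));
    // read
    final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
    assertNotNull(readResource1);
    assertTrue(accessPolicies.contains(readResource1));
    assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
    assertEquals(1, readResource1.getUsers().size());
    assertTrue(readResource1.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier()));
    assertTrue(readResource1.getGroups().isEmpty());
    // but no write
    assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
    // resource 2 -> read and write
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));
    // read
    final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
    assertNotNull(readResource2);
    assertTrue(accessPolicies.contains(readResource2));
    assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
    assertTrue(readResource2.getUsers().isEmpty());
    assertEquals(1, readResource2.getGroups().size());
    assertTrue(readResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
    // and write: look up the WRITE policy; fetching READ again left the write grant unchecked
    final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.WRITE);
    assertNotNull(writeResource2);
    assertTrue(accessPolicies.contains(writeResource2));
    assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
    assertTrue(writeResource2.getUsers().isEmpty());
    assertEquals(1, writeResource2.getGroups().size());
    assertTrue(writeResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));
    // resource 3 -> no read or write
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));
    // no read or write
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
}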
Also used : ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) AccessPolicy(org.apache.nifi.authorization.AccessPolicy) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) Test(org.junit.Test)

Example 5 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project nifi by apache.

the class TestRangerBasePluginWithPolicies method testRecursivePolicy.

/**
 * Verifies that a Ranger policy whose resource is flagged recursive is skipped: after loading it,
 * the plugin reports no access policy for the resource and an empty set of access policies.
 */
@Test
public void testRecursivePolicy() {
    final String resourceIdentifier1 = "/resource-1";

    // a single WRITE item with no users or groups attached
    final RangerPolicyItem writeItem = new RangerPolicyItem();
    writeItem.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));

    // the only resource of the policy, marked recursive
    RangerPolicyResource recursiveResource = new RangerPolicyResource(resourceIdentifier1);
    recursiveResource.setIsRecursive(true);
    final Map<String, RangerPolicyResource> resourcesByName = new HashMap<>();
    resourcesByName.put(resourceIdentifier1, recursiveResource);

    final RangerPolicy recursivePolicy = new RangerPolicy();
    recursivePolicy.setResources(resourcesByName);
    recursivePolicy.setPolicyItems(Stream.of(writeItem).collect(Collectors.toList()));

    final List<RangerPolicy> allPolicies = new ArrayList<>();
    allPolicies.add(recursivePolicy);

    final RangerServiceDef nifiServiceDef = new RangerServiceDef();
    nifiServiceDef.setName("nifi");

    final ServicePolicies policiesForService = new ServicePolicies();
    policiesForService.setPolicies(allPolicies);
    policiesForService.setServiceDef(nifiServiceDef);

    // load the policies into a plugin built without a user group provider
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi", "nifi");
    plugin.setPolicies(policiesForService);

    // the recursive policy must not have produced any access policy
    assertFalse(plugin.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
    assertTrue(plugin.getAccessPolicies().isEmpty());
    assertNull(plugin.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies) HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) ArrayList(java.util.ArrayList) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) Test(org.junit.Test)
