
Example 66 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.

From class TestRangerPolicyValidator, method test_isValidPolicyItem_failures.

/**
 * Negative cases for {@code isValidPolicyItem}: a policy item with no accesses
 * (null or empty), or with an access but neither users nor groups, must be
 * rejected, and the matching "missing value" failure must be recorded in
 * {@code _failures}.
 */
@Test
public void test_isValidPolicyItem_failures() {
    RangerPolicyItem item = mock(RangerPolicyItem.class);

    // 1. accesses == null -> "policy item accesses" reported as missing
    when(item.getAccesses()).thenReturn(null);
    assertPolicyItemMissing(item, "policy item accesses");

    // 2. accesses present but empty -> same failure
    List<RangerPolicyItemAccess> accessList = new ArrayList<>();
    when(item.getAccesses()).thenReturn(accessList);
    assertPolicyItemMissing(item, "policy item accesses");

    // 3. one access, but users == null and groups empty: the item names no grantee.
    //    Roles are not stubbed here, so the mock's default return presumably applies.
    accessList.add(mock(RangerPolicyItemAccess.class));
    when(item.getUsers()).thenReturn(null);
    when(item.getGroups()).thenReturn(new ArrayList<String>());
    assertPolicyItemMissing(item, "policy item users/user-groups/roles");
}

/**
 * Clears {@code _failures}, asserts that {@code item} is rejected by the validator,
 * and checks that a missing-value failure was recorded for {@code field}.
 */
private void assertPolicyItemMissing(RangerPolicyItem item, String field) {
    _failures.clear();
    Assert.assertFalse(_validator.isValidPolicyItem(item, _failures, _serviceDef));
    _utils.checkFailureForMissingValue(_failures, field);
}
Also used : RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) ArrayList(java.util.ArrayList) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) Test(org.junit.Test)

Example 67 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.

From class TestRangerPolicyValidator, method testIsValid_happyPath.

/**
 * Positive cases for {@code isValid}: a policy whose name, service and service-def all
 * resolve through the mocked store must pass for every action in {@code cu} (the
 * CREATE branch and its else branch are both exercised), with and without admin
 * privileges, under three progressively stricter set-ups:
 * <ol>
 *   <li>no resources and no policy items, with audit enabled (null is treated as enabled);</li>
 *   <li>audit disabled, so a non-empty set of valid policy items is required;</li>
 *   <li>a service-def with resource definitions, a conforming resource map and a
 *       resource signature that no other policy in the store shares.</li>
 * </ol>
 * {@code _failures} must stay empty after every call.
 *
 * @throws Exception propagated from the mocked store set-up
 */
@Test
public final void testIsValid_happyPath() throws Exception {
    // valid policy has valid non-empty name and service name
    when(_policy.getService()).thenReturn("service-name");
    // service name exists
    RangerService service = mock(RangerService.class);
    when(service.getType()).thenReturn("service-type");
    when(service.getId()).thenReturn(2L);
    when(_store.getServiceByName("service-name")).thenReturn(service);
    // service points to a valid service-def
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
    when(_serviceDef.getName()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // a matching policy should exist for create when checked by id and not exist when checked by name.
    when(_store.getPolicy(7L)).thenReturn(null);
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(8L);
    when(existingPolicy.getService()).thenReturn("service-name");
    when(_store.getPolicy(8L)).thenReturn(existingPolicy);
    // a matching policy should not exist for update.
    // valid policy can have empty set of policy items if audit is turned on
    // null value for audit is treated as audit on.
    // for now we want to turn any resource related checking off
    when(_policy.getResources()).thenReturn(null);
    for (Action action : cu) {
        for (Boolean auditEnabled : new Boolean[] { null, true }) {
            for (boolean isAdmin : new boolean[] { true, false }) {
                when(_policy.getIsAuditEnabled()).thenReturn(auditEnabled);
                if (action == Action.CREATE) {
                    // id 7 is not in the store and the name is not taken -> create is allowed
                    when(_policy.getId()).thenReturn(7L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    when(_store.getPolicyId(service.getId(), _policy.getName(), _zoneId)).thenReturn(null);
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                } else {
                    // update should work both when by-name is found or not, since nothing found by-name means name is being updated.
                    when(_policy.getId()).thenReturn(8L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                    when(_policy.getName()).thenReturn("policy-name-2");
                    when(_store.getPolicyId(service.getId(), _policy.getName(), _zoneId)).thenReturn(null);
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                }
            }
        }
    }
    // if audit is disabled then policy should have policy items and all of them should be valid
    List<RangerPolicyItem> policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    when(_policy.getIsAuditEnabled()).thenReturn(false);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            if (action == Action.CREATE) {
                when(_policy.getId()).thenReturn(7L);
                when(_policy.getName()).thenReturn("policy-name-1");
            } else {
                when(_policy.getId()).thenReturn(8L);
                when(_policy.getName()).thenReturn("policy-name-2");
            }
            Assert.assertTrue("" + action, _validator.isValid(_policy, action, isAdmin, _failures));
            Assert.assertTrue(_failures.isEmpty());
        }
    }
    // above succeeded as service def did not have any resources on it, mandatory or otherwise.
    // policy should have all mandatory resources specified, and they should conform to the validation pattern in resource definition
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    Map<String, RangerPolicyResource> resourceMap = _utils.createPolicyResourceMap(policyResourceMap_good);
    when(_policy.getResources()).thenReturn(resourceMap);
    // let's add some other policies in the store for this service that have a different signature
    // setup the signatures on the policies
    RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
    // setup the store to indicate that no other policy exists with matching signature
    when(policySignature.getSignature()).thenReturn("hash-1");
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    // we are reusing the same policies collection here -- which is fine
    for (Action action : cu) {
        if (action == Action.CREATE) {
            when(_policy.getId()).thenReturn(7L);
            when(_policy.getName()).thenReturn("policy-name-1");
        } else {
            when(_policy.getId()).thenReturn(8L);
            when(_policy.getName()).thenReturn("policy-name-2");
        }
        // since the policy resource has excludes, admin privileges are required -- so only isAdmin == true is checked here
        Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
        Assert.assertTrue(_failures.isEmpty());
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 68 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.

From class TestRangerPolicyValidator, method testIsValid_failures.

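/**
 * Negative cases for {@code isValid}, in the order the validator is expected to
 * reject them: null policy, missing name, missing id on update, name/id clashes
 * with policies already in the store, missing or unresolvable service name,
 * missing policy items, missing service-def, bad access types, non-conforming
 * resources, and finally a resource-signature clash with an existing policy.
 * Each step clears {@code _failures}, asserts the policy is rejected, and
 * checks the failure category and field recorded.
 *
 * @throws Exception propagated from the mocked store set-up
 */
@Test
public final void testIsValid_failures() throws Exception {
    for (Action action : cu) {
        // passing in a null policy should fail with appropriate failure reason
        _policy = null;
        checkFailure_isValid(action, "missing", "policy");
        // policy must have a name on it
        _policy = mock(RangerPolicy.class);
        for (String name : new String[] { null, "  " }) {
            when(_policy.getName()).thenReturn(name);
            when(_policy.getResources()).thenReturn(null);
            checkFailure_isValid(action, "missing", "name");
        }
        // for update id is required!
        if (action == Action.UPDATE) {
            when(_policy.getId()).thenReturn(null);
            checkFailure_isValid(action, "missing", "id");
        }
    }
    RangerService service = mock(RangerService.class);
    // Id is ignored for Create but name should not belong to an existing policy.
    // For update, policy should exist for its id and should match its name.
    when(_policy.getName()).thenReturn("policy-name");
    when(_policy.getService()).thenReturn("service-name");
    when(_store.getServiceByName("service-name")).thenReturn(service);
    when(service.getId()).thenReturn(2L);
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(7L);
    when(existingPolicy.getService()).thenReturn("service-name");
    List<RangerPolicy> existingPolicies = new ArrayList<>();
    when(_store.getPolicyId(service.getId(), "policy-name", _zoneId)).thenReturn(7L);
    checkFailure_isValid(Action.CREATE, "semantic", "policy name");
    // update : does not exist for id
    when(_policy.getId()).thenReturn(7L);
    when(_store.getPolicy(7L)).thenReturn(null);
    checkFailure_isValid(Action.UPDATE, "semantic", "id");
    // Update: name should not point to an existing different policy, i.e. with a different id
    when(_store.getPolicy(7L)).thenReturn(existingPolicy);
    RangerPolicy anotherExistingPolicy = mock(RangerPolicy.class);
    when(anotherExistingPolicy.getId()).thenReturn(8L);
    when(anotherExistingPolicy.getService()).thenReturn("service-name");
    existingPolicies.add(anotherExistingPolicy);
    when(_store.getPolicyId(service.getId(), "policy-name", _zoneId)).thenReturn(8L);
    checkFailure_isValid(Action.UPDATE, "semantic", "id/name");
    // policy must have service name on it and it should be valid
    when(_policy.getName()).thenReturn("policy-name");
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            when(_policy.getService()).thenReturn("");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
        }
    }
    // service name should be valid
    when(_store.getServiceByName("service-name")).thenReturn(null);
    when(_store.getServiceByName("another-service-name")).thenThrow(new Exception());
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            // null service name -> missing value, even with the store now returning nothing
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            // empty service name -> missing value (mirrors the null/"" pair checked above;
            // this case previously re-stubbed null and so never exercised "")
            when(_policy.getService()).thenReturn("");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            // name present but unknown to the store -> semantic error
            when(_policy.getService()).thenReturn("service-name");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "service name");
            // name present but the store lookup throws -> also a semantic error
            when(_policy.getService()).thenReturn("another-service-name");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "service name");
        }
    }
    // policy must contain at least one policy item
    List<RangerPolicyItem> policyItems = new ArrayList<>();
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            // when it is null
            when(_policy.getPolicyItems()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "policy items");
            // or when it is not null but empty.
            when(_policy.getPolicyItems()).thenReturn(policyItems);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "policy items");
        }
    }
    // these are known good policy items -- same as used above in happypath
    policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    // policy item check requires that service def should exist
    when(service.getType()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(null);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            when(_policy.getService()).thenReturn("service-name");
            when(_store.getServiceByName("service-name")).thenReturn(service);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForInternalError(_failures, "policy service def");
        }
    }
    // service-def should contain the right access types on it.
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes_bad, "service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "policy item access type");
        }
    }
    // create the right service def with right resource defs - this is the same as in the happypath test above.
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes, "service-type");
    when(_store.getPolicyId(service.getId(), "policy-name", _zoneId)).thenReturn(null);
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // one mandatory is missing (tbl) and one unknown resource is specified (extra), and values of option resource don't conform to validation pattern (col)
    Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
    when(_policy.getResources()).thenReturn(policyResources);
    // ensure that policy is kosher when it comes to resource signature
    RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
    when(signature.getSignature()).thenReturn("hash-1");
    // store does not have any policies for that signature hash
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            // for spurious resource: "extra"
            _utils.checkFailureForSemanticError(_failures, "resource-values", "col");
            // for specifying it as true when def did not allow it
            _utils.checkFailureForSemanticError(_failures, "isRecursive", "db");
            // for specifying it as true when def did not allow it
            _utils.checkFailureForSemanticError(_failures, "isExcludes", "col");
        }
    }
    // Check if errors around resource signature clash are reported: have the store return policies for the same signature
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(existingPolicies);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "policy resources");
        }
    }
}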
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 69 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.

From class TestRangerPolicy, method test_01_Policy_SetListMethods.

/**
 * Checks the four policy-item list accessors of {@link RangerPolicy} (allow items,
 * deny items, allow exceptions, deny exceptions). For each one: a fresh policy
 * starts with an empty list, an element added through the getter is visible on the
 * next getter call, and the matching setter replaces the list wholesale.
 */
@Test
public void test_01_Policy_SetListMethods() {
    RangerPolicy policy = new RangerPolicy();
    List<RangerPolicyItem> replacement = getList(new RangerPolicyItem());

    // allow items
    List<RangerPolicyItem> allowItems = policy.getPolicyItems();
    Assert.assertEquals("RangerPolicy.getPolicyItems()", 0, allowItems.size());
    allowItems.add(new RangerPolicyItem());
    Assert.assertEquals("RangerPolicy.getPolicyItems().add()", 1, policy.getPolicyItems().size());
    policy.setPolicyItems(replacement);
    Assert.assertEquals("RangerPolicy.setPolicyItems()", replacement.size(), policy.getPolicyItems().size());

    // deny items
    List<RangerPolicyItem> denyItems = policy.getDenyPolicyItems();
    Assert.assertEquals("RangerPolicy.getDenyPolicyItems()", 0, denyItems.size());
    denyItems.add(new RangerPolicyItem());
    Assert.assertEquals("RangerPolicy.getDenyPolicyItems().add()", 1, policy.getDenyPolicyItems().size());
    policy.setDenyPolicyItems(replacement);
    Assert.assertEquals("RangerPolicy.setDenyPolicyItems()", replacement.size(), policy.getDenyPolicyItems().size());

    // allow exceptions
    List<RangerPolicyItem> allowExceptions = policy.getAllowExceptions();
    Assert.assertEquals("RangerPolicy.getAllowExceptions()", 0, allowExceptions.size());
    allowExceptions.add(new RangerPolicyItem());
    Assert.assertEquals("RangerPolicy.getAllowExceptions().add()", 1, policy.getAllowExceptions().size());
    policy.setAllowExceptions(replacement);
    Assert.assertEquals("RangerPolicy.setAllowExceptions()", replacement.size(), policy.getAllowExceptions().size());

    // deny exceptions
    List<RangerPolicyItem> denyExceptions = policy.getDenyExceptions();
    Assert.assertEquals("RangerPolicy.getDenyExceptions()", 0, denyExceptions.size());
    denyExceptions.add(new RangerPolicyItem());
    Assert.assertEquals("RangerPolicy.getDenyExceptions().add()", 1, policy.getDenyExceptions().size());
    policy.setDenyExceptions(replacement);
    Assert.assertEquals("RangerPolicy.setDenyExceptions()", replacement.size(), policy.getDenyExceptions().size());
}
Also used : RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) Test(org.junit.Test)

Example 70 with RangerPolicyItem

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem in project ranger by apache.

From class TestRangerPolicy, method test_02_PolicyItem_SetListMethods.

/**
 * Checks the list accessors of {@link RangerPolicyItem} (accesses, users, groups,
 * conditions). For each one: a fresh item starts with an empty list, an element
 * added through the getter is visible on the next getter call, and the matching
 * setter replaces the list wholesale.
 */
@Test
public void test_02_PolicyItem_SetListMethods() {
    RangerPolicyItem item = new RangerPolicyItem();
    List<RangerPolicyItemAccess> accessReplacement = getList(new RangerPolicyItemAccess());
    List<String> userReplacement = getList("user");
    List<String> groupReplacement = getList("group");
    List<RangerPolicyItemCondition> conditionReplacement = getList(new RangerPolicyItemCondition());

    // accesses
    List<RangerPolicyItemAccess> accessList = item.getAccesses();
    Assert.assertEquals("RangerPolicyItem.getAccesses()", 0, accessList.size());
    accessList.add(new RangerPolicyItemAccess());
    Assert.assertEquals("RangerPolicyItem.getAccesses().add()", 1, item.getAccesses().size());
    item.setAccesses(accessReplacement);
    Assert.assertEquals("RangerPolicyItem.setAccesses()", accessReplacement.size(), item.getAccesses().size());

    // users
    List<String> userList = item.getUsers();
    Assert.assertEquals("RangerPolicyItem.getUsers()", 0, userList.size());
    userList.add("");
    Assert.assertEquals("RangerPolicyItem.getUsers().add()", 1, item.getUsers().size());
    item.setUsers(userReplacement);
    Assert.assertEquals("RangerPolicyItem.setUsers()", userReplacement.size(), item.getUsers().size());

    // groups
    List<String> groupList = item.getGroups();
    Assert.assertEquals("RangerPolicyItem.getGroups()", 0, groupList.size());
    groupList.add("");
    Assert.assertEquals("RangerPolicyItem.getGroups().add()", 1, item.getGroups().size());
    item.setGroups(groupReplacement);
    Assert.assertEquals("RangerPolicyItem.setGroups()", groupReplacement.size(), item.getGroups().size());

    // conditions
    List<RangerPolicyItemCondition> conditionList = item.getConditions();
    Assert.assertEquals("RangerPolicyItem.getConditions()", 0, conditionList.size());
    conditionList.add(new RangerPolicyItemCondition());
    Assert.assertEquals("RangerPolicyItem.getConditions().add()", 1, item.getConditions().size());
    item.setConditions(conditionReplacement);
    Assert.assertEquals("RangerPolicyItem.setConditions()", conditionReplacement.size(), item.getConditions().size());
}
Also used : RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) Test(org.junit.Test)
