use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class TestRangerPolicyValidator method test_isValidPolicyItem_failures.
/**
 * Negative cases for {@code isValidPolicyItem}: an item with no accesses, and an item with
 * accesses but nobody to grant them to, must both be rejected with a "missing value" failure.
 */
@Test
public void test_isValidPolicyItem_failures() {
    RangerPolicyItem item = mock(RangerPolicyItem.class);

    // case 1: the access collection is null
    when(item.getAccesses()).thenReturn(null);
    _failures.clear();
    boolean acceptedWithNullAccesses = _validator.isValidPolicyItem(item, _failures, _serviceDef);
    Assert.assertFalse(acceptedWithNullAccesses);
    _utils.checkFailureForMissingValue(_failures, "policy item accesses");

    // case 2: the access collection exists but is empty
    List<RangerPolicyItemAccess> accessList = new ArrayList<>();
    when(item.getAccesses()).thenReturn(accessList);
    _failures.clear();
    boolean acceptedWithEmptyAccesses = _validator.isValidPolicyItem(item, _failures, _serviceDef);
    Assert.assertFalse(acceptedWithEmptyAccesses);
    _utils.checkFailureForMissingValue(_failures, "policy item accesses");

    // case 3: one access is present, but users is null and groups is an empty list,
    // so the item names no principal at all
    RangerPolicyItemAccess singleAccess = mock(RangerPolicyItemAccess.class);
    // the stub above hands out this same list instance, so the mock now reports one access
    accessList.add(singleAccess);
    List<String> noGroups = new ArrayList<String>();
    when(item.getUsers()).thenReturn(null);
    when(item.getGroups()).thenReturn(noGroups);
    _failures.clear();
    boolean acceptedWithoutPrincipals = _validator.isValidPolicyItem(item, _failures, _serviceDef);
    Assert.assertFalse(acceptedWithoutPrincipals);
    _utils.checkFailureForMissingValue(_failures, "policy item users/user-groups");
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class TestRangerPolicyValidator method test_isValidPolicyItemAccess_happyPath.
/**
 * Happy path for {@code isValidPolicyItemAccess}: a known access type is accepted and no
 * failure is recorded, whether its isAllowed flag is {@code null} or {@code true}.
 */
@Test
public void test_isValidPolicyItemAccess_happyPath() {
    // The access type is given in mixed case ("an-Access") while the valid set holds the
    // lower-cased name, so acceptance here shows the type match is not case-sensitive.
    RangerPolicyItemAccess access = mock(RangerPolicyItemAccess.class);
    when(access.getType()).thenReturn("an-Access");
    Set<String> validAccesses = Sets.newHashSet("an-access", "another-access");

    // A null flag and an explicit true must validate identically.
    // NOTE(review): this only pins what the validator accepts; how a null flag is treated
    // when the policy is enforced is not shown here - confirm against the policy engine.
    Boolean[] allowedValues = { null, true };
    for (Boolean allowed : allowedValues) {
        when(access.getIsAllowed()).thenReturn(allowed);
        boolean accepted = _validator.isValidPolicyItemAccess(access, _failures, validAccesses);
        Assert.assertTrue(accepted);
        Assert.assertTrue(_failures.isEmpty());
    }
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class ValidationTestUtils method createPolicyItems.
/**
 * Builds mocked {@code RangerPolicyItem}s from a compact test description.
 *
 * <p>Each element of {@code data} is cast to a {@code Map<String, Object[]>} and read with these keys:
 * <ul>
 *   <li>{@code "users"} / {@code "groups"} - {@code String[]}; when the key is absent the
 *       corresponding getter is stubbed to return {@code null}</li>
 *   <li>{@code "accesses"} - {@code String[]} of access type names</li>
 *   <li>{@code "isAllowed"} - {@code Boolean[]} read at the same index as {@code "accesses"}</li>
 * </ul>
 * {@code getAccesses()} is stubbed to return {@code null} unless both {@code "accesses"} and
 * {@code "isAllowed"} are present.
 *
 * @param data one map per policy item to create
 * @return the mocked policy items, in the order of {@code data}
 */
List<RangerPolicyItem> createPolicyItems(Object[] data) {
    List<RangerPolicyItem> result = new ArrayList<>();
    for (Object entry : data) {
        @SuppressWarnings("unchecked") Map<String, Object[]> spec = (Map<String, Object[]>) entry;
        RangerPolicyItem item = mock(RangerPolicyItem.class);

        // an absent key means "null list", which is different from an empty array
        List<String> users = spec.containsKey("users") ? Arrays.asList((String[]) spec.get("users")) : null;
        when(item.getUsers()).thenReturn(users);

        List<String> groups = spec.containsKey("groups") ? Arrays.asList((String[]) spec.get("groups")) : null;
        when(item.getGroups()).thenReturn(groups);

        String[] accessTypes = (String[]) spec.get("accesses");
        Boolean[] allowedFlags = (Boolean[]) spec.get("isAllowed");
        List<RangerPolicyItemAccess> accessMocks = null;
        if (accessTypes != null && allowedFlags != null) {
            accessMocks = new ArrayList<>();
            // the two arrays are walked in parallel using the length of "accesses" only, so an
            // "isAllowed" array that is shorter fails with ArrayIndexOutOfBoundsException
            for (int idx = 0; idx < accessTypes.length; idx++) {
                String type = accessTypes[idx];
                Boolean allowed = allowedFlags[idx];
                RangerPolicyItemAccess accessMock = mock(RangerPolicyItemAccess.class);
                when(accessMock.getType()).thenReturn(type);
                when(accessMock.getIsAllowed()).thenReturn(allowed);
                accessMocks.add(accessMock);
            }
        }
        when(item.getAccesses()).thenReturn(accessMocks);

        result.add(item);
    }
    return result;
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class RangerPolicyValidator method isValidItemAccesses.
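/**
 * Validates each access entry of a policy item.
 *
 * <p>A {@code null} element is reported as a missing "policy item access"; every other element
 * is passed to {@code isValidPolicyItemAccess} together with the set obtained from
 * {@code getAccessTypes(serviceDef)}. All elements are visited even after a failure, so
 * {@code failures} ends up holding every problem found rather than only the first.
 *
 * <p>A {@code null} or empty {@code accesses} list adds no failure and yields {@code true}.
 * NOTE(review): a caller relying on this method alone would therefore accept an item that
 * grants nothing - presumably the caller reports missing accesses itself; confirm.
 *
 * @param accesses   access entries of one policy item; may be {@code null} or empty
 * @param failures   collector that validation failures are appended to
 * @param serviceDef service definition used to look up the permitted access types
 * @return {@code true} if no element produced a failure
 */
boolean isValidItemAccesses(List<RangerPolicyItemAccess> accesses, List<ValidationFailureDetails> failures, RangerServiceDef serviceDef) {
    if (LOG.isDebugEnabled()) {
        // trace lines name this method; they previously said "isValid", which pointed readers at the wrong method
        LOG.debug(String.format("==> RangerPolicyValidator.isValidItemAccesses(%s, %s, %s)", accesses, failures, serviceDef));
    }

    boolean valid = true;
    if (CollectionUtils.isEmpty(accesses)) {
        // only logged, not recorded as a failure (see the note in the method documentation)
        LOG.debug("policy item accesses collection was null/empty!");
    } else {
        Set<String> accessTypes = getAccessTypes(serviceDef);
        for (RangerPolicyItemAccess access : accesses) {
            if (access == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS;
                failures.add(new ValidationFailureDetailsBuilder()
                        .field("policy item access")
                        .isMissing()
                        .becauseOf(error.getMessage())
                        .errorCode(error.getErrorCode())
                        .build());
                valid = false;
            } else {
                // the call is the left operand on purpose: it must run even when valid is
                // already false, so that failures for every element are captured
                valid = isValidPolicyItemAccess(access, failures, accessTypes) && valid;
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidItemAccesses(%s, %s, %s): %b", accesses, failures, serviceDef, valid));
    }
    return valid;
}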
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.
the class TestRangerPolicyService method rangerPolicy.
/**
 * Builds the {@code RangerPolicy} fixture used by the tests in this class: an enabled,
 * audit-enabled policy with one policy item whose accesses, conditions, groups and users
 * are all empty lists and whose delegate-admin flag is off.
 *
 * @return a freshly populated policy; create and update times are taken from {@code new Date()}
 */
private RangerPolicy rangerPolicy() {
    final String serviceAndPolicyName = "HDFS_1-1-20150316062453";
    List<String> users = new ArrayList<>();

    RangerPolicyItem item = new RangerPolicyItem();
    item.setAccesses(new ArrayList<RangerPolicyItemAccess>());
    item.setConditions(new ArrayList<RangerPolicyItemCondition>());
    item.setGroups(new ArrayList<String>());
    item.setUsers(users);
    item.setDelegateAdmin(false);

    List<RangerPolicyItem> items = new ArrayList<>();
    items.add(item);

    Map<String, RangerPolicyResource> resources = new HashMap<>();
    // NOTE(review): this resource is configured but never put into the map, so the policy is
    // returned with an empty resource map - confirm that is what the tests intend.
    RangerPolicyResource resource = new RangerPolicyResource();
    resource.setIsExcludes(true);
    resource.setIsRecursive(true);
    resource.setValue("1");
    resource.setValues(users);

    RangerPolicy result = new RangerPolicy();
    result.setId(Id);
    result.setCreateTime(new Date());
    result.setDescription("policy");
    result.setGuid("policyguid");
    result.setIsEnabled(true);
    result.setName(serviceAndPolicyName);
    result.setUpdatedBy("Admin");
    result.setUpdateTime(new Date());
    result.setService(serviceAndPolicyName);
    result.setIsAuditEnabled(true);
    result.setPolicyItems(items);
    result.setResources(resources);
    return result;
}