
Example 26 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class TestRangerPolicyValidator method test_isValidPolicyItem_failures.

/**
 * Checks that {@code isValidPolicyItem} rejects a policy item in three situations and records
 * a missing-value failure each time: accesses are {@code null}, accesses are empty, and users
 * are {@code null} while groups are empty (no principal named on the item).
 */
@Test
public void test_isValidPolicyItem_failures() {
    RangerPolicyItem item = mock(RangerPolicyItem.class);

    // case 1: a null accesses collection is rejected
    when(item.getAccesses()).thenReturn(null);
    _failures.clear();
    boolean acceptedWithNullAccesses = _validator.isValidPolicyItem(item, _failures, _serviceDef);
    Assert.assertFalse(acceptedWithNullAccesses);
    _utils.checkFailureForMissingValue(_failures, "policy item accesses");

    // case 2: an empty accesses collection is rejected the same way
    List<RangerPolicyItemAccess> accessList = new ArrayList<>();
    when(item.getAccesses()).thenReturn(accessList);
    _failures.clear();
    boolean acceptedWithEmptyAccesses = _validator.isValidPolicyItem(item, _failures, _serviceDef);
    Assert.assertFalse(acceptedWithEmptyAccesses);
    _utils.checkFailureForMissingValue(_failures, "policy item accesses");

    // case 3: accesses are now non-empty, but the item names neither a user nor a group
    RangerPolicyItemAccess mockedAccess = mock(RangerPolicyItemAccess.class);
    accessList.add(mockedAccess);
    when(item.getUsers()).thenReturn(null);
    when(item.getGroups()).thenReturn(new ArrayList<String>());
    _failures.clear();
    boolean acceptedWithoutPrincipals = _validator.isValidPolicyItem(item, _failures, _serviceDef);
    Assert.assertFalse(acceptedWithoutPrincipals);
    _utils.checkFailureForMissingValue(_failures, "policy item users/user-groups");
}
Also used : RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) ArrayList(java.util.ArrayList) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) Test(org.junit.Test)

Example 27 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class TestRangerPolicyValidator method test_isValidPolicyItemAccess_happyPath.

/**
 * Checks that {@code isValidPolicyItemAccess} accepts an access whose type differs only in
 * letter case from an entry of the valid set, both when its allowed flag is {@code null} and
 * when it is {@code true}, and that no failure is recorded in either case.
 */
@Test
public void test_isValidPolicyItemAccess_happyPath() {
    // the valid set is supplied in lower case; the access type stubbed below is mixed case
    Set<String> knownAccessTypes = Sets.newHashSet(new String[] { "an-access", "another-access" });
    RangerPolicyItemAccess mockedAccess = mock(RangerPolicyItemAccess.class);
    when(mockedAccess.getType()).thenReturn("an-Access");

    // an unset (null) flag and an explicit true are both expected to validate
    Boolean[] allowedFlags = { null, true };
    for (int i = 0; i < allowedFlags.length; i++) {
        when(mockedAccess.getIsAllowed()).thenReturn(allowedFlags[i]);
        boolean accepted = _validator.isValidPolicyItemAccess(mockedAccess, _failures, knownAccessTypes);
        Assert.assertTrue(accepted);
        Assert.assertTrue(_failures.isEmpty());
    }
}
Also used : RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) Test(org.junit.Test)

Example 28 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class ValidationTestUtils method createPolicyItems.

/**
 * Builds one mocked {@link RangerPolicyItem} per entry of {@code data}.
 *
 * <p>Each entry is cast to a {@code Map<String, Object[]>} and read under the keys
 * {@code "users"}, {@code "groups"}, {@code "accesses"} and {@code "isAllowed"}. A missing
 * {@code "users"} or {@code "groups"} key makes the corresponding getter return {@code null}.
 * Accesses are only built when both {@code "accesses"} and {@code "isAllowed"} are present;
 * otherwise {@code getAccesses()} returns {@code null}.
 *
 * @param data array of maps describing the policy items to mock
 * @return the mocked policy items, in the order of {@code data}
 */
List<RangerPolicyItem> createPolicyItems(Object[] data) {
    List<RangerPolicyItem> result = new ArrayList<>();
    for (Object entry : data) {
        @SuppressWarnings("unchecked")
        Map<String, Object[]> spec = (Map<String, Object[]>) entry;
        RangerPolicyItem item = mock(RangerPolicyItem.class);

        // key absent -> getter returns null, which lets tests exercise the "no users" path
        List<String> users = spec.containsKey("users") ? Arrays.asList((String[]) spec.get("users")) : null;
        when(item.getUsers()).thenReturn(users);

        List<String> groups = spec.containsKey("groups") ? Arrays.asList((String[]) spec.get("groups")) : null;
        when(item.getGroups()).thenReturn(groups);

        String[] accessTypes = (String[]) spec.get("accesses");
        Boolean[] allowedFlags = (Boolean[]) spec.get("isAllowed");
        List<RangerPolicyItemAccess> accessMocks = null;
        if (accessTypes != null && allowedFlags != null) {
            accessMocks = new ArrayList<>();
            // flags are paired with access types by position; the flag array is indexed up to
            // accessTypes.length, so it must hold at least that many entries
            int position = 0;
            for (String accessType : accessTypes) {
                Boolean allowedFlag = allowedFlags[position++];
                RangerPolicyItemAccess accessMock = mock(RangerPolicyItemAccess.class);
                when(accessMock.getType()).thenReturn(accessType);
                when(accessMock.getIsAllowed()).thenReturn(allowedFlag);
                accessMocks.add(accessMock);
            }
        }
        when(item.getAccesses()).thenReturn(accessMocks);

        result.add(item);
    }
    return result;
}
Also used : ArrayList(java.util.ArrayList) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) HashMap(java.util.HashMap) Map(java.util.Map)

Example 29 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class RangerPolicyValidator method isValidItemAccesses.

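/**
 * Validates each access of a policy item against the access types returned by
 * {@code getAccessTypes(serviceDef)}.
 *
 * <p>A {@code null} element is recorded as a missing "policy item access" failure. Every
 * element is checked even after a failure so that all problems are reported in one pass.
 *
 * <p>A {@code null} or empty {@code accesses} collection is only logged at debug level and
 * yields {@code true}; this method adds no failure for it, so a caller that must reject an
 * item without accesses has to check for that itself.
 *
 * @param accesses   accesses of the policy item; may be {@code null} or empty
 * @param failures   list that receives one entry per problem found
 * @param serviceDef service definition passed to {@code getAccessTypes}
 * @return {@code true} if no element was found invalid, {@code false} otherwise
 */
boolean isValidItemAccesses(List<RangerPolicyItemAccess> accesses, List<ValidationFailureDetails> failures, RangerServiceDef serviceDef) {
    // trace messages name this method (they previously said "isValid"), so that debug logs
    // point at the right validation step
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValidItemAccesses(%s, %s, %s)", accesses, failures, serviceDef));
    }
    boolean valid = true;
    if (CollectionUtils.isEmpty(accesses)) {
        LOG.debug("policy item accesses collection was null/empty!");
    } else {
        Set<String> accessTypes = getAccessTypes(serviceDef);
        for (RangerPolicyItemAccess access : accesses) {
            if (access == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS;
                failures.add(new ValidationFailureDetailsBuilder().field("policy item access").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                // the call is on the left of && so it runs even when valid is already false:
                // all failures are captured, not just the first one
                valid = isValidPolicyItemAccess(access, failures, accessTypes) && valid;
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValidItemAccesses(%s, %s, %s): %b", accesses, failures, serviceDef, valid));
    }
    return valid;
}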
Also used : RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)

Example 30 with RangerPolicyItemAccess

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess in project ranger by apache.

the class TestRangerPolicyService method rangerPolicy.

/**
 * Builds the {@link RangerPolicy} fixture used by the tests in this class: an enabled,
 * audit-enabled policy named {@code "HDFS_1-1-20150316062453"} with a single policy item
 * whose accesses, conditions, users and groups are all empty and whose delegate-admin flag
 * is {@code false}.
 *
 * <p>NOTE(review): the {@code RangerPolicyResource} configured here is never put into the
 * resources map, so the returned policy carries an empty resource map. Confirm that this is
 * intended.
 *
 * @return the populated policy fixture
 */
private RangerPolicy rangerPolicy() {
    // the same users list instance is handed to the policy item and to the resource values
    List<String> userNames = new ArrayList<>();

    RangerPolicyItem item = new RangerPolicyItem();
    item.setAccesses(new ArrayList<RangerPolicyItemAccess>());
    item.setConditions(new ArrayList<RangerPolicyItemCondition>());
    item.setGroups(new ArrayList<String>());
    item.setUsers(userNames);
    item.setDelegateAdmin(false);

    List<RangerPolicyItem> items = new ArrayList<>();
    items.add(item);

    // configured but not registered in resourcesByName (see the note in the Javadoc)
    RangerPolicyResource resource = new RangerPolicyResource();
    resource.setIsExcludes(true);
    resource.setIsRecursive(true);
    resource.setValue("1");
    resource.setValues(userNames);
    Map<String, RangerPolicyResource> resourcesByName = new HashMap<>();

    RangerPolicy fixture = new RangerPolicy();
    fixture.setId(Id);
    fixture.setCreateTime(new Date());
    fixture.setDescription("policy");
    fixture.setGuid("policyguid");
    fixture.setIsEnabled(true);
    fixture.setName("HDFS_1-1-20150316062453");
    fixture.setUpdatedBy("Admin");
    fixture.setUpdateTime(new Date());
    fixture.setService("HDFS_1-1-20150316062453");
    fixture.setIsAuditEnabled(true);
    fixture.setPolicyItems(items);
    fixture.setResources(resourcesByName);
    return fixture;
}
Also used : HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) Date(java.util.Date) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)

Aggregations

RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)39 ArrayList (java.util.ArrayList)30 RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)28 HashMap (java.util.HashMap)27 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)27 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)25 Test (org.junit.Test)17 RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)13 VXString (org.apache.ranger.view.VXString)12 Date (java.util.Date)9 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)8 ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)8 IOException (java.io.IOException)3 XXService (org.apache.ranger.entity.XXService)3 XXServiceDef (org.apache.ranger.entity.XXServiceDef)3 VXPermMap (org.apache.ranger.view.VXPermMap)3 JsonSyntaxException (com.google.gson.JsonSyntaxException)2 LinkedHashMap (java.util.LinkedHashMap)2 List (java.util.List)2 Map (java.util.Map)2