Example 46 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class AbstractPredicateUtil method addPredicateForPolicyResource.
private Predicate addPredicateForPolicyResource(final String resourceValue, List<Predicate> predicates) {
if (StringUtils.isEmpty(resourceValue)) {
return null;
}
Predicate ret = new Predicate() {
@Override
public boolean evaluate(Object object) {
if (object == null) {
return false;
}
boolean ret = false;
if (object instanceof RangerPolicy) {
RangerPolicy policy = (RangerPolicy) object;
Map<String, RangerPolicyResource> policyResources = policy.getResources();
if (MapUtils.isNotEmpty(policyResources)) {
for (Map.Entry<String, RangerPolicyResource> entry : policyResources.entrySet()) {
RangerPolicyResource policyResource = entry.getValue();
if (policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())) {
for (String policyResoureValue : policyResource.getValues()) {
if (StringUtils.containsIgnoreCase(policyResoureValue, resourceValue)) {
ret = true;
break;
}
}
}
}
}
} else {
ret = true;
}
return ret;
}
};
if (predicates != null) {
predicates.add(ret);
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerBaseModelObject(org.apache.ranger.plugin.model.RangerBaseModelObject)
HashMap(java.util.HashMap)
Map(java.util.Map)
Predicate(org.apache.commons.collections.Predicate)
Example 47 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class AbstractPredicateUtil method addPredicateForIsRecursive.
private Predicate addPredicateForIsRecursive(final String isRecursiveStr, List<Predicate> predicates) {
if (StringUtils.isEmpty(isRecursiveStr)) {
return null;
}
final boolean isRecursive = Boolean.parseBoolean(isRecursiveStr);
Predicate ret = new Predicate() {
@Override
public boolean evaluate(Object object) {
if (object == null) {
return false;
}
boolean ret = true;
if (object instanceof RangerPolicy) {
RangerPolicy policy = (RangerPolicy) object;
if (!MapUtils.isEmpty(policy.getResources())) {
for (Map.Entry<String, RangerPolicyResource> e : policy.getResources().entrySet()) {
RangerPolicyResource resValue = e.getValue();
if (resValue.getIsRecursive() == null) {
ret = !isRecursive;
} else {
ret = resValue.getIsRecursive().booleanValue() == isRecursive;
}
if (ret) {
break;
}
}
}
}
return ret;
}
};
if (predicates != null) {
predicates.add(ret);
}
return ret;
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerBaseModelObject(org.apache.ranger.plugin.model.RangerBaseModelObject)
HashMap(java.util.HashMap)
Map(java.util.Map)
Predicate(org.apache.commons.collections.Predicate)
Example 48 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyResourceSignature method test_RangerPolicyResourceView_toString.
@Test
public void test_RangerPolicyResourceView_toString() {
// null resource
RangerPolicyResource resource = null;
ResourceSerializer serializer = new ResourceSerializer(resource);
Assert.assertEquals("{}", serializer.toString());
// non-null policy resource with null values/recursive flag
resource = createPolicyResource(null, null, null);
serializer = new ResourceSerializer(resource);
Assert.assertEquals("{values=,excludes=false,recursive=false}", serializer.toString());
// valid values in non-asending order
resource = createPolicyResource(new String[] { "b", "a", "d", "c" }, true, false);
serializer = new ResourceSerializer(resource);
Assert.assertEquals("{values=[a, b, c, d],excludes=false,recursive=true}", serializer.toString());
// recursive flag is false and different variation of values to show lexicographic ordering
resource = createPolicyResource(new String[] { "9", "A", "e", "_" }, false, true);
serializer = new ResourceSerializer(resource);
Assert.assertEquals("{values=[9, A, _, e],excludes=true,recursive=false}", serializer.toString());
}
Also used :
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ResourceSerializer(org.apache.ranger.plugin.model.RangerPolicyResourceSignature.ResourceSerializer)
Test(org.junit.Test)
Example 49 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyValidator method testIsValid_failures.
@Test
public final void testIsValid_failures() throws Exception {
for (Action action : cu) {
// passing in a null policy should fail with appropriate failure reason
_policy = null;
checkFailure_isValid(action, "missing", "policy");
// policy must have a name on it
_policy = mock(RangerPolicy.class);
for (String name : new String[] { null, " " }) {
when(_policy.getName()).thenReturn(name);
when(_policy.getResources()).thenReturn(null);
checkFailure_isValid(action, "missing", "name");
}
// for update id is required!
if (action == Action.UPDATE) {
when(_policy.getId()).thenReturn(null);
checkFailure_isValid(action, "missing", "id");
}
}
/*
* Id is ignored for Create but name should not belong to an existing policy. For update, policy should exist for its id and should match its name.
*/
when(_policy.getName()).thenReturn("policy-name");
when(_policy.getService()).thenReturn("service-name");
RangerPolicy existingPolicy = mock(RangerPolicy.class);
when(existingPolicy.getId()).thenReturn(7L);
List<RangerPolicy> existingPolicies = new ArrayList<>();
existingPolicies.add(existingPolicy);
SearchFilter filter = new SearchFilter();
filter.setParam(SearchFilter.SERVICE_NAME, "service-name");
filter.setParam(SearchFilter.POLICY_NAME, "policy-name");
when(_store.getPolicies(filter)).thenReturn(existingPolicies);
checkFailure_isValid(Action.CREATE, "semantic", "policy name");
// update : does not exist for id
when(_policy.getId()).thenReturn(7L);
when(_store.getPolicy(7L)).thenReturn(null);
checkFailure_isValid(Action.UPDATE, "semantic", "id");
// Update: name should not point to an existing different policy, i.e. with a different id
when(_store.getPolicy(7L)).thenReturn(existingPolicy);
RangerPolicy anotherExistingPolicy = mock(RangerPolicy.class);
when(anotherExistingPolicy.getId()).thenReturn(8L);
existingPolicies.clear();
existingPolicies.add(anotherExistingPolicy);
when(_store.getPolicies(filter)).thenReturn(existingPolicies);
checkFailure_isValid(Action.UPDATE, "semantic", "id/name");
// more than one policies with same name is also an internal error
when(_policy.getName()).thenReturn("policy-name");
when(_store.getPolicies(filter)).thenReturn(existingPolicies);
existingPolicies.add(existingPolicy);
existingPolicy = mock(RangerPolicy.class);
existingPolicies.add(existingPolicy);
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, Action.UPDATE, isAdmin, _failures));
_utils.checkFailureForInternalError(_failures);
}
// policy must have service name on it and it should be valid
when(_policy.getName()).thenReturn("policy-name");
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
when(_policy.getService()).thenReturn("");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
}
}
// service name should be valid
when(_store.getServiceByName("service-name")).thenReturn(null);
when(_store.getServiceByName("another-service-name")).thenThrow(new Exception());
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
when(_policy.getService()).thenReturn("service-name");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "service name");
when(_policy.getService()).thenReturn("another-service-name");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "service name");
}
}
// policy must contain at least one policy item
List<RangerPolicyItem> policyItems = new ArrayList<>();
when(_policy.getService()).thenReturn("service-name");
RangerService service = mock(RangerService.class);
when(_store.getServiceByName("service-name")).thenReturn(service);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
// when it is null
when(_policy.getPolicyItems()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "policy items");
// or when it is not null but empty.
when(_policy.getPolicyItems()).thenReturn(policyItems);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "policy items");
}
}
// these are known good policy items -- same as used above in happypath
policyItems = _utils.createPolicyItems(policyItemsData);
when(_policy.getPolicyItems()).thenReturn(policyItems);
// policy item check requires that service def should exist
when(service.getType()).thenReturn("service-type");
when(_store.getServiceDefByName("service-type")).thenReturn(null);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForInternalError(_failures, "policy service def");
}
}
// service-def should contain the right access types on it.
_serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes_bad, "service-type");
when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "policy item access type");
}
}
// create the right service def with right resource defs - this is the same as in the happypath test above.
_serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes, "service-type");
when(_store.getPolicies(filter)).thenReturn(null);
List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
when(_serviceDef.getResources()).thenReturn(resourceDefs);
when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
// one mandatory is missing (tbl) and one unknown resource is specified (extra), and values of option resource don't conform to validation pattern (col)
Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
when(_policy.getResources()).thenReturn(policyResources);
// ensure thta policy is kosher when it comes to resource signature
RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
when(signature.getSignature()).thenReturn("hash-1");
// store does not have any policies for that signature hash
when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
// for spurious resource: "extra"
_utils.checkFailureForSemanticError(_failures, "resource-values", "col");
// for specifying it as true when def did not allow it
_utils.checkFailureForSemanticError(_failures, "isRecursive", "db");
// for specifying it as true when def did not allow it
_utils.checkFailureForSemanticError(_failures, "isExcludes", "col");
}
}
// Check if error around resource signature clash are reported. have Store return policies for same signature
when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(existingPolicies);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "policy resources");
}
}
}
Also used :
Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
SearchFilter(org.apache.ranger.plugin.util.SearchFilter)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
RangerService(org.apache.ranger.plugin.model.RangerService)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Test(org.junit.Test)
Example 50 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyValidator method test_isValidResourceNames_happyPath.
@Test
public final void test_isValidResourceNames_happyPath() {
String serviceName = "a-service-def";
// setup service-def
Date now = new Date();
when(_serviceDef.getName()).thenReturn(serviceName);
when(_serviceDef.getUpdateTime()).thenReturn(now);
List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData_multipleHierarchies);
when(_serviceDef.getResources()).thenReturn(resourceDefs);
// setup policy
Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_goodMultipleHierarchies);
when(_policy.getResources()).thenReturn(policyResources);
Assert.assertTrue(_validator.isValidResourceNames(_policy, _failures, _serviceDef));
}
Also used :
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
Date(java.util.Date)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Test(org.junit.Test)
Aggregations
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)62
HashMap (java.util.HashMap)38
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)36
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)28
ArrayList (java.util.ArrayList)27
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)25
Test (org.junit.Test)23
VXString (org.apache.ranger.view.VXString)17
Date (java.util.Date)12
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)11
RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)11
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)8
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)8
XXServiceDef (org.apache.ranger.entity.XXServiceDef)7
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)7
IOException (java.io.IOException)6
XXService (org.apache.ranger.entity.XXService)5
RangerService (org.apache.ranger.plugin.model.RangerService)5
RangerServiceResource (org.apache.ranger.plugin.model.RangerServiceResource)5
Map (java.util.Map)4
