Example 51 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyValidator method testIsValid_happyPath.
@Test
public final void testIsValid_happyPath() throws Exception {
// valid policy has valid non-empty name and service name
when(_policy.getService()).thenReturn("service-name");
// service name exists
RangerService service = mock(RangerService.class);
when(service.getType()).thenReturn("service-type");
when(_store.getServiceByName("service-name")).thenReturn(service);
// service points to a valid service-def
_serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
when(_serviceDef.getName()).thenReturn("service-type");
when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
// a matching policy should exist for create when checked by id and not exist when checked by name.
when(_store.getPolicy(7L)).thenReturn(null);
RangerPolicy existingPolicy = mock(RangerPolicy.class);
when(existingPolicy.getId()).thenReturn(8L);
when(existingPolicy.getService()).thenReturn("service-name");
when(_store.getPolicy(8L)).thenReturn(existingPolicy);
SearchFilter createFilter = new SearchFilter();
createFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
// this name would be used for create
createFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-1");
when(_store.getPolicies(createFilter)).thenReturn(new ArrayList<RangerPolicy>());
// a matching policy should not exist for update.
SearchFilter updateFilter = new SearchFilter();
updateFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
// this name would be used for update
updateFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-2");
List<RangerPolicy> existingPolicies = new ArrayList<>();
existingPolicies.add(existingPolicy);
when(_store.getPolicies(updateFilter)).thenReturn(existingPolicies);
// valid policy can have empty set of policy items if audit is turned on
// null value for audit is treated as audit on.
// for now we want to turn any resource related checking off
when(_policy.getResources()).thenReturn(null);
for (Action action : cu) {
for (Boolean auditEnabled : new Boolean[] { null, true }) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getIsAuditEnabled()).thenReturn(auditEnabled);
if (action == Action.CREATE) {
when(_policy.getId()).thenReturn(7L);
when(_policy.getName()).thenReturn("policy-name-1");
Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
Assert.assertTrue(_failures.isEmpty());
} else {
// update should work both when by-name is found or not, since nothing found by-name means name is being updated.
when(_policy.getId()).thenReturn(8L);
when(_policy.getName()).thenReturn("policy-name-1");
Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
Assert.assertTrue(_failures.isEmpty());
when(_policy.getName()).thenReturn("policy-name-2");
Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
Assert.assertTrue(_failures.isEmpty());
}
}
}
}
// if audit is disabled then policy should have policy items and all of them should be valid
List<RangerPolicyItem> policyItems = _utils.createPolicyItems(policyItemsData);
when(_policy.getPolicyItems()).thenReturn(policyItems);
when(_policy.getIsAuditEnabled()).thenReturn(false);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
if (action == Action.CREATE) {
when(_policy.getId()).thenReturn(7L);
when(_policy.getName()).thenReturn("policy-name-1");
} else {
when(_policy.getId()).thenReturn(8L);
when(_policy.getName()).thenReturn("policy-name-2");
}
Assert.assertTrue("" + action, _validator.isValid(_policy, action, isAdmin, _failures));
Assert.assertTrue(_failures.isEmpty());
}
}
// above succeeded as service def did not have any resources on it, mandatory or otherwise.
// policy should have all mandatory resources specified, and they should conform to the validation pattern in resource definition
List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
when(_serviceDef.getResources()).thenReturn(resourceDefs);
Map<String, RangerPolicyResource> resourceMap = _utils.createPolicyResourceMap(policyResourceMap_good);
when(_policy.getResources()).thenReturn(resourceMap);
// let's add some other policies in the store for this service that have a different signature
// setup the signatures on the policies
RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
// setup the store to indicate that no other policy exists with matching signature
when(policySignature.getSignature()).thenReturn("hash-1");
when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
// we are reusing the same policies collection here -- which is fine
for (Action action : cu) {
if (action == Action.CREATE) {
when(_policy.getId()).thenReturn(7L);
when(_policy.getName()).thenReturn("policy-name-1");
} else {
when(_policy.getId()).thenReturn(8L);
when(_policy.getName()).thenReturn("policy-name-2");
}
// since policy resource has excludes admin privilages would be required
Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
Assert.assertTrue(_failures.isEmpty());
}
}
Also used :
Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
SearchFilter(org.apache.ranger.plugin.util.SearchFilter)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
RangerService(org.apache.ranger.plugin.model.RangerService)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Test(org.junit.Test)
Example 52 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerPolicyValidator method isValidResourceValues.
boolean isValidResourceValues(Map<String, RangerPolicyResource> resourceMap, List<ValidationFailureDetails> failures, RangerServiceDef serviceDef) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("==> RangerPolicyValidator.isValidResourceValues(%s, %s, %s)", resourceMap, failures, serviceDef));
}
boolean valid = true;
Map<String, String> validationRegExMap = getValidationRegExes(serviceDef);
for (Map.Entry<String, RangerPolicyResource> entry : resourceMap.entrySet()) {
String name = entry.getKey();
RangerPolicyResource policyResource = entry.getValue();
if (policyResource != null) {
if (CollectionUtils.isNotEmpty(policyResource.getValues())) {
Set<String> resources = new HashSet<>(policyResource.getValues());
for (String aValue : resources) {
if (StringUtils.isBlank(aValue)) {
policyResource.getValues().remove(aValue);
}
}
}
if (CollectionUtils.isEmpty(policyResource.getValues())) {
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST;
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("Resource list was empty or contains null: value[%s], resource-name[%s], service-def-name[%s]", policyResource.getValues(), name, serviceDef.getName()));
}
failures.add(new ValidationFailureDetailsBuilder().field("resource-values").subField(name).isMissing().becauseOf(error.getMessage(name)).errorCode(error.getErrorCode()).build());
valid = false;
}
if (validationRegExMap.containsKey(name) && CollectionUtils.isNotEmpty(policyResource.getValues())) {
String regEx = validationRegExMap.get(name);
for (String aValue : policyResource.getValues()) {
if (!aValue.matches(regEx)) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("Resource failed regex check: value[%s], resource-name[%s], regEx[%s], service-def-name[%s]", aValue, name, regEx, serviceDef.getName()));
}
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_RESOURCE_VALUE_REGEX;
failures.add(new ValidationFailureDetailsBuilder().field("resource-values").subField(name).isSemanticallyIncorrect().becauseOf(error.getMessage(aValue, name)).errorCode(error.getErrorCode()).build());
valid = false;
}
}
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceValues(%s, %s, %s): %s", resourceMap, failures, serviceDef, valid));
}
return valid;
}
Also used :
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)
Example 53 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerPolicyValidator method isValidResourceFlags.
boolean isValidResourceFlags(final Map<String, RangerPolicyResource> inputPolicyResources, final List<ValidationFailureDetails> failures, final List<RangerResourceDef> resourceDefs, final String serviceDefName, final String policyName, boolean isAdmin) {
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("==> RangerPolicyValidator.isValidResourceFlags(%s, %s, %s, %s, %s, %s)", inputPolicyResources, failures, resourceDefs, serviceDefName, policyName, isAdmin));
}
boolean valid = true;
if (resourceDefs == null) {
LOG.debug("isValidResourceFlags: service Def is null");
} else {
Map<String, RangerPolicyResource> policyResources = getPolicyResourceWithLowerCaseKeys(inputPolicyResources);
for (RangerResourceDef resourceDef : resourceDefs) {
if (resourceDef == null) {
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_RESOURCE_DEF;
failures.add(new ValidationFailureDetailsBuilder().field("resource-def").isAnInternalError().becauseOf(error.getMessage(serviceDefName)).errorCode(error.getErrorCode()).build());
valid = false;
} else if (StringUtils.isBlank(resourceDef.getName())) {
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_DEF_NAME;
failures.add(new ValidationFailureDetailsBuilder().field("resource-def-name").isAnInternalError().becauseOf(error.getMessage(serviceDefName)).errorCode(error.getErrorCode()).build());
valid = false;
} else {
String resourceName = resourceDef.getName().toLowerCase();
RangerPolicyResource policyResource = policyResources.get(resourceName);
if (policyResource == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("a policy-resource object for resource[" + resourceName + "] on policy [" + policyName + "] was null");
}
} else {
// could be null
boolean excludesSupported = Boolean.TRUE.equals(resourceDef.getExcludesSupported());
// could be null
boolean policyResourceIsExcludes = Boolean.TRUE.equals(policyResource.getIsExcludes());
if (policyResourceIsExcludes && !excludesSupported) {
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_EXCLUDES_NOT_SUPPORTED;
failures.add(new ValidationFailureDetailsBuilder().field("isExcludes").subField(resourceName).isSemanticallyIncorrect().becauseOf(error.getMessage(resourceName)).errorCode(error.getErrorCode()).build());
valid = false;
}
if (policyResourceIsExcludes && !isAdmin) {
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_EXCLUDES_REQUIRES_ADMIN;
failures.add(new ValidationFailureDetailsBuilder().field("isExcludes").subField("isAdmin").isSemanticallyIncorrect().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
valid = false;
}
boolean recursiveSupported = Boolean.TRUE.equals(resourceDef.getRecursiveSupported());
boolean policyIsRecursive = Boolean.TRUE.equals(policyResource.getIsRecursive());
if (policyIsRecursive && !recursiveSupported) {
ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_RECURSIVE_NOT_SUPPORTED;
failures.add(new ValidationFailureDetailsBuilder().field("isRecursive").subField(resourceName).isSemanticallyIncorrect().becauseOf(error.getMessage(resourceName)).errorCode(error.getErrorCode()).build());
valid = false;
}
}
}
}
}
if (LOG.isDebugEnabled()) {
LOG.debug(String.format("<== RangerPolicyValidator.isValidResourceFlags(%s, %s, %s, %s, %s, %s): %s", inputPolicyResources, failures, resourceDefs, serviceDefName, policyName, isAdmin, valid));
}
return valid;
}
Also used :
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ValidationErrorCode(org.apache.ranger.plugin.errors.ValidationErrorCode)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Example 54 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyService method rangerPolicy.
private RangerPolicy rangerPolicy() {
List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
List<String> users = new ArrayList<String>();
List<String> groups = new ArrayList<String>();
List<RangerPolicyItemCondition> conditions = new ArrayList<RangerPolicyItemCondition>();
List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
RangerPolicyItem rangerPolicyItem = new RangerPolicyItem();
rangerPolicyItem.setAccesses(accesses);
rangerPolicyItem.setConditions(conditions);
rangerPolicyItem.setGroups(groups);
rangerPolicyItem.setUsers(users);
rangerPolicyItem.setDelegateAdmin(false);
policyItems.add(rangerPolicyItem);
Map<String, RangerPolicyResource> policyResource = new HashMap<String, RangerPolicyResource>();
RangerPolicyResource rangerPolicyResource = new RangerPolicyResource();
rangerPolicyResource.setIsExcludes(true);
rangerPolicyResource.setIsRecursive(true);
rangerPolicyResource.setValue("1");
rangerPolicyResource.setValues(users);
RangerPolicy policy = new RangerPolicy();
policy.setId(Id);
policy.setCreateTime(new Date());
policy.setDescription("policy");
policy.setGuid("policyguid");
policy.setIsEnabled(true);
policy.setName("HDFS_1-1-20150316062453");
policy.setUpdatedBy("Admin");
policy.setUpdateTime(new Date());
policy.setService("HDFS_1-1-20150316062453");
policy.setIsAuditEnabled(true);
policy.setPolicyItems(policyItems);
policy.setResources(policyResource);
return policy;
}
Also used :
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Date(java.util.Date)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
Example 55 with RangerPolicyResource
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyServiceBase method rangerPolicy.
private RangerPolicy rangerPolicy() {
List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
List<String> users = new ArrayList<String>();
List<String> groups = new ArrayList<String>();
List<RangerPolicyItemCondition> conditions = new ArrayList<RangerPolicyItemCondition>();
List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
RangerPolicyItem rangerPolicyItem = new RangerPolicyItem();
rangerPolicyItem.setAccesses(accesses);
rangerPolicyItem.setConditions(conditions);
rangerPolicyItem.setGroups(groups);
rangerPolicyItem.setUsers(users);
rangerPolicyItem.setDelegateAdmin(false);
policyItems.add(rangerPolicyItem);
Map<String, RangerPolicyResource> policyResource = new HashMap<String, RangerPolicyResource>();
RangerPolicyResource rangerPolicyResource = new RangerPolicyResource();
rangerPolicyResource.setIsExcludes(true);
rangerPolicyResource.setIsRecursive(true);
rangerPolicyResource.setValue("1");
rangerPolicyResource.setValues(users);
RangerPolicy policy = new RangerPolicy();
policy.setId(Id);
policy.setCreateTime(new Date());
policy.setDescription("policy");
policy.setGuid("policyguid");
policy.setIsEnabled(true);
policy.setName("HDFS_1-1-20150316062453");
policy.setUpdatedBy("Admin");
policy.setUpdateTime(new Date());
policy.setService("HDFS_1-1-20150316062453");
policy.setIsAuditEnabled(true);
policy.setPolicyItems(policyItems);
policy.setResources(policyResource);
return policy;
}
Also used :
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Date(java.util.Date)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
Aggregations
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)62
HashMap (java.util.HashMap)38
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)36
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)28
ArrayList (java.util.ArrayList)27
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)25
Test (org.junit.Test)23
VXString (org.apache.ranger.view.VXString)17
Date (java.util.Date)12
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)11
RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)11
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)8
ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)8
XXServiceDef (org.apache.ranger.entity.XXServiceDef)7
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)7
IOException (java.io.IOException)6
XXService (org.apache.ranger.entity.XXService)5
RangerService (org.apache.ranger.plugin.model.RangerService)5
RangerServiceResource (org.apache.ranger.plugin.model.RangerServiceResource)5
Map (java.util.Map)4
