use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class AbstractPredicateUtil method addPredicateForIsRecursive.
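/**
 * Builds a search filter that keeps policies having at least one resource whose recursive flag
 * equals the requested value, and optionally registers the filter in {@code predicates}.
 *
 * <p>The filter is permissive by construction: objects that are not a {@link RangerPolicy}, and
 * policies with no resources at all, pass it. Callers that rely on it to hide policies should
 * keep that in mind.
 *
 * @param isRecursiveStr requested flag as text; parsed with {@link Boolean#parseBoolean(String)},
 *                       so anything other than "true" (ignoring case) means {@code false}
 * @param predicates     list the new predicate is appended to; may be {@code null}
 * @return the predicate, or {@code null} when {@code isRecursiveStr} is empty
 */
private Predicate addPredicateForIsRecursive(final String isRecursiveStr, List<Predicate> predicates) {
    if (StringUtils.isEmpty(isRecursiveStr)) {
        return null;
    }

    final boolean isRecursive = Boolean.parseBoolean(isRecursiveStr);

    Predicate ret = new Predicate() {
        @Override
        public boolean evaluate(Object object) {
            if (object == null) {
                return false;
            }

            // Anything that is not a policy is outside this filter's scope and is let through.
            if (!(object instanceof RangerPolicy)) {
                return true;
            }

            // Read the map once so the emptiness check and the iteration see the same instance.
            Map<String, RangerPolicyResource> resources = ((RangerPolicy) object).getResources();
            if (MapUtils.isEmpty(resources)) {
                return true;
            }

            for (RangerPolicyResource resource : resources.values()) {
                // A null map value used to raise a NullPointerException here; it is now handled
                // like a resource with no flag set, i.e. as "not recursive".
                Boolean flag = resource == null ? null : resource.getIsRecursive();
                boolean resourceIsRecursive = flag != null && flag.booleanValue();

                if (resourceIsRecursive == isRecursive) {
                    return true;
                }
            }

            return false;
        }
    };

    if (predicates != null) {
        predicates.add(ret);
    }

    return ret;
}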
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class AbstractPredicateUtil method addPredicateForPolicyResource.
/**
 * Builds a search filter that keeps policies with at least one resource value containing
 * {@code resourceValue} (case-insensitive substring match), and optionally registers the filter
 * in {@code predicates}.
 *
 * <p>Objects that are not a {@link RangerPolicy} pass the filter; a policy with no resources,
 * or with no matching value, is rejected.
 *
 * @param resourceValue text to look for inside the policy's resource values
 * @param predicates    list the new predicate is appended to; may be {@code null}
 * @return the predicate, or {@code null} when {@code resourceValue} is empty
 */
private Predicate addPredicateForPolicyResource(final String resourceValue, List<Predicate> predicates) {
    if (StringUtils.isEmpty(resourceValue)) {
        return null;
    }

    Predicate ret = new Predicate() {
        @Override
        public boolean evaluate(Object object) {
            if (object == null) {
                return false;
            }

            // Only policies are inspected; every other object type is let through.
            if (!(object instanceof RangerPolicy)) {
                return true;
            }

            Map<String, RangerPolicyResource> resources = ((RangerPolicy) object).getResources();
            if (MapUtils.isEmpty(resources)) {
                return false;
            }

            for (RangerPolicyResource resource : resources.values()) {
                if (resource == null || CollectionUtils.isEmpty(resource.getValues())) {
                    continue;
                }

                for (String candidate : resource.getValues()) {
                    // Substring match, not equality: "db" also matches "mydb_prod".
                    if (StringUtils.containsIgnoreCase(candidate, resourceValue)) {
                        return true;
                    }
                }
            }

            return false;
        }
    };

    if (predicates != null) {
        predicates.add(ret);
    }

    return ret;
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class AtlasStormResourceMapper method buildResource.
/**
 * Maps an Atlas entity to a Ranger service resource describing a Storm topology.
 *
 * <p>The topology and cluster names are both derived from the entity's qualified-name
 * attribute; when that attribute carries no cluster name, {@code defaultClusterName} is used.
 * The resulting resource is always created as recursive and non-excluding.
 *
 * @param entity Atlas entity to map; its attribute map is read without a null check
 * @return a resource keyed by {@code RANGER_TYPE_STORM_TOPOLOGY} for the resolved Ranger service
 * @throws Exception presumably raised by {@code throwExceptionWithMessage} when the topology or
 *                   the cluster name cannot be resolved (helper not shown here)
 */
@Override
public RangerServiceResource buildResource(final RangerAtlasEntity entity) throws Exception {
    final String entityQualifiedName =
            (String) entity.getAttributes().get(AtlasResourceMapper.ENTITY_ATTRIBUTE_QUALIFIED_NAME);

    final String topologyName = getResourceNameFromQualifiedName(entityQualifiedName);
    if (StringUtils.isEmpty(topologyName)) {
        throwExceptionWithMessage("topology not found in attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "'");
    }

    String cluster = getClusterNameFromQualifiedName(entityQualifiedName);
    if (StringUtils.isEmpty(cluster)) {
        // Fall back to the configured default before giving up.
        cluster = defaultClusterName;

        if (StringUtils.isEmpty(cluster)) {
            // NOTE(review): the message names the qualified-name attribute although the value
            // that is missing at this point is the cluster name.
            throwExceptionWithMessage("attribute '" + ENTITY_ATTRIBUTE_QUALIFIED_NAME + "' not found in entity");
        }
    }

    // isExcludes = FALSE, isRecursive = TRUE: the topology resource is created recursive and non-excluding.
    final Map<String, RangerPolicyResource> resourceElements = new HashMap<>();
    resourceElements.put(RANGER_TYPE_STORM_TOPOLOGY, new RangerPolicyResource(topologyName, Boolean.FALSE, Boolean.TRUE));

    return new RangerServiceResource(entity.getGuid(), getRangerServiceName(cluster), resourceElements);
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyValidator method test_isValidResourceNames_happyPath.
/**
 * A policy whose resource names come from the "good, multiple hierarchies" fixture must be
 * accepted by {@code isValidResourceNames} against a service-def built from the
 * "multiple hierarchies" resource-def fixture.
 */
@Test
public final void test_isValidResourceNames_happyPath() {
    // Build both fixtures up front; the helpers are called outside any when(...) stubbing.
    final List<RangerResourceDef> hierarchyDefs = _utils.createResourceDefs(resourceDefData_multipleHierarchies);
    final Map<String, RangerPolicyResource> goodResources =
            _utils.createPolicyResourceMap(policyResourceMap_goodMultipleHierarchies);

    // service-def: name, update time and resource definitions
    final String serviceDefName = "a-service-def";
    final Date updatedAt = new Date();
    when(_serviceDef.getName()).thenReturn(serviceDefName);
    when(_serviceDef.getUpdateTime()).thenReturn(updatedAt);
    when(_serviceDef.getResources()).thenReturn(hierarchyDefs);

    // policy: resources that fit the hierarchies above
    when(_policy.getResources()).thenReturn(goodResources);

    final boolean accepted = _validator.isValidResourceNames(_policy, _failures, _serviceDef);
    Assert.assertTrue(accepted);
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyValidator method testIsValid_happyPath.
/**
 * Happy-path check of {@code _validator.isValid(policy, action, isAdmin, failures)}.
 *
 * <p>The test runs in three phases; in each one {@code isValid} must return {@code true} and
 * {@code _failures} must stay empty:
 * <ol>
 *   <li>audit flag {@code null} or {@code true}, policy resources stubbed to {@code null}:
 *       every action in {@code cu}, with and without admin rights;</li>
 *   <li>audit flag {@code false} with policy items supplied, resources still {@code null}:
 *       every action in {@code cu}, with and without admin rights;</li>
 *   <li>service-def with resource definitions, policy with a matching resource map and no
 *       other policy sharing its resource signature: every action in {@code cu}, admin only.</li>
 * </ol>
 *
 * <p>{@code cu} and {@code _zoneId} are declared elsewhere in the test class; {@code cu}
 * presumably holds the create and update actions.
 *
 * <p>NOTE(review): phase 3 only passes {@code isAdmin = true}. The outcome for a non-admin
 * caller on a policy with these resources is not asserted in this method.
 *
 * <p>The stubbing order matters: later {@code when(...)} calls deliberately override earlier
 * ones on the same mock.
 */
@Test
public final void testIsValid_happyPath() throws Exception {
    // valid policy has valid non-empty name and service name
    when(_policy.getService()).thenReturn("service-name");
    // service name exists
    RangerService service = mock(RangerService.class);
    when(service.getType()).thenReturn("service-type");
    when(service.getId()).thenReturn(2L);
    when(_store.getServiceByName("service-name")).thenReturn(service);
    // service points to a valid service-def
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
    when(_serviceDef.getName()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // For create: no policy may exist under the new id (7), and none under the new name.
    when(_store.getPolicy(7L)).thenReturn(null);
    // For update: the policy being updated (id 8) already exists in the store for this service.
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(8L);
    when(existingPolicy.getService()).thenReturn("service-name");
    when(_store.getPolicy(8L)).thenReturn(existingPolicy);
    // valid policy can have empty set of policy items if audit is turned on
    // null value for audit is treated as audit on.
    // for now we want to turn any resource related checking off
    when(_policy.getResources()).thenReturn(null);
    // Phase 1: audit on (null or true), no resources, both admin and non-admin callers.
    for (Action action : cu) {
        for (Boolean auditEnabled : new Boolean[] { null, true }) {
            for (boolean isAdmin : new boolean[] { true, false }) {
                when(_policy.getIsAuditEnabled()).thenReturn(auditEnabled);
                if (action == Action.CREATE) {
                    when(_policy.getId()).thenReturn(7L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    // no policy with this name exists yet in the service/zone
                    when(_store.getPolicyId(service.getId(), _policy.getName(), _zoneId)).thenReturn(null);
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                } else {
                    // update should work both when by-name is found or not, since nothing found by-name means name is being updated.
                    when(_policy.getId()).thenReturn(8L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                    // second pass: the name changes to one the store does not know by name
                    when(_policy.getName()).thenReturn("policy-name-2");
                    when(_store.getPolicyId(service.getId(), _policy.getName(), _zoneId)).thenReturn(null);
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                }
            }
        }
    }
    // Phase 2:
    // if audit is disabled then policy should have policy items and all of them should be valid
    List<RangerPolicyItem> policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    when(_policy.getIsAuditEnabled()).thenReturn(false);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            if (action == Action.CREATE) {
                when(_policy.getId()).thenReturn(7L);
                when(_policy.getName()).thenReturn("policy-name-1");
            } else {
                when(_policy.getId()).thenReturn(8L);
                when(_policy.getName()).thenReturn("policy-name-2");
            }
            Assert.assertTrue("" + action, _validator.isValid(_policy, action, isAdmin, _failures));
            Assert.assertTrue(_failures.isEmpty());
        }
    }
    // Phase 3:
    // above succeeded as service def did not have any resources on it, mandatory or otherwise.
    // policy should have all mandatory resources specified, and they should conform to the validation pattern in resource definition
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    Map<String, RangerPolicyResource> resourceMap = _utils.createPolicyResourceMap(policyResourceMap_good);
    when(_policy.getResources()).thenReturn(resourceMap);
    // let's add some other policies in the store for this service that have a different signature
    // setup the signatures on the policies
    RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
    // setup the store to indicate that no other policy exists with matching signature
    when(policySignature.getSignature()).thenReturn("hash-1");
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    // we are reusing the same policies collection here -- which is fine
    for (Action action : cu) {
        if (action == Action.CREATE) {
            when(_policy.getId()).thenReturn(7L);
            when(_policy.getName()).thenReturn("policy-name-1");
        } else {
            when(_policy.getId()).thenReturn(8L);
            when(_policy.getName()).thenReturn("policy-name-2");
        }
        // since the policy resource has excludes, admin privileges would be required;
        // isAdmin is therefore fixed to true here and the non-admin case is not exercised.
        Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
        Assert.assertTrue(_failures.isEmpty());
    }
}