use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyValidator method testIsValid_failures.
/**
 * Negative-path coverage for RangerPolicyValidator.isValid().
 *
 * Each section below stubs the mocked policy/store so that exactly one validation rule
 * trips, then asserts via checkFailure_isValid / _utils.checkFailureFor* that the
 * failure is reported with the expected category ("missing", "semantic", "internal")
 * and field name. Where the validator takes an {@code isAdmin} flag the section loops
 * over both true and false, i.e. none of these rejections can be bypassed by an admin
 * caller. {@code cu} is presumably the {CREATE, UPDATE} action set (only those two
 * actions appear below).
 */
@Test
public final void testIsValid_failures() throws Exception {
for (Action action : cu) {
// passing in a null policy should fail with appropriate failure reason
_policy = null;
checkFailure_isValid(action, "missing", "policy");
// policy must have a name on it
_policy = mock(RangerPolicy.class);
// both null and a whitespace-only name count as missing
for (String name : new String[] { null, " " }) {
when(_policy.getName()).thenReturn(name);
when(_policy.getResources()).thenReturn(null);
checkFailure_isValid(action, "missing", "name");
}
// for update id is required!
if (action == Action.UPDATE) {
when(_policy.getId()).thenReturn(null);
checkFailure_isValid(action, "missing", "id");
}
}
RangerService service = mock(RangerService.class);
/*
 * Id is ignored for Create but name should not belong to an existing policy. For update, policy should exist for its id and should match its name.
 * Uniqueness is looked up per service id and per zone (_zoneId) via _store.getPolicyId(...).
 */
when(_policy.getName()).thenReturn("policy-name");
when(_policy.getService()).thenReturn("service-name");
when(_store.getServiceByName("service-name")).thenReturn(service);
when(service.getId()).thenReturn(2L);
RangerPolicy existingPolicy = mock(RangerPolicy.class);
when(existingPolicy.getId()).thenReturn(7L);
when(existingPolicy.getService()).thenReturn("service-name");
List<RangerPolicy> existingPolicies = new ArrayList<>();
// create: a policy with this name already exists (id 7) in the same service/zone
when(_store.getPolicyId(service.getId(), "policy-name", _zoneId)).thenReturn(7L);
checkFailure_isValid(Action.CREATE, "semantic", "policy name");
// update : does not exist for id
when(_policy.getId()).thenReturn(7L);
when(_store.getPolicy(7L)).thenReturn(null);
checkFailure_isValid(Action.UPDATE, "semantic", "id");
// Update: name should not point to an existing different policy, i.e. with a different id
when(_store.getPolicy(7L)).thenReturn(existingPolicy);
RangerPolicy anotherExistingPolicy = mock(RangerPolicy.class);
when(anotherExistingPolicy.getId()).thenReturn(8L);
when(anotherExistingPolicy.getService()).thenReturn("service-name");
// existingPolicies is reused at the very end as the resource-signature clash fixture
existingPolicies.add(anotherExistingPolicy);
when(_store.getPolicyId(service.getId(), "policy-name", _zoneId)).thenReturn(8L);
checkFailure_isValid(Action.UPDATE, "semantic", "id/name");
// policy must have service name on it and it should be valid
when(_policy.getName()).thenReturn("policy-name");
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
when(_policy.getService()).thenReturn("");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
}
}
// service name should be valid
// "service-name" -> store returns no service; "another-service-name" -> store lookup throws.
// Both are expected to surface as a *semantic* failure on "service name" (see the two
// assertions at the bottom of the loop), i.e. a store exception is not propagated to the caller.
when(_store.getServiceByName("service-name")).thenReturn(null);
when(_store.getServiceByName("another-service-name")).thenThrow(new Exception());
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
// NOTE(review): this repeats the null stub immediately above; the parallel loop earlier
// in this test uses "" for its second case, so "" was presumably intended here.
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
when(_policy.getService()).thenReturn("service-name");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "service name");
when(_policy.getService()).thenReturn("another-service-name");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "service name");
}
}
// policy must contain at least one policy item
List<RangerPolicyItem> policyItems = new ArrayList<>();
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
// when it is null
when(_policy.getPolicyItems()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "policy items");
// or when it is not null but empty.
when(_policy.getPolicyItems()).thenReturn(policyItems);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "policy items");
}
}
// these are known good policy items -- same as used above in happypath
policyItems = _utils.createPolicyItems(policyItemsData);
when(_policy.getPolicyItems()).thenReturn(policyItems);
// policy item check requires that service def should exist
// (a missing service def is reported as an *internal* error, not a user-facing semantic one)
when(service.getType()).thenReturn("service-type");
when(_store.getServiceDefByName("service-type")).thenReturn(null);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getService()).thenReturn("service-name");
when(_store.getServiceByName("service-name")).thenReturn(service);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForInternalError(_failures, "policy service def");
}
}
// service-def should contain the right access types on it.
_serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes_bad, "service-type");
when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "policy item access type");
}
}
// create the right service def with right resource defs - this is the same as in the happypath test above.
_serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes, "service-type");
// clear the name clash set up earlier so only resource problems are reported from here on
when(_store.getPolicyId(service.getId(), "policy-name", _zoneId)).thenReturn(null);
List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
when(_serviceDef.getResources()).thenReturn(resourceDefs);
when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
// one mandatory is missing (tbl) and one unknown resource is specified (extra), and values of option resource don't conform to validation pattern (col)
Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
when(_policy.getResources()).thenReturn(policyResources);
// ensure that policy is kosher when it comes to resource signature
RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
when(signature.getSignature()).thenReturn("hash-1");
// store does not have any policies for that signature hash
when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
// values of "col" do not match the resource def's validation pattern
// (the missing "tbl" / spurious "extra" cases from the comment above are not asserted here)
_utils.checkFailureForSemanticError(_failures, "resource-values", "col");
// for specifying it as true when def did not allow it
_utils.checkFailureForSemanticError(_failures, "isRecursive", "db");
// for specifying it as true when def did not allow it
_utils.checkFailureForSemanticError(_failures, "isExcludes", "col");
}
}
// Check if error around resource signature clash are reported. have Store return policies for same signature
// (another policy covering the same resources must be rejected rather than silently duplicated)
when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(existingPolicies);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "policy resources");
}
}
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyResourceSignature method test_RangerPolicyResourceView_toString.
/**
 * ResourceSerializer must render a policy resource canonically: values sorted
 * lexicographically, flags printed as literal booleans, a null resource as "{}" and
 * null values/flags collapsed to defaults. The enclosing test class targets
 * RangerPolicyResourceSignature, so this rendering presumably feeds the signature
 * hash, which is why a stable, order-independent form matters.
 *
 * Argument order of createPolicyResource is taken to be (values, recursive, excludes),
 * inferred from the expected strings below.
 */
@Test
public void test_RangerPolicyResourceView_toString() {
    // A null resource serializes to an empty object.
    RangerPolicyResource absent = null;
    Assert.assertEquals("{}", new ResourceSerializer(absent).toString());

    // Null values and null flags collapse to an empty value list and false flags.
    RangerPolicyResource noValues = createPolicyResource(null, null, null);
    Assert.assertEquals("{values=,excludes=false,recursive=false}", new ResourceSerializer(noValues).toString());

    // Unsorted input comes out in ascending order; recursive=true, excludes=false.
    RangerPolicyResource unsorted = createPolicyResource(new String[] { "b", "a", "d", "c" }, true, false);
    Assert.assertEquals("{values=[a, b, c, d],excludes=false,recursive=true}", new ResourceSerializer(unsorted).toString());

    // Ordering is plain lexicographic (digit < upper-case < '_' < lower-case); excludes=true, recursive=false.
    RangerPolicyResource mixedCase = createPolicyResource(new String[] { "9", "A", "e", "_" }, false, true);
    Assert.assertEquals("{values=[9, A, _, e],excludes=true,recursive=false}", new ResourceSerializer(mixedCase).toString());
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class ServiceDBStore method writeBookForPolicyItems.
/**
 * Writes one export row describing a single policy item of {@code policy}.
 *
 * Exactly one of {@code policyItem}, {@code dataMaskPolicyItem} and
 * {@code rowFilterPolicyItem} is expected to be non-null; it decides whose
 * roles/groups/users/accesses/conditions are emitted and whether the masking
 * column (18) or the row-filter column (19) is filled in.
 *
 * Column layout, by createCell index:
 *   0 id, 1 name, 2 resources, 3 roles, 4 groups, 5 users, 6 access types,
 *   7 service type, 8 Enabled/Disabled, 9 policy type, 10 delegate admin,
 *   11 per-resource isRecursive, 12 per-resource isExcludes, 13 service name,
 *   14 description, 15 audit enabled, 16 condition (type=values),
 *   17 policy condition type, 18 masking info, 19 row filter expr, 20 labels.
 *
 * NOTE(review): cells 3..7 and cell 8 are only created inside the
 * {@code resources != null} branch. When resources is null, {@code cell} still
 * refers to cell 2 when the status is written further down, so "Enabled"/"Disabled"
 * overwrites the resources column instead of landing in column 8.
 *
 * NOTE(review): every value goes in via setCellValue(String), presumably as a
 * text cell rather than a formula. If this export is ever also produced as CSV,
 * the user-controlled fields (name, description, users/groups/roles, labels,
 * mask/filter expressions) would need formula-injection escaping for leading
 * '=', '+', '-', '@' -- confirm how the workbook is consumed downstream.
 *
 * @param policy              policy the row describes
 * @param policyItem          access policy item, or null
 * @param dataMaskPolicyItem  data-mask policy item, or null
 * @param rowFilterPolicyItem row-filter policy item, or null
 * @param row                 workbook row to populate
 * @param policyConditionType explicit label for column 17, or null (then derived below)
 */
private void writeBookForPolicyItems(RangerPolicy policy, RangerPolicyItem policyItem, RangerDataMaskPolicyItem dataMaskPolicyItem, RangerRowFilterPolicyItem rowFilterPolicyItem, Row row, String policyConditionType) {
if (LOG.isDebugEnabled()) {
// To avoid PMD violation
LOG.debug("policyConditionType:[" + policyConditionType + "]");
}
List<String> groups = new ArrayList<String>();
List<String> users = new ArrayList<String>();
List<String> roles = new ArrayList<String>();
String roleNames = "";
String groupNames = "";
String policyConditionTypeValue = "";
String userNames = "";
String policyLabelNames = "";
String accessType = "";
String policyStatus = "";
String policyType = "";
Boolean delegateAdmin = false;
String isRecursive = "";
String isExcludes = "";
String serviceName = "";
String description = "";
Boolean isAuditEnabled = true;
// NOTE(review): if the model allows a null audit flag this NPEs at the toString() for column 15 below.
isAuditEnabled = policy.getIsAuditEnabled();
String isExcludesValue = "";
Cell cell = row.createCell(0);
cell.setCellValue(policy.getId());
List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
List<RangerPolicyItemCondition> conditionsList = new ArrayList<RangerPolicyItemCondition>();
String conditionKeyValue = "";
List<String> policyLabels = new ArrayList<String>();
String resValue = "";
String resourceKeyVal = "";
String isRecursiveValue = "";
String resKey = "";
StringBuffer sb = new StringBuffer();
StringBuffer sbIsRecursive = new StringBuffer();
StringBuffer sbIsExcludes = new StringBuffer();
Map<String, RangerPolicyResource> resources = policy.getResources();
RangerPolicy.RangerPolicyItemDataMaskInfo dataMaskInfo = new RangerPolicy.RangerPolicyItemDataMaskInfo();
RangerPolicy.RangerPolicyItemRowFilterInfo filterInfo = new RangerPolicy.RangerPolicyItemRowFilterInfo();
cell = row.createCell(1);
cell.setCellValue(policy.getName());
cell = row.createCell(2);
if (resources != null) {
for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
resKey = resource.getKey();
RangerPolicyResource policyResource = resource.getValue();
List<String> resvalueList = policyResource.getValues();
// NOTE(review): getIsExcludes()/getIsRecursive()/getValues() are dereferenced without a null check.
isExcludes = policyResource.getIsExcludes().toString();
isRecursive = policyResource.getIsRecursive().toString();
resValue = resvalueList.toString();
// resourceKeyVal is still "" inside this loop (it is only assigned after it), so that append is a
// no-op; each entry is prefixed with "; " and the leading ';' is dropped by substring(1) below.
sb = sb.append(resourceKeyVal).append("; ").append(resKey).append("=").append(resValue);
sbIsExcludes = sbIsExcludes.append(resourceKeyVal).append("; ").append(resKey).append("=[").append(isExcludes).append("]");
sbIsRecursive = sbIsRecursive.append(resourceKeyVal).append("; ").append(resKey).append("=[").append(isRecursive).append("]");
}
isExcludesValue = sbIsExcludes.toString();
// NOTE(review): substring(1) throws StringIndexOutOfBoundsException when the resources map is
// non-null but empty (the buffers are ""); guard the three substrings with a length/isEmpty check.
isExcludesValue = isExcludesValue.substring(1);
isRecursiveValue = sbIsRecursive.toString();
isRecursiveValue = isRecursiveValue.substring(1);
resourceKeyVal = sb.toString();
resourceKeyVal = resourceKeyVal.substring(1);
cell.setCellValue(resourceKeyVal);
// Pick the one non-null item; if more than one is non-null none of the branches runs and the
// role/group/user/access columns stay empty.
if (policyItem != null && dataMaskPolicyItem == null && rowFilterPolicyItem == null) {
roles = policyItem.getRoles();
groups = policyItem.getGroups();
users = policyItem.getUsers();
accesses = policyItem.getAccesses();
delegateAdmin = policyItem.getDelegateAdmin();
conditionsList = policyItem.getConditions();
} else if (dataMaskPolicyItem != null && policyItem == null && rowFilterPolicyItem == null) {
roles = dataMaskPolicyItem.getRoles();
groups = dataMaskPolicyItem.getGroups();
users = dataMaskPolicyItem.getUsers();
accesses = dataMaskPolicyItem.getAccesses();
delegateAdmin = dataMaskPolicyItem.getDelegateAdmin();
conditionsList = dataMaskPolicyItem.getConditions();
dataMaskInfo = dataMaskPolicyItem.getDataMaskInfo();
String dataMaskType = dataMaskInfo.getDataMaskType();
String conditionExpr = dataMaskInfo.getConditionExpr();
String valueExpr = dataMaskInfo.getValueExpr();
String maskingInfo = "dataMasktype=[" + dataMaskType + "]";
// NOTE(review): valueExpr gates the condition but is never written to the cell; confirm whether
// the export (and the matching import) is meant to carry it.
if (conditionExpr != null && !conditionExpr.isEmpty() && valueExpr != null && !valueExpr.isEmpty()) {
maskingInfo = maskingInfo + "; conditionExpr=[" + conditionExpr + "]";
}
cell = row.createCell(18);
cell.setCellValue(maskingInfo);
} else if (rowFilterPolicyItem != null && policyItem == null && dataMaskPolicyItem == null) {
roles = rowFilterPolicyItem.getRoles();
groups = rowFilterPolicyItem.getGroups();
users = rowFilterPolicyItem.getUsers();
accesses = rowFilterPolicyItem.getAccesses();
delegateAdmin = rowFilterPolicyItem.getDelegateAdmin();
conditionsList = rowFilterPolicyItem.getConditions();
filterInfo = rowFilterPolicyItem.getRowFilterInfo();
String filterExpr = filterInfo.getFilterExpr();
cell = row.createCell(19);
cell.setCellValue(filterExpr);
}
if (CollectionUtils.isNotEmpty(accesses)) {
for (RangerPolicyItemAccess access : accesses) {
accessType = accessType + access.getType();
accessType = accessType + " ,";
}
// drop the trailing " ," separator (the list is non-empty here, so lastIndexOf is >= 0)
accessType = accessType.substring(0, accessType.lastIndexOf(","));
}
// The three StringTokenizer loops strip the List.toString() brackets: "[a, b]" -> "a, b".
if (CollectionUtils.isNotEmpty(roles)) {
roleNames = roleNames + roles.toString();
StringTokenizer roleToken = new StringTokenizer(roleNames, "[]");
while (roleToken.hasMoreTokens()) {
roleNames = roleToken.nextToken().toString();
}
}
if (CollectionUtils.isNotEmpty(groups)) {
groupNames = groupNames + groups.toString();
StringTokenizer groupToken = new StringTokenizer(groupNames, "[]");
while (groupToken.hasMoreTokens()) {
groupNames = groupToken.nextToken().toString();
}
}
if (CollectionUtils.isNotEmpty(users)) {
userNames = userNames + users.toString();
StringTokenizer userToken = new StringTokenizer(userNames, "[]");
while (userToken.hasMoreTokens()) {
userNames = userToken.nextToken().toString();
}
}
String conditionValue = "";
// NOTE(review): each iteration overwrites conditionKeyValue, so only the LAST condition reaches
// column 16; items with several conditions are exported incompletely. Check what the importer
// expects for column 16 before changing this to a joined list.
for (RangerPolicyItemCondition conditions : conditionsList) {
String conditionType = conditions.getType();
List<String> conditionList = conditions.getValues();
conditionValue = conditionList.toString();
conditionKeyValue = conditionType + "=" + conditionValue;
}
cell = row.createCell(3);
cell.setCellValue(roleNames);
cell = row.createCell(4);
cell.setCellValue(groupNames);
cell = row.createCell(5);
cell.setCellValue(userNames);
cell = row.createCell(6);
cell.setCellValue(accessType.trim());
cell = row.createCell(7);
// service type is resolved with two DB lookups per exported row (service by name, then its def)
XXService xxservice = daoMgr.getXXService().findByName(policy.getService());
String ServiceType = "";
if (xxservice != null) {
Long ServiceId = xxservice.getType();
XXServiceDef xxservDef = daoMgr.getXXServiceDef().getById(ServiceId);
if (xxservDef != null) {
ServiceType = xxservDef.getName();
}
}
if (policyConditionType != null) {
policyConditionTypeValue = policyConditionType;
}
// tag-service rows with no explicit condition type are labelled POLICY_ALLOW_INCLUDE
if (policyConditionType == null && ServiceType.equalsIgnoreCase("tag")) {
policyConditionTypeValue = POLICY_ALLOW_INCLUDE;
} else if (policyConditionType == null) {
policyConditionTypeValue = "";
}
cell.setCellValue(ServiceType);
cell = row.createCell(8);
}
// unboxes policy.getIsEnabled(); NPEs if the model returns null here
if (policy.getIsEnabled()) {
policyStatus = "Enabled";
} else {
policyStatus = "Disabled";
}
policyLabels = policy.getPolicyLabels();
if (CollectionUtils.isNotEmpty(policyLabels)) {
policyLabelNames = policyLabelNames + policyLabels.toString();
StringTokenizer policyLabelToken = new StringTokenizer(policyLabelNames, "[]");
while (policyLabelToken.hasMoreTokens()) {
policyLabelNames = policyLabelToken.nextToken().toString();
}
}
// writes into whichever cell was created last: cell 8 when resources != null, otherwise cell 2 (see class-level note)
cell.setCellValue(policyStatus);
cell = row.createCell(9);
int policyTypeInt = policy.getPolicyType();
switch(policyTypeInt) {
case RangerPolicy.POLICY_TYPE_ACCESS:
policyType = POLICY_TYPE_ACCESS;
break;
case RangerPolicy.POLICY_TYPE_DATAMASK:
policyType = POLICY_TYPE_DATAMASK;
break;
case RangerPolicy.POLICY_TYPE_ROWFILTER:
policyType = POLICY_TYPE_ROWFILTER;
break;
}
cell.setCellValue(policyType);
cell = row.createCell(10);
cell.setCellValue(delegateAdmin.toString().toUpperCase());
cell = row.createCell(11);
cell.setCellValue(isRecursiveValue);
cell = row.createCell(12);
cell.setCellValue(isExcludesValue);
cell = row.createCell(13);
serviceName = policy.getService();
cell.setCellValue(serviceName);
cell = row.createCell(14);
description = policy.getDescription();
cell.setCellValue(description);
cell = row.createCell(15);
cell.setCellValue(isAuditEnabled.toString().toUpperCase());
cell = row.createCell(16);
cell.setCellValue(conditionKeyValue.trim());
cell = row.createCell(17);
cell.setCellValue(policyConditionTypeValue);
cell = row.createCell(20);
cell.setCellValue(policyLabelNames);
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerPolicyAdminImpl method isDelegatedAdminAccessAllowedForPolicy.
/**
 * Decides whether {@code user} may act on {@code policy} as a delegated admin.
 *
 * The policy's resources are first normalised by replacing macros with a wildcard
 * (RANGER-3082), then every evaluator of {@code matchedRepository} is asked which of the
 * requested {@code accessTypes} it grants. Granted types are removed from
 * {@code accessTypes} as they are found -- this MUTATES the caller's set (and fails with
 * UnsupportedOperationException on an unmodifiable one), which is also why the exit
 * log can show a smaller set than the entry log.
 *
 * Grant semantics (security-relevant):
 *  - read ({@code isRead}): allowed as soon as any single evaluator grants at least one
 *    of the requested access types, i.e. a partial match is enough;
 *  - non-read: allowed only once every requested access type has been granted by some
 *    evaluator, i.e. full coverage is required.
 * A null/empty {@code accessTypes} is logged as an error and denied (fail closed).
 *
 * @return true if the delegated-admin check passes, false otherwise
 */
private boolean isDelegatedAdminAccessAllowedForPolicy(RangerPolicyRepository matchedRepository, RangerPolicy policy, String user, Set<String> userGroups, Set<String> roles, Set<String> accessTypes, boolean isRead, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyAdminImpl.isDelegatedAdminAccessAllowedForPolicy(" + policy.getId() + ", " + user + ", " + userGroups + ", " + roles + ", accessTypes" + accessTypes + ", " + isRead + ", " + evalContext + ")");
    }
    boolean allowed = false;
    if (CollectionUtils.isEmpty(accessTypes)) {
        // Nothing to check against: deny rather than treat "no access types" as a pass.
        LOG.error("Could not get access-types for policy-id:[" + policy.getId() + "]");
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking delegate-admin access for the access-types:[" + accessTypes + "]");
        }
        // RANGER-3082: macros in the policy resources are substituted with ASTERISK before evaluation.
        Map<String, RangerPolicyResource> normalisedResources = getPolicyResourcesWithMacrosReplaced(policy.getResources(), wildcardEvalContext);
        for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
            Set<String> grantedHere = evaluator.getAllowedAccesses(normalisedResources, user, userGroups, roles, accessTypes, evalContext);
            if (grantedHere == null) {
                continue;
            }
            // removeAll() is true only if this evaluator took something out of the outstanding request.
            boolean grantedSomething = accessTypes.removeAll(grantedHere);
            boolean partialMatchSuffices = isRead && grantedSomething;
            if (partialMatchSuffices || accessTypes.isEmpty()) {
                allowed = true;
                break;
            }
        }
        if (!allowed && CollectionUtils.isNotEmpty(accessTypes)) {
            LOG.info("Accesses : " + accessTypes + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyAdminImpl.isDelegatedAdminAccessAllowedForPolicy(" + policy.getId() + ", " + user + ", " + userGroups + ", " + roles + ", accessTypes" + accessTypes + ", " + isRead + ", " + evalContext + "): " + allowed);
    }
    return allowed;
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyService method rangerPolicy.
/**
 * Builds the fixture policy shared by the tests in this class: one access policy item
 * with no accesses/conditions/groups/users and delegateAdmin=false, an empty resource
 * map, and fixed name/service/guid values; policy type 0 (access).
 *
 * NOTE(review): the RangerPolicyResource built here is never put into the resources map,
 * so the fixture's resources are empty and its setValue/setIsExcludes/setIsRecursive calls
 * are dead. Confirm whether any test relies on empty resources before wiring it in. The
 * same (empty) list instance is also handed to both the item's users and the resource's
 * values, as in the original fixture.
 */
private RangerPolicy rangerPolicy() {
    List<String> sharedNames = new ArrayList<String>();

    RangerPolicyItem item = new RangerPolicyItem();
    item.setAccesses(new ArrayList<RangerPolicyItemAccess>());
    item.setConditions(new ArrayList<RangerPolicyItemCondition>());
    item.setGroups(new ArrayList<String>());
    item.setUsers(sharedNames);
    item.setDelegateAdmin(false);

    List<RangerPolicyItem> items = new ArrayList<RangerPolicyItem>();
    items.add(item);

    RangerPolicyResource resource = new RangerPolicyResource();
    resource.setIsExcludes(true);
    resource.setIsRecursive(true);
    resource.setValue("1");
    resource.setValues(sharedNames);
    Map<String, RangerPolicyResource> resources = new HashMap<String, RangerPolicyResource>();

    RangerPolicy fixture = new RangerPolicy();
    fixture.setId(Id);
    fixture.setCreateTime(new Date());
    fixture.setDescription("policy");
    fixture.setGuid("policyguid");
    fixture.setIsEnabled(true);
    fixture.setName("HDFS_1-1-20150316062453");
    fixture.setUpdatedBy("Admin");
    fixture.setUpdateTime(new Date());
    fixture.setService("HDFS_1-1-20150316062453");
    fixture.setIsAuditEnabled(true);
    fixture.setPolicyItems(items);
    fixture.setResources(resources);
    fixture.setPolicyType(0);
    return fixture;
}