use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerPolicyValidator method test_isValidResourceNames_failures.
/**
 * Negative cases for {@code isValidResourceNames}: every policy resource map below must be
 * rejected by the validator and leave a "policy resources" failure behind.
 *
 * <p>The service-def is stubbed with {@code resourceDefData_multipleHierarchies}; the three
 * policies cover (1) a missing required resource plus an unknown resource, (2) resources that
 * straddle several hierarchies, and (3) resources that could fit several hierarchies but lack
 * the mandatory resources of each. The validator decides which resource names a policy may
 * carry, so each rejection is checked both through the boolean result and the recorded failure.
 */
@Test
public final void test_isValidResourceNames_failures() {
    // service-def stub: name, update time and the multi-hierarchy resource definitions
    final String svcDefName = "a-service-def";
    final Date updateTime = new Date();
    when(_serviceDef.getName()).thenReturn(svcDefName);
    when(_serviceDef.getUpdateTime()).thenReturn(updateTime);
    final List<RangerResourceDef> hierarchyDefs = _utils.createResourceDefs(resourceDefData_multipleHierarchies);
    when(_serviceDef.getResources()).thenReturn(hierarchyDefs);

    // case 1: required resource missing and an unknown resource present
    final Map<String, RangerPolicyResource> badResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
    when(_policy.getResources()).thenReturn(badResources);
    boolean valid = _validator.isValidResourceNames(_policy, _failures, _serviceDef);
    Assert.assertFalse("Missing required resource and unknown resource", valid);
    _utils.checkFailureForSemanticError(_failures, "policy resources");

    // case 2: resource names that straddle multiple hierarchies
    final Map<String, RangerPolicyResource> straddlingResources =
            _utils.createPolicyResourceMap(policyResourceMap_bad_multiple_hierarchies);
    when(_policy.getResources()).thenReturn(straddlingResources);
    _failures.clear(); // drop case-1 failures so the next check sees only this case
    valid = _validator.isValidResourceNames(_policy, _failures, _serviceDef);
    Assert.assertFalse("Policy with resources for multiple hierarchies", valid);
    _utils.checkFailureForSemanticError(_failures, "policy resources", "incompatible");

    // case 3: could match several hierarchies, but mandatory resources are missing for all of them
    final Map<String, RangerPolicyResource> incompleteResources =
            _utils.createPolicyResourceMap(policyResourceMap_bad_multiple_hierarchies_missing_mandatory);
    when(_policy.getResources()).thenReturn(incompleteResources);
    _failures.clear();
    valid = _validator.isValidResourceNames(_policy, _failures, _serviceDef);
    Assert.assertFalse("Policy with resources for multiple hierarchies missing mandatory resources for all pontential matches", valid);
    _utils.checkFailureForSemanticError(_failures, "policy resources", "missing mandatory");
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class TestRangerValidator method test_getPolicyResources.
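/**
 * Checks that {@code getPolicyResources} always hands back a non-null set and that the
 * returned resource names are lower-cased.
 *
 * <p>Covers four inputs: a null policy, a policy whose resource map is null, a policy with an
 * empty resource map, and a policy with two named resources.
 */
@Test
public void test_getPolicyResources() {
    Set<String> result;

    // null policy
    result = _validator.getPolicyResources(null);
    Assert.assertNotNull(result);
    Assert.assertTrue(result.isEmpty());

    // null resource map: the stubbed policy itself must be passed in. Passing null here would
    // only repeat the null-policy case above and leave the validator's handling of a policy
    // without a resource map untested.
    RangerPolicy policy = mock(RangerPolicy.class);
    when(policy.getResources()).thenReturn(null);
    result = _validator.getPolicyResources(policy);
    Assert.assertNotNull(result);
    Assert.assertTrue(result.isEmpty());

    // empty resource map
    Map<String, RangerPolicyResource> input = Maps.newHashMap();
    when(policy.getResources()).thenReturn(input);
    result = _validator.getPolicyResources(policy);
    Assert.assertNotNull(result);
    Assert.assertTrue(result.isEmpty());

    // known resource map (the stub returns the same map instance, so the puts are visible)
    input.put("r1", mock(RangerPolicyResource.class));
    input.put("R2", mock(RangerPolicyResource.class));
    result = _validator.getPolicyResources(policy);
    Assert.assertEquals(2, result.size());
    Assert.assertTrue("r1", result.contains("r1"));
    // result should lowercase the resource-names
    Assert.assertTrue("R2", result.contains("r2"));
}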
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class ValidationTestUtils method createPolicyResourceMap.
/**
 * Turns tabular test data into a map of mocked {@code RangerPolicyResource} objects.
 *
 * <p>Each row is read positionally: {@code row[0]} is the resource name (String),
 * {@code row[1]} its values (String[], may be null), {@code row[2]} the excludes flag (Boolean)
 * and {@code row[3]} the recursive flag (Boolean). Rows are not length- or type-checked, so a
 * malformed row fails with an index or class-cast exception.
 *
 * @param input rows describing the resources; may be null
 * @return null when {@code input} is null, otherwise a map keyed by resource name; a later row
 *         with the same name replaces an earlier one
 */
public Map<String, RangerPolicyResource> createPolicyResourceMap(Object[][] input) {
    if (input == null) {
        return null;
    }

    Map<String, RangerPolicyResource> resourcesByName = new HashMap<>(input.length);
    for (Object[] row : input) {
        String name = (String) row[0];
        String[] rawValues = (String[]) row[1];
        Boolean excludes = (Boolean) row[2];
        Boolean recursive = (Boolean) row[3];

        RangerPolicyResource mocked = mock(RangerPolicyResource.class);
        // a null values array is stubbed as a null list, not as an empty one
        when(mocked.getValues()).thenReturn(rawValues == null ? null : Arrays.asList(rawValues));
        when(mocked.getIsExcludes()).thenReturn(excludes);
        when(mocked.getIsRecursive()).thenReturn(recursive);

        resourcesByName.put(name, mocked);
    }
    return resourcesByName;
}
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerDefaultPolicyResourceMatcher method isCompleteMatch.
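/**
 * Reports whether {@code resources} names exactly the same resources, with exactly the same
 * values, as this matcher's policy resources.
 *
 * <p>The key sets must be equal as collections. Then, for every resource defined by the
 * service-def, either both sides have no values or both have equal value collections.
 * Any other combination is a mismatch and the result is {@code false}.
 *
 * @param resources   resources to compare with the policy resources; null never matches
 * @param evalContext evaluation context; only written to the debug log by this method
 * @return {@code true} only when every service-def resource compares equal on both sides
 */
@Override
public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + ")");
    }

    RangerPerfTracer perf = null;
    // NOTE(review): the tracer tag names applyPolicyMatch(), not isCompleteMatch() - confirm this is intended.
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.applyPolicyMatch()");
    }

    boolean ret = false;
    Collection<String> resourceKeys = resources == null ? null : resources.keySet();
    Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
    boolean keysMatch = resourceKeys != null && policyKeys != null && CollectionUtils.isEqualCollection(resourceKeys, policyKeys);

    if (keysMatch) {
        // Same guard as isMatch(): without a service-def there is nothing to compare, so the
        // answer stays "no match" instead of a NullPointerException.
        if (serviceDef != null && serviceDef.getResources() != null) {
            for (RangerResourceDef resourceDef : serviceDef.getResources()) {
                String resourceName = resourceDef.getName();
                // keysMatch implies both maps are non-null here
                RangerPolicyResource resourceValues = resources.get(resourceName);
                RangerPolicyResource policyValues = policyResources.get(resourceName);

                boolean resourceHasNoValues = resourceValues == null || CollectionUtils.isEmpty(resourceValues.getValues());
                boolean policyHasNoValues = policyValues == null || CollectionUtils.isEmpty(policyValues.getValues());

                // The result is computed afresh for every resource. Previously the case
                // "resource has values, policy has none" assigned nothing, so a true result
                // from an earlier resource carried over and the mismatch went unnoticed.
                if (resourceHasNoValues || policyHasNoValues) {
                    ret = resourceHasNoValues && policyHasNoValues;
                } else {
                    ret = CollectionUtils.isEqualCollection(resourceValues.getValues(), policyValues.getValues());
                }

                if (!ret) {
                    break;
                }
            }
        }
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + "): " + ret);
    }
    return ret;
}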
use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.
the class RangerDefaultPolicyResourceMatcher method isMatch.
/**
 * Reports whether every value of the given resources is accepted by this policy's matchers.
 *
 * <p>Returns {@code false} when there is no service-def or it has no resource list, and when
 * {@code resources} names a key the policy does not have. Otherwise each service-def resource
 * is checked in order and the first failure ends the check:
 * <ul>
 *   <li>with a matcher and values: every value must pass {@code matcher.isMatch};</li>
 *   <li>with a matcher and no values: the answer is {@code matcher.isMatchAny()};</li>
 *   <li>without a matcher: the resource must carry no values.</li>
 * </ul>
 *
 * @param resources   resources to test; null or empty passes the key check
 * @param evalContext evaluation context handed to each resource matcher
 * @return {@code true} when all service-def resources pass; {@code false} otherwise,
 *         including when the service-def defines no resources
 */
@Override
public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")");
    }

    boolean ret = false;

    RangerPerfTracer perf = null;
    // NOTE(review): the tracer tag names delegateAdminMatch(), not isMatch() - confirm this is intended.
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.delegateAdminMatch()");
    }

    if (serviceDef != null && serviceDef.getResources() != null) {
        Collection<String> resourceKeys = resources == null ? null : resources.keySet();
        Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();

        // an empty request passes the key check; otherwise the policy must know every requested key
        boolean keysMatch = CollectionUtils.isEmpty(resourceKeys) || (policyKeys != null && policyKeys.containsAll(resourceKeys));

        if (!keysMatch) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("isMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
            }
        } else {
            for (RangerResourceDef resourceDef : serviceDef.getResources()) {
                String defName = resourceDef.getName();
                RangerPolicyResource requested = resources == null ? null : resources.get(defName);
                List<String> requestedValues = requested == null ? null : requested.getValues();
                RangerResourceMatcher resourceMatcher = allMatchers == null ? null : allMatchers.get(defName);

                if (resourceMatcher == null) {
                    // no matcher for this resource: only an absent or empty value list passes
                    ret = CollectionUtils.isEmpty(requestedValues);
                } else if (CollectionUtils.isEmpty(requestedValues)) {
                    ret = resourceMatcher.isMatchAny();
                } else {
                    // every requested value has to pass; stop at the first one that does not
                    boolean everyValueMatches = true;
                    for (String candidate : requestedValues) {
                        if (!resourceMatcher.isMatch(candidate, evalContext)) {
                            everyValueMatches = false;
                            break;
                        }
                    }
                    ret = everyValueMatches;
                }

                if (!ret) {
                    break;
                }
            }
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + ret);
    }
    return ret;
}