
Example 16 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class TestRangerPolicyValidator method test_isValidResourceNames_failures.

/**
 * Negative cases for {@code isValidResourceNames()}: each malformed policy resource map
 * must be rejected (return {@code false}) and must record a semantic failure against
 * "policy resources" in {@code _failures}.
 */
@Test
public final void test_isValidResourceNames_failures() {
    // Service-def fixture: a named definition whose resource defs span multiple hierarchies.
    final String svcDefName = "a-service-def";
    when(_serviceDef.getName()).thenReturn(svcDefName);
    when(_serviceDef.getUpdateTime()).thenReturn(new Date());
    // Built before stubbing on purpose: the helper is not called inside thenReturn(...).
    List<RangerResourceDef> hierarchyDefs = _utils.createResourceDefs(resourceDefData_multipleHierarchies);
    when(_serviceDef.getResources()).thenReturn(hierarchyDefs);

    // Case 1: the policy resource map built from policyResourceMap_bad.
    Map<String, RangerPolicyResource> badResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
    when(_policy.getResources()).thenReturn(badResources);
    Assert.assertFalse("Missing required resource and unknown resource", _validator.isValidResourceNames(_policy, _failures, _serviceDef));
    _utils.checkFailureForSemanticError(_failures, "policy resources");

    // Case 2: resources that straddle more than one hierarchy.
    Map<String, RangerPolicyResource> straddlingResources = _utils.createPolicyResourceMap(policyResourceMap_bad_multiple_hierarchies);
    when(_policy.getResources()).thenReturn(straddlingResources);
    // Reset collected failures so the check below only sees this case's output.
    _failures.clear();
    Assert.assertFalse("Policy with resources for multiple hierarchies", _validator.isValidResourceNames(_policy, _failures, _serviceDef));
    _utils.checkFailureForSemanticError(_failures, "policy resources", "incompatible");

    // Case 3: resources that could fit several hierarchies but lack the mandatory
    // resources of every one of those candidate hierarchies.
    Map<String, RangerPolicyResource> incompleteResources = _utils.createPolicyResourceMap(policyResourceMap_bad_multiple_hierarchies_missing_mandatory);
    when(_policy.getResources()).thenReturn(incompleteResources);
    _failures.clear();
    Assert.assertFalse("Policy with resources for multiple hierarchies missing mandatory resources for all pontential matches", _validator.isValidResourceNames(_policy, _failures, _serviceDef));
    _utils.checkFailureForSemanticError(_failures, "policy resources", "missing mandatory");
}
Also used : RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) Date(java.util.Date) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 17 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class TestRangerValidator method test_getPolicyResources.

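/**
 * Verifies that {@code getPolicyResources()} never returns {@code null} and that the
 * returned resource names are lower-cased.
 *
 * <p>Covers four inputs: a null policy, a policy whose resource map is null, a policy
 * with an empty resource map, and a policy with two named resources.
 */
@Test
public void test_getPolicyResources() {
    Set<String> result;
    // null policy
    result = _validator.getPolicyResources(null);
    Assert.assertNotNull(result);
    Assert.assertTrue(result.isEmpty());
    // null resource map: the mocked policy itself must be passed here. Passing null
    // again would only repeat the null-policy case above and leave the validator's
    // handling of a null resource map untested.
    RangerPolicy policy = mock(RangerPolicy.class);
    when(policy.getResources()).thenReturn(null);
    result = _validator.getPolicyResources(policy);
    Assert.assertNotNull(result);
    Assert.assertTrue(result.isEmpty());
    // empty resource map
    Map<String, RangerPolicyResource> input = Maps.newHashMap();
    when(policy.getResources()).thenReturn(input);
    result = _validator.getPolicyResources(policy);
    Assert.assertNotNull(result);
    Assert.assertTrue(result.isEmpty());
    // known resource map; the stubbed map is mutated in place, so the mock now returns two entries
    input.put("r1", mock(RangerPolicyResource.class));
    input.put("R2", mock(RangerPolicyResource.class));
    result = _validator.getPolicyResources(policy);
    Assert.assertEquals(2, result.size());
    Assert.assertTrue("r1", result.contains("r1"));
    // result should lowercase the resource-names
    Assert.assertTrue("R2", result.contains("r2"));
}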
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) Test(org.junit.Test)

Example 18 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class ValidationTestUtils method createPolicyResourceMap.

/**
 * Builds a map of mocked {@code RangerPolicyResource} objects from tabular test data.
 *
 * <p>Each row is read positionally: {@code row[0]} is the resource name (String),
 * {@code row[1]} the values (String[], may be null), {@code row[2]} the excludes flag
 * (Boolean) and {@code row[3]} the recursive flag (Boolean). Rows are not validated;
 * a short or mistyped row fails with the usual array-index or cast exception.
 *
 * @param input test data rows, or {@code null}
 * @return resource name to mocked resource, or {@code null} when {@code input} is null
 */
public Map<String, RangerPolicyResource> createPolicyResourceMap(Object[][] input) {
    if (input == null) {
        return null;
    }
    Map<String, RangerPolicyResource> resourcesByName = new HashMap<String, RangerPolicyResource>(input.length);
    for (int i = 0; i < input.length; i++) {
        Object[] row = input[i];
        // Unpack the row before creating the mock.
        String name = (String) row[0];
        String[] rawValues = (String[]) row[1];
        Boolean excludes = (Boolean) row[2];
        Boolean recursive = (Boolean) row[3];

        RangerPolicyResource stub = mock(RangerPolicyResource.class);
        // A null values array is stubbed as an explicit null return rather than left unstubbed.
        when(stub.getValues()).thenReturn(rawValues == null ? null : Arrays.asList(rawValues));
        when(stub.getIsExcludes()).thenReturn(excludes);
        when(stub.getIsRecursive()).thenReturn(recursive);

        resourcesByName.put(name, stub);
    }
    return resourcesByName;
}
Also used : HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)

Example 19 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method isCompleteMatch.

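/**
 * Reports whether {@code resources} is an exact match for this matcher's policy resources:
 * both maps must have the same set of resource names and, for every resource defined in
 * the service-def, the same collection of values (an absent entry and an entry with no
 * values are treated alike).
 *
 * <p>The result fails closed: a null argument, a null {@code policyResources}, a missing
 * service-def, or any per-resource mismatch yields {@code false}.
 *
 * @param resources   resources to compare against the policy's resources; may be null
 * @param evalContext evaluation context; only logged by this method
 * @return {@code true} only when names and values match for every service-def resource
 */
@Override
public boolean isCompleteMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + ")");
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        // NOTE(review): the tracer tag names applyPolicyMatch(), not this method. It is left
        // unchanged because it is a runtime string that perf-log consumers may key on.
        perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.applyPolicyMatch()");
    }
    boolean ret = false;
    Collection<String> resourceKeys = resources == null ? null : resources.keySet();
    Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet();
    boolean keysMatch = resourceKeys != null && policyKeys != null && CollectionUtils.isEqualCollection(resourceKeys, policyKeys);
    if (keysMatch) {
        // Same guard as isMatch(): without a service-def there is nothing to compare
        // against, so the answer stays false instead of failing with a NullPointerException.
        if (serviceDef != null && serviceDef.getResources() != null) {
            for (RangerResourceDef resourceDef : serviceDef.getResources()) {
                String resourceName = resourceDef.getName();
                RangerPolicyResource resourceValues = resources.get(resourceName);
                // keysMatch implies policyResources is non-null here.
                RangerPolicyResource policyValues = policyResources.get(resourceName);
                Collection<String> requested = resourceValues == null ? null : resourceValues.getValues();
                Collection<String> inPolicy = policyValues == null ? null : policyValues.getValues();
                if (CollectionUtils.isEmpty(requested)) {
                    ret = CollectionUtils.isEmpty(inPolicy);
                } else if (CollectionUtils.isNotEmpty(inPolicy)) {
                    ret = CollectionUtils.isEqualCollection(requested, inPolicy);
                } else {
                    // Requested values exist but the policy has none for this resource.
                    // Previously ret was left untouched here, so a true carried over from an
                    // earlier resource made the whole comparison report a complete match.
                    ret = false;
                }
                if (!ret) {
                    break;
                }
            }
        }
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("isCompleteMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys);
        }
    }
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + "): " + ret);
    }
    return ret;
}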
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 20 with RangerPolicyResource

use of org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource in project ranger by apache.

the class RangerDefaultPolicyResourceMatcher method isMatch.

/**
 * Reports whether the given resources are covered by this matcher's policy resources.
 *
 * <p>The resource names must be empty or a subset of the policy's resource names. Then,
 * for every resource defined in the service-def, each supplied value must be accepted by
 * that resource's matcher; a resource with no supplied values passes only if its matcher
 * reports {@code isMatchAny()}, and a resource with no matcher passes only if no values
 * were supplied. The result is {@code false} when the service-def or its resources are
 * missing.
 *
 * @param resources   resources to test; may be null
 * @param evalContext evaluation context handed to each resource matcher
 * @return {@code true} when every service-def resource passes its check
 */
@Override
public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")");
    }
    boolean matched = false;
    RangerPerfTracer tracer = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) {
        tracer = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.delegateAdminMatch()");
    }
    if (serviceDef != null && serviceDef.getResources() != null) {
        Collection<String> requestedNames = null;
        if (resources != null) {
            requestedNames = resources.keySet();
        }
        Collection<String> policyNames = null;
        if (policyResources != null) {
            policyNames = policyResources.keySet();
        }
        // An empty request is covered trivially; otherwise every requested name must be a policy resource name.
        boolean namesCovered = CollectionUtils.isEmpty(requestedNames) || (policyNames != null && policyNames.containsAll(requestedNames));
        if (!namesCovered) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("isMatch(): keysMatch=false. resourceKeys=" + requestedNames + "; policyKeys=" + policyNames);
            }
        } else {
            for (RangerResourceDef def : serviceDef.getResources()) {
                String name = def.getName();
                RangerPolicyResource requested = resources == null ? null : resources.get(name);
                List<String> values = requested == null ? null : requested.getValues();
                RangerResourceMatcher matcher = allMatchers == null ? null : allMatchers.get(name);
                if (matcher == null) {
                    // No matcher for this resource: only an absent or empty value list passes.
                    matched = CollectionUtils.isEmpty(values);
                } else if (CollectionUtils.isEmpty(values)) {
                    // Nothing supplied for this resource: passes only if the matcher accepts anything.
                    matched = matcher.isMatchAny();
                } else {
                    // Every supplied value must be accepted; stop at the first rejection.
                    for (String value : values) {
                        matched = matcher.isMatch(value, evalContext);
                        if (!matched) {
                            break;
                        }
                    }
                }
                if (!matched) {
                    break;
                }
            }
        }
    }
    RangerPerfTracer.log(tracer);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + matched);
    }
    return matched;
}
Also used : RangerResourceMatcher(org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Aggregations

RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)62 HashMap (java.util.HashMap)38 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)36 RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)28 ArrayList (java.util.ArrayList)27 RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)25 Test (org.junit.Test)23 VXString (org.apache.ranger.view.VXString)17 Date (java.util.Date)12 RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)11 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)11 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)8 ServicePolicies (org.apache.ranger.plugin.util.ServicePolicies)8 XXServiceDef (org.apache.ranger.entity.XXServiceDef)7 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)7 IOException (java.io.IOException)6 XXService (org.apache.ranger.entity.XXService)5 RangerService (org.apache.ranger.plugin.model.RangerService)5 RangerServiceResource (org.apache.ranger.plugin.model.RangerServiceResource)5 Map (java.util.Map)4