Search in sources :

Example 1 with RangerPolicyResourceSignature

use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.

the class ServiceDBStore method updatePolicySignature.

void updatePolicySignature(RangerPolicy policy) {
    RangerPolicyResourceSignature policySignature = factory.createPolicyResourceSignature(policy);
    String signature = policySignature.getSignature();
    policy.setResourceSignature(signature);
    if (LOG.isDebugEnabled()) {
        String message = String.format("Setting signature on policy id=%d, name=%s to [%s]", policy.getId(), policy.getName(), signature);
        LOG.debug(message);
    }
}
Also used : RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) VXString(org.apache.ranger.view.VXString)

Example 2 with RangerPolicyResourceSignature

use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.

the class TestRangerPolicyValidator method test_isPolicyResourceUnique.

@Test
public final void test_isPolicyResourceUnique() throws Exception {
    // if store does not contain any matching policies then check should succeed
    RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
    String hash = "hash-1";
    when(signature.getSignature()).thenReturn(hash);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
    when(_policy.getService()).thenReturn("service-name");
    List<RangerPolicy> policies = null;
    when(_store.getPoliciesByResourceSignature("service-name", hash, true)).thenReturn(policies);
    policies = new ArrayList<>();
    for (Action action : cu) {
        Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, action));
        Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, action));
    }
    /*
		 * If store has a policy with matching signature then the check should fail with appropriate error message.
		 * - For create any match is a problem
		 * - Signature check can never fail for disabled policies!
		 */
    RangerPolicy policy1 = mock(RangerPolicy.class);
    policies.add(policy1);
    when(_store.getPoliciesByResourceSignature("service-name", hash, true)).thenReturn(policies);
    // ensure policy is enabled
    when(_policy.getIsEnabled()).thenReturn(true);
    _failures.clear();
    Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.CREATE));
    _utils.checkFailureForSemanticError(_failures, "resources");
    // same check should pass if the policy is disabled
    when(_policy.getIsEnabled()).thenReturn(false);
    _failures.clear();
    Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.CREATE));
    Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
    // For Update match with itself is not a problem as long as it isn't itself, i.e. same id.
    // ensure policy is enabled
    when(_policy.getIsEnabled()).thenReturn(true);
    when(policy1.getId()).thenReturn(103L);
    when(_policy.getId()).thenReturn(103L);
    Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    // matching policy can't be some other policy (i.e. different id) because that implies a conflict.
    when(policy1.getId()).thenReturn(104L);
    Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    _utils.checkFailureForSemanticError(_failures, "resources");
    // same check should pass if the policy is disabled
    when(_policy.getIsEnabled()).thenReturn(false);
    _failures.clear();
    Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
    // And validation should never pass if there are more than one policies with matching signature, regardless of their ID!!
    RangerPolicy policy2 = mock(RangerPolicy.class);
    // has same id as the policy being tested (_policy)
    when(policy2.getId()).thenReturn(103L);
    policies.add(policy2);
    // ensure policy is enabled
    when(_policy.getIsEnabled()).thenReturn(true);
    Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    _utils.checkFailureForSemanticError(_failures, "resources");
    // same check should pass if the policy is disabled
    when(_policy.getIsEnabled()).thenReturn(false);
    _failures.clear();
    Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
    Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) Test(org.junit.Test)

Example 3 with RangerPolicyResourceSignature

use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.

the class TestServiceDBStore method tess26createPolicy.

@Test
public void tess26createPolicy() throws Exception {
    setup();
    XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
    XXPolicy xPolicy = Mockito.mock(XXPolicy.class);
    XXPolicyDao xPolicyDao = Mockito.mock(XXPolicyDao.class);
    XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
    XXServiceVersionInfoDao xServiceVersionInfoDao = Mockito.mock(XXServiceVersionInfoDao.class);
    XXService xService = Mockito.mock(XXService.class);
    XXServiceVersionInfo xServiceVersionInfo = Mockito.mock(XXServiceVersionInfo.class);
    XXPolicyItemDao xPolicyItemDao = Mockito.mock(XXPolicyItemDao.class);
    XXServiceDef xServiceDef = serviceDef();
    Map<String, String> configs = new HashMap<String, String>();
    configs.put("username", "servicemgr");
    configs.put("password", "servicemgr");
    configs.put("namenode", "servicemgr");
    configs.put("hadoop.security.authorization", "No");
    configs.put("hadoop.security.authentication", "Simple");
    configs.put("hadoop.security.auth_to_local", "");
    configs.put("dfs.datanode.kerberos.principal", "");
    configs.put("dfs.namenode.kerberos.principal", "");
    configs.put("dfs.secondary.namenode.kerberos.principal", "");
    configs.put("hadoop.rpc.protection", "Privacy");
    configs.put("commonNameForCertificate", "");
    RangerService rangerService = new RangerService();
    rangerService.setId(Id);
    rangerService.setConfigs(configs);
    rangerService.setCreateTime(new Date());
    rangerService.setDescription("service policy");
    rangerService.setGuid("1427365526516_835_0");
    rangerService.setIsEnabled(true);
    rangerService.setName("HDFS_1");
    rangerService.setPolicyUpdateTime(new Date());
    rangerService.setType("1");
    rangerService.setUpdatedBy("Admin");
    String policyName = "HDFS_1-1-20150316062345";
    String name = "HDFS_1-1-20150316062453";
    List<RangerPolicyItemAccess> accessesList = new ArrayList<RangerPolicyItemAccess>();
    RangerPolicyItemAccess policyItemAccess = new RangerPolicyItemAccess();
    policyItemAccess.setIsAllowed(true);
    policyItemAccess.setType("1");
    List<String> usersList = new ArrayList<String>();
    List<String> groupsList = new ArrayList<String>();
    List<String> policyLabels = new ArrayList<String>();
    List<RangerPolicyItemCondition> conditionsList = new ArrayList<RangerPolicyItemCondition>();
    RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition();
    policyItemCondition.setType("1");
    policyItemCondition.setValues(usersList);
    conditionsList.add(policyItemCondition);
    List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
    RangerPolicyItem rangerPolicyItem = new RangerPolicyItem();
    rangerPolicyItem.setDelegateAdmin(false);
    rangerPolicyItem.setAccesses(accessesList);
    rangerPolicyItem.setConditions(conditionsList);
    rangerPolicyItem.setGroups(groupsList);
    rangerPolicyItem.setUsers(usersList);
    policyItems.add(rangerPolicyItem);
    List<RangerPolicyItem> policyItemsSet = new ArrayList<RangerPolicy.RangerPolicyItem>();
    RangerPolicyItem paramPolicyItem = new RangerPolicyItem(accessesList, usersList, groupsList, conditionsList, false);
    paramPolicyItem.setDelegateAdmin(false);
    paramPolicyItem.setAccesses(accessesList);
    paramPolicyItem.setConditions(conditionsList);
    paramPolicyItem.setGroups(groupsList);
    rangerPolicyItem.setUsers(usersList);
    policyItemsSet.add(paramPolicyItem);
    XXPolicyItem xPolicyItem = new XXPolicyItem();
    xPolicyItem.setDelegateAdmin(false);
    xPolicyItem.setAddedByUserId(null);
    xPolicyItem.setCreateTime(new Date());
    xPolicyItem.setGUID(null);
    xPolicyItem.setId(Id);
    xPolicyItem.setOrder(null);
    xPolicyItem.setPolicyId(Id);
    xPolicyItem.setUpdatedByUserId(null);
    xPolicyItem.setUpdateTime(new Date());
    XXPolicy xxPolicy = new XXPolicy();
    xxPolicy.setId(Id);
    xxPolicy.setName(name);
    xxPolicy.setAddedByUserId(Id);
    xxPolicy.setCreateTime(new Date());
    xxPolicy.setDescription("test");
    xxPolicy.setIsAuditEnabled(true);
    xxPolicy.setIsEnabled(true);
    xxPolicy.setService(1L);
    xxPolicy.setUpdatedByUserId(Id);
    xxPolicy.setUpdateTime(new Date());
    List<XXServiceConfigDef> xServiceConfigDefList = new ArrayList<XXServiceConfigDef>();
    XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef();
    serviceConfigDefObj.setId(Id);
    xServiceConfigDefList.add(serviceConfigDefObj);
    List<XXServiceConfigMap> xConfMapList = new ArrayList<XXServiceConfigMap>();
    XXServiceConfigMap xConfMap = new XXServiceConfigMap();
    xConfMap.setAddedByUserId(null);
    xConfMap.setConfigkey(name);
    xConfMap.setConfigvalue(name);
    xConfMap.setCreateTime(new Date());
    xConfMap.setServiceId(null);
    xConfMap.setId(Id);
    xConfMap.setUpdatedByUserId(null);
    xConfMap.setUpdateTime(new Date());
    xConfMapList.add(xConfMap);
    List<String> users = new ArrayList<String>();
    RangerPolicyResource rangerPolicyResource = new RangerPolicyResource();
    rangerPolicyResource.setIsExcludes(true);
    rangerPolicyResource.setIsRecursive(true);
    rangerPolicyResource.setValue("1");
    rangerPolicyResource.setValues(users);
    Map<String, RangerPolicyResource> policyResource = new HashMap<String, RangerPolicyResource>();
    policyResource.put(name, rangerPolicyResource);
    policyResource.put(policyName, rangerPolicyResource);
    RangerPolicy rangerPolicy = new RangerPolicy();
    rangerPolicy.setId(Id);
    rangerPolicy.setCreateTime(new Date());
    rangerPolicy.setDescription("policy");
    rangerPolicy.setGuid("policyguid");
    rangerPolicy.setIsEnabled(true);
    rangerPolicy.setName("HDFS_1-1-20150316062453");
    rangerPolicy.setUpdatedBy("Admin");
    rangerPolicy.setUpdateTime(new Date());
    rangerPolicy.setService("HDFS_1-1-20150316062453");
    rangerPolicy.setIsAuditEnabled(true);
    rangerPolicy.setPolicyItems(policyItems);
    rangerPolicy.setResources(policyResource);
    rangerPolicy.setPolicyLabels(policyLabels);
    XXPolicyResource xPolicyResource = new XXPolicyResource();
    xPolicyResource.setAddedByUserId(Id);
    xPolicyResource.setCreateTime(new Date());
    xPolicyResource.setId(Id);
    xPolicyResource.setIsExcludes(true);
    xPolicyResource.setIsRecursive(true);
    xPolicyResource.setPolicyId(Id);
    xPolicyResource.setResDefId(Id);
    xPolicyResource.setUpdatedByUserId(Id);
    xPolicyResource.setUpdateTime(new Date());
    List<XXPolicyConditionDef> policyConditionDefList = new ArrayList<XXPolicyConditionDef>();
    XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef();
    policyConditionDefObj.setAddedByUserId(Id);
    policyConditionDefObj.setCreateTime(new Date());
    policyConditionDefObj.setDefid(Id);
    policyConditionDefObj.setDescription("policy");
    policyConditionDefObj.setId(Id);
    policyConditionDefObj.setName("country");
    policyConditionDefObj.setOrder(0);
    policyConditionDefObj.setUpdatedByUserId(Id);
    policyConditionDefObj.setUpdateTime(new Date());
    policyConditionDefList.add(policyConditionDefObj);
    Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
    Mockito.when(xServiceDao.findByName(name)).thenReturn(xService);
    Mockito.when(daoManager.getXXServiceVersionInfo()).thenReturn(xServiceVersionInfoDao);
    Mockito.when(xServiceVersionInfoDao.findByServiceId(Id)).thenReturn(xServiceVersionInfo);
    Mockito.when(xServiceVersionInfoDao.update(xServiceVersionInfo)).thenReturn(xServiceVersionInfo);
    Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn(rangerService);
    Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
    Mockito.when(xServiceDefDao.findByName(rangerService.getType())).thenReturn(xServiceDef);
    Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
    Mockito.when(policyService.create(rangerPolicy)).thenReturn(rangerPolicy);
    Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
    Mockito.when(xPolicyDao.getById(Id)).thenReturn(xPolicy);
    Mockito.when(rangerAuditFields.populateAuditFields(Mockito.isA(XXPolicyItem.class), Mockito.isA(XXPolicy.class))).thenReturn(xPolicyItem);
    Mockito.when(daoManager.getXXPolicyItem()).thenReturn(xPolicyItemDao);
    Mockito.when(xPolicyItemDao.create(xPolicyItem)).thenReturn(xPolicyItem);
    Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
    Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
    Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
    Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
    RangerPolicyResourceSignature signature = Mockito.mock(RangerPolicyResourceSignature.class);
    Mockito.when(factory.createPolicyResourceSignature(rangerPolicy)).thenReturn(signature);
    XXResourceDefDao xResourceDefDao = Mockito.mock(XXResourceDefDao.class);
    XXResourceDef xResourceDef = Mockito.mock(XXResourceDef.class);
    XXPolicyResourceDao xPolicyResourceDao = Mockito.mock(XXPolicyResourceDao.class);
    XXPolicyConditionDefDao xPolicyConditionDefDao = Mockito.mock(XXPolicyConditionDefDao.class);
    Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao);
    Mockito.when(xResourceDefDao.findByNameAndPolicyId(policyName, Id)).thenReturn(xResourceDef);
    Mockito.when(rangerAuditFields.populateAuditFields(Mockito.isA(XXPolicyResource.class), Mockito.isA(XXPolicy.class))).thenReturn(xPolicyResource);
    Mockito.when(daoManager.getXXPolicyResource()).thenReturn(xPolicyResourceDao);
    Mockito.when(xPolicyResourceDao.create(xPolicyResource)).thenReturn(xPolicyResource);
    Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn(xPolicyConditionDefDao);
    Mockito.when(xPolicyConditionDefDao.findByServiceDefIdAndName(Id, policyItemCondition.getType())).thenReturn(policyConditionDefObj);
    for (Entry<String, RangerPolicyResource> resource : policyResource.entrySet()) {
        Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao);
        Mockito.when(xResourceDefDao.findByNameAndPolicyId(resource.getKey(), rangerPolicy.getId())).thenReturn(xResourceDef);
    }
    Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn(xPolicyConditionDefDao);
    Mockito.when(xPolicyConditionDefDao.findByServiceDefIdAndName(xServiceDef.getId(), policyItemCondition.getType())).thenReturn(policyConditionDefObj);
    Mockito.when(!bizUtil.hasAccess(xService, null)).thenReturn(true);
    RangerPolicy dbRangerPolicy = serviceDBStore.createPolicy(rangerPolicy);
    Assert.assertNull(dbRangerPolicy);
    Assert.assertEquals(Id, rangerPolicy.getId());
    Mockito.verify(daoManager).getXXServiceDef();
    Mockito.verify(policyService).create(rangerPolicy);
    Mockito.verify(rangerAuditFields).populateAuditFields(Mockito.isA(XXPolicyItem.class), Mockito.isA(XXPolicy.class));
    Mockito.verify(daoManager).getXXPolicyItem();
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) VXString(org.apache.ranger.view.VXString) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) Date(java.util.Date) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition) Test(org.junit.Test)

Example 4 with RangerPolicyResourceSignature

use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_failures.

@Test
public final void testIsValid_failures() throws Exception {
    for (Action action : cu) {
        // passing in a null policy should fail with appropriate failure reason
        _policy = null;
        checkFailure_isValid(action, "missing", "policy");
        // policy must have a name on it
        _policy = mock(RangerPolicy.class);
        for (String name : new String[] { null, "  " }) {
            when(_policy.getName()).thenReturn(name);
            when(_policy.getResources()).thenReturn(null);
            checkFailure_isValid(action, "missing", "name");
        }
        // for update id is required!
        if (action == Action.UPDATE) {
            when(_policy.getId()).thenReturn(null);
            checkFailure_isValid(action, "missing", "id");
        }
    }
    /*
		 * Id is ignored for Create but name should not belong to an existing policy.  For update, policy should exist for its id and should match its name.
		 */
    when(_policy.getName()).thenReturn("policy-name");
    when(_policy.getService()).thenReturn("service-name");
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(7L);
    List<RangerPolicy> existingPolicies = new ArrayList<>();
    existingPolicies.add(existingPolicy);
    SearchFilter filter = new SearchFilter();
    filter.setParam(SearchFilter.SERVICE_NAME, "service-name");
    filter.setParam(SearchFilter.POLICY_NAME, "policy-name");
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    checkFailure_isValid(Action.CREATE, "semantic", "policy name");
    // update : does not exist for id
    when(_policy.getId()).thenReturn(7L);
    when(_store.getPolicy(7L)).thenReturn(null);
    checkFailure_isValid(Action.UPDATE, "semantic", "id");
    // Update: name should not point to an existing different policy, i.e. with a different id
    when(_store.getPolicy(7L)).thenReturn(existingPolicy);
    RangerPolicy anotherExistingPolicy = mock(RangerPolicy.class);
    when(anotherExistingPolicy.getId()).thenReturn(8L);
    existingPolicies.clear();
    existingPolicies.add(anotherExistingPolicy);
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    checkFailure_isValid(Action.UPDATE, "semantic", "id/name");
    // more than one policies with same name is also an internal error
    when(_policy.getName()).thenReturn("policy-name");
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    existingPolicies.add(existingPolicy);
    existingPolicy = mock(RangerPolicy.class);
    existingPolicies.add(existingPolicy);
    for (boolean isAdmin : new boolean[] { true, false }) {
        _failures.clear();
        Assert.assertFalse(_validator.isValid(_policy, Action.UPDATE, isAdmin, _failures));
        _utils.checkFailureForInternalError(_failures);
    }
    // policy must have service name on it and it should be valid
    when(_policy.getName()).thenReturn("policy-name");
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            when(_policy.getService()).thenReturn("");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
        }
    }
    // service name should be valid
    when(_store.getServiceByName("service-name")).thenReturn(null);
    when(_store.getServiceByName("another-service-name")).thenThrow(new Exception());
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            when(_policy.getService()).thenReturn("service-name");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "service name");
            when(_policy.getService()).thenReturn("another-service-name");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "service name");
        }
    }
    // policy must contain at least one policy item
    List<RangerPolicyItem> policyItems = new ArrayList<>();
    when(_policy.getService()).thenReturn("service-name");
    RangerService service = mock(RangerService.class);
    when(_store.getServiceByName("service-name")).thenReturn(service);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            // when it is null
            when(_policy.getPolicyItems()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "policy items");
            // or when it is not null but empty.
            when(_policy.getPolicyItems()).thenReturn(policyItems);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "policy items");
        }
    }
    // these are known good policy items -- same as used above in happypath
    policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    // policy item check requires that service def should exist
    when(service.getType()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(null);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForInternalError(_failures, "policy service def");
        }
    }
    // service-def should contain the right access types on it.
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes_bad, "service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "policy item access type");
        }
    }
    // create the right service def with right resource defs - this is the same as in the happypath test above.
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes, "service-type");
    when(_store.getPolicies(filter)).thenReturn(null);
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // one mandatory is missing (tbl) and one unknown resource is specified (extra), and values of option resource don't conform to validation pattern (col)
    Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
    when(_policy.getResources()).thenReturn(policyResources);
    // ensure thta policy is kosher when it comes to resource signature
    RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
    when(signature.getSignature()).thenReturn("hash-1");
    // store does not have any policies for that signature hash
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            // for spurious resource: "extra"
            _utils.checkFailureForSemanticError(_failures, "resource-values", "col");
            // for specifying it as true when def did not allow it
            _utils.checkFailureForSemanticError(_failures, "isRecursive", "db");
            // for specifying it as true when def did not allow it
            _utils.checkFailureForSemanticError(_failures, "isExcludes", "col");
        }
    }
    // Check if error around resource signature clash are reported.  have Store return policies for same signature
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(existingPolicies);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "policy resources");
        }
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 5 with RangerPolicyResourceSignature

use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_happyPath.

@Test
public final void testIsValid_happyPath() throws Exception {
    // valid policy has valid non-empty name and service name
    when(_policy.getService()).thenReturn("service-name");
    // service name exists
    RangerService service = mock(RangerService.class);
    when(service.getType()).thenReturn("service-type");
    when(_store.getServiceByName("service-name")).thenReturn(service);
    // service points to a valid service-def
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
    when(_serviceDef.getName()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // a matching policy should exist for create when checked by id and not exist when checked by name.
    when(_store.getPolicy(7L)).thenReturn(null);
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(8L);
    when(existingPolicy.getService()).thenReturn("service-name");
    when(_store.getPolicy(8L)).thenReturn(existingPolicy);
    SearchFilter createFilter = new SearchFilter();
    createFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
    // this name would be used for create
    createFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-1");
    when(_store.getPolicies(createFilter)).thenReturn(new ArrayList<RangerPolicy>());
    // a matching policy should not exist for update.
    SearchFilter updateFilter = new SearchFilter();
    updateFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
    // this name would be used for update
    updateFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-2");
    List<RangerPolicy> existingPolicies = new ArrayList<>();
    existingPolicies.add(existingPolicy);
    when(_store.getPolicies(updateFilter)).thenReturn(existingPolicies);
    // valid policy can have empty set of policy items if audit is turned on
    // null value for audit is treated as audit on.
    // for now we want to turn any resource related checking off
    when(_policy.getResources()).thenReturn(null);
    for (Action action : cu) {
        for (Boolean auditEnabled : new Boolean[] { null, true }) {
            for (boolean isAdmin : new boolean[] { true, false }) {
                when(_policy.getIsAuditEnabled()).thenReturn(auditEnabled);
                if (action == Action.CREATE) {
                    when(_policy.getId()).thenReturn(7L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                } else {
                    // update should work both when by-name is found or not, since nothing found by-name means name is being updated.
                    when(_policy.getId()).thenReturn(8L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                    when(_policy.getName()).thenReturn("policy-name-2");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                }
            }
        }
    }
    // if audit is disabled then policy should have policy items and all of them should be valid
    List<RangerPolicyItem> policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    when(_policy.getIsAuditEnabled()).thenReturn(false);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            if (action == Action.CREATE) {
                when(_policy.getId()).thenReturn(7L);
                when(_policy.getName()).thenReturn("policy-name-1");
            } else {
                when(_policy.getId()).thenReturn(8L);
                when(_policy.getName()).thenReturn("policy-name-2");
            }
            Assert.assertTrue("" + action, _validator.isValid(_policy, action, isAdmin, _failures));
            Assert.assertTrue(_failures.isEmpty());
        }
    }
    // above succeeded as service def did not have any resources on it, mandatory or otherwise.
    // policy should have all mandatory resources specified, and they should conform to the validation pattern in resource definition
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    Map<String, RangerPolicyResource> resourceMap = _utils.createPolicyResourceMap(policyResourceMap_good);
    when(_policy.getResources()).thenReturn(resourceMap);
    // let's add some other policies in the store for this service that have a different signature
    // setup the signatures on the policies
    RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
    // setup the store to indicate that no other policy exists with matching signature
    when(policySignature.getSignature()).thenReturn("hash-1");
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    // we are reusing the same policies collection here -- which is fine
    for (Action action : cu) {
        if (action == Action.CREATE) {
            when(_policy.getId()).thenReturn(7L);
            when(_policy.getName()).thenReturn("policy-name-1");
        } else {
            when(_policy.getId()).thenReturn(8L);
            when(_policy.getName()).thenReturn("policy-name-2");
        }
        // since policy resource has excludes admin privilages would be required
        Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
        Assert.assertTrue(_failures.isEmpty());
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Aggregations

RangerPolicyResourceSignature (org.apache.ranger.plugin.model.RangerPolicyResourceSignature)7 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)6 Test (org.junit.Test)5 ArrayList (java.util.ArrayList)4 RangerService (org.apache.ranger.plugin.model.RangerService)4 RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)3 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)3 Action (org.apache.ranger.plugin.model.validation.RangerValidator.Action)3 VXString (org.apache.ranger.view.VXString)3 Date (java.util.Date)2 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)2 SearchFilter (org.apache.ranger.plugin.util.SearchFilter)2 HashMap (java.util.HashMap)1 ValidationErrorCode (org.apache.ranger.plugin.errors.ValidationErrorCode)1 RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)1 RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)1