Example 1 with RangerPolicyResourceSignature
use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.
the class ServiceDBStore method updatePolicySignature.
void updatePolicySignature(RangerPolicy policy) {
RangerPolicyResourceSignature policySignature = factory.createPolicyResourceSignature(policy);
String signature = policySignature.getSignature();
policy.setResourceSignature(signature);
if (LOG.isDebugEnabled()) {
String message = String.format("Setting signature on policy id=%d, name=%s to [%s]", policy.getId(), policy.getName(), signature);
LOG.debug(message);
}
}
Also used :
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
VXString(org.apache.ranger.view.VXString)
Example 2 with RangerPolicyResourceSignature
use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.
the class TestRangerPolicyValidator method test_isPolicyResourceUnique.
@Test
public final void test_isPolicyResourceUnique() throws Exception {
// if store does not contain any matching policies then check should succeed
RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
String hash = "hash-1";
when(signature.getSignature()).thenReturn(hash);
when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
when(_policy.getService()).thenReturn("service-name");
List<RangerPolicy> policies = null;
when(_store.getPoliciesByResourceSignature("service-name", hash, true)).thenReturn(policies);
policies = new ArrayList<>();
for (Action action : cu) {
Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, action));
Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, action));
}
/*
* If store has a policy with matching signature then the check should fail with appropriate error message.
* - For create any match is a problem
* - Signature check can never fail for disabled policies!
*/
RangerPolicy policy1 = mock(RangerPolicy.class);
policies.add(policy1);
when(_store.getPoliciesByResourceSignature("service-name", hash, true)).thenReturn(policies);
// ensure policy is enabled
when(_policy.getIsEnabled()).thenReturn(true);
_failures.clear();
Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.CREATE));
_utils.checkFailureForSemanticError(_failures, "resources");
// same check should pass if the policy is disabled
when(_policy.getIsEnabled()).thenReturn(false);
_failures.clear();
Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.CREATE));
Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
// For Update match with itself is not a problem as long as it isn't itself, i.e. same id.
// ensure policy is enabled
when(_policy.getIsEnabled()).thenReturn(true);
when(policy1.getId()).thenReturn(103L);
when(_policy.getId()).thenReturn(103L);
Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
// matching policy can't be some other policy (i.e. different id) because that implies a conflict.
when(policy1.getId()).thenReturn(104L);
Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
_utils.checkFailureForSemanticError(_failures, "resources");
// same check should pass if the policy is disabled
when(_policy.getIsEnabled()).thenReturn(false);
_failures.clear();
Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
// And validation should never pass if there are more than one policies with matching signature, regardless of their ID!!
RangerPolicy policy2 = mock(RangerPolicy.class);
// has same id as the policy being tested (_policy)
when(policy2.getId()).thenReturn(103L);
policies.add(policy2);
// ensure policy is enabled
when(_policy.getIsEnabled()).thenReturn(true);
Assert.assertFalse(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
_utils.checkFailureForSemanticError(_failures, "resources");
// same check should pass if the policy is disabled
when(_policy.getIsEnabled()).thenReturn(false);
_failures.clear();
Assert.assertTrue(_validator.isPolicyResourceUnique(_policy, _failures, Action.UPDATE));
Assert.assertTrue("failures collection wasn't empty!", _failures.isEmpty());
}
Also used :
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
Test(org.junit.Test)
Example 3 with RangerPolicyResourceSignature
use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.
the class TestServiceDBStore method tess26createPolicy.
@Test
public void tess26createPolicy() throws Exception {
setup();
XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
XXPolicy xPolicy = Mockito.mock(XXPolicy.class);
XXPolicyDao xPolicyDao = Mockito.mock(XXPolicyDao.class);
XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
XXServiceVersionInfoDao xServiceVersionInfoDao = Mockito.mock(XXServiceVersionInfoDao.class);
XXService xService = Mockito.mock(XXService.class);
XXServiceVersionInfo xServiceVersionInfo = Mockito.mock(XXServiceVersionInfo.class);
XXPolicyItemDao xPolicyItemDao = Mockito.mock(XXPolicyItemDao.class);
XXServiceDef xServiceDef = serviceDef();
Map<String, String> configs = new HashMap<String, String>();
configs.put("username", "servicemgr");
configs.put("password", "servicemgr");
configs.put("namenode", "servicemgr");
configs.put("hadoop.security.authorization", "No");
configs.put("hadoop.security.authentication", "Simple");
configs.put("hadoop.security.auth_to_local", "");
configs.put("dfs.datanode.kerberos.principal", "");
configs.put("dfs.namenode.kerberos.principal", "");
configs.put("dfs.secondary.namenode.kerberos.principal", "");
configs.put("hadoop.rpc.protection", "Privacy");
configs.put("commonNameForCertificate", "");
RangerService rangerService = new RangerService();
rangerService.setId(Id);
rangerService.setConfigs(configs);
rangerService.setCreateTime(new Date());
rangerService.setDescription("service policy");
rangerService.setGuid("1427365526516_835_0");
rangerService.setIsEnabled(true);
rangerService.setName("HDFS_1");
rangerService.setPolicyUpdateTime(new Date());
rangerService.setType("1");
rangerService.setUpdatedBy("Admin");
String policyName = "HDFS_1-1-20150316062345";
String name = "HDFS_1-1-20150316062453";
List<RangerPolicyItemAccess> accessesList = new ArrayList<RangerPolicyItemAccess>();
RangerPolicyItemAccess policyItemAccess = new RangerPolicyItemAccess();
policyItemAccess.setIsAllowed(true);
policyItemAccess.setType("1");
List<String> usersList = new ArrayList<String>();
List<String> groupsList = new ArrayList<String>();
List<String> policyLabels = new ArrayList<String>();
List<RangerPolicyItemCondition> conditionsList = new ArrayList<RangerPolicyItemCondition>();
RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition();
policyItemCondition.setType("1");
policyItemCondition.setValues(usersList);
conditionsList.add(policyItemCondition);
List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
RangerPolicyItem rangerPolicyItem = new RangerPolicyItem();
rangerPolicyItem.setDelegateAdmin(false);
rangerPolicyItem.setAccesses(accessesList);
rangerPolicyItem.setConditions(conditionsList);
rangerPolicyItem.setGroups(groupsList);
rangerPolicyItem.setUsers(usersList);
policyItems.add(rangerPolicyItem);
List<RangerPolicyItem> policyItemsSet = new ArrayList<RangerPolicy.RangerPolicyItem>();
RangerPolicyItem paramPolicyItem = new RangerPolicyItem(accessesList, usersList, groupsList, conditionsList, false);
paramPolicyItem.setDelegateAdmin(false);
paramPolicyItem.setAccesses(accessesList);
paramPolicyItem.setConditions(conditionsList);
paramPolicyItem.setGroups(groupsList);
rangerPolicyItem.setUsers(usersList);
policyItemsSet.add(paramPolicyItem);
XXPolicyItem xPolicyItem = new XXPolicyItem();
xPolicyItem.setDelegateAdmin(false);
xPolicyItem.setAddedByUserId(null);
xPolicyItem.setCreateTime(new Date());
xPolicyItem.setGUID(null);
xPolicyItem.setId(Id);
xPolicyItem.setOrder(null);
xPolicyItem.setPolicyId(Id);
xPolicyItem.setUpdatedByUserId(null);
xPolicyItem.setUpdateTime(new Date());
XXPolicy xxPolicy = new XXPolicy();
xxPolicy.setId(Id);
xxPolicy.setName(name);
xxPolicy.setAddedByUserId(Id);
xxPolicy.setCreateTime(new Date());
xxPolicy.setDescription("test");
xxPolicy.setIsAuditEnabled(true);
xxPolicy.setIsEnabled(true);
xxPolicy.setService(1L);
xxPolicy.setUpdatedByUserId(Id);
xxPolicy.setUpdateTime(new Date());
List<XXServiceConfigDef> xServiceConfigDefList = new ArrayList<XXServiceConfigDef>();
XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef();
serviceConfigDefObj.setId(Id);
xServiceConfigDefList.add(serviceConfigDefObj);
List<XXServiceConfigMap> xConfMapList = new ArrayList<XXServiceConfigMap>();
XXServiceConfigMap xConfMap = new XXServiceConfigMap();
xConfMap.setAddedByUserId(null);
xConfMap.setConfigkey(name);
xConfMap.setConfigvalue(name);
xConfMap.setCreateTime(new Date());
xConfMap.setServiceId(null);
xConfMap.setId(Id);
xConfMap.setUpdatedByUserId(null);
xConfMap.setUpdateTime(new Date());
xConfMapList.add(xConfMap);
List<String> users = new ArrayList<String>();
RangerPolicyResource rangerPolicyResource = new RangerPolicyResource();
rangerPolicyResource.setIsExcludes(true);
rangerPolicyResource.setIsRecursive(true);
rangerPolicyResource.setValue("1");
rangerPolicyResource.setValues(users);
Map<String, RangerPolicyResource> policyResource = new HashMap<String, RangerPolicyResource>();
policyResource.put(name, rangerPolicyResource);
policyResource.put(policyName, rangerPolicyResource);
RangerPolicy rangerPolicy = new RangerPolicy();
rangerPolicy.setId(Id);
rangerPolicy.setCreateTime(new Date());
rangerPolicy.setDescription("policy");
rangerPolicy.setGuid("policyguid");
rangerPolicy.setIsEnabled(true);
rangerPolicy.setName("HDFS_1-1-20150316062453");
rangerPolicy.setUpdatedBy("Admin");
rangerPolicy.setUpdateTime(new Date());
rangerPolicy.setService("HDFS_1-1-20150316062453");
rangerPolicy.setIsAuditEnabled(true);
rangerPolicy.setPolicyItems(policyItems);
rangerPolicy.setResources(policyResource);
rangerPolicy.setPolicyLabels(policyLabels);
XXPolicyResource xPolicyResource = new XXPolicyResource();
xPolicyResource.setAddedByUserId(Id);
xPolicyResource.setCreateTime(new Date());
xPolicyResource.setId(Id);
xPolicyResource.setIsExcludes(true);
xPolicyResource.setIsRecursive(true);
xPolicyResource.setPolicyId(Id);
xPolicyResource.setResDefId(Id);
xPolicyResource.setUpdatedByUserId(Id);
xPolicyResource.setUpdateTime(new Date());
List<XXPolicyConditionDef> policyConditionDefList = new ArrayList<XXPolicyConditionDef>();
XXPolicyConditionDef policyConditionDefObj = new XXPolicyConditionDef();
policyConditionDefObj.setAddedByUserId(Id);
policyConditionDefObj.setCreateTime(new Date());
policyConditionDefObj.setDefid(Id);
policyConditionDefObj.setDescription("policy");
policyConditionDefObj.setId(Id);
policyConditionDefObj.setName("country");
policyConditionDefObj.setOrder(0);
policyConditionDefObj.setUpdatedByUserId(Id);
policyConditionDefObj.setUpdateTime(new Date());
policyConditionDefList.add(policyConditionDefObj);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.findByName(name)).thenReturn(xService);
Mockito.when(daoManager.getXXServiceVersionInfo()).thenReturn(xServiceVersionInfoDao);
Mockito.when(xServiceVersionInfoDao.findByServiceId(Id)).thenReturn(xServiceVersionInfo);
Mockito.when(xServiceVersionInfoDao.update(xServiceVersionInfo)).thenReturn(xServiceVersionInfo);
Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn(rangerService);
Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
Mockito.when(xServiceDefDao.findByName(rangerService.getType())).thenReturn(xServiceDef);
Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
Mockito.when(policyService.create(rangerPolicy)).thenReturn(rangerPolicy);
Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
Mockito.when(xPolicyDao.getById(Id)).thenReturn(xPolicy);
Mockito.when(rangerAuditFields.populateAuditFields(Mockito.isA(XXPolicyItem.class), Mockito.isA(XXPolicy.class))).thenReturn(xPolicyItem);
Mockito.when(daoManager.getXXPolicyItem()).thenReturn(xPolicyItemDao);
Mockito.when(xPolicyItemDao.create(xPolicyItem)).thenReturn(xPolicyItem);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.getById(Id)).thenReturn(xService);
RangerPolicyResourceSignature signature = Mockito.mock(RangerPolicyResourceSignature.class);
Mockito.when(factory.createPolicyResourceSignature(rangerPolicy)).thenReturn(signature);
XXResourceDefDao xResourceDefDao = Mockito.mock(XXResourceDefDao.class);
XXResourceDef xResourceDef = Mockito.mock(XXResourceDef.class);
XXPolicyResourceDao xPolicyResourceDao = Mockito.mock(XXPolicyResourceDao.class);
XXPolicyConditionDefDao xPolicyConditionDefDao = Mockito.mock(XXPolicyConditionDefDao.class);
Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao);
Mockito.when(xResourceDefDao.findByNameAndPolicyId(policyName, Id)).thenReturn(xResourceDef);
Mockito.when(rangerAuditFields.populateAuditFields(Mockito.isA(XXPolicyResource.class), Mockito.isA(XXPolicy.class))).thenReturn(xPolicyResource);
Mockito.when(daoManager.getXXPolicyResource()).thenReturn(xPolicyResourceDao);
Mockito.when(xPolicyResourceDao.create(xPolicyResource)).thenReturn(xPolicyResource);
Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn(xPolicyConditionDefDao);
Mockito.when(xPolicyConditionDefDao.findByServiceDefIdAndName(Id, policyItemCondition.getType())).thenReturn(policyConditionDefObj);
for (Entry<String, RangerPolicyResource> resource : policyResource.entrySet()) {
Mockito.when(daoManager.getXXResourceDef()).thenReturn(xResourceDefDao);
Mockito.when(xResourceDefDao.findByNameAndPolicyId(resource.getKey(), rangerPolicy.getId())).thenReturn(xResourceDef);
}
Mockito.when(daoManager.getXXPolicyConditionDef()).thenReturn(xPolicyConditionDefDao);
Mockito.when(xPolicyConditionDefDao.findByServiceDefIdAndName(xServiceDef.getId(), policyItemCondition.getType())).thenReturn(policyConditionDefObj);
Mockito.when(!bizUtil.hasAccess(xService, null)).thenReturn(true);
RangerPolicy dbRangerPolicy = serviceDBStore.createPolicy(rangerPolicy);
Assert.assertNull(dbRangerPolicy);
Assert.assertEquals(Id, rangerPolicy.getId());
Mockito.verify(daoManager).getXXServiceDef();
Mockito.verify(policyService).create(rangerPolicy);
Mockito.verify(rangerAuditFields).populateAuditFields(Mockito.isA(XXPolicyItem.class), Mockito.isA(XXPolicy.class));
Mockito.verify(daoManager).getXXPolicyItem();
}
Also used :
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
VXString(org.apache.ranger.view.VXString)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
RangerService(org.apache.ranger.plugin.model.RangerService)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
Date(java.util.Date)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerPolicyItemCondition(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)
Test(org.junit.Test)
Example 4 with RangerPolicyResourceSignature
use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.
the class TestRangerPolicyValidator method testIsValid_failures.
@Test
public final void testIsValid_failures() throws Exception {
for (Action action : cu) {
// passing in a null policy should fail with appropriate failure reason
_policy = null;
checkFailure_isValid(action, "missing", "policy");
// policy must have a name on it
_policy = mock(RangerPolicy.class);
for (String name : new String[] { null, " " }) {
when(_policy.getName()).thenReturn(name);
when(_policy.getResources()).thenReturn(null);
checkFailure_isValid(action, "missing", "name");
}
// for update id is required!
if (action == Action.UPDATE) {
when(_policy.getId()).thenReturn(null);
checkFailure_isValid(action, "missing", "id");
}
}
/*
* Id is ignored for Create but name should not belong to an existing policy. For update, policy should exist for its id and should match its name.
*/
when(_policy.getName()).thenReturn("policy-name");
when(_policy.getService()).thenReturn("service-name");
RangerPolicy existingPolicy = mock(RangerPolicy.class);
when(existingPolicy.getId()).thenReturn(7L);
List<RangerPolicy> existingPolicies = new ArrayList<>();
existingPolicies.add(existingPolicy);
SearchFilter filter = new SearchFilter();
filter.setParam(SearchFilter.SERVICE_NAME, "service-name");
filter.setParam(SearchFilter.POLICY_NAME, "policy-name");
when(_store.getPolicies(filter)).thenReturn(existingPolicies);
checkFailure_isValid(Action.CREATE, "semantic", "policy name");
// update : does not exist for id
when(_policy.getId()).thenReturn(7L);
when(_store.getPolicy(7L)).thenReturn(null);
checkFailure_isValid(Action.UPDATE, "semantic", "id");
// Update: name should not point to an existing different policy, i.e. with a different id
when(_store.getPolicy(7L)).thenReturn(existingPolicy);
RangerPolicy anotherExistingPolicy = mock(RangerPolicy.class);
when(anotherExistingPolicy.getId()).thenReturn(8L);
existingPolicies.clear();
existingPolicies.add(anotherExistingPolicy);
when(_store.getPolicies(filter)).thenReturn(existingPolicies);
checkFailure_isValid(Action.UPDATE, "semantic", "id/name");
// more than one policies with same name is also an internal error
when(_policy.getName()).thenReturn("policy-name");
when(_store.getPolicies(filter)).thenReturn(existingPolicies);
existingPolicies.add(existingPolicy);
existingPolicy = mock(RangerPolicy.class);
existingPolicies.add(existingPolicy);
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, Action.UPDATE, isAdmin, _failures));
_utils.checkFailureForInternalError(_failures);
}
// policy must have service name on it and it should be valid
when(_policy.getName()).thenReturn("policy-name");
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
when(_policy.getService()).thenReturn("");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
}
}
// service name should be valid
when(_store.getServiceByName("service-name")).thenReturn(null);
when(_store.getServiceByName("another-service-name")).thenThrow(new Exception());
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
when(_policy.getService()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "service name");
when(_policy.getService()).thenReturn("service-name");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "service name");
when(_policy.getService()).thenReturn("another-service-name");
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "service name");
}
}
// policy must contain at least one policy item
List<RangerPolicyItem> policyItems = new ArrayList<>();
when(_policy.getService()).thenReturn("service-name");
RangerService service = mock(RangerService.class);
when(_store.getServiceByName("service-name")).thenReturn(service);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
// when it is null
when(_policy.getPolicyItems()).thenReturn(null);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "policy items");
// or when it is not null but empty.
when(_policy.getPolicyItems()).thenReturn(policyItems);
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForMissingValue(_failures, "policy items");
}
}
// these are known good policy items -- same as used above in happypath
policyItems = _utils.createPolicyItems(policyItemsData);
when(_policy.getPolicyItems()).thenReturn(policyItems);
// policy item check requires that service def should exist
when(service.getType()).thenReturn("service-type");
when(_store.getServiceDefByName("service-type")).thenReturn(null);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForInternalError(_failures, "policy service def");
}
}
// service-def should contain the right access types on it.
_serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes_bad, "service-type");
when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "policy item access type");
}
}
// create the right service def with right resource defs - this is the same as in the happypath test above.
_serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes, "service-type");
when(_store.getPolicies(filter)).thenReturn(null);
List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
when(_serviceDef.getResources()).thenReturn(resourceDefs);
when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
// one mandatory is missing (tbl) and one unknown resource is specified (extra), and values of option resource don't conform to validation pattern (col)
Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
when(_policy.getResources()).thenReturn(policyResources);
// ensure thta policy is kosher when it comes to resource signature
RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
when(signature.getSignature()).thenReturn("hash-1");
// store does not have any policies for that signature hash
when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
// for spurious resource: "extra"
_utils.checkFailureForSemanticError(_failures, "resource-values", "col");
// for specifying it as true when def did not allow it
_utils.checkFailureForSemanticError(_failures, "isRecursive", "db");
// for specifying it as true when def did not allow it
_utils.checkFailureForSemanticError(_failures, "isExcludes", "col");
}
}
// Check if error around resource signature clash are reported. have Store return policies for same signature
when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(existingPolicies);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
_failures.clear();
Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
_utils.checkFailureForSemanticError(_failures, "policy resources");
}
}
}
Also used :
Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
SearchFilter(org.apache.ranger.plugin.util.SearchFilter)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
RangerService(org.apache.ranger.plugin.model.RangerService)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Test(org.junit.Test)
Example 5 with RangerPolicyResourceSignature
use of org.apache.ranger.plugin.model.RangerPolicyResourceSignature in project ranger by apache.
the class TestRangerPolicyValidator method testIsValid_happyPath.
@Test
public final void testIsValid_happyPath() throws Exception {
// valid policy has valid non-empty name and service name
when(_policy.getService()).thenReturn("service-name");
// service name exists
RangerService service = mock(RangerService.class);
when(service.getType()).thenReturn("service-type");
when(_store.getServiceByName("service-name")).thenReturn(service);
// service points to a valid service-def
_serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
when(_serviceDef.getName()).thenReturn("service-type");
when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
// a matching policy should exist for create when checked by id and not exist when checked by name.
when(_store.getPolicy(7L)).thenReturn(null);
RangerPolicy existingPolicy = mock(RangerPolicy.class);
when(existingPolicy.getId()).thenReturn(8L);
when(existingPolicy.getService()).thenReturn("service-name");
when(_store.getPolicy(8L)).thenReturn(existingPolicy);
SearchFilter createFilter = new SearchFilter();
createFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
// this name would be used for create
createFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-1");
when(_store.getPolicies(createFilter)).thenReturn(new ArrayList<RangerPolicy>());
// a matching policy should not exist for update.
SearchFilter updateFilter = new SearchFilter();
updateFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
// this name would be used for update
updateFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-2");
List<RangerPolicy> existingPolicies = new ArrayList<>();
existingPolicies.add(existingPolicy);
when(_store.getPolicies(updateFilter)).thenReturn(existingPolicies);
// valid policy can have empty set of policy items if audit is turned on
// null value for audit is treated as audit on.
// for now we want to turn any resource related checking off
when(_policy.getResources()).thenReturn(null);
for (Action action : cu) {
for (Boolean auditEnabled : new Boolean[] { null, true }) {
for (boolean isAdmin : new boolean[] { true, false }) {
when(_policy.getIsAuditEnabled()).thenReturn(auditEnabled);
if (action == Action.CREATE) {
when(_policy.getId()).thenReturn(7L);
when(_policy.getName()).thenReturn("policy-name-1");
Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
Assert.assertTrue(_failures.isEmpty());
} else {
// update should work both when by-name is found or not, since nothing found by-name means name is being updated.
when(_policy.getId()).thenReturn(8L);
when(_policy.getName()).thenReturn("policy-name-1");
Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
Assert.assertTrue(_failures.isEmpty());
when(_policy.getName()).thenReturn("policy-name-2");
Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
Assert.assertTrue(_failures.isEmpty());
}
}
}
}
// if audit is disabled then policy should have policy items and all of them should be valid
List<RangerPolicyItem> policyItems = _utils.createPolicyItems(policyItemsData);
when(_policy.getPolicyItems()).thenReturn(policyItems);
when(_policy.getIsAuditEnabled()).thenReturn(false);
for (Action action : cu) {
for (boolean isAdmin : new boolean[] { true, false }) {
if (action == Action.CREATE) {
when(_policy.getId()).thenReturn(7L);
when(_policy.getName()).thenReturn("policy-name-1");
} else {
when(_policy.getId()).thenReturn(8L);
when(_policy.getName()).thenReturn("policy-name-2");
}
Assert.assertTrue("" + action, _validator.isValid(_policy, action, isAdmin, _failures));
Assert.assertTrue(_failures.isEmpty());
}
}
// above succeeded as service def did not have any resources on it, mandatory or otherwise.
// policy should have all mandatory resources specified, and they should conform to the validation pattern in resource definition
List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
when(_serviceDef.getResources()).thenReturn(resourceDefs);
Map<String, RangerPolicyResource> resourceMap = _utils.createPolicyResourceMap(policyResourceMap_good);
when(_policy.getResources()).thenReturn(resourceMap);
// let's add some other policies in the store for this service that have a different signature
// setup the signatures on the policies
RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
// setup the store to indicate that no other policy exists with matching signature
when(policySignature.getSignature()).thenReturn("hash-1");
when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
// we are reusing the same policies collection here -- which is fine
for (Action action : cu) {
if (action == Action.CREATE) {
when(_policy.getId()).thenReturn(7L);
when(_policy.getName()).thenReturn("policy-name-1");
} else {
when(_policy.getId()).thenReturn(8L);
when(_policy.getName()).thenReturn("policy-name-2");
}
// since policy resource has excludes admin privilages would be required
Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
Assert.assertTrue(_failures.isEmpty());
}
}
Also used :
Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
ArrayList(java.util.ArrayList)
SearchFilter(org.apache.ranger.plugin.util.SearchFilter)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature)
RangerService(org.apache.ranger.plugin.model.RangerService)
RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)
Test(org.junit.Test)
Aggregations
RangerPolicyResourceSignature (org.apache.ranger.plugin.model.RangerPolicyResourceSignature)7
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)6
Test (org.junit.Test)5
ArrayList (java.util.ArrayList)4
RangerService (org.apache.ranger.plugin.model.RangerService)4
RangerPolicyItem (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)3
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)3
Action (org.apache.ranger.plugin.model.validation.RangerValidator.Action)3
VXString (org.apache.ranger.view.VXString)3
Date (java.util.Date)2
RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)2
SearchFilter (org.apache.ranger.plugin.util.SearchFilter)2
HashMap (java.util.HashMap)1
ValidationErrorCode (org.apache.ranger.plugin.errors.ValidationErrorCode)1
RangerPolicyItemAccess (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)1
RangerPolicyItemCondition (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition)1
