Example 36 with RangerRole
use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.
the class TestPolicyEngine method runTests.
private void runTests(InputStreamReader reader, String testName) {
PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);
ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setPolicyVersion(100L);
servicePolicies.setServiceName(testCase.serviceName);
servicePolicies.setServiceDef(testCase.serviceDef);
servicePolicies.setPolicies(testCase.policies);
servicePolicies.setSecurityZones(testCase.securityZones);
servicePolicies.setServiceConfig(testCase.serviceConfig);
if (StringUtils.isNotBlank(testCase.auditMode)) {
servicePolicies.setAuditMode(testCase.auditMode);
}
if (null != testCase.tagPolicyInfo) {
ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
tagPolicies.setServiceConfig(testCase.tagPolicyInfo.serviceConfig);
if (StringUtils.isNotBlank(testCase.auditMode)) {
tagPolicies.setAuditMode(testCase.auditMode);
}
servicePolicies.setTagPolicies(tagPolicies);
}
boolean useForwardedIPAddress = pluginContext.getConfig().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
String trustedProxyAddressString = pluginContext.getConfig().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
if (trustedProxyAddresses != null) {
for (int i = 0; i < trustedProxyAddresses.length; i++) {
trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
}
}
RangerRoles roles = new RangerRoles();
roles.setServiceName(testCase.serviceName);
roles.setRoleVersion(-1L);
Set<RangerRole> rolesSet = new HashSet<>();
Map<String, Set<String>> userRoleMapping = testCase.userRoles;
Map<String, Set<String>> groupRoleMapping = testCase.groupRoles;
Map<String, Set<String>> roleRoleMapping = testCase.roleRoles;
if (userRoleMapping != null) {
for (Map.Entry<String, Set<String>> userRole : userRoleMapping.entrySet()) {
String user = userRole.getKey();
Set<String> userRoles = userRole.getValue();
RangerRole.RoleMember userRoleMember = new RangerRole.RoleMember(user, true);
List<RangerRole.RoleMember> userRoleMembers = Arrays.asList(userRoleMember);
for (String usrRole : userRoles) {
RangerRole rangerUserRole = new RangerRole(usrRole, usrRole, null, userRoleMembers, null);
rolesSet.add(rangerUserRole);
}
}
}
if (groupRoleMapping != null) {
for (Map.Entry<String, Set<String>> groupRole : groupRoleMapping.entrySet()) {
String group = groupRole.getKey();
Set<String> groupRoles = groupRole.getValue();
RangerRole.RoleMember groupRoleMember = new RangerRole.RoleMember(group, true);
List<RangerRole.RoleMember> groupRoleMembers = Arrays.asList(groupRoleMember);
for (String grpRole : groupRoles) {
RangerRole rangerGroupRole = new RangerRole(grpRole, grpRole, null, null, groupRoleMembers);
rolesSet.add(rangerGroupRole);
}
}
}
if (roleRoleMapping != null) {
for (Map.Entry<String, Set<String>> roleRole : roleRoleMapping.entrySet()) {
String role = roleRole.getKey();
Set<String> roleRoles = roleRole.getValue();
RangerRole.RoleMember roleRoleMember = new RangerRole.RoleMember(role, true);
List<RangerRole.RoleMember> roleRoleMembers = Arrays.asList(roleRoleMember);
for (String rleRole : roleRoles) {
RangerRole rangerRoleRole = new RangerRole(rleRole, rleRole, null, null, null, roleRoleMembers);
rolesSet.add(rangerRoleRole);
}
}
}
roles.setRangerRoles(rolesSet);
RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions();
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
setPluginConfig(pluginContext.getConfig(), ".super.users", testCase.superUsers);
setPluginConfig(pluginContext.getConfig(), ".super.groups", testCase.superGroups);
setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", testCase.auditExcludedUsers);
setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", testCase.auditExcludedGroups);
setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", testCase.auditExcludedRoles);
// so that setSuperUsersAndGroups(), setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
new RangerBasePlugin(pluginContext.getConfig());
RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;
RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.tests);
if (testCase.updatedPolicies != null) {
servicePolicies.setPolicyDeltas(testCase.updatedPolicies.policyDeltas);
servicePolicies.setSecurityZones(testCase.updatedPolicies.securityZones);
RangerPolicyEngine updatedPolicyEngine = RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
RangerPolicyEngine updatedPolicyEngineForEvaluatingWithACLs = RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies);
runTestCaseTests(updatedPolicyEngine, updatedPolicyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.updatedTests);
}
}
Also used :
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
RangerRoles(org.apache.ranger.plugin.util.RangerRoles)
Set(java.util.Set)
HashSet(java.util.HashSet)
RangerBasePlugin(org.apache.ranger.plugin.service.RangerBasePlugin)
RangerRole(org.apache.ranger.plugin.model.RangerRole)
Map(java.util.Map)
HashSet(java.util.HashSet)
Example 37 with RangerRole
use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.
the class TestPolicyEngineForDeltas method runTests.
private void runTests(InputStreamReader reader, String testName) {
PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.testsInfo != null && testCase.testsInfo.tests != null);
ServicePolicies servicePolicies = new ServicePolicies();
servicePolicies.setPolicyVersion(100L);
servicePolicies.setServiceName(testCase.serviceName);
servicePolicies.setServiceDef(testCase.serviceDef);
servicePolicies.setPolicies(testCase.policies);
servicePolicies.setSecurityZones(testCase.securityZones);
servicePolicies.setServiceConfig(testCase.serviceConfig);
if (StringUtils.isNotBlank(testCase.auditMode)) {
servicePolicies.setAuditMode(testCase.auditMode);
}
if (null != testCase.tagPolicyInfo) {
ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
tagPolicies.setServiceConfig(testCase.tagPolicyInfo.serviceConfig);
if (StringUtils.isNotBlank(testCase.auditMode)) {
tagPolicies.setAuditMode(testCase.auditMode);
}
servicePolicies.setTagPolicies(tagPolicies);
}
boolean useForwardedIPAddress = pluginContext.getConfig().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
String trustedProxyAddressString = pluginContext.getConfig().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');
if (trustedProxyAddresses != null) {
for (int i = 0; i < trustedProxyAddresses.length; i++) {
trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
}
}
RangerRoles roles = new RangerRoles();
roles.setServiceName(testCase.serviceName);
roles.setRoleVersion(-1L);
Set<RangerRole> rolesSet = new HashSet<>();
Map<String, Set<String>> userRoleMapping = testCase.userRoles;
Map<String, Set<String>> groupRoleMapping = testCase.groupRoles;
Map<String, Set<String>> roleRoleMapping = testCase.roleRoles;
if (userRoleMapping != null) {
for (Map.Entry<String, Set<String>> userRole : userRoleMapping.entrySet()) {
String user = userRole.getKey();
Set<String> userRoles = userRole.getValue();
RangerRole.RoleMember userRoleMember = new RangerRole.RoleMember(user, true);
List<RangerRole.RoleMember> userRoleMembers = Arrays.asList(userRoleMember);
for (String usrRole : userRoles) {
RangerRole rangerUserRole = new RangerRole(usrRole, usrRole, null, userRoleMembers, null);
rolesSet.add(rangerUserRole);
}
}
}
if (groupRoleMapping != null) {
for (Map.Entry<String, Set<String>> groupRole : groupRoleMapping.entrySet()) {
String group = groupRole.getKey();
Set<String> groupRoles = groupRole.getValue();
RangerRole.RoleMember groupRoleMember = new RangerRole.RoleMember(group, true);
List<RangerRole.RoleMember> groupRoleMembers = Arrays.asList(groupRoleMember);
for (String grpRole : groupRoles) {
RangerRole rangerGroupRole = new RangerRole(grpRole, grpRole, null, null, groupRoleMembers);
rolesSet.add(rangerGroupRole);
}
}
}
if (roleRoleMapping != null) {
for (Map.Entry<String, Set<String>> roleRole : roleRoleMapping.entrySet()) {
String role = roleRole.getKey();
Set<String> roleRoles = roleRole.getValue();
RangerRole.RoleMember roleRoleMember = new RangerRole.RoleMember(role, true);
List<RangerRole.RoleMember> roleRoleMembers = Arrays.asList(roleRoleMember);
for (String rleRole : roleRoles) {
RangerRole rangerRoleRole = new RangerRole(rleRole, rleRole, null, null, null, roleRoleMembers);
rolesSet.add(rangerRoleRole);
}
}
}
roles.setRangerRoles(rolesSet);
RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions();
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
setPluginConfig(pluginContext.getConfig(), ".super.users", testCase.superUsers);
setPluginConfig(pluginContext.getConfig(), ".super.groups", testCase.superGroups);
setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", testCase.auditExcludedUsers);
setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", testCase.auditExcludedGroups);
setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", testCase.auditExcludedRoles);
// so that setSuperUsersAndGroups(), setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
new RangerBasePlugin(pluginContext.getConfig());
RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;
RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
PolicyEngineTestCase.TestsInfo testsInfo = testCase.testsInfo;
do {
runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testsInfo.tests);
if (testsInfo.updatedPolicies != null && CollectionUtils.isNotEmpty(testsInfo.updatedPolicies.policyDeltas)) {
servicePolicies.setPolicyDeltas(testsInfo.updatedPolicies.policyDeltas);
servicePolicies.setPolicies(null);
if (MapUtils.isNotEmpty(testsInfo.updatedPolicies.securityZones)) {
servicePolicies.setSecurityZones(testsInfo.updatedPolicies.securityZones);
}
policyEngine = (RangerPolicyEngineImpl) RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
policyEngineForEvaluatingWithACLs = (RangerPolicyEngineImpl) RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies);
if (policyEngine != null && policyEngineForEvaluatingWithACLs != null) {
testsInfo = testsInfo.updatedTestsInfo;
} else {
testsInfo = null;
}
} else {
testsInfo = null;
}
} while (testsInfo != null && testsInfo.tests != null);
}
Also used :
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
RangerRoles(org.apache.ranger.plugin.util.RangerRoles)
HashSet(java.util.HashSet)
Set(java.util.Set)
RangerBasePlugin(org.apache.ranger.plugin.service.RangerBasePlugin)
RangerRole(org.apache.ranger.plugin.model.RangerRole)
Map(java.util.Map)
HashSet(java.util.HashSet)
Aggregations
RangerRole (org.apache.ranger.plugin.model.RangerRole)37
Predicate (org.apache.commons.collections.Predicate)7
ArrayList (java.util.ArrayList)6
HashSet (java.util.HashSet)5
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)5
IOException (java.io.IOException)4
SemanticException (org.apache.hadoop.hive.ql.parse.SemanticException)4
HiveAccessControlException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException)4
HiveAuthzPluginException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException)4
RESTResponse (org.apache.ranger.admin.client.datatype.RESTResponse)4
RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult)4
RangerRoles (org.apache.ranger.plugin.util.RangerRoles)4
UserSessionBase (org.apache.ranger.common.UserSessionBase)3
Gson (com.google.gson.Gson)2
GsonBuilder (com.google.gson.GsonBuilder)2
ClientResponse (com.sun.jersey.api.client.ClientResponse)2
UnsupportedEncodingException (java.io.UnsupportedEncodingException)2
PrivilegedAction (java.security.PrivilegedAction)2
HashMap (java.util.HashMap)2
Map (java.util.Map)2
