
Example 36 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

From the class TestPolicyEngine, method runTests.

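/**
 * Loads one policy-engine test case from {@code reader}, builds the {@link ServicePolicies} and
 * {@link RangerRoles} it describes, and evaluates its tests against two engines: one with access
 * evaluation via policy-ACL summaries disabled, one with it enabled. When the test case carries
 * updated policies (deltas and/or security zones), both engines are re-derived from them and the
 * updated tests are evaluated as well.
 *
 * @param reader   JSON source for a {@code PolicyEngineTestCase}; the caller owns and closes it
 * @param testName label used in assertion messages
 * @throws AssertionError when the input lacks a service definition, policies or tests, or when an
 *                        updated engine could not be derived from the updated policies
 */
private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);

    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null);

    ServicePolicies servicePolicies = toServicePolicies(testCase);
    RangerRoles     roles           = toRangerRoles(testCase);

    // Client-address handling under test: whether the engine reads the caller address from
    // X-Forwarded-For, and the proxy addresses whose forwarded value is accepted (presumably only
    // those are honoured — confirm against RangerPolicyEngineImpl). Both come from the plugin
    // config rather than from the test-case JSON.
    boolean  useForwardedIPAddress = pluginContext.getConfig().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String[] trustedProxyAddresses = splitTrustedProxyAddresses(pluginContext.getConfig().get("ranger.plugin.hive.trusted.proxy.ipaddresses"));

    RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions();

    // Order matters: the options flag and the plugin-config entries below are in place before the
    // RangerBasePlugin is constructed and before the first engine is built.
    policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;

    // Push the test case's super-user/group and audit-exclusion lists into the plugin config.
    setPluginConfig(pluginContext.getConfig(), ".super.users", testCase.superUsers);
    setPluginConfig(pluginContext.getConfig(), ".super.groups", testCase.superGroups);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", testCase.auditExcludedUsers);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", testCase.auditExcludedGroups);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", testCase.auditExcludedRoles);

    // so that setSuperUsersAndGroups(), setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
    new RangerBasePlugin(pluginContext.getConfig());

    RangerPolicyEngineImpl policyEngine = newPolicyEngine(servicePolicies, roles, useForwardedIPAddress, trustedProxyAddresses);

    policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;

    RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = newPolicyEngine(servicePolicies, roles, useForwardedIPAddress, trustedProxyAddresses);

    runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.tests);

    if (testCase.updatedPolicies != null) {
        servicePolicies.setPolicyDeltas(testCase.updatedPolicies.policyDeltas);
        servicePolicies.setSecurityZones(testCase.updatedPolicies.securityZones);

        RangerPolicyEngine updatedPolicyEngine                       = RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
        RangerPolicyEngine updatedPolicyEngineForEvaluatingWithACLs = RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies);

        // Report a failed engine update as an explicit test failure instead of handing a null engine
        // to runTestCaseTests; TestPolicyEngineForDeltas checks the same condition.
        assertTrue("failed to apply updated policies: " + testName, updatedPolicyEngine != null && updatedPolicyEngineForEvaluatingWithACLs != null);

        runTestCaseTests(updatedPolicyEngine, updatedPolicyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.updatedTests);
    }
}

/** Builds the {@link ServicePolicies} (with tag policies, when the test case has them) described by {@code testCase}. */
private static ServicePolicies toServicePolicies(PolicyEngineTestCase testCase) {
    ServicePolicies servicePolicies = new ServicePolicies();

    servicePolicies.setPolicyVersion(100L);
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    servicePolicies.setSecurityZones(testCase.securityZones);
    servicePolicies.setServiceConfig(testCase.serviceConfig);

    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }

    if (testCase.tagPolicyInfo != null) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();

        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        tagPolicies.setServiceConfig(testCase.tagPolicyInfo.serviceConfig);

        // Tag policies take the test case's audit mode; there is no separate tag audit mode.
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            tagPolicies.setAuditMode(testCase.auditMode);
        }

        servicePolicies.setTagPolicies(tagPolicies);
    }

    return servicePolicies;
}

/**
 * Splits a ';'-separated proxy address list into trimmed entries.
 *
 * @return the trimmed entries, or {@code null} when {@code StringUtils.split} yields none
 */
private static String[] splitTrustedProxyAddresses(String trustedProxyAddressString) {
    String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');

    if (trustedProxyAddresses != null) {
        for (int i = 0; i < trustedProxyAddresses.length; i++) {
            trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
        }
    }

    return trustedProxyAddresses;
}

/**
 * Builds the {@link RangerRoles} for {@code testCase}: one role per role name in the
 * user/group/role mappings, each with the mapped principal as its sole member. A role version
 * of -1 is used, as in the original test setup.
 */
private static RangerRoles toRangerRoles(PolicyEngineTestCase testCase) {
    Set<RangerRole> rolesSet = new HashSet<>();

    addRoles(rolesSet, testCase.userRoles, RoleMemberKind.USER);
    addRoles(rolesSet, testCase.groupRoles, RoleMemberKind.GROUP);
    addRoles(rolesSet, testCase.roleRoles, RoleMemberKind.ROLE);

    RangerRoles roles = new RangerRoles();

    roles.setServiceName(testCase.serviceName);
    roles.setRoleVersion(-1L);
    roles.setRangerRoles(rolesSet);

    return roles;
}

/** Which member slot of a {@link RangerRole} a mapping's principals populate. */
private enum RoleMemberKind { USER, GROUP, ROLE }

/**
 * Adds one role per role name in {@code mapping} (principal name → role names) to {@code into},
 * with that principal as the role's only member. A null mapping contributes nothing; an entry
 * whose role-name set is null is skipped rather than failing the whole test.
 */
private static void addRoles(Set<RangerRole> into, Map<String, Set<String>> mapping, RoleMemberKind kind) {
    if (mapping == null) {
        return;
    }

    for (Map.Entry<String, Set<String>> entry : mapping.entrySet()) {
        Set<String> roleNames = entry.getValue();

        if (roleNames == null) {
            continue;
        }

        // NOTE(review): the second RoleMember argument is passed as true for every member here,
        // matching the original setup; its meaning is not visible from this file.
        List<RangerRole.RoleMember> members = Arrays.asList(new RangerRole.RoleMember(entry.getKey(), true));

        for (String roleName : roleNames) {
            into.add(newRole(roleName, members, kind));
        }
    }
}

/** Creates a role named and described by {@code roleName} whose {@code members} occupy the slot selected by {@code kind}. */
private static RangerRole newRole(String roleName, List<RangerRole.RoleMember> members, RoleMemberKind kind) {
    switch (kind) {
        case USER:
            return new RangerRole(roleName, roleName, null, members, null);
        case GROUP:
            return new RangerRole(roleName, roleName, null, null, members);
        case ROLE:
            return new RangerRole(roleName, roleName, null, null, null, members);
        default:
            throw new IllegalArgumentException("unknown role member kind: " + kind);
    }
}

/** Creates an engine over {@code servicePolicies} and {@code roles} using the current plugin context, with the given client-address settings applied. */
private RangerPolicyEngineImpl newPolicyEngine(ServicePolicies servicePolicies, RangerRoles roles, boolean useForwardedIPAddress, String[] trustedProxyAddresses) {
    RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);

    policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
    policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);

    return policyEngine;
}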

Example 37 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

From the class TestPolicyEngineForDeltas, method runTests.

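/**
 * Loads one policy-engine test case from {@code reader}, builds the {@link ServicePolicies} and
 * {@link RangerRoles} it describes, and evaluates its tests against two engines: one with access
 * evaluation via policy-ACL summaries disabled, one with it enabled. Test rounds are chained:
 * after each round, the round's policy deltas (if any) are folded into both engines and the
 * round's updated tests are evaluated next, until a round without deltas or tests is reached.
 *
 * @param reader   JSON source for a {@code PolicyEngineTestCase}; the caller owns and closes it
 * @param testName label used in assertion messages
 * @throws AssertionError when the input lacks a service definition, policies or first-round tests
 */
private void runTests(InputStreamReader reader, String testName) {
    PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);

    assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.testsInfo != null && testCase.testsInfo.tests != null);

    ServicePolicies servicePolicies = toServicePolicies(testCase);
    RangerRoles     roles           = toRangerRoles(testCase);

    // Client-address handling under test: whether the engine reads the caller address from
    // X-Forwarded-For, and the proxy addresses whose forwarded value is accepted (presumably only
    // those are honoured — confirm against RangerPolicyEngineImpl). Both come from the plugin
    // config rather than from the test-case JSON.
    boolean  useForwardedIPAddress = pluginContext.getConfig().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
    String[] trustedProxyAddresses = splitTrustedProxyAddresses(pluginContext.getConfig().get("ranger.plugin.hive.trusted.proxy.ipaddresses"));

    RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions();

    // Order matters: the options flag and the plugin-config entries below are in place before the
    // RangerBasePlugin is constructed and before the first engine is built.
    policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;

    // Push the test case's super-user/group and audit-exclusion lists into the plugin config.
    setPluginConfig(pluginContext.getConfig(), ".super.users", testCase.superUsers);
    setPluginConfig(pluginContext.getConfig(), ".super.groups", testCase.superGroups);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.users", testCase.auditExcludedUsers);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.groups", testCase.auditExcludedGroups);
    setPluginConfig(pluginContext.getConfig(), ".audit.exclude.roles", testCase.auditExcludedRoles);

    // so that setSuperUsersAndGroups(), setAuditExcludedUsersGroupsRoles() will be called on the pluginConfig
    new RangerBasePlugin(pluginContext.getConfig());

    RangerPolicyEngineImpl policyEngine = newPolicyEngine(servicePolicies, roles, useForwardedIPAddress, trustedProxyAddresses);

    policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;

    RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = newPolicyEngine(servicePolicies, roles, useForwardedIPAddress, trustedProxyAddresses);

    PolicyEngineTestCase.TestsInfo testsInfo = testCase.testsInfo;

    // The assertion above guarantees the first round has tests, so a plain while-loop is equivalent
    // to the original do/while.
    while (testsInfo != null && testsInfo.tests != null) {
        runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testsInfo.tests);

        boolean hasDeltas = testsInfo.updatedPolicies != null && CollectionUtils.isNotEmpty(testsInfo.updatedPolicies.policyDeltas);

        if (!hasDeltas) {
            break;
        }

        // Deltas replace the full policy list for the update; security zones are only replaced
        // when the round supplies some.
        servicePolicies.setPolicyDeltas(testsInfo.updatedPolicies.policyDeltas);
        servicePolicies.setPolicies(null);

        if (MapUtils.isNotEmpty(testsInfo.updatedPolicies.securityZones)) {
            servicePolicies.setSecurityZones(testsInfo.updatedPolicies.securityZones);
        }

        policyEngine                      = (RangerPolicyEngineImpl) RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
        policyEngineForEvaluatingWithACLs = (RangerPolicyEngineImpl) RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies);

        // NOTE(review): a null engine here ends the run quietly rather than failing the test;
        // if deltas are always expected to apply, an assertTrue on both engines would surface that.
        if (policyEngine == null || policyEngineForEvaluatingWithACLs == null) {
            break;
        }

        testsInfo = testsInfo.updatedTestsInfo;
    }
}

/** Builds the {@link ServicePolicies} (with tag policies, when the test case has them) described by {@code testCase}. */
private static ServicePolicies toServicePolicies(PolicyEngineTestCase testCase) {
    ServicePolicies servicePolicies = new ServicePolicies();

    servicePolicies.setPolicyVersion(100L);
    servicePolicies.setServiceName(testCase.serviceName);
    servicePolicies.setServiceDef(testCase.serviceDef);
    servicePolicies.setPolicies(testCase.policies);
    servicePolicies.setSecurityZones(testCase.securityZones);
    servicePolicies.setServiceConfig(testCase.serviceConfig);

    if (StringUtils.isNotBlank(testCase.auditMode)) {
        servicePolicies.setAuditMode(testCase.auditMode);
    }

    if (testCase.tagPolicyInfo != null) {
        ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();

        tagPolicies.setServiceName(testCase.tagPolicyInfo.serviceName);
        tagPolicies.setServiceDef(testCase.tagPolicyInfo.serviceDef);
        tagPolicies.setPolicies(testCase.tagPolicyInfo.tagPolicies);
        tagPolicies.setServiceConfig(testCase.tagPolicyInfo.serviceConfig);

        // Tag policies take the test case's audit mode; there is no separate tag audit mode.
        if (StringUtils.isNotBlank(testCase.auditMode)) {
            tagPolicies.setAuditMode(testCase.auditMode);
        }

        servicePolicies.setTagPolicies(tagPolicies);
    }

    return servicePolicies;
}

/**
 * Splits a ';'-separated proxy address list into trimmed entries.
 *
 * @return the trimmed entries, or {@code null} when {@code StringUtils.split} yields none
 */
private static String[] splitTrustedProxyAddresses(String trustedProxyAddressString) {
    String[] trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, ';');

    if (trustedProxyAddresses != null) {
        for (int i = 0; i < trustedProxyAddresses.length; i++) {
            trustedProxyAddresses[i] = trustedProxyAddresses[i].trim();
        }
    }

    return trustedProxyAddresses;
}

/**
 * Builds the {@link RangerRoles} for {@code testCase}: one role per role name in the
 * user/group/role mappings, each with the mapped principal as its sole member. A role version
 * of -1 is used, as in the original test setup.
 */
private static RangerRoles toRangerRoles(PolicyEngineTestCase testCase) {
    Set<RangerRole> rolesSet = new HashSet<>();

    addRoles(rolesSet, testCase.userRoles, RoleMemberKind.USER);
    addRoles(rolesSet, testCase.groupRoles, RoleMemberKind.GROUP);
    addRoles(rolesSet, testCase.roleRoles, RoleMemberKind.ROLE);

    RangerRoles roles = new RangerRoles();

    roles.setServiceName(testCase.serviceName);
    roles.setRoleVersion(-1L);
    roles.setRangerRoles(rolesSet);

    return roles;
}

/** Which member slot of a {@link RangerRole} a mapping's principals populate. */
private enum RoleMemberKind { USER, GROUP, ROLE }

/**
 * Adds one role per role name in {@code mapping} (principal name → role names) to {@code into},
 * with that principal as the role's only member. A null mapping contributes nothing; an entry
 * whose role-name set is null is skipped rather than failing the whole test.
 */
private static void addRoles(Set<RangerRole> into, Map<String, Set<String>> mapping, RoleMemberKind kind) {
    if (mapping == null) {
        return;
    }

    for (Map.Entry<String, Set<String>> entry : mapping.entrySet()) {
        Set<String> roleNames = entry.getValue();

        if (roleNames == null) {
            continue;
        }

        // NOTE(review): the second RoleMember argument is passed as true for every member here,
        // matching the original setup; its meaning is not visible from this file.
        List<RangerRole.RoleMember> members = Arrays.asList(new RangerRole.RoleMember(entry.getKey(), true));

        for (String roleName : roleNames) {
            into.add(newRole(roleName, members, kind));
        }
    }
}

/** Creates a role named and described by {@code roleName} whose {@code members} occupy the slot selected by {@code kind}. */
private static RangerRole newRole(String roleName, List<RangerRole.RoleMember> members, RoleMemberKind kind) {
    switch (kind) {
        case USER:
            return new RangerRole(roleName, roleName, null, members, null);
        case GROUP:
            return new RangerRole(roleName, roleName, null, null, members);
        case ROLE:
            return new RangerRole(roleName, roleName, null, null, null, members);
        default:
            throw new IllegalArgumentException("unknown role member kind: " + kind);
    }
}

/** Creates an engine over {@code servicePolicies} and {@code roles} using the current plugin context, with the given client-address settings applied. */
private RangerPolicyEngineImpl newPolicyEngine(ServicePolicies servicePolicies, RangerRoles roles, boolean useForwardedIPAddress, String[] trustedProxyAddresses) {
    RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);

    policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
    policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);

    return policyEngine;
}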
