
Example 11 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class RangerSecurityZoneValidator method validateAgainstAllSecurityZones.

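/**
 * Checks that the resources this zone claims for each of its services do not also fall inside
 * another security zone of the same service. Every problem found is appended to {@code failures};
 * the method reports rather than throws, so a malformed request cannot take the validator down.
 *
 * @param securityZone zone being created (id == -1) or updated (id of the persisted zone)
 * @param action       create/update; only used for logging in this method
 * @param failures     output list, appended to
 * @return true if this call recorded no failure
 */
private boolean validateAgainstAllSecurityZones(RangerSecurityZone securityZone, Action action, List<ValidationFailureDetails> failures) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.validateAgainstAllSecurityZones(%s, %s, %s)", securityZone, action, failures));
    }
    boolean ret = true;
    // On update (id != -1) the persisted name is used for the zone lookup, so a request that also
    // renames the zone is still compared against the other zones under its current name.
    String zoneName = securityZone.getName();
    Long zoneId = securityZone.getId();
    if (zoneId != null && zoneId != -1L) {
        RangerSecurityZone existingZone = getSecurityZone(zoneId);
        if (existingZone == null) {
            // An unknown id on update is a validation failure, not an NPE (the previous version
            // dereferenced existingZone unconditionally).
            ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
            failures.add(new ValidationFailureDetailsBuilder().field("id").becauseOf(error.getMessage("security-zone with id " + zoneId + " not found")).errorCode(error.getErrorCode()).build());
            ret = false;
        } else {
            zoneName = existingZone.getName();
        }
    }
    if (ret) {
        for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZone.getServices().entrySet()) {
            String serviceName = entry.getKey();
            RangerSecurityZone.RangerSecurityZoneService serviceResources = entry.getValue();
            // A service with no resources in this zone cannot overlap with anything.
            if (CollectionUtils.isNotEmpty(serviceResources.getResources())) {
                SearchFilter filter = new SearchFilter();
                List<RangerSecurityZone> zones = null;
                filter.setParam(SearchFilter.SERVICE_NAME, serviceName);
                filter.setParam(SearchFilter.ZONE_NAME, zoneName);
                try {
                    zones = securityZoneStore.getSecurityZones(filter);
                } catch (Exception excp) {
                    LOG.error("Failed to get Security-Zones", excp);
                    ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
                    failures.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(excp.getMessage())).errorCode(error.getErrorCode()).build());
                    ret = false;
                }
                if (CollectionUtils.isNotEmpty(zones)) {
                    RangerService service = getService(serviceName);
                    RangerServiceDef serviceDef = service != null ? getServiceDef(service.getType()) : null;
                    if (serviceDef == null) {
                        // Without the service-def the resource hierarchy is unknown and matching is impossible.
                        ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_INTERNAL_ERROR;
                        failures.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
                        ret = false;
                    } else {
                        // The zone under validation is added to the candidate list so its own resources are
                        // matched against the others. NOTE(review): this presumes the store's ZONE_NAME
                        // filter returns the *other* zones for this service — confirm against the store.
                        zones.add(securityZone);
                        // Evaluate first, then fold into ret, so every service is validated and all
                        // conflicts are reported in one pass (same idiom as RangerPolicyValidator.isValid).
                        ret = validateZoneServiceInAllZones(zones, serviceName, serviceDef, failures) && ret;
                    }
                }
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.validateAgainstAllSecurityZones(%s, %s, %s) : %s", securityZone, action, failures, ret));
    }
    return ret;
}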

Example 12 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class RangerPolicyValidator method isValid.

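/**
 * Validates a policy for CREATE or UPDATE, appending one {@link ValidationFailureDetails} per problem
 * to {@code failures} and returning whether the policy passed. Checks are not short-circuited, so
 * the caller receives the complete list of problems in a single pass.
 *
 * @param policy   policy under validation; null is itself reported as a failure
 * @param action   CREATE or UPDATE
 * @param isAdmin  forwarded to the resource and access-type checks
 * @param failures output list, appended to
 * @return true if this call recorded no failure
 * @throws IllegalArgumentException if {@code action} is neither CREATE nor UPDATE
 */
boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List<ValidationFailureDetails> failures) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.isValid(%s, %s, %s, %s)", policy, action, isAdmin, failures));
    }
    if (!(action == Action.CREATE || action == Action.UPDATE)) {
        throw new IllegalArgumentException("isValid(RangerPolicy, ...) is only supported for create/update");
    }
    boolean valid = true;
    if (policy == null) {
        ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_OBJECT;
        failures.add(new ValidationFailureDetailsBuilder().field("policy").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
        valid = false;
    } else {
        // Priority is optional; when present it must lie within [NORMAL, OVERRIDE].
        Integer priority = policy.getPolicyPriority();
        if (priority != null) {
            if (priority < RangerPolicy.POLICY_PRIORITY_NORMAL || priority > RangerPolicy.POLICY_PRIORITY_OVERRIDE) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_INVALID_PRIORITY;
                failures.add(new ValidationFailureDetailsBuilder().field("policyPriority").isSemanticallyIncorrect().becauseOf(error.getMessage("out of range")).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
        Long id = policy.getId();
        RangerPolicy existingPolicy = null;
        if (action == Action.UPDATE) {
            // id is ignored for CREATE
            if (id == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
                failures.add(new ValidationFailureDetailsBuilder().field("id").isMissing().becauseOf(error.getMessage("id")).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                // Only look up when there is an id to look up; a null id is already reported above.
                existingPolicy = getPolicy(id);
            }
            if (existingPolicy == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_POLICY_ID;
                failures.add(new ValidationFailureDetailsBuilder().field("id").isSemanticallyIncorrect().becauseOf(error.getMessage(id)).errorCode(error.getErrorCode()).build());
                valid = false;
            }
        }
        String policyName = policy.getName();
        String serviceName = policy.getService();
        String policyServicetype = policy.getServiceType();
        String zoneName = policy.getZoneName();
        RangerService service = null;
        RangerSecurityZone zone = null;
        boolean serviceNameValid = false;
        if (StringUtils.isBlank(serviceName)) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
            failures.add(new ValidationFailureDetailsBuilder().field("service name").isMissing().becauseOf(error.getMessage("service name")).errorCode(error.getErrorCode()).build());
            valid = false;
        } else {
            service = getService(serviceName);
            if (service == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_SERVICE_NAME;
                failures.add(new ValidationFailureDetailsBuilder().field("service name").isSemanticallyIncorrect().becauseOf(error.getMessage(serviceName)).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                serviceNameValid = true;
                String serviceType = service.getType();
                // serviceType on the policy is optional; when given it must agree with the service.
                if (StringUtils.isNotEmpty(serviceType) && StringUtils.isNotEmpty(policyServicetype)) {
                    if (!serviceType.equalsIgnoreCase(policyServicetype)) {
                        ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_INVALID_SERVICE_TYPE;
                        failures.add(new ValidationFailureDetailsBuilder().field("service type").isSemanticallyIncorrect().becauseOf(error.getMessage(policyServicetype, serviceName)).errorCode(error.getErrorCode()).build());
                        valid = false;
                    }
                }
            }
        }
        if (StringUtils.isNotEmpty(zoneName)) {
            zone = getSecurityZone(zoneName);
            if (zone == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NONEXISTANT_ZONE_NAME;
                failures.add(new ValidationFailureDetailsBuilder().field("zoneName").isSemanticallyIncorrect().becauseOf(error.getMessage(id, zoneName)).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                // A zoned policy may only target a service (or tag service) that belongs to that zone.
                // The association check lives in this else-branch: the previous version dereferenced
                // zone right after the null check and threw NPE for an unknown zone name, so a caller
                // got a 500 instead of the validation failure recorded above.
                List<String> tagSvcList = zone.getTagServices();
                boolean inZoneServices = zone.getServices() != null && zone.getServices().containsKey(serviceName);
                boolean inZoneTagServices = tagSvcList != null && tagSvcList.contains(serviceName);
                if (!inZoneServices && !inZoneTagServices) {
                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE;
                    failures.add(new ValidationFailureDetailsBuilder().field("zoneName").isSemanticallyIncorrect().becauseOf(error.getMessage(serviceName, zoneName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                }
            }
        }
        if (StringUtils.isBlank(policyName)) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_FIELD;
            failures.add(new ValidationFailureDetailsBuilder().field("name").isMissing().becauseOf(error.getMessage("name")).errorCode(error.getErrorCode()).build());
            valid = false;
        } else {
            // Name uniqueness is scoped per (service, zone); unzoned policies use the reserved unzoned id.
            if (service != null && (StringUtils.isEmpty(zoneName) || zone != null)) {
                Long zoneId = zone != null ? zone.getId() : RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID;
                Long policyId = getPolicyId(service.getId(), policyName, zoneId);
                if (policyId != null) {
                    if (action == Action.CREATE) {
                        ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT;
                        failures.add(new ValidationFailureDetailsBuilder().field("policy name").isSemanticallyIncorrect().becauseOf(error.getMessage(policyId, serviceName)).errorCode(error.getErrorCode()).build());
                        valid = false;
                    } else if (!policyId.equals(id)) {
                        // action == UPDATE: the name may belong to this very policy, but not to another one
                        ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_NAME_CONFLICT;
                        failures.add(new ValidationFailureDetailsBuilder().field("id/name").isSemanticallyIncorrect().becauseOf(error.getMessage(policyId, serviceName)).errorCode(error.getErrorCode()).build());
                        valid = false;
                    }
                }
            }
        }
        if (existingPolicy != null) {
            // On update, service, policy type and zone are immutable.
            if (!StringUtils.equalsIgnoreCase(existingPolicy.getService(), policy.getService())) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED;
                failures.add(new ValidationFailureDetailsBuilder().field("service name").isSemanticallyIncorrect().becauseOf(error.getMessage(policy.getId(), existingPolicy.getService(), policy.getService())).errorCode(error.getErrorCode()).build());
                valid = false;
            }
            int existingPolicyType = existingPolicy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : existingPolicy.getPolicyType();
            int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
            if (existingPolicyType != policyType) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED;
                failures.add(new ValidationFailureDetailsBuilder().field("policy type").isSemanticallyIncorrect().becauseOf(error.getMessage(policy.getId(), existingPolicyType, policyType)).errorCode(error.getErrorCode()).build());
                valid = false;
            }
            String existingZoneName = existingPolicy.getZoneName();
            if (StringUtils.isNotEmpty(zoneName) || StringUtils.isNotEmpty(existingZoneName)) {
                if (!StringUtils.equals(existingZoneName, zoneName)) {
                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_UPDATE_ZONE_NAME_NOT_ALLOWED;
                    failures.add(new ValidationFailureDetailsBuilder().field("zoneName").isSemanticallyIncorrect().becauseOf(error.getMessage(existingZoneName, zoneName)).errorCode(error.getErrorCode()).build());
                    valid = false;
                }
            }
        }
        boolean isAuditEnabled = getIsAuditEnabled(policy);
        String serviceDefName = null;
        RangerServiceDef serviceDef = null;
        int policyItemsCount = 0;
        // A null policy type is treated as an access policy throughout.
        int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
        switch(policyType) {
            case RangerPolicy.POLICY_TYPE_DATAMASK:
                if (CollectionUtils.isNotEmpty(policy.getDataMaskPolicyItems())) {
                    policyItemsCount += policy.getDataMaskPolicyItems().size();
                }
                break;
            case RangerPolicy.POLICY_TYPE_ROWFILTER:
                if (CollectionUtils.isNotEmpty(policy.getRowFilterPolicyItems())) {
                    policyItemsCount += policy.getRowFilterPolicyItems().size();
                }
                break;
            default:
                if (CollectionUtils.isNotEmpty(policy.getPolicyItems())) {
                    policyItemsCount += policy.getPolicyItems().size();
                }
                if (CollectionUtils.isNotEmpty(policy.getDenyPolicyItems())) {
                    policyItemsCount += policy.getDenyPolicyItems().size();
                }
                break;
        }
        // A policy with no items is only acceptable as an audit-only policy.
        if (policyItemsCount == 0 && !isAuditEnabled) {
            ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_POLICY_ITEMS;
            failures.add(new ValidationFailureDetailsBuilder().field("policy items").isMissing().becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
            valid = false;
        } else if (service != null) {
            serviceDefName = service.getType();
            serviceDef = getServiceDef(serviceDefName);
            if (serviceDef == null) {
                ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_SERVICE_DEF;
                failures.add(new ValidationFailureDetailsBuilder().field("policy service def").isAnInternalError().becauseOf(error.getMessage(serviceDefName, serviceName)).errorCode(error.getErrorCode()).build());
                valid = false;
            } else {
                // denyAllElse already denies everything not explicitly allowed; explicit deny items are
                // contradictory with it and are rejected.
                if (Boolean.TRUE.equals(policy.getIsDenyAllElse())) {
                    if (CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()) || CollectionUtils.isNotEmpty(policy.getDenyExceptions())) {
                        ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_UNSUPPORTED_POLICY_ITEM_TYPE;
                        failures.add(new ValidationFailureDetailsBuilder().field("policy items").becauseOf(error.getMessage()).errorCode(error.getErrorCode()).build());
                        valid = false;
                    }
                }
                valid = isValidPolicyItems(policy.getPolicyItems(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getDenyPolicyItems(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getAllowExceptions(), failures, serviceDef) && valid;
                valid = isValidPolicyItems(policy.getDenyExceptions(), failures, serviceDef) && valid;
            }
        }
        if (serviceNameValid) {
            // resource checks can't be done meaningfully otherwise
            valid = isValidValiditySchedule(policy, failures, action) && valid;
            valid = isValidResources(policy, failures, action, isAdmin, serviceDef) && valid;
            valid = isValidAccessTypeDef(policy, failures, action, isAdmin, serviceDef) && valid;
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.isValid(%s, %s, %s, %s): %s", policy, action, isAdmin, failures, valid));
    }
    return valid;
}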

Example 13 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class RangerSecurityZoneValidator method validateZoneServiceInAllZones.

/**
 * Detects resources of {@code serviceName} that are claimed by more than one zone in {@code zones}.
 * Every resource of every zone is matched against every zone's resources (including its own zone);
 * a resource that is matched by two or more distinct zone names is recorded as a conflict.
 *
 * @param zones       all zones that define resources for this service, including the one under validation
 * @param serviceName service whose resources are compared; every zone in {@code zones} is expected to
 *                    have an entry for it (a zone without one would NPE on the lookup below)
 * @param serviceDef  service definition supplying the resource hierarchy and matcher options
 * @param failures    output list, appended to
 * @return true if no conflict was found
 */
private boolean validateZoneServiceInAllZones(List<RangerSecurityZone> zones, String serviceName, RangerServiceDef serviceDef, List<ValidationFailureDetails> failures) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerPolicyValidator.validateZoneServiceInAllZones(%s, %s, %s, %s)", zones, serviceName, serviceDef, failures));
    }
    boolean ret = true;
    // For each zone, get list-of-resources corresponding to serviceName.
    // For each list-of-resources:
    // get one resource (this is a map of <String, List<String>>); convert it into map of <String, RangerPolicyResource>. excludes is always false, recursive true only for HDFS
    // build a subclass of RangerPolicyResourceEvaluator with id of zone, zoneName as a member, and RangerDefaultResourceMatcher as matcher.
    // add this to list-of-evaluators
    // Phase 1: one RangerZoneResourceMatcher per (zone, resource), indexed by every resource-def name
    // that resource mentions, so a per-level trie can be built in phase 2.
    Map<String, List<RangerZoneResourceMatcher>> matchersForResourceDef = new HashMap<>();
    for (RangerSecurityZone zone : zones) {
        List<HashMap<String, List<String>>> resources = zone.getServices().get(serviceName).getResources();
        for (Map<String, List<String>> resource : resources) {
            Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>();
            for (Map.Entry<String, List<String>> entry : resource.entrySet()) {
                String resourceDefName = entry.getKey();
                List<String> resourceValues = entry.getValue();
                RangerPolicy.RangerPolicyResource policyResource = new RangerPolicy.RangerPolicyResource();
                policyResource.setIsExcludes(false);
                // Recursiveness comes from the service-def (per the comment above, true only for HDFS-style defs).
                policyResource.setIsRecursive(EmbeddedServiceDefsUtil.isRecursiveEnabled(serviceDef, resourceDefName));
                policyResource.setValues(resourceValues);
                policyResources.put(resourceDefName, policyResource);
                if (matchersForResourceDef.get(resourceDefName) == null) {
                    matchersForResourceDef.put(resourceDefName, new ArrayList<>());
                }
            }
            RangerZoneResourceMatcher matcher = new RangerZoneResourceMatcher(zone.getName(), policyResources, serviceDef);
            for (String resourceDefName : resource.keySet()) {
                matchersForResourceDef.get(resourceDefName).add(matcher);
            }
        }
    }
    // Build a map of trie with list-of-evaluators with one entry corresponds to one resource-def if it exists in the list-of-resources
    // Phase 2: one trie per resource-def name seen in phase 1.
    Map<String, RangerResourceTrie<RangerZoneResourceMatcher>> trieMap = new HashMap<>();
    List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
    for (Map.Entry<String, List<RangerZoneResourceMatcher>> entry : matchersForResourceDef.entrySet()) {
        String resourceDefName = entry.getKey();
        List<RangerZoneResourceMatcher> matchers = entry.getValue();
        RangerServiceDef.RangerResourceDef resourceDef = null;
        for (RangerServiceDef.RangerResourceDef element : resourceDefs) {
            if (StringUtils.equals(element.getName(), resourceDefName)) {
                resourceDef = element;
                break;
            }
        }
        // NOTE(review): resourceDef stays null when a zone names a resource that the service-def does not
        // define; the trie is then built with a null def instead of this being reported as a failure — confirm
        // whether the trie tolerates that, otherwise an explicit validation failure here would be safer.
        trieMap.put(entry.getKey(), new RangerResourceTrie<>(resourceDef, matchers));
    }
    // For each zone, get list-of-resources corresponding to serviceName
    // For each list-of-resources:
    // get one resource; for each level in the resource, run it through map of trie and get possible evaluators.
    // check each evaluator to see if the resource-match actually happens. If yes then add the zone-evaluator to matching evaluators.
    // flag error if there are more than one matching evaluators with different zone-ids.
    // 
    // Phase 3: for every resource, narrow the candidate matchers level by level (intersection across
    // levels of "direct ∪ inherited" candidates), then confirm each survivor with a real match.
    RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef, true);
    for (RangerSecurityZone zone : zones) {
        List<HashMap<String, List<String>>> resources = zone.getServices().get(serviceName).getResources();
        for (Map<String, List<String>> resource : resources) {
            // Running intersection of candidates across resource levels; null until the first level is seen.
            Set<RangerZoneResourceMatcher> smallestList = null;
            // Levels are visited in hierarchy order (e.g. database before table).
            List<String> resourceKeys = serviceDefHelper.getOrderedResourceNames(resource.keySet());
            for (String resourceDefName : resourceKeys) {
                List<String> resourceValues = resource.get(resourceDefName);
                RangerResourceTrie<RangerZoneResourceMatcher> trie = trieMap.get(resourceDefName);
                Set<RangerZoneResourceMatcher> zoneMatchersForResource = trie.getEvaluatorsForResource(resourceValues);
                Set<RangerZoneResourceMatcher> inheritedZoneMatchers = trie.getInheritedEvaluators();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("ResourceDefName:[" + resourceDefName + "], values:[" + resourceValues + "], matched-zones:[" + zoneMatchersForResource + "], inherited-zones:[" + inheritedZoneMatchers + "]");
                }
                if (smallestList != null) {
                    // Subsequent level: smallestList := smallestList ∩ (direct ∪ inherited).
                    // retainAll mutates smallestList, which is safe because a multi-level resource always
                    // starts from a private HashSet copy (see the first-level branch below).
                    if (CollectionUtils.isEmpty(inheritedZoneMatchers) && CollectionUtils.isEmpty(zoneMatchersForResource)) {
                        smallestList = null;
                    } else if (CollectionUtils.isEmpty(inheritedZoneMatchers)) {
                        smallestList.retainAll(zoneMatchersForResource);
                    } else if (CollectionUtils.isEmpty(zoneMatchersForResource)) {
                        smallestList.retainAll(inheritedZoneMatchers);
                    } else {
                        // Both sets non-empty: iterate over the smaller side of each pair to keep the
                        // intersection cheap; the result is still smallestList ∩ (smaller ∪ bigger).
                        Set<RangerZoneResourceMatcher> smaller, bigger;
                        if (zoneMatchersForResource.size() < inheritedZoneMatchers.size()) {
                            smaller = zoneMatchersForResource;
                            bigger = inheritedZoneMatchers;
                        } else {
                            smaller = inheritedZoneMatchers;
                            bigger = zoneMatchersForResource;
                        }
                        Set<RangerZoneResourceMatcher> tmp = new HashSet<>();
                        if (smallestList.size() < smaller.size()) {
                            smallestList.stream().filter(smaller::contains).forEach(tmp::add);
                            smallestList.stream().filter(bigger::contains).forEach(tmp::add);
                        } else {
                            smaller.stream().filter(smallestList::contains).forEach(tmp::add);
                            if (smallestList.size() < bigger.size()) {
                                smallestList.stream().filter(bigger::contains).forEach(tmp::add);
                            } else {
                                bigger.stream().filter(smallestList::contains).forEach(tmp::add);
                            }
                        }
                        smallestList = tmp;
                    }
                } else {
                    // First level: candidates are direct ∪ inherited. The trie's own set is reused only when
                    // no further level will mutate it (single-level resource or empty set); otherwise copy.
                    if (CollectionUtils.isEmpty(inheritedZoneMatchers) || CollectionUtils.isEmpty(zoneMatchersForResource)) {
                        Set<RangerZoneResourceMatcher> tmp = CollectionUtils.isEmpty(inheritedZoneMatchers) ? zoneMatchersForResource : inheritedZoneMatchers;
                        smallestList = resourceKeys.size() == 1 || CollectionUtils.isEmpty(tmp) ? tmp : new HashSet<>(tmp);
                    } else {
                        smallestList = new HashSet<>(zoneMatchersForResource);
                        smallestList.addAll(inheritedZoneMatchers);
                    }
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Resource:[" + resource + "], matched-zones:[" + smallestList + "]");
            }
            // A single candidate can only be this resource's own zone; nothing to check.
            if (CollectionUtils.isEmpty(smallestList) || smallestList.size() == 1) {
                continue;
            }
            final Set<RangerZoneResourceMatcher> intersection = smallestList;
            RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl();
            accessResource.setServiceDef(serviceDef);
            for (Map.Entry<String, List<String>> entry : resource.entrySet()) {
                accessResource.setValue(entry.getKey(), entry.getValue());
            }
            // Distinct zone names that really match; the same zone may contribute several matchers.
            Set<String> matchedZoneNames = new HashSet<>();
            for (RangerZoneResourceMatcher zoneMatcher : intersection) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Trying to match resource:[" + accessResource + "] using zoneMatcher:[" + zoneMatcher + "]");
                }
                // These are potential matches. Try to really match them
                if (zoneMatcher.getPolicyResourceMatcher().isMatch(accessResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Matched resource:[" + accessResource + "] using zoneMatcher:[" + zoneMatcher + "]");
                    }
                    // Actual match happened
                    matchedZoneNames.add(zoneMatcher.getSecurityZoneName());
                } else {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Did not match resource:[" + accessResource + "] using zoneMatcher:[" + zoneMatcher + "]");
                    }
                }
            }
            LOG.info("The following zone-names matched resource:[" + resource + "]: " + matchedZoneNames);
            if (matchedZoneNames.size() > 1) {
                ValidationErrorCode error = ValidationErrorCode.SECURITY_ZONE_VALIDATION_ERR_ZONE_RESOURCE_CONFLICT;
                failures.add(new ValidationFailureDetailsBuilder().becauseOf(error.getMessage(matchedZoneNames, resource)).errorCode(error.getErrorCode()).build());
                ret = false;
                // Stops at the first conflicting resource of this zone only; the outer zone loop continues,
                // so later zones can still add their own conflict entries to failures.
                break;
            }
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("<== RangerPolicyValidator.validateZoneServiceInAllZones(%s, %s, %s, %s) : %s", zones, serviceName, serviceDef, failures, ret));
    }
    return ret;
}

Example 14 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class TestXUserMgr method test125DeleteXUser.

/**
 * Verifies that deleting a user that is still referenced elsewhere is refused with a
 * WebApplicationException (restErrorUtil is stubbed to throw on any generated REST error).
 *
 * NOTE(review): thrown.expect() is armed before two deleteXUser() calls (force=true, then
 * force=false). Whichever call throws first ends the test, so the test cannot tell which of the
 * two paths produced the exception and the second call only runs if the first one returns
 * normally. Splitting this into one test per force value would make the assertion unambiguous.
 */
@Test
public void test125DeleteXUser() {
    destroySession();
    setup();
    boolean force = true;
    VXUser vXUser = vxUser();
    XXUser xXUser = new XXUser();
    XXUserDao xXUserDao = Mockito.mock(XXUserDao.class);
    Mockito.when(daoManager.getXXUser()).thenReturn(xXUserDao);
    Mockito.when(xXUserDao.getById(vXUser.getId())).thenReturn(xXUser);
    Mockito.when(xUserService.populateViewBean(xXUser)).thenReturn(vXUser);
    // NOTE(review): the perm-map, audit-map, auth-session, user-permission, portal-user-role, policy,
    // role-ref and role fixtures below are built but never wired into a DAO stub, so as far as this
    // method shows they do not influence deleteXUser(); they may be leftovers from a copied test.
    VXPermMapList vXPermMapList = new VXPermMapList();
    VXPermMap vXPermMap1 = getVXPermMap();
    List<VXPermMap> vXPermMaps = new ArrayList<VXPermMap>();
    vXPermMaps.add(vXPermMap1);
    vXPermMapList.setVXPermMaps(vXPermMaps);
    VXAuditMapList vXAuditMapList = new VXAuditMapList();
    List<VXAuditMap> vXAuditMaps = new ArrayList<VXAuditMap>();
    VXAuditMap vXAuditMap = getVXAuditMap();
    vXAuditMaps.add(vXAuditMap);
    vXAuditMapList.setVXAuditMaps(vXAuditMaps);
    VXPortalUser vXPortalUser = userProfile();
    XXPortalUser xXPortalUser = xxPortalUser(vXPortalUser);
    XXPortalUserDao xXPortalUserDao = Mockito.mock(XXPortalUserDao.class);
    Mockito.when(daoManager.getXXPortalUser()).thenReturn(xXPortalUserDao);
    Mockito.when(xXPortalUserDao.findByLoginId(vXUser.getName().trim())).thenReturn(xXPortalUser);
    Mockito.when(xPortalUserService.populateViewBean(xXPortalUser)).thenReturn(vXPortalUser);
    XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
    XXPortalUserRole.setId(userId);
    XXPortalUserRole.setUserId(userId);
    XXPortalUserRole.setUserRole("ROLE_USER");
    List<XXAuthSession> xXAuthSessions = new ArrayList<XXAuthSession>();
    XXAuthSession xXAuthSession = new XXAuthSession();
    xXAuthSession.setId(userId);
    xXAuthSession.setLoginId(vXPortalUser.getLoginId());
    xXAuthSessions.add(xXAuthSession);
    List<XXUserPermission> xXUserPermissions = new ArrayList<XXUserPermission>();
    xXUserPermissions.add(xxUserPermission());
    List<XXPortalUserRole> xXPortalUserRoles = new ArrayList<XXPortalUserRole>();
    xXPortalUserRoles.add(XXPortalUserRole);
    List<XXPolicy> xXPolicyList = new ArrayList<XXPolicy>();
    XXPolicy xXPolicy = getXXPolicy();
    xXPolicyList.add(xXPolicy);
    // The user is registered as an admin of security zone 2; this is the one reference that IS
    // wired into the DAO mocks (zoneSecRefUserDao / xXSecurityZoneDao below).
    XXSecurityZoneRefUser xZoneAdminUser = new XXSecurityZoneRefUser();
    xZoneAdminUser.setZoneId(2L);
    xZoneAdminUser.setUserId(userId);
    xZoneAdminUser.setUserName(vXUser.getName());
    xZoneAdminUser.setUserType(1);
    List<XXSecurityZoneRefUser> zoneSecRefUser = new ArrayList<XXSecurityZoneRefUser>();
    zoneSecRefUser.add(xZoneAdminUser);
    XXSecurityZoneRefUserDao zoneSecRefUserDao = Mockito.mock(XXSecurityZoneRefUserDao.class);
    Mockito.when(daoManager.getXXSecurityZoneRefUser()).thenReturn(zoneSecRefUserDao);
    Mockito.when(zoneSecRefUserDao.findByUserId(userId)).thenReturn(zoneSecRefUser);
    // The RangerSecurityZone model object is not referenced again; only the XXSecurityZone entity is stubbed.
    RangerSecurityZone securityZone = new RangerSecurityZone();
    securityZone.setId(2L);
    securityZone.setName("sz1");
    XXSecurityZone xxSecurityZone = new XXSecurityZone();
    xxSecurityZone.setId(2L);
    xxSecurityZone.setName("sz1");
    XXSecurityZoneDao xXSecurityZoneDao = Mockito.mock(XXSecurityZoneDao.class);
    Mockito.when(daoManager.getXXSecurityZoneDao()).thenReturn(xXSecurityZoneDao);
    Mockito.when(xXSecurityZoneDao.getById(xZoneAdminUser.getZoneId())).thenReturn(xxSecurityZone);
    List<XXRoleRefUser> roleRefUser = new ArrayList<XXRoleRefUser>();
    XXRoleRefUser xRoleRefUser = new XXRoleRefUser();
    xRoleRefUser.setRoleId(userId);
    xRoleRefUser.setUserId(userId);
    xRoleRefUser.setUserName(vXUser.getName().trim());
    xRoleRefUser.setUserType(0);
    roleRefUser.add(xRoleRefUser);
    XXRole xRole = new XXRole();
    xRole.setId(userId);
    xRole.setName("Role1");
    // vXResponse documents the expected error, but the stub below matches any VXResponse, so the
    // status code and message are not actually asserted.
    VXResponse vXResponse = new VXResponse();
    vXResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
    vXResponse.setMsgDesc("Can Not Delete User '" + vXUser.getName().trim() + "' as its present in " + RangerConstants.ROLE_FIELD);
    Mockito.when(restErrorUtil.generateRESTException((VXResponse) Mockito.any())).thenThrow(new WebApplicationException());
    thrown.expect(WebApplicationException.class);
    xUserMgr.deleteXUser(vXUser.getId(), force);
    // Only reached if the force=true call did not throw (see class comment).
    force = false;
    xUserMgr.deleteXUser(vXUser.getId(), force);
}

Example 15 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class TestSecurityZoneREST method createRangerSecurityZone.

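/**
 * Builds a test fixture zone "testzone1" whose single service "test_service_1" claims two
 * "resource_path" values, with "testuser"/"testgroup" as admin and audit users and groups.
 *
 * @return a fresh, fully populated zone; every collection on it is a separate mutable list, so a
 *         test that mutates one field cannot accidentally change another
 */
private RangerSecurityZone createRangerSecurityZone() {
    String testZone1 = "testzone1";
    // Diamond instead of raw ArrayList: the raw form compiled with unchecked warnings.
    List<String> testZone1ResoursesList = new ArrayList<>(Arrays.asList("/path/to/resource1", "/path/to/resource2"));
    List<String> userGroupList = new ArrayList<>(Arrays.asList("testuser", "testgroup"));
    RangerSecurityZone zone = new RangerSecurityZone();
    zone.setName(testZone1);
    // Each setter gets its own copy; the previous version handed the same list instance to all four,
    // so mutating e.g. adminUsers in a test would silently change auditUsers too.
    zone.setAdminUserGroups(new ArrayList<>(userGroupList));
    zone.setAdminUsers(new ArrayList<>(userGroupList));
    zone.setAuditUserGroups(new ArrayList<>(userGroupList));
    zone.setAuditUsers(new ArrayList<>(userGroupList));
    Map<String, RangerSecurityZoneService> services = new HashMap<>();
    List<HashMap<String, List<String>>> resources = new ArrayList<>();
    HashMap<String, List<String>> resource = new HashMap<>();
    resource.put("resource_path", testZone1ResoursesList);
    resources.add(resource);
    RangerSecurityZoneService zoneService = new RangerSecurityZoneService();
    zoneService.setResources(resources);
    services.put("test_service_1", zoneService);
    zone.setServices(services);
    return zone;
}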
