
Example 36 with RangerResourceDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_happyPath.

@Test
public final void testIsValid_happyPath() throws Exception {
    // --- Service lookup: the policy names a service the store can resolve. ---
    when(_policy.getService()).thenReturn("service-name");
    RangerService knownService = mock(RangerService.class);
    when(knownService.getType()).thenReturn("service-type");
    when(_store.getServiceByName("service-name")).thenReturn(knownService);

    // --- Service-def lookup: the service's type maps to a service-def with access types. ---
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
    when(_serviceDef.getName()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);

    // --- Policy lookups by id: id 7 (used for create) is absent, id 8 (used for update) is present. ---
    when(_store.getPolicy(7L)).thenReturn(null);
    RangerPolicy storedPolicy = mock(RangerPolicy.class);
    when(storedPolicy.getId()).thenReturn(8L);
    when(storedPolicy.getService()).thenReturn("service-name");
    when(_store.getPolicy(8L)).thenReturn(storedPolicy);

    // --- Policy lookups by name: "policy-name-1" matches nothing, "policy-name-2" matches the stored policy. ---
    SearchFilter byCreateName = new SearchFilter();
    byCreateName.setParam(SearchFilter.SERVICE_TYPE, "service-type");
    byCreateName.setParam(SearchFilter.POLICY_NAME, "policy-name-1");
    when(_store.getPolicies(byCreateName)).thenReturn(new ArrayList<RangerPolicy>());

    SearchFilter byUpdateName = new SearchFilter();
    byUpdateName.setParam(SearchFilter.SERVICE_TYPE, "service-type");
    byUpdateName.setParam(SearchFilter.POLICY_NAME, "policy-name-2");
    List<RangerPolicy> storedByName = new ArrayList<>();
    storedByName.add(storedPolicy);
    when(_store.getPolicies(byUpdateName)).thenReturn(storedByName);

    // Phase 1: with auditing on (null counts as on) a policy may carry no policy items.
    // Resource-related checks are switched off for now by returning no resources.
    when(_policy.getResources()).thenReturn(null);
    for (Action action : cu) {
        final boolean creating = action == Action.CREATE;
        for (Boolean auditFlag : new Boolean[] { null, true }) {
            for (boolean asAdmin : new boolean[] { true, false }) {
                final String label = "" + action + ", " + auditFlag;
                when(_policy.getIsAuditEnabled()).thenReturn(auditFlag);
                when(_policy.getId()).thenReturn(creating ? 7L : 8L);
                when(_policy.getName()).thenReturn("policy-name-1");
                Assert.assertTrue(label, _validator.isValid(_policy, action, asAdmin, _failures));
                Assert.assertTrue(_failures.isEmpty());
                if (!creating) {
                    // An update must pass whether or not the by-name lookup finds something:
                    // nothing found by name means the policy is being renamed.
                    when(_policy.getName()).thenReturn("policy-name-2");
                    Assert.assertTrue(label, _validator.isValid(_policy, action, asAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                }
            }
        }
    }

    // Phase 2: with auditing off the policy must carry policy items, all of them valid.
    List<RangerPolicyItem> items = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(items);
    when(_policy.getIsAuditEnabled()).thenReturn(false);
    for (Action action : cu) {
        final boolean creating = action == Action.CREATE;
        for (boolean asAdmin : new boolean[] { true, false }) {
            when(_policy.getId()).thenReturn(creating ? 7L : 8L);
            when(_policy.getName()).thenReturn(creating ? "policy-name-1" : "policy-name-2");
            Assert.assertTrue("" + action, _validator.isValid(_policy, action, asAdmin, _failures));
            Assert.assertTrue(_failures.isEmpty());
        }
    }

    // Phase 3: everything above passed because the service-def declared no resources at all.
    // Now the service-def declares resources, and the policy supplies a resource map that
    // names every mandatory resource and conforms to each definition's validation pattern.
    List<RangerResourceDef> declaredResources = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(declaredResources);
    Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_good);
    when(_policy.getResources()).thenReturn(policyResources);

    // The store reports no other policy with the same resource signature for this service.
    RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
    when(signature.getSignature()).thenReturn("hash-1");
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);

    // The policy collections stubbed earlier are reused as-is.
    for (Action action : cu) {
        final boolean creating = action == Action.CREATE;
        when(_policy.getId()).thenReturn(creating ? 7L : 8L);
        when(_policy.getName()).thenReturn(creating ? "policy-name-1" : "policy-name-2");
        // The policy resource has excludes, so admin privileges are required; only the
        // admin path is exercised here.
        // NOTE(review): the non-admin rejection for a resource with excludes is not asserted
        // in this method -- confirm it is covered by a separate negative test.
        Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
        Assert.assertTrue(_failures.isEmpty());
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 37 with RangerResourceDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.

the class TestRangerServiceDefHelper method test_isResourceGraphValid_forest_singleNodeTrees.

@Test
public final void test_isResourceGraphValid_forest_singleNodeTrees() {
    /*
     * Build a service-def whose resource graph is a forest:
     *
     *   Database
     *
     *   Server
     *
     *   Namespace -> package
     *       |
     *       v
     *     function
     *
     * Verify that the helper reports every hierarchy, with its levels in the right order.
     */
    RangerResourceDef databaseDef = createResourceDef("database", "");
    RangerResourceDef serverDef = createResourceDef("server", "");
    RangerResourceDef namespaceDef = createResourceDef("namespace", "");
    RangerResourceDef functionDef = createResourceDef("function", "namespace", true);
    RangerResourceDef packageDef = createResourceDef("package", "namespace", true);
    List<RangerResourceDef> allDefs = Lists.newArrayList(databaseDef, serverDef, namespaceDef, functionDef, packageDef);
    when(_serviceDef.getResources()).thenReturn(allDefs);

    _helper = new RangerServiceDefHelper(_serviceDef);
    assertTrue(_helper.isResourceGraphValid());

    // Hierarchies still waiting to be seen, expressed as ordered resource names.
    Set<List<String>> pending = new HashSet<>();
    pending.add(Lists.newArrayList("database"));
    pending.add(Lists.newArrayList("server"));
    pending.add(Lists.newArrayList("namespace", "package"));
    pending.add(Lists.newArrayList("namespace", "function"));

    Set<List<RangerResourceDef>> reported = _helper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS);
    for (List<RangerResourceDef> path : reported) {
        // remove() returns true only for a hierarchy that was expected and not yet seen,
        // so an unexpected hierarchy fails the test here.
        assertTrue(pending.remove(_helper.getAllResourceNamesOrdered(path)));
    }
    // Anything left over is a hierarchy the helper failed to report.
    assertTrue("Missing hierarchies: " + pending, pending.isEmpty());
}
Also used : List(java.util.List) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 38 with RangerResourceDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.

the class TestRangerServiceDefHelper method test_getResourceHierarchies_with_leaf_specification.

@Test
public void test_getResourceHierarchies_with_leaf_specification() {
    /*
     * Leaf specification per resource:
     *      Database:        non-leaf
     *      UDF:             not specified
     *      Table:           leaf
     *      Column:          leaf
     *      Table-Attribute: leaf
     *
     * Resource graph of the service-def:
     *
     *   Database -> UDF
     *       |
     *       v
     *      Table -> Column
     *         |
     *         v
     *        Table-Attribute
     *
     * Hierarchies it contains:
     *  - [ Database UDF ]
     *  - [ Database Table Column ]
     *  - [ Database Table ]
     *  - [ Database Table Table-Attribute ]
     */
    RangerResourceDef databaseDef = createResourceDef("Database", "", false);
    RangerResourceDef udfDef = createResourceDef("UDF", "Database");
    RangerResourceDef tableDef = createResourceDef("Table", "Database", true);
    RangerResourceDef columnDef = createResourceDef("Column", "Table", true);
    RangerResourceDef tableAttributeDef = createResourceDef("Table-Attribute", "Table", true);

    // The list is deliberately not in graph order: ordering of the input must not matter.
    List<RangerResourceDef> allDefs = Lists.newArrayList(columnDef, databaseDef, tableDef, tableAttributeDef, udfDef);
    when(_serviceDef.getResources()).thenReturn(allDefs);

    _helper = new RangerServiceDefHelper(_serviceDef);
    assertTrue(_helper.isResourceGraphValid());
    Set<List<RangerResourceDef>> reported = _helper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS);

    // Every hierarchy listed above must be reported.
    assertTrue(reported.contains(Lists.newArrayList(databaseDef, udfDef)));
    assertTrue(reported.contains(Lists.newArrayList(databaseDef, tableDef, columnDef)));
    assertTrue(reported.contains(Lists.newArrayList(databaseDef, tableDef, tableAttributeDef)));
    assertTrue(reported.contains(Lists.newArrayList(databaseDef, tableDef)));
    // Database was created as a non-leaf, so it must not appear as a hierarchy on its own.
    assertFalse(reported.contains(Lists.newArrayList(databaseDef)));
}
Also used : List(java.util.List) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 39 with RangerResourceDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.

the class TestRangerServiceDefHelper method createResourceDef.

/**
 * Builds a mocked resource definition for the resource-graph tests.
 *
 * @param name        value the mock returns from {@code getName()}
 * @param parent      value the mock returns from {@code getParent()}
 * @param isValidLeaf value the mock returns from {@code getIsValidLeaf()}; passed through as given
 * @return the stubbed {@code RangerResourceDef} mock
 */
RangerResourceDef createResourceDef(String name, String parent, Boolean isValidLeaf) {
    final RangerResourceDef stubbedDef = mock(RangerResourceDef.class);
    when(stubbedDef.getName()).thenReturn(name);
    when(stubbedDef.getParent()).thenReturn(parent);
    when(stubbedDef.getIsValidLeaf()).thenReturn(isValidLeaf);
    return stubbedDef;
}
Also used : RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)

Example 40 with RangerResourceDef

use of org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef in project ranger by apache.

the class TestRangerServiceDefHelper method test_invalid_resourceHierarchies_with_leaf_specification.

@Test
public void test_invalid_resourceHierarchies_with_leaf_specification() {
    /*
     * Leaf specification per resource:
     *      Database:        non-leaf
     *      UDF:             not specified
     *      Table:           leaf
     *      Column:          non-leaf
     *      Table-Attribute: leaf
     *
     * Resource graph of the service-def:
     *
     *   Database -> UDF
     *       |
     *       v
     *      Table -> Column
     *         |
     *         v
     *        Table-Attribute
     *
     * The graph must be rejected because the hierarchy is invalid
     * ("Error in path: sink node:[Column] is not leaf node").
     */
    RangerResourceDef databaseDef = createResourceDef("Database", "", false);
    RangerResourceDef udfDef = createResourceDef("UDF", "Database");
    RangerResourceDef tableDef = createResourceDef("Table", "Database", true);
    // Column ends a path in the graph but is declared as a non-leaf.
    RangerResourceDef columnDef = createResourceDef("Column", "Table", false);
    RangerResourceDef tableAttributeDef = createResourceDef("Table-Attribute", "Table", true);

    // The list is deliberately not in graph order: ordering of the input must not matter.
    List<RangerResourceDef> allDefs = Lists.newArrayList(columnDef, databaseDef, tableDef, tableAttributeDef, udfDef);
    when(_serviceDef.getResources()).thenReturn(allDefs);

    _helper = new RangerServiceDefHelper(_serviceDef);
    assertFalse(_helper.isResourceGraphValid());
}
Also used : RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)
