Example 1 with DataMaskResult
use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult in project ranger by apache.
the class TestPolicyACLs method runTests.
private void runTests(InputStreamReader reader, String testName) throws Exception {
PolicyACLsTests testCases = gsonBuilder.fromJson(reader, PolicyACLsTests.class);
assertTrue("invalid input: " + testName, testCases != null && testCases.testCases != null);
for (PolicyACLsTests.TestCase testCase : testCases.testCases) {
String serviceType = testCase.servicePolicies.getServiceDef().getName();
RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
RangerPluginContext pluginContext = new RangerPluginContext(new RangerPluginConfig(serviceType, null, "test-policy-acls", "cl1", "on-prem", policyEngineOptions));
RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testCase.servicePolicies, pluginContext, null);
for (PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
if (oneTest == null) {
continue;
}
RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
RangerResourceACLs acls = policyEngine.getResourceACLs(request);
boolean userACLsMatched = true, groupACLsMatched = true, roleACLsMatched = true, rowFiltersMatched = true, dataMaskingMatched = true;
if (MapUtils.isNotEmpty(acls.getUserACLs()) && MapUtils.isNotEmpty(oneTest.userPermissions)) {
for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : acls.getUserACLs().entrySet()) {
String userName = entry.getKey();
Map<String, RangerResourceACLs.AccessResult> expected = oneTest.userPermissions.get(userName);
if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
// Compare
for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
continue;
}
RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
if (expectedResult == null) {
userACLsMatched = false;
break;
} else if (!expectedResult.equals(privilege.getValue())) {
userACLsMatched = false;
break;
}
}
} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))) {
Set<String> privileges = entry.getValue().keySet();
if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
userACLsMatched = true;
} else {
userACLsMatched = false;
}
break;
}
if (!userACLsMatched) {
break;
}
}
} else if (!(MapUtils.isEmpty(acls.getUserACLs()) && MapUtils.isEmpty(oneTest.userPermissions))) {
userACLsMatched = false;
}
if (acls.getDataMasks().isEmpty()) {
dataMaskingMatched = (oneTest.dataMasks == null || oneTest.dataMasks.isEmpty());
} else if (acls.getDataMasks().size() != (oneTest.dataMasks == null ? 0 : oneTest.dataMasks.size())) {
dataMaskingMatched = false;
} else {
for (int i = 0; i < acls.getDataMasks().size(); i++) {
DataMaskResult found = acls.getDataMasks().get(i);
DataMaskResult expected = oneTest.dataMasks.get(i);
dataMaskingMatched = found.equals(expected);
if (!dataMaskingMatched) {
break;
}
}
}
if (acls.getRowFilters().isEmpty()) {
rowFiltersMatched = (oneTest.rowFilters == null || oneTest.rowFilters.isEmpty());
} else if (acls.getRowFilters().size() != (oneTest.rowFilters == null ? 0 : oneTest.rowFilters.size())) {
rowFiltersMatched = false;
} else {
for (int i = 0; i < acls.getRowFilters().size(); i++) {
RowFilterResult found = acls.getRowFilters().get(i);
RowFilterResult expected = oneTest.rowFilters.get(i);
rowFiltersMatched = found.equals(expected);
if (!rowFiltersMatched) {
break;
}
}
}
if (MapUtils.isNotEmpty(acls.getGroupACLs()) && MapUtils.isNotEmpty(oneTest.groupPermissions)) {
for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : acls.getGroupACLs().entrySet()) {
String groupName = entry.getKey();
Map<String, RangerResourceACLs.AccessResult> expected = oneTest.groupPermissions.get(groupName);
if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
// Compare
for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
continue;
}
RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
if (expectedResult == null) {
groupACLsMatched = false;
break;
} else if (!expectedResult.equals(privilege.getValue())) {
groupACLsMatched = false;
break;
}
}
} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))) {
Set<String> privileges = entry.getValue().keySet();
if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
groupACLsMatched = true;
} else {
groupACLsMatched = false;
}
break;
}
if (!groupACLsMatched) {
break;
}
}
} else if (!(MapUtils.isEmpty(acls.getGroupACLs()) && MapUtils.isEmpty(oneTest.groupPermissions))) {
groupACLsMatched = false;
}
if (MapUtils.isNotEmpty(acls.getRoleACLs()) && MapUtils.isNotEmpty(oneTest.rolePermissions)) {
for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : acls.getRoleACLs().entrySet()) {
String roleName = entry.getKey();
Map<String, RangerResourceACLs.AccessResult> expected = oneTest.rolePermissions.get(roleName);
if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
// Compare
for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
continue;
}
RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
if (expectedResult == null) {
roleACLsMatched = false;
break;
} else if (!expectedResult.equals(privilege.getValue())) {
roleACLsMatched = false;
break;
}
}
} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))) {
Set<String> privileges = entry.getValue().keySet();
if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
roleACLsMatched = true;
} else {
roleACLsMatched = false;
}
break;
}
if (!roleACLsMatched) {
break;
}
}
} else if (!(MapUtils.isEmpty(acls.getRoleACLs()) && MapUtils.isEmpty(oneTest.rolePermissions))) {
roleACLsMatched = false;
}
assertTrue("getResourceACLs() failed! " + testCase.name + ":" + oneTest.name, userACLsMatched && groupACLsMatched && roleACLsMatched && rowFiltersMatched && dataMaskingMatched);
}
}
}
Also used :
RangerPluginConfig(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig)
Set(java.util.Set)
RowFilterResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult)
DataMaskResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult)
Map(java.util.Map)
Example 2 with DataMaskResult
use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult in project ranger by apache.
the class RangerPolicyEngineImpl method copyDataMask.
private DataMaskResult copyDataMask(DataMaskResult dataMask) {
DataMaskResult ret = new DataMaskResult(copyStrings(dataMask.getUsers()), copyStrings(dataMask.getGroups()), copyStrings(dataMask.getRoles()), copyStrings(dataMask.getAccessTypes()), new RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo()));
ret.setIsConditional(dataMask.getIsConditional());
return ret;
}
Also used :
DataMaskResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult)
RangerPolicyItemDataMaskInfo(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo)
Example 3 with DataMaskResult
use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult in project ranger by apache.
the class RangerPolicyEngineImpl method updateDataMasksFromPolicy.
private void updateDataMasksFromPolicy(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
PolicyACLSummary aclSummary = evaluator.getPolicyACLSummary();
if (aclSummary != null) {
boolean isConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
for (DataMaskResult dataMaskResult : aclSummary.getDataMasks()) {
dataMaskResult = copyDataMask(dataMaskResult);
if (isConditional) {
dataMaskResult.setIsConditional(true);
}
resourceACLs.getDataMasks().add(dataMaskResult);
}
}
}
Also used :
PolicyACLSummary(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary)
DataMaskResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult)
Aggregations
DataMaskResult (org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult)3
Map (java.util.Map)1
Set (java.util.Set)1
RangerPluginConfig (org.apache.ranger.authorization.hadoop.config.RangerPluginConfig)1
RangerPolicyItemDataMaskInfo (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo)1
RowFilterResult (org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult)1
PolicyACLSummary (org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary)1
