
Example 1 with DataMaskResult

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult in project ranger by apache.

the class TestPolicyACLs method runTests.

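/**
 * Runs every ACL test case found in one JSON test file.
 *
 * <p>For each test case a policy engine is built from the case's service policies. For each
 * test in the case, the engine is asked for the ACLs on the test's resource (with
 * {@code RangerPolicyEngine.ANY_ACCESS}) and the returned user, group and role ACLs, data masks
 * and row filters are compared with the expectations stored in the test.
 *
 * @param reader   source of the JSON document, deserialized into {@code PolicyACLsTests}
 * @param testName name used only in the "invalid input" assertion message
 * @throws Exception declared by the original signature; nothing is caught in this method
 */
private void runTests(InputStreamReader reader, String testName) throws Exception {
    PolicyACLsTests testCases = gsonBuilder.fromJson(reader, PolicyACLsTests.class);
    assertTrue("invalid input: " + testName, testCases != null && testCases.testCases != null);
    for (PolicyACLsTests.TestCase testCase : testCases.testCases) {
        String serviceType = testCase.servicePolicies.getServiceDef().getName();
        RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
        RangerPluginContext pluginContext = new RangerPluginContext(new RangerPluginConfig(serviceType, null, "test-policy-acls", "cl1", "on-prem", policyEngineOptions));
        RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testCase.servicePolicies, pluginContext, null);
        for (PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
            if (oneTest == null) {
                continue;
            }
            RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
            RangerResourceACLs acls = policyEngine.getResourceACLs(request);

            // The three principal kinds share one comparison so that they cannot drift apart.
            boolean userACLsMatched = principalACLsMatch(acls.getUserACLs(), oneTest.userPermissions);
            boolean groupACLsMatched = principalACLsMatch(acls.getGroupACLs(), oneTest.groupPermissions);
            boolean roleACLsMatched = principalACLsMatch(acls.getRoleACLs(), oneTest.rolePermissions);

            // Data masks are compared position by position, so their order is part of the expectation.
            boolean dataMaskingMatched = true;
            if (acls.getDataMasks().isEmpty()) {
                dataMaskingMatched = (oneTest.dataMasks == null || oneTest.dataMasks.isEmpty());
            } else if (acls.getDataMasks().size() != (oneTest.dataMasks == null ? 0 : oneTest.dataMasks.size())) {
                dataMaskingMatched = false;
            } else {
                for (int i = 0; i < acls.getDataMasks().size(); i++) {
                    DataMaskResult found = acls.getDataMasks().get(i);
                    DataMaskResult expected = oneTest.dataMasks.get(i);
                    dataMaskingMatched = found.equals(expected);
                    if (!dataMaskingMatched) {
                        break;
                    }
                }
            }

            // Row filters follow the same position-by-position rule as data masks.
            boolean rowFiltersMatched = true;
            if (acls.getRowFilters().isEmpty()) {
                rowFiltersMatched = (oneTest.rowFilters == null || oneTest.rowFilters.isEmpty());
            } else if (acls.getRowFilters().size() != (oneTest.rowFilters == null ? 0 : oneTest.rowFilters.size())) {
                rowFiltersMatched = false;
            } else {
                for (int i = 0; i < acls.getRowFilters().size(); i++) {
                    RowFilterResult found = acls.getRowFilters().get(i);
                    RowFilterResult expected = oneTest.rowFilters.get(i);
                    rowFiltersMatched = found.equals(expected);
                    if (!rowFiltersMatched) {
                        break;
                    }
                }
            }

            assertTrue("getResourceACLs() failed! " + testCase.name + ":" + oneTest.name, userACLsMatched && groupACLsMatched && roleACLsMatched && rowFiltersMatched && dataMaskingMatched);
        }
    }
}

/**
 * Checks the ACLs returned for one principal kind (users, groups or roles) against the
 * expected permissions of a test.
 *
 * <p>Two empty (or null) maps match; one empty and one non-empty map do not. Otherwise every
 * privilege returned for every principal must have an equal expected result, except
 * {@code RangerPolicyEngine.ADMIN_ACCESS}, which is ignored.
 *
 * <p>Unlike the earlier inline version, a principal that holds only the ignored admin privilege
 * and has no expectation no longer ends the scan: the remaining principals are still verified,
 * so an unexpected grant further down the map fails the test. A principal whose privilege map
 * is null while an expectation exists is reported as a mismatch instead of raising a
 * {@code NullPointerException}.
 *
 * @param actual   principal name to (privilege to result) as returned by the policy engine
 * @param expected principal name to (privilege to result) as read from the test file
 * @return {@code true} when the returned ACLs agree with the expectations
 */
private static boolean principalACLsMatch(Map<String, ? extends Map<String, RangerResourceACLs.AccessResult>> actual, Map<String, ? extends Map<String, RangerResourceACLs.AccessResult>> expected) {
    if (MapUtils.isEmpty(actual) || MapUtils.isEmpty(expected)) {
        return MapUtils.isEmpty(actual) && MapUtils.isEmpty(expected);
    }
    // NOTE(review): the scan is driven by the returned ACLs only. A principal or privilege that
    // appears in the expectations but is missing from the engine's answer is not detected here.
    // Confirm whether the test files rely on that before tightening it.
    for (Map.Entry<String, ? extends Map<String, RangerResourceACLs.AccessResult>> entry : actual.entrySet()) {
        Map<String, RangerResourceACLs.AccessResult> granted = entry.getValue();
        Map<String, RangerResourceACLs.AccessResult> expectedForPrincipal = expected.get(entry.getKey());
        if (MapUtils.isEmpty(granted)) {
            if (MapUtils.isNotEmpty(expectedForPrincipal)) {
                return false;
            }
            continue;
        }
        for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : granted.entrySet()) {
            if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
                continue;
            }
            // With no expectation for this principal, any non-admin privilege is an unexpected grant.
            RangerResourceACLs.AccessResult expectedResult = expectedForPrincipal == null ? null : expectedForPrincipal.get(privilege.getKey());
            if (expectedResult == null || !expectedResult.equals(privilege.getValue())) {
                return false;
            }
        }
    }
    return true;
}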
Also used : RangerPluginConfig(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig) Set(java.util.Set) RowFilterResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult) DataMaskResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult) Map(java.util.Map)

Example 2 with DataMaskResult

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult in project ranger by apache.

the class RangerPolicyEngineImpl method copyDataMask.

/**
 * Creates a new {@code DataMaskResult} from an existing one.
 *
 * <p>The users, groups, roles and access types are passed through {@code copyStrings}, and the
 * mask info is wrapped in a new {@code RangerPolicyItemDataMaskInfo} built from the original
 * (presumably a copy constructor; verify in {@code RangerPolicy}). The conditional flag is
 * carried over unchanged.
 *
 * @param dataMask the result to copy; dereferenced without a null check
 * @return a new result object holding the copied values
 */
private DataMaskResult copyDataMask(DataMaskResult dataMask) {
    DataMaskResult copy = new DataMaskResult(
            copyStrings(dataMask.getUsers()),
            copyStrings(dataMask.getGroups()),
            copyStrings(dataMask.getRoles()),
            copyStrings(dataMask.getAccessTypes()),
            new RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo()));

    copy.setIsConditional(dataMask.getIsConditional());

    return copy;
}
Also used : DataMaskResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult) RangerPolicyItemDataMaskInfo(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo)

Example 3 with DataMaskResult

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult in project ranger by apache.

the class RangerPolicyEngineImpl method updateDataMasksFromPolicy.

/**
 * Appends the data masks of one policy evaluator to the ACLs being assembled for a resource.
 *
 * <p>Each mask from the evaluator's ACL summary is copied with {@code copyDataMask} before it is
 * added, and the conditional flag is set on the copy, never on the summary's own object. A mask
 * is forced to conditional when the policy id is in {@code policyIdForTemporalTags} or the
 * evaluator reports at least one validity-schedule evaluator; otherwise the copied flag is kept.
 *
 * @param evaluator               evaluator whose ACL summary supplies the masks; nothing is
 *                                added when its summary is {@code null}
 * @param policyIdForTemporalTags policy ids to treat as conditional
 * @param resourceACLs            target whose data-mask list receives the copies
 */
private void updateDataMasksFromPolicy(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
    PolicyACLSummary summary = evaluator.getPolicyACLSummary();
    if (summary == null) {
        return;
    }

    boolean forceConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;

    for (DataMaskResult original : summary.getDataMasks()) {
        DataMaskResult copy = copyDataMask(original);
        if (forceConditional) {
            copy.setIsConditional(true);
        }
        resourceACLs.getDataMasks().add(copy);
    }
}
Also used : PolicyACLSummary(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary) DataMaskResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult)
