
Example 1 with RowFilterResult

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult in project ranger by apache.

the class TestPolicyACLs method runTests.

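/**
 * Runs every test case of the JSON fixture read from {@code reader} and asserts that the ACLs
 * returned by the policy engine match the expectations stored in the fixture.
 *
 * <p>A policy engine is built per test case from the case's service policies. For each non-null
 * test, {@code getResourceACLs()} is called for the test's resource with
 * {@code RangerPolicyEngine.ANY_ACCESS}, and the result is compared category by category:
 * user, group and role ACLs, data masks and row filters.
 *
 * <p>NOTE(review): the user/group/role comparison is driven by what the engine returned, so it is
 * weaker than an equality check; see {@link #aclsMatch}. Because this test guards authorization
 * results, confirm whether a stricter two-way comparison is wanted.
 *
 * @param reader   source of the JSON test definitions
 * @param testName name reported in the "invalid input" assertion message
 * @throws Exception propagated from parsing the fixture or from the policy engine
 */
private void runTests(InputStreamReader reader, String testName) throws Exception {
    PolicyACLsTests testCases = gsonBuilder.fromJson(reader, PolicyACLsTests.class);
    assertTrue("invalid input: " + testName, testCases != null && testCases.testCases != null);
    for (PolicyACLsTests.TestCase testCase : testCases.testCases) {
        String serviceType = testCase.servicePolicies.getServiceDef().getName();
        RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
        RangerPluginContext pluginContext = new RangerPluginContext(new RangerPluginConfig(serviceType, null, "test-policy-acls", "cl1", "on-prem", policyEngineOptions));
        RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testCase.servicePolicies, pluginContext, null);
        for (PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
            if (oneTest == null) {
                continue;
            }
            RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
            RangerResourceACLs acls = policyEngine.getResourceACLs(request);

            // Evaluated in the same order as before: users, data masks, row filters, groups, roles.
            boolean userACLsMatched = aclsMatch(acls.getUserACLs(), oneTest.userPermissions);
            boolean dataMaskingMatched = resultListsMatch(acls.getDataMasks(), oneTest.dataMasks);
            boolean rowFiltersMatched = resultListsMatch(acls.getRowFilters(), oneTest.rowFilters);
            boolean groupACLsMatched = aclsMatch(acls.getGroupACLs(), oneTest.groupPermissions);
            boolean roleACLsMatched = aclsMatch(acls.getRoleACLs(), oneTest.rolePermissions);

            assertTrue("getResourceACLs() failed! " + testCase.name + ":" + oneTest.name, userACLsMatched && groupACLsMatched && roleACLsMatched && rowFiltersMatched && dataMaskingMatched);
        }
    }
}

/**
 * Compares the per-principal ACLs returned by the engine with the expected ones.
 *
 * <p>This is the comparison that was previously written out three times (users, groups, roles).
 * Its rules are unchanged:
 * <ul>
 *   <li>If either map is empty, the result is {@code true} only when both are empty.</li>
 *   <li>Otherwise each principal in {@code actual} is looked up in {@code expected}; every
 *       returned privilege except {@code RangerPolicyEngine.ADMIN_ACCESS} must have an equal
 *       expected result.</li>
 *   <li>If exactly one side has privileges for a principal, the comparison stops there and
 *       passes only when the engine returned {@code ADMIN_ACCESS} alone.</li>
 * </ul>
 *
 * <p>NOTE(review): only entries present in {@code actual} are visited. A principal or privilege
 * that is expected but missing from the engine's answer is not reported, and the early stop in
 * the third rule leaves the remaining principals uncompared. A regression that drops an entry
 * from the computed ACLs could therefore pass; confirm whether that leniency is intended.
 *
 * @param actual   ACLs returned by the policy engine, keyed by principal name
 * @param expected ACLs from the test fixture, keyed by principal name
 * @return {@code true} when the maps match under the rules above
 */
private static boolean aclsMatch(Map<String, Map<String, RangerResourceACLs.AccessResult>> actual, Map<String, ? extends Map<String, RangerResourceACLs.AccessResult>> expected) {
    if (MapUtils.isEmpty(actual) || MapUtils.isEmpty(expected)) {
        return MapUtils.isEmpty(actual) && MapUtils.isEmpty(expected);
    }
    for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : actual.entrySet()) {
        Map<String, RangerResourceACLs.AccessResult> granted = entry.getValue();
        Map<String, RangerResourceACLs.AccessResult> wanted = expected.get(entry.getKey());
        if (MapUtils.isNotEmpty(granted) && MapUtils.isNotEmpty(wanted)) {
            for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : granted.entrySet()) {
                if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
                    continue;
                }
                RangerResourceACLs.AccessResult expectedResult = wanted.get(privilege.getKey());
                if (expectedResult == null || !expectedResult.equals(privilege.getValue())) {
                    return false;
                }
            }
        } else if (!(MapUtils.isEmpty(granted) && MapUtils.isEmpty(wanted))) {
            // Exactly one side is empty. The null check turns a null privilege map into a
            // reported mismatch; the inline version threw a NullPointerException here.
            return granted != null && granted.size() == 1 && granted.containsKey(RangerPolicyEngine.ADMIN_ACCESS);
        }
    }
    return true;
}

/**
 * Compares an ordered result list from the engine (data masks or row filters) with the expected
 * list: the sizes must agree, a {@code null} expected list counting as empty, and elements at
 * the same index must be {@code equals}.
 *
 * @param actual   list returned by the policy engine; must not be {@code null}
 * @param expected list from the test fixture, possibly {@code null}
 * @return {@code true} when both lists have the same size and equal elements in order
 */
private static boolean resultListsMatch(java.util.List<?> actual, java.util.List<?> expected) {
    int expectedSize = expected == null ? 0 : expected.size();
    if (actual.size() != expectedSize) {
        return false;
    }
    for (int i = 0; i < actual.size(); i++) {
        if (!actual.get(i).equals(expected.get(i))) {
            return false;
        }
    }
    return true;
}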
Also used : RangerPluginConfig(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig) Set(java.util.Set) RowFilterResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult) DataMaskResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult) Map(java.util.Map)

Example 2 with RowFilterResult

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult in project ranger by apache.

the class RangerPolicyEngineImpl method updateRowFiltersFromPolicy.

/**
 * Appends a copy of each row filter in the evaluator's ACL summary to {@code resourceACLs}.
 *
 * <p>Nothing is added when the evaluator has no ACL summary. A copied filter is marked
 * conditional when the evaluator's policy id is in {@code policyIdForTemporalTags} or the
 * evaluator reports at least one validity-schedule evaluator.
 *
 * @param evaluator               policy evaluator whose row filters are collected
 * @param policyIdForTemporalTags policy ids whose results are treated as conditional
 * @param resourceACLs            result object whose row-filter list receives the copies
 */
private void updateRowFiltersFromPolicy(RangerPolicyEvaluator evaluator, Set<Long> policyIdForTemporalTags, RangerResourceACLs resourceACLs) {
    final PolicyACLSummary summary = evaluator.getPolicyACLSummary();
    if (summary == null) {
        return;
    }

    final boolean conditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;

    for (RowFilterResult summaryFilter : summary.getRowFilters()) {
        // The flag is set on a copy, so the object held by the summary is left as it was.
        RowFilterResult copy = copyRowFilter(summaryFilter);
        if (conditional) {
            copy.setIsConditional(true);
        }
        resourceACLs.getRowFilters().add(copy);
    }
}
Also used : PolicyACLSummary(org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary) RowFilterResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult)

Example 3 with RowFilterResult

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult in project ranger by apache.

the class RangerPolicyEngineImpl method copyRowFilter.

/**
 * Builds a new {@code RowFilterResult} from {@code rowFilter}.
 *
 * <p>Users, groups, roles and access types are passed through {@code copyStrings}, the filter
 * info is wrapped in a new {@code RangerPolicyItemRowFilterInfo}, and the conditional flag is
 * carried over.
 *
 * @param rowFilter row filter to copy; dereferenced without a null check
 * @return the newly constructed copy
 */
private RowFilterResult copyRowFilter(RowFilterResult rowFilter) {
    RowFilterResult copy = new RowFilterResult(
            copyStrings(rowFilter.getUsers()),
            copyStrings(rowFilter.getGroups()),
            copyStrings(rowFilter.getRoles()),
            copyStrings(rowFilter.getAccessTypes()),
            // NOTE(review): presumably a copy constructor; confirm it tolerates a null filter info.
            new RangerPolicyItemRowFilterInfo(rowFilter.getFilterInfo()));

    copy.setIsConditional(rowFilter.getIsConditional());

    return copy;
}
Also used : RowFilterResult(org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult) RangerPolicyItemRowFilterInfo(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo)

Aggregations

RowFilterResult (org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult)3 Map (java.util.Map)1 Set (java.util.Set)1 RangerPluginConfig (org.apache.ranger.authorization.hadoop.config.RangerPluginConfig)1 RangerPolicyItemRowFilterInfo (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo)1 DataMaskResult (org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult)1 PolicyACLSummary (org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary)1