
Example 41 with SearchFilter

use of org.apache.ranger.plugin.util.SearchFilter in project ranger by apache.

the class ServiceREST method getServicePolicies.

/**
 * Lists the policies of one service, one page at a time.
 *
 * <p>When {@code isAdminUserWithNoFilterParams(filter)} holds, the store pages the result itself.
 * Otherwise every policy of the service is loaded, passed through {@code applyAdminAccessFilter},
 * and only then reduced to the requested page, so the page is picked from the policies that
 * survive the access filter rather than from the raw store result.
 *
 * @param serviceId id of the service, taken from the URL path
 * @param request   current HTTP request; the search filter is built from it
 * @return the requested page of policies
 * @throws WebApplicationException rethrown unchanged; any other failure is logged and converted
 *         through {@code restErrorUtil.createRESTException}
 */
@GET
@Path("/policies/service/{id}")
@Produces({ "application/json", "application/xml" })
public RangerPolicyList getServicePolicies(@PathParam("id") Long serviceId, @Context HttpServletRequest request) {
    // NOTE(review): no @PreAuthorize is declared on this endpoint; in the non-admin branch the
    // visibility of individual policies rests on applyAdminAccessFilter below. Confirm that is intended.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getServicePolicies(" + serviceId + ")");
    }

    RangerPolicyList ret = new RangerPolicyList();
    RangerPerfTracer perf = null;
    SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);

    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceId=" + serviceId + ")");
        }

        if (!isAdminUserWithNoFilterParams(filter)) {
            // Load the complete policy list first; the page is chosen only after access filtering.
            final List<RangerPolicy> unpaged;
            if (filter == null) {
                unpaged = svcStore.getServicePolicies(serviceId, filter);
            } else {
                // Temporarily widen the window to "everything", then put the caller's window back.
                final int requestedStart = filter.getStartIndex();
                final int requestedRows = filter.getMaxRows();
                filter.setStartIndex(0);
                filter.setMaxRows(Integer.MAX_VALUE);
                unpaged = svcStore.getServicePolicies(serviceId, filter);
                filter.setStartIndex(requestedStart);
                filter.setMaxRows(requestedRows);
            }
            final List<RangerPolicy> visible = applyAdminAccessFilter(unpaged);
            ret = toRangerPolicyList(visible, filter);
        } else {
            final PList<RangerPolicy> page = svcStore.getPaginatedServicePolicies(serviceId, filter);
            ret = toRangerPolicyList(page);
        }
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("getServicePolicies(" + serviceId + ") failed", excp);
        // NOTE(review): the raw exception message is handed to restErrorUtil; if it is echoed
        // to the client it may expose internal details. Confirm what createRESTException returns.
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getServicePolicies(" + serviceId + "): count=" + (ret == null ? 0 : ret.getListSize()));
    }
    return ret;
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerPolicyList(org.apache.ranger.view.RangerPolicyList) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET)

Example 42 with SearchFilter

use of org.apache.ranger.plugin.util.SearchFilter in project ranger by apache.

the class ServiceREST method getServiceDefs.

/**
 * Returns one page of service definitions.
 *
 * <p>Access is gated by {@code @PreAuthorize} through
 * {@code rangerPreAuthSecurityHandler.isAPIAccessible} for {@code RangerAPIList.GET_SERVICE_DEFS}.
 * The search filter is built from the request; the optional {@code pageSource} request parameter
 * is copied into it unchanged.
 *
 * @param request current HTTP request
 * @return the page of service definitions, or {@code null} when the store returns no page
 * @throws WebApplicationException rethrown unchanged; any other failure is logged and converted
 *         through {@code restErrorUtil.createRESTException}
 */
@GET
@Path("/definitions")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEFS + "\")")
public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getServiceDefs()");
    }

    RangerServiceDefList ret = null;
    RangerPerfTracer perf = null;
    SearchFilter filter = searchUtil.getSearchFilter(request, serviceDefService.sortFields);

    // Client-supplied value, forwarded to the store as a filter parameter without validation here.
    // NOTE(review): filter is dereferenced without a null check; confirm getSearchFilter never returns null.
    final String pageSource = request.getParameter("pageSource");
    if (pageSource != null) {
        filter.setParam("pageSource", pageSource);
    }

    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefs()");
        }

        final PList<RangerServiceDef> page = svcStore.getPaginatedServiceDefs(filter);
        if (page != null) {
            // Copy the list and its paging metadata into the REST view object.
            ret = new RangerServiceDefList();
            ret.setServiceDefs(page.getList());
            ret.setPageSize(page.getPageSize());
            ret.setResultSize(page.getResultSize());
            ret.setStartIndex(page.getStartIndex());
            ret.setTotalCount(page.getTotalCount());
            ret.setSortBy(page.getSortBy());
            ret.setSortType(page.getSortType());
        }
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("getServiceDefs() failed", excp);
        // NOTE(review): the raw exception message is handed to restErrorUtil; confirm it is not
        // echoed to the client in a way that exposes internal details.
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getServiceDefs(): count=" + (ret == null ? 0 : ret.getListSize()));
    }
    return ret;
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) VXString(org.apache.ranger.view.VXString) RangerServiceDefList(org.apache.ranger.view.RangerServiceDefList) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 43 with SearchFilter

use of org.apache.ranger.plugin.util.SearchFilter in project ranger by apache.

the class ServiceREST method importPoliciesFromFile.

/**
 * Imports policies from an uploaded JSON export file.
 *
 * <p>Access is gated by {@code @PreAuthorize} through
 * {@code rangerPreAuthSecurityHandler.isAdminOrKeyAdminRole()}. Audit records are written through
 * {@code bizUtil.createTrxLog}: "IMPORT START" before any input is parsed, "IMPORT ERROR" from each
 * catch handler, and "IMPORT END" from the finally block.
 *
 * <p>Order of work: resolve the optional service-type restriction to service names, read the
 * optional source-to-destination service mapping, parse the uploaded file, optionally delete
 * existing policies, then create the imported policies one by one through {@code createPolicy}.
 *
 * @param request             current HTTP request; also read for the service-type,
 *                            update-if-exists and policy-resource parameters
 * @param serviceMapStream    optional "servicesMapJson" form part mapping source to destination services
 * @param uploadedInputStream content of the "file" form part
 * @param fileDetail          metadata of the "file" form part; its file name must end in "json"
 * @param isOverride          "isOverride" query parameter; {@code null} is treated as {@code false}
 * @throws WebApplicationException on invalid input or any failure during the import
 */
@POST
@Path("/policies/importPoliciesFromFile")
@Consumes({ MediaType.MULTIPART_FORM_DATA, MediaType.APPLICATION_JSON })
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAdminOrKeyAdminRole()")
public void importPoliciesFromFile(@Context HttpServletRequest request, @FormDataParam("servicesMapJson") InputStream serviceMapStream, @FormDataParam("file") InputStream uploadedInputStream, @FormDataParam("file") FormDataContentDisposition fileDetail, @QueryParam("isOverride") Boolean isOverride) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.importPoliciesFromFile()");
    }
    RangerPerfTracer perf = null;
    // Serialized metadata of the export file; attached to the error/end audit records once known.
    String metaDataInfo = null;
    List<XXTrxLog> trxLogListError = new ArrayList<XXTrxLog>();
    XXTrxLog xxTrxLogError = new XXTrxLog();
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.importPoliciesFromFile()");
        }
        // Audit marker: record that an import was attempted before any uploaded data is touched.
        List<XXTrxLog> trxLogList = new ArrayList<XXTrxLog>();
        XXTrxLog xxTrxLog = new XXTrxLog();
        xxTrxLog.setAction("IMPORT START");
        xxTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_RANGER_POLICY);
        xxTrxLog.setPreviousValue("IMPORT START");
        trxLogList.add(xxTrxLog);
        bizUtil.createTrxLog(trxLogList);
        // A missing isOverride query parameter means "do not override".
        if (isOverride == null) {
            isOverride = false;
        }
        List<String> serviceNameList = new ArrayList<String>();
        String serviceType = null;
        List<String> serviceTypeList = null;
        SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
        // Optional comma-separated list of service types taken from the request.
        if (StringUtils.isNotEmpty(request.getParameter(PARAM_SERVICE_TYPE))) {
            serviceType = request.getParameter(PARAM_SERVICE_TYPE);
        }
        if (StringUtils.isNotEmpty(serviceType)) {
            serviceTypeList = new ArrayList<String>(Arrays.asList(serviceType.split(",")));
        }
        List<RangerService> rangerServiceList = null;
        List<RangerService> rangerServiceLists = new ArrayList<RangerService>();
        // Resolve every requested service type to its services, one getServices(filter) call per type.
        if (CollectionUtils.isNotEmpty(serviceTypeList)) {
            for (String s : serviceTypeList) {
                filter.removeParam(PARAM_SERVICE_TYPE);
                filter.setParam(PARAM_SERVICE_TYPE, s.trim());
                rangerServiceList = getServices(filter);
                rangerServiceLists.addAll(rangerServiceList);
            }
        }
        // Names of the services found above; when non-empty, policies are only created for these.
        if (!CollectionUtils.sizeIsEmpty(rangerServiceLists)) {
            for (RangerService rService : rangerServiceLists) {
                if (StringUtils.isNotEmpty(rService.getName())) {
                    serviceNameList.add(rService.getName());
                }
            }
        }
        Map<String, String> servicesMappingMap = new LinkedHashMap<String, String>();
        List<String> sourceServices = new ArrayList<String>();
        List<String> destinationServices = new ArrayList<String>();
        // Optional mapping of source service name -> destination service name, supplied by the caller.
        if (serviceMapStream != null) {
            servicesMappingMap = svcStore.getServiceMap(serviceMapStream);
        }
        if (!CollectionUtils.sizeIsEmpty(servicesMappingMap)) {
            for (Entry<String, String> map : servicesMappingMap.entrySet()) {
                String sourceServiceName = null;
                String destinationServiceName = null;
                // Both sides of a mapping entry must be non-blank after trimming, otherwise the import is rejected.
                if (StringUtils.isNotEmpty(map.getKey().trim()) && StringUtils.isNotEmpty(map.getValue().trim())) {
                    sourceServiceName = map.getKey().trim();
                    destinationServiceName = map.getValue().trim();
                } else {
                    LOG.error("Source service or destonation service name is not provided!!");
                    throw restErrorUtil.createRESTException("Source service or destonation service name is not provided!!");
                }
                if (StringUtils.isNotEmpty(sourceServiceName) && StringUtils.isNotEmpty(destinationServiceName)) {
                    sourceServices.add(sourceServiceName);
                    destinationServices.add(destinationServiceName);
                }
            }
        }
        // NOTE(review): fileDetail is dereferenced without a null check; a request without a
        // "file" part would presumably end in the catch (Throwable) handler below. Confirm.
        String fileName = fileDetail.getFileName();
        int totalPolicyCreate = 0;
        Map<String, RangerPolicy> policiesMap = new LinkedHashMap<String, RangerPolicy>();
        List<String> dataFileSourceServices = new ArrayList<String>();
        // Suffix test only: any client-supplied name ending in "json" passes (no dot required).
        // The name is used for nothing else in this method; the content is what gets parsed.
        if (fileName.endsWith("json")) {
            try {
                RangerExportPolicyList rangerExportPolicyList = null;
                List<RangerPolicy> policies = null;
                Gson gson = new Gson();
                // NOTE(review): the whole upload is read into one String, with no size limit visible
                // in this method and no charset passed to IOUtils.toString. Confirm an upstream
                // request-size limit exists and that the expected encoding is applied.
                String policiesString = IOUtils.toString(uploadedInputStream);
                policiesString = policiesString.trim();
                if (StringUtils.isNotEmpty(policiesString)) {
                    // Result discarded: this parse appears to serve only as a syntax check (a
                    // JsonSyntaxException is handled by the outer catch); Jackson does the binding.
                    gson.fromJson(policiesString, RangerExportPolicyList.class);
                    rangerExportPolicyList = new ObjectMapper().readValue(policiesString, RangerExportPolicyList.class);
                } else {
                    LOG.error("Provided json file is empty!!");
                    throw restErrorUtil.createRESTException("Provided json file is empty!!");
                }
                // Metadata is optional; when present it is serialized for the audit records.
                if (rangerExportPolicyList != null && !CollectionUtils.sizeIsEmpty(rangerExportPolicyList.getMetaDataInfo())) {
                    metaDataInfo = new ObjectMapper().writeValueAsString(rangerExportPolicyList.getMetaDataInfo());
                } else {
                    LOG.info("metadata info is not provided!!");
                }
                // A file without policies is rejected.
                if (rangerExportPolicyList != null && !CollectionUtils.sizeIsEmpty(rangerExportPolicyList.getPolicies())) {
                    policies = rangerExportPolicyList.getPolicies();
                } else {
                    LOG.error("Provided json file does not contain any policy!!");
                    throw restErrorUtil.createRESTException("Provided json file does not contain any policy!!");
                }
                // Override without a mapping: each policy's own service is both source and
                // destination, limited to serviceNameList when that list is non-empty.
                if (CollectionUtils.sizeIsEmpty(servicesMappingMap) && isOverride) {
                    if (policies != null && !CollectionUtils.sizeIsEmpty(policies)) {
                        for (RangerPolicy policyInJson : policies) {
                            if (policyInJson != null) {
                                // trim() runs on getService() before the emptiness test, so a null
                                // service name raises NullPointerException rather than the message below.
                                if (StringUtils.isNotEmpty(policyInJson.getService().trim())) {
                                    String serviceName = policyInJson.getService().trim();
                                    if (CollectionUtils.isNotEmpty(serviceNameList) && serviceNameList.contains(serviceName)) {
                                        sourceServices.add(serviceName);
                                        destinationServices.add(serviceName);
                                    } else if (CollectionUtils.isEmpty(serviceNameList)) {
                                        sourceServices.add(serviceName);
                                        destinationServices.add(serviceName);
                                    }
                                } else {
                                    LOG.error("Service Name or Policy Name is not provided!!");
                                    throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!");
                                }
                            }
                        }
                    }
                } else if (!CollectionUtils.sizeIsEmpty(servicesMappingMap)) {
                    // With a mapping: every mapped source service must occur in the uploaded file.
                    if (policies != null && !CollectionUtils.sizeIsEmpty(policies)) {
                        for (RangerPolicy policyInJson : policies) {
                            if (policyInJson != null) {
                                if (StringUtils.isNotEmpty(policyInJson.getService().trim())) {
                                    dataFileSourceServices.add(policyInJson.getService().trim());
                                } else {
                                    LOG.error("Service Name or Policy Name is not provided!!");
                                    throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!");
                                }
                            }
                        }
                        if (!dataFileSourceServices.containsAll(sourceServices)) {
                            LOG.error("Json File does not contain sepcified source service name.");
                            throw restErrorUtil.createRESTException("Json File does not contain sepcified source service name.");
                        }
                    }
                }
                String updateIfExists = request.getParameter(PARAM_UPDATE_IF_EXISTS);
                String polResource = request.getParameter(SearchFilter.POL_RESOURCE);
                // Absent/empty update-if-exists defaults to "false"; an explicit "true" switches override off.
                if (updateIfExists == null || updateIfExists.isEmpty()) {
                    updateIfExists = "false";
                } else if (updateIfExists.equalsIgnoreCase("true")) {
                    isOverride = false;
                }
                // Destructive step: existing policies are deleted here, before the replacements are
                // created further down.
                // NOTE(review): no transaction boundary is visible in this method. Confirm that a
                // failure during creation cannot leave the destination services without their
                // previous policies.
                if (isOverride && "false".equalsIgnoreCase(updateIfExists) && StringUtils.isEmpty(polResource)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Deleting Policy from provided services in servicesMapJson file...");
                    }
                    if (CollectionUtils.isNotEmpty(sourceServices) && CollectionUtils.isNotEmpty(destinationServices)) {
                        deletePoliciesProvidedInServiceMap(sourceServices, destinationServices);
                    }
                }
                // Update mode restricted to one resource: deletion is delegated to deletePoliciesForResource.
                if ("true".equalsIgnoreCase(updateIfExists) && StringUtils.isNotEmpty(polResource)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Deleting Policy from provided services in servicesMapJson file for specific resource...");
                    }
                    if (CollectionUtils.isNotEmpty(sourceServices) && CollectionUtils.isNotEmpty(destinationServices)) {
                        deletePoliciesForResource(sourceServices, destinationServices, polResource, request, policies);
                    }
                }
                // Build the map of policies to create; svcStore.createPolicyMap accumulates into policiesMap.
                if (policies != null && !CollectionUtils.sizeIsEmpty(policies)) {
                    for (RangerPolicy policyInJson : policies) {
                        if (policyInJson != null) {
                            policiesMap = svcStore.createPolicyMap(servicesMappingMap, sourceServices, destinationServices, policyInJson, policiesMap);
                        }
                    }
                }
                if (!CollectionUtils.sizeIsEmpty(policiesMap.entrySet())) {
                    for (Entry<String, RangerPolicy> entry : policiesMap.entrySet()) {
                        RangerPolicy policy = entry.getValue();
                        if (policy != null) {
                            if (!CollectionUtils.isEmpty(serviceNameList)) {
                                // Restricted import: create the policy only when its service matches
                                // (case-insensitively) one of the resolved service names.
                                for (String service : serviceNameList) {
                                    if (StringUtils.isNotEmpty(service.trim()) && StringUtils.isNotEmpty(policy.getService().trim())) {
                                        if (policy.getService().trim().equalsIgnoreCase(service.trim())) {
                                            // Service and policy name are passed to createPolicy as request attributes.
                                            if (updateIfExists != null && !updateIfExists.isEmpty()) {
                                                request.setAttribute(PARAM_SERVICE_NAME, policy.getService());
                                                request.setAttribute(PARAM_POLICY_NAME, policy.getName());
                                            }
                                            createPolicy(policy, request);
                                            totalPolicyCreate = totalPolicyCreate + 1;
                                            if (LOG.isDebugEnabled()) {
                                                LOG.debug("Policy " + policy.getName() + " created successfully.");
                                            }
                                            break;
                                        }
                                    } else {
                                        LOG.error("Service Name or Policy Name is not provided!!");
                                        throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!");
                                    }
                                }
                            } else {
                                // Unrestricted import: every policy in the map is created.
                                if (updateIfExists != null && !updateIfExists.isEmpty()) {
                                    request.setAttribute(PARAM_SERVICE_NAME, policy.getService());
                                    request.setAttribute(PARAM_POLICY_NAME, policy.getName());
                                }
                                createPolicy(policy, request);
                                totalPolicyCreate = totalPolicyCreate + 1;
                                if (LOG.isDebugEnabled()) {
                                    LOG.debug("Policy " + policy.getName() + " created successfully.");
                                }
                            }
                        }
                    }
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Total Policy Created From Json file : " + totalPolicyCreate);
                    }
                    // An import that created nothing is reported as an error, not as success.
                    if (!(totalPolicyCreate > 0)) {
                        LOG.error("zero policy is created from provided data file!!");
                        throw restErrorUtil.createRESTException("zero policy is created from provided data file!!");
                    }
                }
            } catch (IOException e) {
                // Only the message is logged here; the stack trace is not.
                LOG.error(e.getMessage());
                throw restErrorUtil.createRESTException(e.getMessage());
            }
        } else {
            LOG.error("Provided file format is not supported!!");
            throw restErrorUtil.createRESTException("Provided file format is not supported!!");
        }
    } catch (JsonSyntaxException ex) {
        // Each handler below writes the same "IMPORT ERROR" audit record before rethrowing.
        LOG.error("Provided json file is not valid!!", ex);
        xxTrxLogError.setAction("IMPORT ERROR");
        xxTrxLogError.setObjectClassType(AppConstants.CLASS_TYPE_RANGER_POLICY);
        if (StringUtils.isNotEmpty(metaDataInfo)) {
            xxTrxLogError.setPreviousValue(metaDataInfo);
        }
        trxLogListError.add(xxTrxLogError);
        bizUtil.createTrxLog(trxLogListError);
        // NOTE(review): the parser's message is handed to restErrorUtil; confirm it does not echo
        // more of the uploaded content or internals to the client than intended.
        throw restErrorUtil.createRESTException(ex.getMessage());
    } catch (WebApplicationException excp) {
        LOG.error("Error while importing policy from file!!", excp);
        xxTrxLogError.setAction("IMPORT ERROR");
        xxTrxLogError.setObjectClassType(AppConstants.CLASS_TYPE_RANGER_POLICY);
        if (StringUtils.isNotEmpty(metaDataInfo)) {
            xxTrxLogError.setPreviousValue(metaDataInfo);
        }
        trxLogListError.add(xxTrxLogError);
        bizUtil.createTrxLog(trxLogListError);
        throw excp;
    } catch (Throwable excp) {
        LOG.error("Error while importing policy from file!!", excp);
        xxTrxLogError.setAction("IMPORT ERROR");
        xxTrxLogError.setObjectClassType(AppConstants.CLASS_TYPE_RANGER_POLICY);
        if (StringUtils.isNotEmpty(metaDataInfo)) {
            xxTrxLogError.setPreviousValue(metaDataInfo);
        }
        trxLogListError.add(xxTrxLogError);
        bizUtil.createTrxLog(trxLogListError);
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
        // "IMPORT END" is written on success and on failure alike, closing the audit trail
        // opened by "IMPORT START".
        List<XXTrxLog> trxLogListEnd = new ArrayList<XXTrxLog>();
        XXTrxLog xxTrxLogEnd = new XXTrxLog();
        xxTrxLogEnd.setAction("IMPORT END");
        xxTrxLogEnd.setObjectClassType(AppConstants.CLASS_TYPE_RANGER_POLICY);
        if (StringUtils.isNotEmpty(metaDataInfo)) {
            xxTrxLogEnd.setPreviousValue(metaDataInfo);
        }
        trxLogListEnd.add(xxTrxLogEnd);
        bizUtil.createTrxLog(trxLogListEnd);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== ServiceREST.importPoliciesFromFile()");
        }
    }
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) RangerExportPolicyList(org.apache.ranger.view.RangerExportPolicyList) ArrayList(java.util.ArrayList) Gson(com.google.gson.Gson) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) VXString(org.apache.ranger.view.VXString) LinkedHashMap(java.util.LinkedHashMap) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerService(org.apache.ranger.plugin.model.RangerService) ObjectMapper(org.codehaus.jackson.map.ObjectMapper) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) XXTrxLog(org.apache.ranger.entity.XXTrxLog) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 44 with SearchFilter

use of org.apache.ranger.plugin.util.SearchFilter in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_failures.

/**
 * Walks the policy validator through its rejection paths.
 *
 * <p>Each stanza re-stubs the mocked policy and store so that exactly one more precondition is
 * satisfied than in the stanza before, then asserts that {@code isValid} still returns false and
 * that the expected kind of failure (missing value, semantic error, internal error) was recorded.
 * The stubbing is cumulative, so the order of the stanzas matters.
 */
@Test
public final void testIsValid_failures() throws Exception {
    for (Action action : cu) {
        // passing in a null policy should fail with appropriate failure reason
        _policy = null;
        checkFailure_isValid(action, "missing", "policy");
        // policy must have a name on it: both null and a blank name are rejected
        _policy = mock(RangerPolicy.class);
        for (String name : new String[] { null, "  " }) {
            when(_policy.getName()).thenReturn(name);
            when(_policy.getResources()).thenReturn(null);
            checkFailure_isValid(action, "missing", "name");
        }
        // for update id is required!
        if (action == Action.UPDATE) {
            when(_policy.getId()).thenReturn(null);
            checkFailure_isValid(action, "missing", "id");
        }
    }
    /*
     * Id is ignored for Create but name should not belong to an existing policy.
     * For update, policy should exist for its id and should match its name.
     */
    when(_policy.getName()).thenReturn("policy-name");
    when(_policy.getService()).thenReturn("service-name");
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(7L);
    List<RangerPolicy> existingPolicies = new ArrayList<>();
    existingPolicies.add(existingPolicy);
    // The store is stubbed to answer this exact (service name, policy name) filter.
    SearchFilter filter = new SearchFilter();
    filter.setParam(SearchFilter.SERVICE_NAME, "service-name");
    filter.setParam(SearchFilter.POLICY_NAME, "policy-name");
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    // create: a policy with this name already exists in the service
    checkFailure_isValid(Action.CREATE, "semantic", "policy name");
    // update : does not exist for id
    when(_policy.getId()).thenReturn(7L);
    when(_store.getPolicy(7L)).thenReturn(null);
    checkFailure_isValid(Action.UPDATE, "semantic", "id");
    // Update: name should not point to an existing different policy, i.e. with a different id
    when(_store.getPolicy(7L)).thenReturn(existingPolicy);
    RangerPolicy anotherExistingPolicy = mock(RangerPolicy.class);
    when(anotherExistingPolicy.getId()).thenReturn(8L);
    existingPolicies.clear();
    existingPolicies.add(anotherExistingPolicy);
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    checkFailure_isValid(Action.UPDATE, "semantic", "id/name");
    // more than one policy with the same name is also an internal error;
    // the list returned for the name lookup now holds three entries
    when(_policy.getName()).thenReturn("policy-name");
    when(_store.getPolicies(filter)).thenReturn(existingPolicies);
    existingPolicies.add(existingPolicy);
    existingPolicy = mock(RangerPolicy.class);
    existingPolicies.add(existingPolicy);
    for (boolean isAdmin : new boolean[] { true, false }) {
        _failures.clear();
        Assert.assertFalse(_validator.isValid(_policy, Action.UPDATE, isAdmin, _failures));
        _utils.checkFailureForInternalError(_failures);
    }
    // policy must have service name on it and it should be valid: null and "" are both rejected
    when(_policy.getName()).thenReturn("policy-name");
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            when(_policy.getService()).thenReturn("");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
        }
    }
    // service name should be valid: the store returns null for one name and throws for the other
    when(_store.getServiceByName("service-name")).thenReturn(null);
    when(_store.getServiceByName("another-service-name")).thenThrow(new Exception());
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            // NOTE(review): this stanza and the next are identical (both stub null); the loop
            // above pairs null with "", so the second one may have been meant to stub "".
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            when(_policy.getService()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "service name");
            // store lookup returns null for this name
            when(_policy.getService()).thenReturn("service-name");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "service name");
            // store lookup throws for this name
            when(_policy.getService()).thenReturn("another-service-name");
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "service name");
        }
    }
    // policy must contain at least one policy item
    List<RangerPolicyItem> policyItems = new ArrayList<>();
    when(_policy.getService()).thenReturn("service-name");
    RangerService service = mock(RangerService.class);
    when(_store.getServiceByName("service-name")).thenReturn(service);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            // when it is null
            when(_policy.getPolicyItems()).thenReturn(null);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "policy items");
            // or when it is not null but empty.
            when(_policy.getPolicyItems()).thenReturn(policyItems);
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForMissingValue(_failures, "policy items");
        }
    }
    // these are known good policy items -- same as used above in happypath
    policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    // policy item check requires that service def should exist
    when(service.getType()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(null);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForInternalError(_failures, "policy service def");
        }
    }
    // service-def should contain the right access types on it.
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes_bad, "service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "policy item access type");
        }
    }
    // create the right service def with right resource defs - this is the same as in the happypath test above.
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes, "service-type");
    // from here on the name lookup returns no policies
    when(_store.getPolicies(filter)).thenReturn(null);
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // one mandatory is missing (tbl) and one unknown resource is specified (extra), and values of option resource don't conform to validation pattern (col)
    Map<String, RangerPolicyResource> policyResources = _utils.createPolicyResourceMap(policyResourceMap_bad);
    when(_policy.getResources()).thenReturn(policyResources);
    // ensure that the policy is acceptable as far as its resource signature is concerned
    RangerPolicyResourceSignature signature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(signature);
    when(signature.getSignature()).thenReturn("hash-1");
    // store does not have any policies for that signature hash
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            // for resource values of "col" that do not conform to the validation pattern
            _utils.checkFailureForSemanticError(_failures, "resource-values", "col");
            // for specifying it as true when def did not allow it
            _utils.checkFailureForSemanticError(_failures, "isRecursive", "db");
            // for specifying it as true when def did not allow it
            _utils.checkFailureForSemanticError(_failures, "isExcludes", "col");
        }
    }
    // Check that a resource-signature clash is reported: have the store return policies for the same signature
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(existingPolicies);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            _failures.clear();
            Assert.assertFalse(_validator.isValid(_policy, action, isAdmin, _failures));
            _utils.checkFailureForSemanticError(_failures, "policy resources");
        }
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)

Example 45 with SearchFilter

use of org.apache.ranger.plugin.util.SearchFilter in project ranger by apache.

the class TestRangerPolicyValidator method testIsValid_happyPath.

/**
 * Happy-path check: the validator must accept a well-formed policy and report no failures.
 *
 * The test runs in three stages, each iterating over the actions in {@code cu}
 * (presumably CREATE and UPDATE; the loops branch on {@code Action.CREATE} versus everything else):
 * <ol>
 *   <li>audit enabled ({@code null} or {@code true}) with no resources, for admin and non-admin callers;</li>
 *   <li>audit disabled with policy items built from {@code policyItemsData}, for admin and non-admin callers;</li>
 *   <li>a service-def that declares resources, a policy resource map built from
 *       {@code policyResourceMap_good} and no stored policy with the same resource signature,
 *       for an admin caller only.</li>
 * </ol>
 * Every stubbing below is order-sensitive: a later {@code when(...)} on the same call replaces the earlier answer.
 *
 * @throws Exception declared by the test signature
 */
@Test
public final void testIsValid_happyPath() throws Exception {
    // valid policy has valid non-empty name and service name
    when(_policy.getService()).thenReturn("service-name");
    // service name exists
    RangerService service = mock(RangerService.class);
    when(service.getType()).thenReturn("service-type");
    when(_store.getServiceByName("service-name")).thenReturn(service);
    // service points to a valid service-def
    _serviceDef = _utils.createServiceDefWithAccessTypes(accessTypes);
    when(_serviceDef.getName()).thenReturn("service-type");
    when(_store.getServiceDefByName("service-type")).thenReturn(_serviceDef);
    // by-id lookups: id 7 (used for create below) is not in the store, id 8 (used for update below) is.
    when(_store.getPolicy(7L)).thenReturn(null);
    RangerPolicy existingPolicy = mock(RangerPolicy.class);
    when(existingPolicy.getId()).thenReturn(8L);
    when(existingPolicy.getService()).thenReturn("service-name");
    when(_store.getPolicy(8L)).thenReturn(existingPolicy);
    // by-name lookup for "policy-name-1" finds nothing
    // NOTE(review): this stub and the updateFilter stub below only apply if the validator queries the store
    // with an equal SearchFilter; otherwise the mock's default answer is returned -- confirm, so that the
    // happy path is not passing vacuously.
    SearchFilter createFilter = new SearchFilter();
    createFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
    // this name would be used for create
    createFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-1");
    when(_store.getPolicies(createFilter)).thenReturn(new ArrayList<RangerPolicy>());
    // by-name lookup for "policy-name-2" returns the existing policy (id 8), i.e. the policy being updated.
    SearchFilter updateFilter = new SearchFilter();
    updateFilter.setParam(SearchFilter.SERVICE_TYPE, "service-type");
    // this name would be used for update
    updateFilter.setParam(SearchFilter.POLICY_NAME, "policy-name-2");
    List<RangerPolicy> existingPolicies = new ArrayList<>();
    existingPolicies.add(existingPolicy);
    when(_store.getPolicies(updateFilter)).thenReturn(existingPolicies);
    // Stage 1.
    // valid policy can have empty set of policy items if audit is turned on
    // null value for audit is treated as audit on.
    // for now we want to turn any resource related checking off
    when(_policy.getResources()).thenReturn(null);
    for (Action action : cu) {
        for (Boolean auditEnabled : new Boolean[] { null, true }) {
            for (boolean isAdmin : new boolean[] { true, false }) {
                when(_policy.getIsAuditEnabled()).thenReturn(auditEnabled);
                if (action == Action.CREATE) {
                    // create: id 7 is unknown to the store and the name is not taken
                    when(_policy.getId()).thenReturn(7L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                } else {
                    // update should work both when by-name is found or not, since nothing found by-name means name is being updated.
                    when(_policy.getId()).thenReturn(8L);
                    when(_policy.getName()).thenReturn("policy-name-1");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                    // same id, but now the by-name lookup returns the stored policy with that id
                    when(_policy.getName()).thenReturn("policy-name-2");
                    Assert.assertTrue("" + action + ", " + auditEnabled, _validator.isValid(_policy, action, isAdmin, _failures));
                    Assert.assertTrue(_failures.isEmpty());
                }
            }
        }
    }
    // Stage 2.
    // if audit is disabled then policy should have policy items and all of them should be valid
    List<RangerPolicyItem> policyItems = _utils.createPolicyItems(policyItemsData);
    when(_policy.getPolicyItems()).thenReturn(policyItems);
    when(_policy.getIsAuditEnabled()).thenReturn(false);
    for (Action action : cu) {
        for (boolean isAdmin : new boolean[] { true, false }) {
            if (action == Action.CREATE) {
                when(_policy.getId()).thenReturn(7L);
                when(_policy.getName()).thenReturn("policy-name-1");
            } else {
                when(_policy.getId()).thenReturn(8L);
                when(_policy.getName()).thenReturn("policy-name-2");
            }
            Assert.assertTrue("" + action, _validator.isValid(_policy, action, isAdmin, _failures));
            Assert.assertTrue(_failures.isEmpty());
        }
    }
    // Stage 3.
    // above succeeded as service def did not have any resources on it, mandatory or otherwise.
    // policy should have all mandatory resources specified, and they should conform to the validation pattern in resource definition
    List<RangerResourceDef> resourceDefs = _utils.createResourceDefs(resourceDefData);
    when(_serviceDef.getResources()).thenReturn(resourceDefs);
    Map<String, RangerPolicyResource> resourceMap = _utils.createPolicyResourceMap(policyResourceMap_good);
    when(_policy.getResources()).thenReturn(resourceMap);
    // let's add some other policies in the store for this service that have a different signature
    // setup the signatures on the policies
    RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
    when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
    // setup the store to indicate that no other policy exists with matching signature
    when(policySignature.getSignature()).thenReturn("hash-1");
    when(_store.getPoliciesByResourceSignature("service-name", "hash-1", true)).thenReturn(null);
    // we are reusing the same policies collection here -- which is fine
    for (Action action : cu) {
        if (action == Action.CREATE) {
            when(_policy.getId()).thenReturn(7L);
            when(_policy.getName()).thenReturn("policy-name-1");
        } else {
            when(_policy.getId()).thenReturn(8L);
            when(_policy.getName()).thenReturn("policy-name-2");
        }
        // since policy resource has excludes, admin privileges would be required
        // NOTE(review): only isAdmin == true is exercised in this stage; this method does not assert that the
        // same policy is rejected for a non-admin caller -- confirm a negative test pins that authorization
        // boundary.
        Assert.assertTrue("" + action, _validator.isValid(_policy, action, true, _failures));
        Assert.assertTrue(_failures.isEmpty());
    }
}
Also used : Action(org.apache.ranger.plugin.model.validation.RangerValidator.Action) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) ArrayList(java.util.ArrayList) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPolicyResourceSignature(org.apache.ranger.plugin.model.RangerPolicyResourceSignature) RangerService(org.apache.ranger.plugin.model.RangerService) RangerResourceDef(org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef) Test(org.junit.Test)
