RANGER-1781: Policy model update to support restricted access-types based on selected resource (more performance improvements)
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/2a1406df Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/2a1406df Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/2a1406df Branch: refs/heads/master Commit: 2a1406df8125b96b3051616cb61ba01fc96f93c3 Parents: 0688f5e Author: Abhay Kulkarni <akulka...@hortonworks.com> Authored: Fri Nov 10 07:34:34 2017 -0800 Committer: Abhay Kulkarni <akulka...@hortonworks.com> Committed: Fri Nov 10 07:34:34 2017 -0800 ---------------------------------------------------------------------- .../policyengine/RangerPolicyEngineImpl.java | 4 +- .../RangerDefaultPolicyResourceMatcher.java | 364 ++++++---- .../RangerPolicyResourceMatcher.java | 2 +- .../RangerAbstractResourceMatcher.java | 2 +- .../validation/TestRangerServiceDefHelper.java | 16 +- .../plugin/policyengine/TestPolicyDb.java | 40 +- .../TestDefaultPolicyResourceMatcher.java | 46 +- ...stDefaultPolicyResourceMatcherForPolicy.java | 55 +- .../service-defs/test-hbase-servicedef.json | 241 +++++++ .../service-defs/test-hdfs-servicedef.json | 286 ++++++++ .../service-defs/test-hive-servicedef.json | 679 +++++++++++++------ .../admin/service-defs/test-tag-servicedef.json | 82 +++ agents-common/src/test/resources/log4j.xml | 18 +- .../policyengine/test_policydb_hive.json | 441 ++++++++++++ .../test_defaultpolicyresourcematcher.json | 28 +- ...ltpolicyresourcematcher_for_hive_policy.json | 410 +++++++++++ ...defaultpolicyresourcematcher_for_policy.json | 315 --------- ...rcematcher_for_resource_specific_policy.json | 335 --------- .../test/resources/testdata/test_modules.txt | 2 + 19 files changed, 2300 insertions(+), 1066 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 2bebb95..cff7a5e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -572,7 +572,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { for (List<RangerPolicyEvaluator> evaluators : likelyEvaluators) { for (RangerPolicyEvaluator evaluator : evaluators) { RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher(); - if (matcher != null && matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT, null)) { + if (matcher != null && matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) { ret.add(evaluator.getPolicy()); } } @@ -591,7 +591,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { for (List<RangerPolicyEvaluator> evaluators : likelyEvaluators) { for (RangerPolicyEvaluator evaluator : evaluators) { RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher(); - if (matcher != null && matcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT, null)) { + if (matcher != null && matcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) { ret.add(evaluator.getPolicy()); } } http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java index 74b70be..415263e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java @@ -20,7 +20,6 @@ package org.apache.ranger.plugin.policyresourcematcher; import java.util.Collection; -import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.Set; @@ -40,10 +39,14 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher; import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; +import org.apache.ranger.plugin.util.RangerPerfTracer; public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceMatcher { private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyResourceMatcher.class); + private static final Log PERF_POLICY_RESOURCE_MATCHER_INIT_LOG = RangerPerfTracer.getPerfLogger("policyresourcematcher.init"); + private static final Log PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG = RangerPerfTracer.getPerfLogger("policyresourcematcher.match"); + protected RangerServiceDef serviceDef; protected int policyType; protected Map<String, RangerPolicyResource> policyResources; @@ -74,7 +77,6 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } else { setPolicyResources(policy.getResources(), policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType()); } - } @Override @@ -98,6 +100,16 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } @Override + public RangerServiceDef getServiceDef() { + return serviceDef; + } + + @Override + public RangerResourceMatcher getResourceMatcher(String resourceName) { + return allMatchers != null ? allMatchers.get(resourceName) : null; + } + + @Override public boolean getNeedsDynamicEval() { return needsDynamicEval; } @Override @@ -110,10 +122,15 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM needsDynamicEval = false; validResourceHierarchy = null; isInitialized = false; - serviceDefHelper = null; String errorText = ""; + RangerPerfTracer perf = null; + + if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_INIT_LOG, "RangerDefaultPolicyResourceMatcher.init()"); + } + if (policyResources != null && !policyResources.isEmpty() && serviceDef != null) { serviceDefHelper = serviceDefHelper == null ? new RangerServiceDefHelper(serviceDef, false) : serviceDefHelper; @@ -204,35 +221,37 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM isInitialized = true; } + RangerPerfTracer.log(perf); + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerDefaultPolicyResourceMatcher.init(): ret=" + isInitialized); } } @Override - public RangerServiceDef getServiceDef() { - return serviceDef; - } + public String toString() { + StringBuilder sb = new StringBuilder(); - @Override - public RangerResourceMatcher getResourceMatcher(String resourceName) { - return allMatchers != null ? allMatchers.get(resourceName) : null; + return toString(sb).toString(); } @Override - public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")"); - } - - boolean ret = isMatch(resources, MatchScope.SELF_OR_ANCESTOR, true, evalContext); + public StringBuilder toString(StringBuilder sb) { + sb.append("RangerDefaultPolicyResourceMatcher={"); + sb.append("isInitialized=").append(isInitialized).append(", "); - if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + ret); + sb.append("matchers={"); + if(allMatchers != null) { + for(RangerResourceMatcher matcher : allMatchers.values()) { + sb.append("{").append(matcher).append("} "); + } } + sb.append("} "); - return ret; + sb.append("}"); + + return sb; } @Override @@ -241,6 +260,12 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + ")"); } + RangerPerfTracer perf = null; + + if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()"); + } + boolean ret = false; Collection<String> resourceKeys = resource == null ? null : resource.getKeys(); Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet(); @@ -268,6 +293,8 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } } + RangerPerfTracer.log(perf); + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resource + ", " + evalContext + "): " + ret); } @@ -281,6 +308,12 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM LOG.debug("==> RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + ")"); } + RangerPerfTracer perf = null; + + if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.applyPolicyMatch()"); + } + boolean ret = false; Collection<String> resourceKeys = resources == null ? null : resources.keySet(); Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet(); @@ -308,6 +341,8 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } } + RangerPerfTracer.log(perf); + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerDefaultPolicyResourceMatcher.isCompleteMatch(" + resources + ", " + evalContext + "): " + ret); } @@ -316,19 +351,18 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } @Override - public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) { - return isMatch(resource, MatchScope.SELF_OR_ANCESTOR, evalContext); - } - - @Override public boolean isMatch(RangerPolicy policy, MatchScope scope, Map<String, Object> evalContext) { - return policy.getPolicyType() == policyType && isMatch(policy.getResources(), scope, false, evalContext); - } - - private boolean isMatch(Map<String, RangerPolicyResource> resources, MatchScope scope, boolean mustMatchAllPolicyValues, Map<String, Object> evalContext) { boolean ret = false; - if (MapUtils.isNotEmpty(resources)) { + RangerPerfTracer perf = null; + + if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getPoliciesNonLegacy()"); + } + + Map<String, RangerPolicyResource> resources = policy.getResources(); + + if (policy.getPolicyType() == policyType && MapUtils.isNotEmpty(resources)) { List<RangerResourceDef> hierarchy = getMatchingHierarchy(resources.keySet()); if (CollectionUtils.isNotEmpty(hierarchy)) { @@ -349,9 +383,10 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM // level, the final matchType (which is for the entire policy) is checked against // requested scope to determine the match-result. - // Unit tests in TestDefaultPolicyResourceForPolicy.java, test_defaultpolicyresourcematcher_for_policy.json, + // Unit tests in TestDefaultPolicyResourceForPolicy.java, TestDefaultPolicyResourceMatcher.java // test_defaultpolicyresourcematcher_for_hdfs_policy.json, and - // test_defaultpolicyresourcematcher_for_resource_specific_policy.json + // test_defaultpolicyresourcematcher_for_hive_policy.json, and + // test_defaultPolicyResourceMatcher.json boolean skipped = false; @@ -371,10 +406,7 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM if (matchType != MatchType.NONE) { // One value for this resourceDef matched ret = true; - - if (!mustMatchAllPolicyValues) { - break; - } + break; } } } else { @@ -388,10 +420,107 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM break; } } + ret = ret && isMatch(scope, matchType); } } + RangerPerfTracer.log(perf); + + return ret; + } + + @Override + public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) { + RangerPerfTracer perf = null; + + if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.grantRevokeMatch()"); + } + + /* + * There is already API to get the delegateAdmin permissions for a map of policyResources. + * That implementation should be reused for figuring out delegateAdmin permissions for a resource as well. + */ + + Map<String, RangerPolicyResource> policyResources = null; + + for (RangerResourceDef resourceDef : serviceDef.getResources()) { + String resourceName = resourceDef.getName(); + String resourceValue = resource.getValue(resourceName); + if (resourceValue != null) { + if (policyResources == null) { + policyResources = new HashMap<>(); + } + policyResources.put(resourceName, new RangerPolicyResource(resourceValue)); + } + } + final boolean ret = MapUtils.isNotEmpty(policyResources) && isMatch(policyResources, evalContext); + + RangerPerfTracer.log(perf); + + return ret; + } + + @Override + public boolean isMatch(Map<String, RangerPolicyResource> resources, Map<String, Object> evalContext) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + ")"); + } + + boolean ret = false; + + RangerPerfTracer perf = null; + + if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.delegateAdminMatch()"); + } + + if(serviceDef != null && serviceDef.getResources() != null) { + Collection<String> resourceKeys = resources == null ? null : resources.keySet(); + Collection<String> policyKeys = policyResources == null ? null : policyResources.keySet(); + + boolean keysMatch = CollectionUtils.isEmpty(resourceKeys) || (policyKeys != null && policyKeys.containsAll(resourceKeys)); + + if(keysMatch) { + for(RangerResourceDef resourceDef : serviceDef.getResources()) { + String resourceName = resourceDef.getName(); + RangerPolicyResource resourceValues = resources == null ? null : resources.get(resourceName); + List<String> values = resourceValues == null ? null : resourceValues.getValues(); + RangerResourceMatcher matcher = allMatchers == null ? null : allMatchers.get(resourceName); + + if (matcher != null) { + if (CollectionUtils.isNotEmpty(values)) { + for (String value : values) { + ret = matcher.isMatch(value, evalContext); + if (!ret) { + break; + } + } + } else { + ret = matcher.isMatchAny(); + } + } else { + ret = CollectionUtils.isEmpty(values); + } + + if(! ret) { + break; + } + } + } else { + if(LOG.isDebugEnabled()) { + LOG.debug("isMatch(): keysMatch=false. resourceKeys=" + resourceKeys + "; policyKeys=" + policyKeys); + } + } + } + + RangerPerfTracer.log(perf); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultPolicyResourceMatcher.isMatch(" + resources + ", " + evalContext + "): " + ret); + } + return ret; } @@ -406,91 +535,81 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM if (LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + evalContext + ")"); } - MatchType ret = MatchType.NONE; - int policyKeysSize = policyResources == null ? 0 : policyResources.size(); - int resourceKeysSize = resource == null || resource.getKeys() == null ? 0 : resource.getKeys().size(); - if (policyKeysSize == 0 && resourceKeysSize == 0) { - ret = MatchType.SELF; - } else { - List<RangerResourceDef> hierarchy = getMatchingHierarchy(resource); - if (CollectionUtils.isNotEmpty(hierarchy)) { - int lastNonAnyMatcherIndex = 0; - /* - * For hive resource policy: - * lastNonAnyMatcherIndex will be set to - * 0 : if all matchers in policy are '*'; such as database=*, table=*, column=* - * 1 : database=hr, table=*, column=* - * 2 : database=<any>, table=employee, column=* - * 3 : database=<any>, table=<any>, column=ssn - */ - int matchersSize = 0; + RangerPerfTracer perf = null; - for (RangerResourceDef resourceDef : hierarchy) { - RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName()); - if (matcher != null) { - matchersSize++; - if (!matcher.isMatchAny()) { - lastNonAnyMatcherIndex = matchersSize; + if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_RESOURCE_MATCHER_MATCH_LOG, "RangerDefaultPolicyResourceMatcher.getMatchType()"); + } + + if (resource != null && policyResources != null) { + int resourceKeysSize = resource.getKeys() == null ? 0 : resource.getKeys().size(); + + if (policyResources.size() == 0 && resourceKeysSize == 0) { + ret = MatchType.SELF; + } else { + List<RangerResourceDef> hierarchy = getMatchingHierarchy(resource); + if (CollectionUtils.isNotEmpty(hierarchy)) { + + int lastNonAnyMatcherIndex = -1; + int matchersSize = 0; + + for (RangerResourceDef resourceDef : hierarchy) { + RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName()); + if (matcher != null) { + if (!matcher.isMatchAny()) { + lastNonAnyMatcherIndex = matchersSize; + } + matchersSize++; + } else { + break; } } - } - if (resourceKeysSize == 0 && lastNonAnyMatcherIndex == 0) { - ret = MatchType.SELF; - } else if (lastNonAnyMatcherIndex == 0) { - ret = MatchType.ANCESTOR; - } else if (resourceKeysSize == 0) { - ret = MatchType.DESCENDANT; - } else { - int index = 0; + int lastMatchedMatcherIndex = -1; + for (RangerResourceDef resourceDef : hierarchy) { - String resourceName = resourceDef.getName(); - RangerResourceMatcher matcher = getResourceMatcher(resourceName); - String resourceValue = resource.getValue(resourceName); + RangerResourceMatcher matcher = getResourceMatcher(resourceDef.getName()); + String resourceValue = resource.getValue(resourceDef.getName()); - if (resourceValue != null) { - if (matcher != null) { - index++; + if (matcher != null) { + if (resourceValue != null) { if (matcher.isMatch(resourceValue, evalContext)) { - ret = index == resourceKeysSize && matcher.isMatchAny() ? MatchType.ANCESTOR : MatchType.SELF; + ret = MatchType.SELF; + lastMatchedMatcherIndex++; } else { ret = MatchType.NONE; break; } } else { - // More resource-levels than matchers - ret = MatchType.ANCESTOR; + // More matchers than resource-values + ret = MatchType.DESCENDANT; + + if (lastMatchedMatcherIndex >= lastNonAnyMatcherIndex) { + ret = MatchType.ANCESTOR; + if (lastMatchedMatcherIndex == lastNonAnyMatcherIndex && lastMatchedMatcherIndex == -1) { + // For degenerate case : resourceKeysSize == 0 and all matchers are of type Any + ret = MatchType.SELF; + } + } break; } } else { - if (matcher != null) { - // More matchers than resource-levels - if (index >= lastNonAnyMatcherIndex) { - // All AnyMatch matchers after this - ret = MatchType.ANCESTOR; - } else { - ret = MatchType.DESCENDANT; - } - } else { - // Common part of several possible hierarchies matched - if (resourceKeysSize > index) { - ret = MatchType.ANCESTOR; - } + if (resourceValue != null) { + // More resource-values than matchers + ret = MatchType.ANCESTOR; } break; } } - if (ret == MatchType.SELF && resourceKeysSize > matchersSize) { - ret = MatchType.ANCESTOR; - } } } - } + RangerPerfTracer.log(perf); + if (LOG.isDebugEnabled()) { LOG.debug("<== RangerDefaultPolicyResourceMatcher.getMatchType(" + resource + evalContext + "): " + ret); } @@ -519,15 +638,18 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } } } - } + } else { + ret = false; + } return ret; } + private List<RangerResourceDef> getMatchingHierarchy(Set<String> resourceKeys) { List<RangerResourceDef> ret = null; - if (CollectionUtils.isNotEmpty(resourceKeys)) { - Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper == null ? Collections.EMPTY_SET : serviceDefHelper.getResourceHierarchies(policyType, resourceKeys); + if (CollectionUtils.isNotEmpty(resourceKeys) && serviceDefHelper != null) { + Set<List<RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(policyType, resourceKeys); // pick the shortest hierarchy for (List<RangerResourceDef> resourceHierarchy : resourceHierarchies) { @@ -554,25 +676,26 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM final List<RangerResourceDef> ret; - Set<String> policyResourcesKeySet = policyResources == null ? Collections.EMPTY_SET : policyResources.keySet(); + Set<String> policyResourcesKeySet = policyResources.keySet(); + Set<String> resourceKeySet = resource.getKeys(); - if (resource != null && resource.getKeys() != null) { + if (CollectionUtils.isNotEmpty(resourceKeySet)) { List<RangerResourceDef> aValidHierarchy = null; if (validResourceHierarchy != null && serviceDefHelper != null) { - if (serviceDefHelper.hierarchyHasAllResources(validResourceHierarchy, resource.getKeys())) { + if (serviceDefHelper.hierarchyHasAllResources(validResourceHierarchy, resourceKeySet)) { aValidHierarchy = validResourceHierarchy; } } else { - if (policyResourcesKeySet.containsAll(resource.getKeys())) { + if (policyResourcesKeySet.containsAll(resourceKeySet)) { aValidHierarchy = getMatchingHierarchy(policyResourcesKeySet); - } else if (resource.getKeys().containsAll(policyResourcesKeySet)) { - aValidHierarchy = getMatchingHierarchy(resource.getKeys()); + } else if (resourceKeySet.containsAll(policyResourcesKeySet)) { + aValidHierarchy = getMatchingHierarchy(resourceKeySet); } } ret = isHierarchyValidForResources(aValidHierarchy, resource.getAsMap()) ? aValidHierarchy : null; } else { - ret = getMatchingHierarchy(policyResourcesKeySet); + ret = validResourceHierarchy != null ? validResourceHierarchy : getMatchingHierarchy(policyResourcesKeySet); } if (LOG.isDebugEnabled()) { @@ -585,10 +708,6 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM private boolean isMatch(final MatchScope scope, final MatchType matchType) { final boolean ret; switch (scope) { - case SELF_OR_ANCESTOR_OR_DESCENDANT: { - ret = matchType != MatchType.NONE; - break; - } case SELF: { ret = matchType == MatchType.SELF; break; @@ -609,39 +728,12 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM ret = matchType == MatchType.ANCESTOR; break; } - default: + default: { ret = matchType != MatchType.NONE; break; - } - return ret; - } - - @Override - public String toString() { - StringBuilder sb = new StringBuilder(); - - toString(sb); - - return sb.toString(); - } - - @Override - public StringBuilder toString(StringBuilder sb) { - sb.append("RangerDefaultPolicyResourceMatcher={"); - - sb.append("isInitialized=").append(isInitialized).append(", "); - - sb.append("matchers={"); - if(allMatchers != null) { - for(RangerResourceMatcher matcher : allMatchers.values()) { - sb.append("{").append(matcher).append("} "); } } - sb.append("} "); - - sb.append("}"); - - return sb; + return ret; } private static RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource resource) { http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java index b8e7fd4..4696d84 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java @@ -29,7 +29,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResource; import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; public interface RangerPolicyResourceMatcher { - enum MatchScope { SELF_OR_ANCESTOR_OR_DESCENDANT, SELF, SELF_OR_DESCENDANT, SELF_OR_ANCESTOR, DESCENDANT, ANCESTOR }; + enum MatchScope { SELF, SELF_OR_DESCENDANT, SELF_OR_ANCESTOR, DESCENDANT, ANCESTOR, ANY }; enum MatchType { NONE, SELF, DESCENDANT, ANCESTOR }; void setServiceDef(RangerServiceDef serviceDef); http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java index 34a8777..acd599a 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java @@ -205,7 +205,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat String policyValue = policyValues.get(0); if(isMatchAny) { - ret = StringUtils.containsOnly(resource, WILDCARD_ASTERISK); + ret = StringUtils.isEmpty(resource) || StringUtils.containsOnly(resource, WILDCARD_ASTERISK); } else { ret = optIgnoreCase ? StringUtils.equalsIgnoreCase(resource, policyValue) : StringUtils.equals(resource, policyValue); } http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java index 584e88e..b0c1085 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java @@ -71,8 +71,8 @@ public class TestRangerServiceDefHelper { RangerResourceDef Database = createResourceDef("Database", ""); RangerResourceDef UDF = createResourceDef("UDF", "Database"); RangerResourceDef Table = createResourceDef("Table", "Database"); - RangerResourceDef Column = createResourceDef("Column", "Table"); - RangerResourceDef Table_Attribute = createResourceDef("Table-Attribute", "Table"); + RangerResourceDef Column = createResourceDef("Column", "Table", true); + RangerResourceDef Table_Attribute = createResourceDef("Table-Attribute", "Table", true); // order of resources in list sould not matter List<RangerResourceDef> resourceDefs = Lists.newArrayList(Column, Database, Table, Table_Attribute, UDF); // stuff this into a service-def @@ -127,12 +127,12 @@ public class TestRangerServiceDefHelper { * Check that helper corrects reports back all of the hierarchies: levels in it and their order. */ RangerResourceDef database = createResourceDef("database", ""); - RangerResourceDef tableSpace = createResourceDef("table-space", "database"); + RangerResourceDef tableSpace = createResourceDef("table-space", "database", true); RangerResourceDef table = createResourceDef("table", "database"); - RangerResourceDef column = createResourceDef("column", "table"); + RangerResourceDef column = createResourceDef("column", "table", true); RangerResourceDef namespace = createResourceDef("namespace", ""); - RangerResourceDef function = createResourceDef("function", "namespace"); - RangerResourceDef Package = createResourceDef("package", "namespace"); + RangerResourceDef function = createResourceDef("function", "namespace", true); + RangerResourceDef Package = createResourceDef("package", "namespace", true); List<RangerResourceDef> resourceDefs = Lists.newArrayList(database, tableSpace, table, column, namespace, function, Package); when(_serviceDef.getResources()).thenReturn(resourceDefs); _helper = new RangerServiceDefHelper(_serviceDef); @@ -172,8 +172,8 @@ public class TestRangerServiceDefHelper { RangerResourceDef database = createResourceDef("database", ""); RangerResourceDef server = createResourceDef("server", ""); RangerResourceDef namespace = createResourceDef("namespace", ""); - RangerResourceDef function = createResourceDef("function", "namespace"); - RangerResourceDef Package = createResourceDef("package", "namespace"); + RangerResourceDef function = createResourceDef("function", "namespace", true); + RangerResourceDef Package = createResourceDef("package", "namespace", true); List<RangerResourceDef> resourceDefs = Lists.newArrayList(database, server, namespace, function, Package); when(_serviceDef.getResources()).thenReturn(resourceDefs); _helper = new RangerServiceDefHelper(_serviceDef); http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java index 58bb351..85ea679 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyDb.java @@ -31,6 +31,7 @@ import java.util.Set; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.TestPolicyDb.PolicyDbTestCase.TestData; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.util.ServicePolicies; @@ -43,36 +44,67 @@ import com.google.gson.GsonBuilder; public class TestPolicyDb { static Gson gsonBuilder; + static RangerServiceDef hdfsServiceDef; + static RangerServiceDef hiveServiceDef; + static RangerServiceDef hbaseServiceDef; + static RangerServiceDef tagServiceDef; @BeforeClass public static void setUpBeforeClass() throws Exception { gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") .setPrettyPrinting() .create(); + initializeServiceDefs(); } + private static void initializeServiceDefs() { + hdfsServiceDef = readServiceDef("hdfs"); + hiveServiceDef = readServiceDef("hive"); + hbaseServiceDef = readServiceDef("hbase"); + tagServiceDef = readServiceDef("tag"); + } + + private static RangerServiceDef readServiceDef(String name) { + InputStream inStream = TestPolicyDb.class.getResourceAsStream("/admin/service-defs/test-" + name + "-servicedef.json"); + InputStreamReader reader = new InputStreamReader(inStream); + return gsonBuilder.fromJson(reader, RangerServiceDef.class); + + } + @AfterClass public static void tearDownAfterClass() throws Exception { } @Test public void testPolicyDb_hdfs() { + String[] hdfsTestResourceFiles = { "/policyengine/test_policydb_hdfs.json" }; - runTestsFromResourceFiles(hdfsTestResourceFiles); + runTestsFromResourceFiles(hdfsTestResourceFiles, hdfsServiceDef); } - private void runTestsFromResourceFiles(String[] resourceNames) { + @Test + public void testPolicyDb_hive() { + String[] hiveTestResourceFiles = { "/policyengine/test_policydb_hive.json" }; + + runTestsFromResourceFiles(hiveTestResourceFiles, hiveServiceDef); + } + + private void runTestsFromResourceFiles(String[] resourceNames, RangerServiceDef serviceDef) { for(String resourceName : resourceNames) { InputStream inStream = this.getClass().getResourceAsStream(resourceName); InputStreamReader reader = new InputStreamReader(inStream); - runTests(reader, resourceName); + runTests(reader, resourceName, serviceDef); } } - private void runTests(InputStreamReader reader, String testName) { + private void runTests(InputStreamReader reader, String testName, RangerServiceDef serviceDef) { PolicyDbTestCase testCase = gsonBuilder.fromJson(reader, PolicyDbTestCase.class); + if (serviceDef != null) { + // Override serviceDef in the json test-file with a global service-def + testCase.servicePolicies.setServiceDef(serviceDef); + } assertTrue("invalid input: " + testName, testCase != null && testCase.servicePolicies != null && testCase.tests != null && testCase.servicePolicies.getPolicies() != null); http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java index 7d2519c..1755233 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java @@ -50,12 +50,31 @@ import com.google.gson.GsonBuilder; public class TestDefaultPolicyResourceMatcher { static Gson gsonBuilder; + static RangerServiceDef hdfsServiceDef; + static RangerServiceDef hiveServiceDef; + static RangerServiceDef hbaseServiceDef; + static RangerServiceDef tagServiceDef; + @BeforeClass public static void setUpBeforeClass() throws Exception { gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") .setPrettyPrinting() .registerTypeAdapter(RangerAccessResource.class, new TestDefaultPolicyResourceMatcher.RangerResourceDeserializer()) .create(); + initializeServiceDefs(); + } + + private static void initializeServiceDefs() { + hdfsServiceDef = readServiceDef("hdfs"); + hiveServiceDef = readServiceDef("hive"); + hbaseServiceDef = readServiceDef("hbase"); + tagServiceDef = readServiceDef("tag"); + } + + private static RangerServiceDef readServiceDef(String name) { + InputStream inStream = TestDefaultPolicyResourceMatcher.class.getResourceAsStream("/admin/service-defs/test-" + name + "-servicedef.json"); + InputStreamReader reader = new InputStreamReader(inStream); + return gsonBuilder.fromJson(reader, RangerServiceDef.class); } @AfterClass @@ -74,23 +93,30 @@ public class TestDefaultPolicyResourceMatcher { public void testDefaultPolicyResourceMatcher() throws Exception { String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher.json" }; - runTestsFromResourceFiles(tests); + runTestsFromResourceFiles(tests, null); } - private void runTestsFromResourceFiles(String[] resourceNames) throws Exception { - for(String resourceName : resourceNames) { - InputStream inStream = this.getClass().getResourceAsStream(resourceName); - InputStreamReader reader = new InputStreamReader(inStream); + @Test + public void testDefaultPolicyResourceMatcher_ResourceSpecific() throws Exception { + String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher.json" }; - runTests(reader); - } + runTestsFromResourceFiles(tests, hiveServiceDef); } - private void runTests(InputStreamReader reader) throws Exception { + private void runTestsFromResourceFiles(String[] resourceNames, RangerServiceDef serviceDef) throws Exception { + for (String resourceName : resourceNames) { + InputStream inStream = this.getClass().getResourceAsStream(resourceName); + InputStreamReader reader = new InputStreamReader(inStream); + + runTests(reader, serviceDef); + } + } + + private void runTests(InputStreamReader reader, RangerServiceDef serviceDef) throws Exception { DefaultPolicyResourceMatcherTestCases testCases = gsonBuilder.fromJson(reader, DefaultPolicyResourceMatcherTestCases.class); for (DefaultPolicyResourceMatcherTestCases.TestCase testCase : testCases.testCases) { - runTest(testCase, testCases.serviceDef); + runTest(testCase, serviceDef == null ? testCases.serviceDef : serviceDef); } } private void runTest(DefaultPolicyResourceMatcherTestCases.TestCase testCase, RangerServiceDef serviceDef) throws Exception { @@ -120,7 +146,7 @@ public class TestDefaultPolicyResourceMatcher { } else if (StringUtils.equalsIgnoreCase(oneTest.type, "ancestorMatch")) { scope = RangerPolicyResourceMatcher.MatchScope.ANCESTOR; } else if (StringUtils.equalsIgnoreCase(oneTest.type, "anyMatch")) { - scope = RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT; + scope = RangerPolicyResourceMatcher.MatchScope.ANY; } else { continue; } http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java index f6732eb..93daf3b 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java @@ -52,12 +52,31 @@ import com.google.gson.GsonBuilder; public class TestDefaultPolicyResourceMatcherForPolicy { static Gson gsonBuilder; + static RangerServiceDef hdfsServiceDef; + static RangerServiceDef hiveServiceDef; + static RangerServiceDef hbaseServiceDef; + static RangerServiceDef tagServiceDef; + @BeforeClass public static void setUpBeforeClass() throws Exception { gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z") .setPrettyPrinting() .registerTypeAdapter(RangerAccessResource.class, new TestDefaultPolicyResourceMatcherForPolicy.RangerResourceDeserializer()) .create(); + initializeServiceDefs(); + } + + private static void initializeServiceDefs() { + hdfsServiceDef = readServiceDef("hdfs"); + hiveServiceDef = readServiceDef("hive"); + hbaseServiceDef = readServiceDef("hbase"); + tagServiceDef = readServiceDef("tag"); + } + + private static RangerServiceDef readServiceDef(String name) { + InputStream inStream = TestDefaultPolicyResourceMatcherForPolicy.class.getResourceAsStream("/admin/service-defs/test-" + name + "-servicedef.json"); + InputStreamReader reader = new InputStreamReader(inStream); + return gsonBuilder.fromJson(reader, RangerServiceDef.class); } @AfterClass @@ -73,28 +92,40 @@ public class TestDefaultPolicyResourceMatcherForPolicy { } @Test - public void testDefaultPolicyResourceMatcherForPolicy() throws Exception { - String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher_for_resource_specific_policy.json", - "/resourcematcher/test_defaultpolicyresourcematcher_for_hdfs_policy.json", - "/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json"}; + public void testDefaultPolicyResourceMatcherForHdfs() throws Exception { + String[] tests = { "/resourcematcher/test_defaultpolicyresourcematcher_for_hdfs_policy.json" }; + + runTestsFromResourceFiles(tests, null); + } + + @Test + public void testDefaultPolicyResourceMatcherForHive() throws Exception { + String[] tests = {"/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json"}; + + runTestsFromResourceFiles(tests, null); + } + + @Test + public void testDefaultPolicyResourceMatcherForHive_ResourceSpecific() throws Exception { + String[] tests = {"/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json"}; - runTestsFromResourceFiles(tests); + runTestsFromResourceFiles(tests, hiveServiceDef); } - private void runTestsFromResourceFiles(String[] resourceNames) throws Exception { + private void runTestsFromResourceFiles(String[] resourceNames, RangerServiceDef serviceDef) throws Exception { for(String resourceName : resourceNames) { - InputStream inStream = this.getClass().getResourceAsStream(resourceName); - InputStreamReader reader = new InputStreamReader(inStream, Charset.defaultCharset()); + InputStream inStream = this.getClass().getResourceAsStream(resourceName); + InputStreamReader reader = new InputStreamReader(inStream, Charset.defaultCharset()); - runTests(reader); + runTests(reader, serviceDef); } } - private void runTests(InputStreamReader reader) throws Exception { + private void runTests(InputStreamReader reader, RangerServiceDef serviceDef) throws Exception { DefaultPolicyResourceMatcherTestCases testCases = gsonBuilder.fromJson(reader, DefaultPolicyResourceMatcherTestCases.class); for (DefaultPolicyResourceMatcherTestCases.TestCase testCase : testCases.testCases) { - runTest(testCase, testCases.serviceDef); + runTest(testCase, serviceDef == null ? testCases.serviceDef : serviceDef); } } private void runTest(DefaultPolicyResourceMatcherTestCases.TestCase testCase, RangerServiceDef serviceDef) throws Exception { @@ -124,7 +155,7 @@ public class TestDefaultPolicyResourceMatcherForPolicy { } else if (StringUtils.equalsIgnoreCase(oneTest.type, "ancestorMatch")) { scope = RangerPolicyResourceMatcher.MatchScope.ANCESTOR; } else if (StringUtils.equalsIgnoreCase(oneTest.type, "anyMatch")) { - scope = RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT; + scope = RangerPolicyResourceMatcher.MatchScope.ANY; } else { continue; } http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json new file mode 100644 index 0000000..71fae66 --- /dev/null +++ b/agents-common/src/test/resources/admin/service-defs/test-hbase-servicedef.json @@ -0,0 +1,241 @@ +{ + "id":2, + "name": "hbase", + "implClass": "org.apache.ranger.services.hbase.RangerServiceHBase", + "label": "HBase", + "description": "HBase", + "guid": "d6cea1f0-2509-4791-8fc1-7b092399ba3b", + "resources": + [ + { + "itemId": 1, + "name": "table", + "type": "string", + "level": 10, + "parent": "", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": false, + "excludesSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":false }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "HBase Table", + "description": "HBase Table" + }, + + { + "itemId": 2, + "name": "column-family", + "type": "string", + "level": 20, + "parent": "table", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": false, + "excludesSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":false }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "HBase Column-family", + "description": "HBase Column-family" + }, + + { + "itemId": 3, + "name": "column", + "type": "string", + "level": 30, + "parent": "column-family", + "mandatory": true, + "lookupSupported": false, + "recursiveSupported": false, + "excludesSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":false }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "HBase Column", + "description": "HBase Column" + } + ], + + "accessTypes": + [ + { + "itemId": 1, + "name": "read", + "label": "Read" + }, + + { + "itemId": 2, + "name": "write", + "label": "Write" + }, + + { + "itemId": 3, + "name": "create", + "label": "Create" + }, + + { + "itemId": 4, + "name": "admin", + "label": "Admin", + "impliedGrants": + [ + "read", + "write", + "create" + ] + } + ], + + "configs": + [ + { + "itemId": 1, + "name": "username", + "type": "string", + "subType": "", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Username" + }, + + { + "itemId": 2, + "name": "password", + "type": "password", + "subType": "", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Password" + }, + + { + "itemId": 3, + "name": "hadoop.security.authentication", + "type": "enum", + "subType": "authnType", + "mandatory": true, + "defaultValue": "simple", + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 4, + "name": "hbase.master.kerberos.principal", + "type": "string", + "subType": "", + "mandatory": false, + "defaultValue": "" + }, + + { + "itemId": 5, + "name": "hbase.security.authentication", + "type": "enum", + "subType": "authnType", + "mandatory": true, + "defaultValue": "simple", + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 6, + "name": "hbase.zookeeper.property.clientPort", + "type": "int", + "subType": "", + "mandatory": true, + "defaultValue": "2181", + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 7, + "name": "hbase.zookeeper.quorum", + "type": "string", + "subType": "", + "mandatory": true, + "defaultValue": "", + "validationRegEx":"", + "validationMessage": "" + }, + + { + "itemId": 8, + "name": "zookeeper.znode.parent", + "type": "string", + "subType": "", + "mandatory": true, + "defaultValue": "/hbase", + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 9, + "name": "commonNameForCertificate", + "type": "string", + "subType": "", + "mandatory": false, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Common Name for Certificate" + } + ], + + "enums": + [ + { + "itemId": 1, + "name": "authnType", + "elements": + [ + { + "itemId": 1, + "name": "simple", + "label": "Simple" + }, + + { + "itemId": 2, + "name": "kerberos", + "label": "Kerberos" + } + ], + + "defaultIndex": 0 + } + ], + + "contextEnrichers": + [ + + ], + + "policyConditions": + [ + + ] +} http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/admin/service-defs/test-hdfs-servicedef.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/admin/service-defs/test-hdfs-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hdfs-servicedef.json new file mode 100755 index 0000000..2a21ea9 --- /dev/null +++ b/agents-common/src/test/resources/admin/service-defs/test-hdfs-servicedef.json @@ -0,0 +1,286 @@ +{ + "id":1, + "name": "hdfs", + "implClass": "org.apache.ranger.services.hdfs.RangerServiceHdfs", + "label": "HDFS Repository", + "description": "HDFS Repository", + "guid": "0d047247-bafe-4cf8-8e9b-d5d377284b2d", + "resources": + [ + { + "itemId": 1, + "name": "path", + "type": "path", + "level": 10, + "parent": "", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": true, + "excludesSupported": false, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":false }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Resource Path", + "description": "HDFS file or directory path" + } + ], + + "accessTypes": + [ + { + "itemId": 1, + "name": "read", + "label": "Read" + }, + + { + "itemId": 2, + "name": "write", + "label": "Write" + }, + + { + "itemId": 3, + "name": "execute", + "label": "Execute" + } + ], + + "configs": + [ + { + "itemId": 1, + "name": "username", + "type": "string", + "subType": "", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Username" + }, + + { + "itemId": 2, + "name": "password", + "type": "password", + "subType": "", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Password" + }, + + { + "itemId": 3, + "name": "fs.default.name", + "type": "string", + "subType": "", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Namenode URL" + }, + + { + "itemId": 4, + "name": "hadoop.security.authorization", + "type": "bool", + "subType": "YesTrue:NoFalse", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Authorization Enabled", + "defaultValue": "false" + }, + + { + "itemId": 5, + "name": "hadoop.security.authentication", + "type": "enum", + "subType": "authnType", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Authentication Type", + "defaultValue": "simple" + }, + + { + "itemId": 6, + "name": "hadoop.security.auth_to_local", + "type": "string", + "subType": "", + "mandatory": false, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 7, + "name": "dfs.datanode.kerberos.principal", + "type": "string", + "subType": "", + "mandatory": false, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 8, + "name": "dfs.namenode.kerberos.principal", + "type": "string", + "subType": "", + "mandatory": false, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 9, + "name": "dfs.secondary.namenode.kerberos.principal", + "type": "string", + "subType": "", + "mandatory": false, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 10, + "name": "hadoop.rpc.protection", + "type": "enum", + "subType": "rpcProtection", + "mandatory": false, + "label": "RPC Protection Type", + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "defaultValue": "authentication" + }, + + { + "itemId": 11, + "name": "commonNameForCertificate", + "type": "string", + "subType": "", + "mandatory": false, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Common Name for Certificate" + } + ], + + "enums": + [ + { + "itemId": 1, + "name": "authnType", + "elements": + [ + { + "itemId": 1, + "name": "simple", + "label": "Simple" + }, + + { + "itemId": 2, + "name": "kerberos", + "label": "Kerberos" + } + ], + + "defaultIndex": 0 + }, + + { + "itemId": 2, + "name": "rpcProtection", + "elements": + [ + { + "itemId": 1, + "name": "authentication", + "label": "Authentication" + }, + + { + "itemId": 2, + "name": "integrity", + "label": "Integrity" + }, + + { + "itemId": 3, + "name": "privacy", + "label": "Privacy" + } + ], + + "defaultIndex": 0 + } + ], + + "contextEnrichers": + [ + { + "itemId":1, + "name" : "GeolocationEnricher_format_long", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", + "enricherOptions" : { + "FilePath":"/etc/ranger/geo/geo_long.txt", "ForceRead":"false", "IPInDotFormat":"false" + ,"geolocation.meta.prefix": "FORMAT_LONG_" + } + }, + { + "itemId":2, + "name" : "GeolocationEnricher_format_dot", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", + "enricherOptions" : { + "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true" + ,"geolocation.meta.prefix": "FORMAT_DOT_" + } + } + , + { + "itemId":1, + "name" : "GeolocationEnricher", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", + "enricherOptions" : { + "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true" + ,"geolocation.meta.prefix": "TEST_" + } + } + ], + + "policyConditions": + [ + { + "itemId":1, + "name":"ScriptConditionEvaluator", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", + "evaluatorOptions" : {"engineName":"JavaScript"}, + "label":"Script", + "description": "Script to execute" + } + , + { "itemId": 2, + "name":"country", + "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher", + "evaluatorOptions":{"CONTEXT_NAME":"country"} + } + + ] +} http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json index 53b1926..32d92b0 100644 --- a/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json +++ b/agents-common/src/test/resources/admin/service-defs/test-hive-servicedef.json @@ -1,226 +1,457 @@ { - "id":3, - "name": "hive", - "implClass": "org.apache.ranger.services.hive.RangerServiceHive", - "label": "Hive Server2", - "description": "Hive Server2", - "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c", - "resources": - [ - { - "itemId": 1, - "name": "database", - "type": "string", - "level": 10, - "parent": "", - "mandatory": true, - "lookupSupported": true, - "recursiveSupported": false, - "excludesSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard":true, "ignoreCase":true }, - "validationRegEx":"", - "validationMessage": "", - "uiHint":"", - "label": "Hive Database", - "description": "Hive Database" - }, - - { - "itemId": 2, - "name": "table", - "type": "string", - "level": 20, - "parent": "database", - "mandatory": true, - "lookupSupported": true, - "recursiveSupported": false, - "excludesSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard":true, "ignoreCase":true }, - "validationRegEx":"", - "validationMessage": "", - "uiHint":"", - "label": "Hive Table", - "description": "Hive Table" - }, - - { - "itemId": 3, - "name": "udf", - "type": "string", - "level": 20, - "parent": "database", - "mandatory": true, - "lookupSupported": true, - "recursiveSupported": false, - "excludesSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard":true, "ignoreCase":true }, - "validationRegEx":"", - "validationMessage": "", - "uiHint":"", - "label": "Hive UDF", - "description": "Hive UDF" - }, - - { - "itemId": 4, - "name": "column", - "type": "string", - "level": 30, - "parent": "table", - "mandatory": true, - "lookupSupported": true, - "recursiveSupported": false, - "excludesSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard":true, "ignoreCase":true }, - "validationRegEx":"", - "validationMessage": "", - "uiHint":"", - "label": "Hive Column", - "description": "Hive Column" - } - ], - - "accessTypes": - [ - { - "itemId": 1, - "name": "select", - "label": "select" - }, - - { - "itemId": 2, - "name": "update", - "label": "update" - }, - - { - "itemId": 3, - "name": "create", - "label": "Create" - }, - - { - "itemId": 4, - "name": "drop", - "label": "Drop" - }, - - { - "itemId": 5, - "name": "alter", - "label": "Alter" - }, - - { - "itemId": 6, - "name": "index", - "label": "Index" - }, - - { - "itemId": 7, - "name": "lock", - "label": "Lock" - }, - - { - "itemId": 8, - "name": "all", - "label": "All", - "impliedGrants": - [ - "select", - "update", - "create", - "drop", - "alter", - "index", - "lock" - ] - } - ], - - "configs": - [ - { - "itemId": 1, - "name": "username", - "type": "string", - "mandatory": true, - "validationRegEx":"", - "validationMessage": "", - "uiHint":"", - "label": "Username" - }, - - { - "itemId": 2, - "name": "password", - "type": "password", - "mandatory": true, - "validationRegEx":"", - "validationMessage": "", - "uiHint":"", - "label": "Password" - }, - - { - "itemId": 3, - "name": "jdbc.driverClassName", - "type": "string", - "mandatory": true, - "validationRegEx":"", - "validationMessage": "", - "uiHint":"", - "defaultValue": "org.apache.hive.jdbc.HiveDriver" - }, - - { - "itemId": 4, - "name": "jdbc.url", - "type": "string", - "mandatory": true, - "defaultValue": "", - "validationRegEx":"", - "validationMessage": "", - "uiHint":"" - }, - - { - "itemId": 5, - "name": "commonNameForCertificate", - "type": "string", - "mandatory": false, - "validationRegEx":"", - "validationMessage": "", - "uiHint":"", - "label": "Common Name for Certificate" - } - ], - - "enums": - [ - - ], - - "contextEnrichers": - [ - ], - - "policyConditions": - [ - { - "itemId":1, - "name":"not-accessed-together", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesNotAccessedTogetherCondition", - "evaluatorOptions" : {}, - "label":"Not Accessed Together?", - "description": "List of Hive resources" - } - ] + "id":3, + "name": "hive", + "implClass": "org.apache.ranger.services.hive.RangerServiceHive", + "label": "Hive Server2", + "description": "Hive Server2", + "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c", + "resources": + [ + { + "itemId": 1, + "name": "database", + "type": "string", + "level": 10, + "parent": "", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": false, + "excludesSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":true }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Hive Database", + "description": "Hive Database", + "accessTypeRestrictions":["select", "update", "create", "drop", "alter", "lock"], + "isValidLeaf": true + }, + + { + "itemId": 2, + "name": "table", + "type": "string", + "level": 20, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": false, + "excludesSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":true }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Hive Table", + "description": "Hive Table", + "accessTypeRestrictions":["select", "update", "create", "drop", "alter", "index", "lock"], + "isValidLeaf": true + }, + + { + "itemId": 3, + "name": "udf", + "type": "string", + "level": 20, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": false, + "excludesSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":true }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Hive UDF", + "description": "Hive UDF", + "accessTypeRestrictions":["select", "update", "create", "drop", "alter"], + "isValidLeaf": true + }, + + { + "itemId": 4, + "name": "column", + "type": "string", + "level": 30, + "parent": "table", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": false, + "excludesSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":true }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Hive Column", + "description": "Hive Column", + "accessTypeRestrictions":["select", "update", "alter", "lock"], + "isValidLeaf": true + }, + + { + "itemId": 5, + "name": "url", + "type": "string", + "level": 10, + "parent": "", + "mandatory": true, + "lookupSupported": false, + "recursiveSupported": true, + "excludesSupported": false, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher", + "matcherOptions": { "wildCard":true, "ignoreCase":false }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "URL", + "description": "URL", + "accessTypeRestrictions":["read", "write"], + "isValidLeaf": true + } + ], + + "accessTypes": + [ + { + "itemId": 1, + "name": "select", + "label": "select" + }, + + { + "itemId": 2, + "name": "update", + "label": "update" + }, + + { + "itemId": 3, + "name": "create", + "label": "Create" + }, + + { + "itemId": 4, + "name": "drop", + "label": "Drop" + }, + + { + "itemId": 5, + "name": "alter", + "label": "Alter" + }, + + { + "itemId": 6, + "name": "index", + "label": "Index" + }, + + { + "itemId": 7, + "name": "lock", + "label": "Lock" + }, + + { + "itemId": 8, + "name": "all", + "label": "All", + "impliedGrants": + [ + "select", + "update", + "create", + "drop", + "alter", + "index", + "lock", + "read", + "write" + ] + }, + + { + "itemId": 9, + "name": "read", + "label": "Read" + }, + + { + "itemId": 10, + "name": "write", + "label": "Write" + } + ], + + "configs": + [ + { + "itemId": 1, + "name": "username", + "type": "string", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Username" + }, + + { + "itemId": 2, + "name": "password", + "type": "password", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Password" + }, + + { + "itemId": 3, + "name": "jdbc.driverClassName", + "type": "string", + "mandatory": true, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "defaultValue": "org.apache.hive.jdbc.HiveDriver" + }, + + { + "itemId": 4, + "name": "jdbc.url", + "type": "string", + "mandatory": true, + "defaultValue": "", + "validationRegEx":"", + "validationMessage": "", + "uiHint":"" + }, + + { + "itemId": 5, + "name": "commonNameForCertificate", + "type": "string", + "mandatory": false, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"", + "label": "Common Name for Certificate" + } + ], + + "enums": + [ + + ], + + "contextEnrichers": + [ + { + "itemId":1, + "name" : "GeolocationEnricher_format_long", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", + "enricherOptions" : { + "FilePath":"/etc/ranger/geo/geo_long.txt", "ForceRead":"false", "IPInDotFormat":"false" + ,"geolocation.meta.prefix": "FORMAT_LONG_" + } + }, + { + "itemId":2, + "name" : "GeolocationEnricher_format_dot", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", + "enricherOptions" : { + "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true" + ,"geolocation.meta.prefix": "FORMAT_DOT_" + } + } + ], + + "policyConditions": + [ + { + "itemId":1, + "name":"ScriptConditionEvaluator", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", + "evaluatorOptions" : {"engineName":"JavaScript"}, + "label":"Script", + "description": "Script to execute" + } + , + { "itemId": 2, + "name":"country", + "evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerSimpleMatcher", + "evaluatorOptions":{"CONTEXT_NAME":"country"} + } + , + { + "itemId":3, + "name":"not-accessed-together", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesNotAccessedTogetherCondition", + "evaluatorOptions" : {}, + "label":"Not Accessed Together?", + "description": "List of Hive resources" + } + , + { + "itemId":4, + "name":"accessed-together", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesAccessedTogetherCondition", + "evaluatorOptions" : {"ui.isMultiline":"false" }, + "label":"Accessed Together?", + "description": "List of Hive resources" + } + ], + "dataMaskDef": { + "accessTypes": [ + { + "name": "select" + } + ], + "resources": [ + { + "itemId": 1, + "name": "database", + "type": "string", + "level": 10, + "parent": "", + "mandatory": true, + "lookupSupported": true, + "matcherOptions": { + "wildCard": "false" + }, + "uiHint":"{ \"singleValue\":true }", + "isValidLeaf": false + }, + { + "itemId": 2, + "name": "table", + "type": "string", + "level": 20, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcherOptions": { + "wildCard": "false" + }, + "uiHint":"{ \"singleValue\":true }", + "isValidLeaf": false + }, + { + "itemId": 4, + "name": "column", + "type": "string", + "level": 30, + "parent": "table", + "mandatory": true, + "lookupSupported": true, + "matcherOptions": { + "wildCard": "false" + }, + "uiHint":"{ \"singleValue\":true }", + "isValidLeaf": true + } + ], + "maskTypes": [ + { + "itemId": 1, + "name": "MASK", + "label": "Redact", + "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", + "transformer": "mask({col})", + "dataMaskOptions": { + } + }, + { + "itemId": 2, + "name": "MASK_SHOW_LAST_4", + "label": "Partial mask: show last 4", + "description": "Show last 4 characters; replace rest with 'x'", + "transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')" + }, + { + "itemId": 3, + "name": "MASK_SHOW_FIRST_4", + "label": "Partial mask: show first 4", + "description": "Show first 4 characters; replace rest with 'x'", + "transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')" + }, + { + "itemId": 4, + "name": "MASK_HASH", + "label": "Hash", + "description": "Hash the value", + "transformer": "mask_hash({col})" + }, + { + "itemId": 5, + "name": "MASK_NULL", + "label": "Nullify", + "description": "Replace with NULL" + }, + { + "itemId": 6, + "name": "MASK_NONE", + "label": "Unmasked (retain original value)", + "description": "No masking" + }, + { + "itemId": 12, + "name": "MASK_DATE_SHOW_YEAR", + "label": "Date: show only year", + "description": "Date: show only year", + "transformer": "mask({col}, 'x', 'x', 'x', -1, '1', 1, 0, -1)" + }, + { + "itemId": 13, + "name": "CUSTOM", + "label": "Custom", + "description": "Custom" + } + ] + }, + "rowFilterDef": { + "accessTypes": [ + { + "name": "select" + } + ], + "resources": [ + { + "itemId": 1, + "name": "database", + "type": "string", + "level": 10, + "parent": "", + "mandatory": true, + "lookupSupported": true, + "matcherOptions": { + "wildCard": "false" + }, + "uiHint": "{ \"singleValue\":true }", + "isValidLeaf": false + }, + { + "itemId": 2, + "name": "table", + "type": "string", + "level": 20, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcherOptions": { + "wildCard": "false" + }, + "uiHint": "{ \"singleValue\":true }", + "isValidLeaf": true + } + ] + } } + http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/admin/service-defs/test-tag-servicedef.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/admin/service-defs/test-tag-servicedef.json b/agents-common/src/test/resources/admin/service-defs/test-tag-servicedef.json new file mode 100644 index 0000000..c17b750 --- /dev/null +++ b/agents-common/src/test/resources/admin/service-defs/test-tag-servicedef.json @@ -0,0 +1,82 @@ +{ + "id":100, + "name": "tag", + "implClass": "org.apache.ranger.services.tag.RangerServiceTag", + "label": "TAG", + "description": "TAG Service Definition", + "guid": "0d047248-baff-4cf9-8e9e-d5d377284b2e", + "options": + { + "ui.pages":"tag-based-policies" + }, + "resources": + [ + { + "itemId":1, + "name": "tag", + "type": "string", + "level": 1, + "parent": "", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": false, + "excludesSupported": false, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { "wildCard":false, "ignoreCase":false }, + "validationRegEx":"", + "validationMessage": "", + "uiHint":"{ \"singleValue\":true }", + "label": "TAG", + "description": "TAG" + } + ], + + "accessTypes": + [ + + ], + + "configs": + [ + + ], + + "enums": + [ + + ], + + "contextEnrichers": + [ + { + "itemId": 1, + "name" : "TagEnricher", + "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", + "enricherOptions" : { + "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever", + "tagRefresherPollingInterval": 60000 + } + } + ], + + "policyConditions": + [ + { + "itemId":1, + "name":"accessed-after-expiry", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", + "evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedAfter('expiry_date');" }, + "uiHint": "{ \"singleValue\":true }", + "label":"Accessed after expiry_date (yes/no)?", + "description": "Accessed after expiry_date? (yes/no)" + }, + { + "itemId":2, + "name":"expression", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", + "evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"}, + "label":"Enter boolean expression", + "description": "Boolean expression" + } + ] +} http://git-wip-us.apache.org/repos/asf/ranger/blob/2a1406df/agents-common/src/test/resources/log4j.xml ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/log4j.xml b/agents-common/src/test/resources/log4j.xml index d863cf1..558e27b 100644 --- a/agents-common/src/test/resources/log4j.xml +++ b/agents-common/src/test/resources/log4j.xml @@ -26,9 +26,8 @@ </layout> </appender> - <!-- - <appender name="ranger_perf_appender" class="org.apache.log4j.DailyRollingFileAppender"> - <param name="file" value="./ranger_admin_perf.log" /> + <appender name="ranger_perf_appender" class="org.apache.log4j.ConsoleAppender"> + <param name="target" value="System.err" /> <param name="datePattern" value="'.'yyyy-MM-dd" /> <param name="append" value="true" /> <layout class="org.apache.log4j.PatternLayout"> @@ -36,6 +35,7 @@ </layout> </appender> + <!-- <logger name="org.apache.ranger.perf.policyengine" additivity="false"> <level value="debug" /> <appender-ref ref="ranger_perf_appender" /> @@ -51,6 +51,11 @@ <appender-ref ref="ranger_perf_appender" /> </logger> + <logger name="org.apache.ranger.perf.policyresourcematcher" additivity="false"> + <level value="debug" /> + <appender-ref ref="ranger_perf_appender" /> + </logger> + <logger name="org.apache.ranger.perf.contextenricher" additivity="false"> <level value="debug" /> <appender-ref ref="ranger_perf_appender" /> @@ -70,7 +75,12 @@ <level value="debug" /> <appender-ref ref="ranger_perf_appender" /> </logger> - --> + --> + + <logger name="org.apache.ranger.perf.policyresourcematcher" additivity="false"> + <level value="debug" /> + <appender-ref ref="ranger_perf_appender" /> + </logger> <root> <level value="warn" />
