Repository: ranger Updated Branches: refs/heads/master af6b8c4f3 -> 9da43c7e0
RANGER-1966: Policy engine initialization does not create context enrichers in some cases Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9da43c7e Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9da43c7e Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9da43c7e Branch: refs/heads/master Commit: 9da43c7e07ba5eaba31cfd7a4bf4727f9021395c Parents: af6b8c4 Author: Abhay Kulkarni <[email protected]> Authored: Tue Jan 30 12:00:15 2018 -0800 Committer: Abhay Kulkarni <[email protected]> Committed: Tue Jan 30 12:00:15 2018 -0800
----------------------------------------------------------------------
.../policyengine/RangerPolicyRepository.java | 32 +- .../plugin/policyengine/TestPolicyEngine.java | 7 + .../test_policyengine_tag_hive_mask.json | 496 +++++++++++++++++++ 3 files changed, 533 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/9da43c7e/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index a66eca3..23d1efa 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -673,7 +673,8 @@ class RangerPolicyRepository {
 this.rowFilterPolicyEvaluators = Collections.unmodifiableList(rowFilterPolicyEvaluators);
 List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
- if (CollectionUtils.isNotEmpty(this.policyEvaluators)) {
+ if (CollectionUtils.isNotEmpty(this.policyEvaluators) || CollectionUtils.isNotEmpty(this.dataMaskPolicyEvaluators)
+ || CollectionUtils.isNotEmpty(this.rowFilterPolicyEvaluators)) {
 if (CollectionUtils.isNotEmpty(serviceDef.getContextEnrichers())) {
 for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) {
 if (enricherDef == null) {
@@ -716,7 +717,7 @@ class RangerPolicyRepository {
 LOG.debug("dataMask policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder());
 }
- LOG.debug("rowFilter policy evaluation order: " + this.dataMaskPolicyEvaluators.size() + " policies");
+ LOG.debug("rowFilter policy evaluation order: " + this.rowFilterPolicyEvaluators.size() + " policies");
 order = 0;
 for(RangerPolicyEvaluator policyEvaluator : this.rowFilterPolicyEvaluators) {
 RangerPolicy policy = policyEvaluator.getPolicy();
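Review bot: The three-term `||` condition added at the top of the first hunk is the actual fix, but as a single wrapped expression it hides the intent and leaves no name for the second hunk's log lines to refer to; naming it reads better, e.g. `final boolean hasPolicies = CollectionUtils.isNotEmpty(this.policyEvaluators) || CollectionUtils.isNotEmpty(this.dataMaskPolicyEvaluators) || CollectionUtils.isNotEmpty(this.rowFilterPolicyEvaluators);` followed by `if (hasPolicies) {`. A one-line comment explaining why enricher creation is gated on any of the three evaluator lists would also help future readers, since going by the commit title and the new fixture a tag service whose policies are all data-mask or row-filter policies is exactly the case that previously skipped enricher creation. The enclosing constructor starts and ends outside the hunk, so whether `contextEnrichers` is later assigned unconditionally cannot be confirmed from here.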
@@ -898,6 +899,32 @@ class RangerPolicyRepository {
 }
 }
 }
+ sb.append("} ");
+
+ sb.append("dataMaskPolicyEvaluators={");
+
+ if (this.dataMaskPolicyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator : dataMaskPolicyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("rowFilterPolicyEvaluators={");
+
+ if (this.rowFilterPolicyEvaluators != null) {
+ for (RangerPolicyEvaluator policyEvaluator : rowFilterPolicyEvaluators) {
+ if (policyEvaluator != null) {
+ sb.append(policyEvaluator).append(" ");
+ }
+ }
+ }
+ sb.append("} ");
+
+ sb.append("contextEnrichers={");
+
 if (contextEnrichers != null) {
 for (RangerContextEnricher contextEnricher : contextEnrichers) {
 if (contextEnricher != null) {
@@ -905,6 +932,7 @@ class RangerPolicyRepository {
 }
 }
 }
+ sb.append("} ");
 sb.append("} ");
http://git-wip-us.apache.org/repos/asf/ranger/blob/9da43c7e/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index b476ed7..bcd1577 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
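Review bot: The two blocks added to toString() for `dataMaskPolicyEvaluators` and `rowFilterPolicyEvaluators` are copies of each other (and, judging by the context lines above them, of the existing policyEvaluators loop), differing only in the label and the list; a small private helper removes the triplication and keeps the open/close braces of each group in one place, which is also where the stray `sb.append("} ");` in the second hunk (@@ -905) belongs. The copies also mix `this.dataMaskPolicyEvaluators` in the null check with bare `dataMaskPolicyEvaluators` in the loop header; the helper takes the list as a parameter, so that inconsistency goes away. The null checks look redundant given the `Collections.unmodifiableList` assignments visible in the earlier hunk, but other constructors may exist outside this diff, so keeping them inside the helper is harmless. The enclosing toString() starts and ends outside the hunk.

```java
sb.append("} ");

appendEvaluators(sb, "dataMaskPolicyEvaluators", this.dataMaskPolicyEvaluators);
appendEvaluators(sb, "rowFilterPolicyEvaluators", this.rowFilterPolicyEvaluators);

sb.append("contextEnrichers={");
// … unchanged: contextEnrichers loop and closing appends …

/** Appends one "label={evaluator evaluator ...} " group; a null list or null entry contributes nothing. */
private static void appendEvaluators(StringBuilder sb, String label, List<RangerPolicyEvaluator> evaluators) {
    sb.append(label).append("={");
    if (evaluators != null) {
        for (RangerPolicyEvaluator evaluator : evaluators) {
            if (evaluator != null) {
                sb.append(evaluator).append(" ");
            }
        }
    }
    sb.append("} ");
}
```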
@@ -289,6 +289,13 @@ public class TestPolicyEngine {
 }
 @Test
+ public void testPolicyEngine_hiveTagMasking() {
+ String[] resourceFiles = {"/policyengine/test_policyengine_tag_hive_mask.json"};
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
+ @Test
 public void testPolicyEngine_owner() {
 String[] resourceFiles = {"/policyengine/test_policyengine_owner.json"};
http://git-wip-us.apache.org/repos/asf/ranger/blob/9da43c7e/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
new file mode 100644
index 0000000..a97bd2b
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
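Review bot: The new test does not appear to drive the code path the RangerPolicyRepository change fixes: the fixture it loads, test_policyengine_tag_hive_mask.json, declares the tag service's `"contextEnrichers": [ ]` as empty and supplies TAGS directly in each request's `context`, so enricher creation is never observed unless the harness registers an enricher somewhere outside this diff. A fixture variant with a non-empty `contextEnrichers` entry, or an assertion that the repository's enricher list is non-empty when only data-mask tag policies exist, would pin the regression. The fixture also contains only `dataMaskPolicyItems`, so the `rowFilterPolicyEvaluators` term of the new condition has no coverage; a sibling row-filter-only tag fixture (name to be chosen) loaded from a second test method in the same style would close that gap. `runTestsFromResourceFiles` is defined outside the hunk.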
@@ -0,0 +1,496 @@ +{ + "serviceName": "hivedev", + "serviceDef": { + "name": "hive", + "id": 3, + "resources": [ + { + "name": "database", + "level": 1, + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Database", + "description": "Hive Database" + }, + { + "name": "table", + "level": 2, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Table", + "description": "Hive Table" + }, + { + "name": "udf", + "level": 2, + "parent": "database", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive UDF", + "description": "Hive UDF" + }, + { + "name": "column", + "level": 3, + "parent": "table", + "mandatory": true, + "lookupSupported": true, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": true, + "ignoreCase": true + }, + "label": "Hive Column", + "description": "Hive Column" + } + ], + "accessTypes": [ + { + "name": "select", + "label": "Select" + }, + { + "name": "update", + "label": "Update" + }, + { + "name": "create", + "label": "Create" + }, + { + "name": "grant", + "label": "Grant" + }, + { + "name": "drop", + "label": "Drop" + }, + { + "name": "alter", + "label": "Alter" + }, + { + "name": "index", + "label": "Index" + }, + { + "name": "lock", + "label": "Lock" + }, + { + "name": "all", + "label": "All", + "impliedGrants": [ + "select", + "update", + "create", + "grant", + "drop", + "alter", + "index", + "lock" + ] + } + ], + "dataMaskDef": { + "maskTypes": [ + { + "itemId": 
1, + "name": "MASK", + "label": "Mask", + "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'" + }, + { + "itemId": 2, + "name": "SHUFFLE", + "label": "Shuffle", + "description": "Randomly shuffle the contents" + }, + { + "itemId": 10, + "name": "NULL", + "label": "NULL", + "description": "Replace with NULL" + } + + ], + "accessTypes":[ + {"name":"select","label":"Select"} + ], + "resources":[ + {"name":"database","matcherOptions":{"wildCard":false}}, + {"name":"table","matcherOptions":{"wildCard":false}}, + {"name":"column","matcherOptions":{"wildCard":false}} + ] + }, + "rowFilterDef": { + "accessTypes":[ + {"name":"select","label":"Select"} + ], + "resources":[ + {"name":"database","matcherOptions":{"wildCard":false}}, + {"name":"table","matcherOptions":{"wildCard":false}} + ] + } + }, + "policies": [ + { + "id": 101, + "name": "db=*: audit-all-access", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "database": { + "values": [ + "*" + ] + }, + "table": { + "values": [ + "*" + ] + }, + "column": { + "values": [ + "*" + ] + } + }, + "policyItems": [ + { + "accesses": [ + { + "type": "all", + "isAllowed": true + } + ], + "users": [ + "hive", + "user1", + "user2" + ], + "groups": [ + "public" + ], + "delegateAdmin": false + } + ] + }, + { + "id": 102, + "name": "db=*, udf=*: audit-all-access", + "isEnabled": true, + "isAuditEnabled": true, + "resources": { + "database": { + "values": [ + "*" + ] + }, + "udf": { + "values": [ + "*" + ] + } + }, + "policyItems": [ + { + "accesses": [ + { + "type": "all", + "isAllowed": true + } + ], + "users": [ + "hive", + "user1", + "user2" + ], + "groups": [ + "public" + ], + "delegateAdmin": false + } + ] + } + ], + "tagPolicyInfo": { + "serviceName": "tagdev", + "serviceDef": { + "name": "tag", + "id": 100, + "resources": [ + { + "itemId": 1, + "name": "tag", + "type": "string", + "level": 1, + "parent": "", + "mandatory": true, + "lookupSupported": true, + "recursiveSupported": 
false, + "excludesSupported": false, + "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", + "matcherOptions": { + "wildCard": false, + "ignoreCase": false + }, + "validationRegEx": "", + "validationMessage": "", + "uiHint": "", + "label": "TAG", + "description": "TAG" + } + ], + "accessTypes": [ + { + "itemId": 1, + "name": "hive:select", + "label": "hive:select" + }, + { + "itemId": 2, + "name": "hive:update", + "label": "hive:update" + }, + { + "itemId": 3, + "name": "hive:create", + "label": "hive:create" + }, + { + "itemId": 4, + "name": "hive:grant", + "label": "hive:grant" + }, + { + "itemId": 5, + "name": "hive:drop", + "label": "hive:drop" + }, + { + "itemId": 6, + "name": "hive:alter", + "label": "hive:alter" + }, + { + "itemId": 7, + "name": "hive:index", + "label": "hive:index" + }, + { + "itemId": 8, + "name": "hive:lock", + "label": "hive:lock" + }, + { + "itemId": 9, + "name": "hive:all", + "label": "hive:all", + "impliedGrants": [ + "hive:select", + "hive:update", + "hive:create", + "hive:grant", + "hive:drop", + "hive:alter", + "hive:index", + "hive:lock" + ] + } + ], + "dataMaskDef": { + "maskTypes": [ + { + "itemId": 1, + "name": "MASK", + "label": "Mask", + "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'" + }, + { + "itemId": 2, + "name": "SHUFFLE", + "label": "Shuffle", + "description": "Randomly shuffle the contents" + }, + { + "itemId": 10, + "name": "NULL", + "label": "NULL", + "description": "Replace with NULL" + } + + ], + "accessTypes":[ + {"name":"hive:select","label":"hive:Select"} + ], + "resources":[ + {"name":"tag","matcherOptions":{"wildCard":false}} + ] + }, + "rowFilterDef": { + "accessTypes":[ + {"name":"hive:select","label":"hive:Select"} + ], + "resources":[ + {"name":"tag","matcherOptions":{"wildCard":false}} + ] + }, + "contextEnrichers": [ + ], + "policyConditions": [ + { + "itemId": 1, + "name": "expression", + "evaluator": 
"org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", + "evaluatorOptions": { + "engineName": "JavaScript", + "ui.isMultiline": "true" + }, + "label": "Enter boolean expression", + "description": "Boolean expression" + }, + { + "itemId": 2, + "name": "enforce-expiry", + "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", + "evaluatorOptions": { + "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" + }, + "label": "Deny access after expiry_date?", + "description": "Deny access after expiry_date? (yes/no)" + } + ] + }, + "tagPolicies": [ + { + "id": 1, + "name": "RESTRICTED_TAG_POLICY", + "isEnabled": true, + "isAuditEnabled": true, + "policyType": 1, + "resources": { + "tag": { + "values": [ + "RESTRICTED" + ], + "isRecursive": false + } + }, + "dataMaskPolicyItems": [ + { + "accesses": [ + { + "type": "select", + "isAllowed": true + } + ], + "users": [ + "user1" + ], + "groups": [], + "delegateAdmin": false, + "dataMaskInfo": { + "dataMaskType": "MASK" + } + }, + { + "accesses": [ + { + "type": "select", + "isAllowed": true + } + ], + "users": [ + "user2" + ], + "groups": [], + "delegateAdmin": false, + "dataMaskInfo": { + "dataMaskType": "SHUFFLE" + } + } + ] + } + ] + }, + "tests": [ + { + "name": "'select ssn from employee.personal;' for user1 - maskType=MASK", + "request": { + "resource": { + "elements": { + "database": "employee", + "table": "personal", + "column": "ssn" + } + }, + "accessType": "select", + "user": "user1", + "userGroups": [], + "requestData": "select ssn from employee.personal;' for user1", + "context": { + "TAGS": "[{\"type\":\"RESTRICTED\"}]" + } + }, + "dataMaskResult":{"additionalInfo":{"maskType":"MASK","maskCondition":null,"maskValue":null},"policyId":1} + }, + { + "name": "'select ssn from employee.personal;' for user2 - maskType=SHUFFLE", + "request": { + "resource": { + "elements": { + "database": "employee", + "table": "personal", + "column": "ssn" + } + }, + 
"accessType": "select", + "user": "user2", + "userGroups": [], + "requestData": "select ssn from employee.personal;' for user2", + "context": { + "TAGS": "[{\"type\":\"RESTRICTED\"}]" + } + }, + "dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":1} + }, + { + "name": "'select ssn from employee.personal;' for hive - maskType=NONE", + "request": { + "resource": { + "elements": { + "database": "employee", + "table": "personal", + "column": "ssn" + } + }, + "accessType": "select", + "user": "hive", + "userGroups": [], + "requestData": "select ssn from employee.personal;' for hive", + "context": { + "TAGS": "[{\"type\":\"RESTRICTED\"}]" + } + }, + "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1} + } + ] +} +
