Repository: ranger Updated Branches: refs/heads/master a1a989d17 -> f95d9ab6f
RANGER-2026: Update Hbase plugin to handle default namespace Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/f95d9ab6 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/f95d9ab6 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/f95d9ab6 Branch: refs/heads/master Commit: f95d9ab6ffbef5fc27ec69d97d30a3ddbda119c9 Parents: a1a989d Author: Abhay Kulkarni <akulka...@hortonworks.com> Authored: Sun Mar 18 15:04:11 2018 -0700 Committer: Abhay Kulkarni <akulka...@hortonworks.com> Committed: Sun Mar 18 15:04:11 2018 -0700 ---------------------------------------------------------------------- .../hbase/AuthorizationSession.java | 16 ++-- .../hbase/RangerAuthorizationCoprocessor.java | 37 ++++----- .../hbase/RangerHBaseResource.java | 78 ++++++++++++++++++ .../hbase/HBaseRangerAuthorizationTest.java | 4 +- .../authorization/hbase/TestPolicyEngine.java | 87 +++++++++----------- .../src/test/resources/hbase-policies-tag.json | 2 +- .../policyengine/test_policyengine_hbase.json | 70 +++++++++------- 7 files changed, 183 insertions(+), 111 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/f95d9ab6/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java index 1349aef..fb3d0d3 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 
@@ -182,15 +182,15 @@ public class AuthorizationSession { // session can be reused so reset its state zapAuthorizationState(); // TODO get this via a factory instead - RangerAccessResourceImpl resource = new RangerAccessResourceImpl(); + RangerAccessResourceImpl resource = new RangerHBaseResource(); // policy engine should deal sensibly with null/empty values, if any if (isNameSpaceOperation() && StringUtils.isNotBlank(_otherInformation)) { - resource.setValue("table", _otherInformation + ":"); + resource.setValue(RangerHBaseResource.KEY_TABLE, _otherInformation + RangerHBaseResource.NAMESPACE_SEPARATOR); } else { - resource.setValue("table", _table); + resource.setValue(RangerHBaseResource.KEY_TABLE, _table); } - resource.setValue("column-family", _columnFamily); - resource.setValue("column", _column); + resource.setValue(RangerHBaseResource.KEY_COLUMN_FAMILY, _columnFamily); + resource.setValue(RangerHBaseResource.KEY_COLUMN, _column); String user = _userUtils.getUserAsString(_user); RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, _access, user, _groups); @@ -338,9 +338,9 @@ public class AuthorizationSession { .add("user", _user == null ? null : _user.getName()) .add("groups", _groups) .add("auditHandler", _auditHandler == null ? null : _auditHandler.getClass().getSimpleName()) - .add("table", _table) - .add("column", _column) - .add("column-family", _columnFamily) + .add(RangerHBaseResource.KEY_TABLE, _table) + .add(RangerHBaseResource.KEY_COLUMN, _column) + .add(RangerHBaseResource.KEY_COLUMN_FAMILY, _columnFamily) .add("resource-matching-scope", _resourceMatchingScope) .toString(); } http://git-wip-us.apache.org/repos/asf/ranger/blob/f95d9ab6/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ---------------------------------------------------------------------- 
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index d7b4673..8952752 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -114,10 +114,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess private static final Log PERF_HBASEAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("hbaseauth.request"); private static boolean UpdateRangerPoliciesOnGrantRevoke = RangerHadoopConstants.HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE; private static final String GROUP_PREFIX = "@"; - - private static final String WILDCARD = "*"; - private static final String NAMESPACE_SEPARATOR = ":"; - + private RegionCoprocessorEnvironment regionEnv; private Map<InternalScanner, String> scannerOwners = new MapMaker().weakKeys().makeMap(); @@ -1287,7 +1284,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess switch(perm.getType()) { case Global: - tableName = colFamily = qualifier = WILDCARD; + tableName = colFamily = qualifier = RangerHBaseResource.WILDCARD; break; case Table: 
@@ -1305,12 +1302,12 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess throw new Exception("grant(): namespace/table/columnFamily/columnQualifier not specified"); } - tableName = StringUtil.isEmpty(tableName) ? WILDCARD : tableName; - colFamily = StringUtil.isEmpty(colFamily) ? WILDCARD : colFamily; - qualifier = StringUtil.isEmpty(qualifier) ? WILDCARD : qualifier; + tableName = StringUtil.isEmpty(tableName) ? RangerHBaseResource.WILDCARD : tableName; + colFamily = StringUtil.isEmpty(colFamily) ? RangerHBaseResource.WILDCARD : colFamily; + qualifier = StringUtil.isEmpty(qualifier) ? RangerHBaseResource.WILDCARD : qualifier; if(! StringUtil.isEmpty(nameSpace)) { - tableName = nameSpace + NAMESPACE_SEPARATOR + tableName; + tableName = nameSpace + RangerHBaseResource.NAMESPACE_SEPARATOR + tableName; } User activeUser = getActiveUser(); @@ -1324,9 +1321,9 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } Map<String, String> mapResource = new HashMap<String, String>(); - mapResource.put("table", tableName); - mapResource.put("column-family", colFamily); - mapResource.put("column", qualifier); + mapResource.put(RangerHBaseResource.KEY_TABLE, tableName); + mapResource.put(RangerHBaseResource.KEY_COLUMN_FAMILY, colFamily); + mapResource.put(RangerHBaseResource.KEY_COLUMN, qualifier); GrantRevokeRequest ret = new GrantRevokeRequest(); @@ -1392,7 +1389,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess switch(perm.getType()) { case Global : - tableName = colFamily = qualifier = WILDCARD; + tableName = colFamily = qualifier = RangerHBaseResource.WILDCARD; break; case Table : 
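Review bot: In the grant request builder (hunk @@ -1324) the table name is put into a plain `Map<String, String>` with `mapResource.put(RangerHBaseResource.KEY_TABLE, tableName)`, so the default-namespace aliasing this commit adds in `RangerHBaseResource.setValue` never applies to grant; the revoke hunk @@ -1429 has the same shape. If the receiving side compares resource strings exactly (not visible in this diff), a grant issued for `t` and a later revoke issued for `default:t` would address different policies and the earlier grant would stay in force. Please confirm this with a grant/revoke round-trip test that uses both spellings, and document the current behaviour next to the map, e.g. `// not default-namespace aliased: 't' and 'default:t' are sent as distinct resources`. Both enclosing methods start and end outside these hunks.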
@@ -1410,12 +1407,12 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess throw new Exception("revoke(): table/columnFamily/columnQualifier not specified"); } - tableName = StringUtil.isEmpty(tableName) ? WILDCARD : tableName; - colFamily = StringUtil.isEmpty(colFamily) ? WILDCARD : colFamily; - qualifier = StringUtil.isEmpty(qualifier) ? WILDCARD : qualifier; + tableName = StringUtil.isEmpty(tableName) ? RangerHBaseResource.WILDCARD : tableName; + colFamily = StringUtil.isEmpty(colFamily) ? RangerHBaseResource.WILDCARD : colFamily; + qualifier = StringUtil.isEmpty(qualifier) ? RangerHBaseResource.WILDCARD : qualifier; if(! StringUtil.isEmpty(nameSpace)) { - tableName = nameSpace + NAMESPACE_SEPARATOR + tableName; + tableName = nameSpace + RangerHBaseResource.NAMESPACE_SEPARATOR + tableName; } User activeUser = getActiveUser(); @@ -1429,9 +1426,9 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } Map<String, String> mapResource = new HashMap<String, String>(); - mapResource.put("table", tableName); - mapResource.put("column-family", colFamily); - mapResource.put("column", qualifier); + mapResource.put(RangerHBaseResource.KEY_TABLE, tableName); + mapResource.put(RangerHBaseResource.KEY_COLUMN_FAMILY, colFamily); + mapResource.put(RangerHBaseResource.KEY_COLUMN, qualifier); GrantRevokeRequest ret = new GrantRevokeRequest(); http://git-wip-us.apache.org/repos/asf/ranger/blob/f95d9ab6/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerHBaseResource.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerHBaseResource.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerHBaseResource.java new file mode 100644 index 0000000..e705d97 --- /dev/null +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerHBaseResource.java 
@@ -0,0 +1,78 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.authorization.hbase; + + +import org.apache.commons.lang.StringUtils; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + + +public class RangerHBaseResource extends RangerAccessResourceImpl { + public static final String KEY_TABLE = "table"; + public static final String KEY_COLUMN_FAMILY = "column-family"; + public static final String KEY_COLUMN = "column"; + public static final String WILDCARD = "*"; + public static final String NAMESPACE_SEPARATOR = ":"; + public static final String DEFAULT_NAMESPACE = "default" + NAMESPACE_SEPARATOR; + + public RangerHBaseResource() { + } + + public RangerHBaseResource(Map<String, Object> elements) { + super(elements); + setValue(KEY_TABLE, getValue(KEY_TABLE)); + } + + public RangerHBaseResource(Map<String, Object> elements, String ownerUser) { + super(elements, ownerUser); + setValue(KEY_TABLE, getValue(KEY_TABLE)); + } + + @Override + public void setValue(String key, Object value) { + // special handling for tables in 'default' namespace + if (StringUtils.equals(key, 
KEY_TABLE)) { + if (value != null && value instanceof String) { + String tableName = (String) value; + + if (!tableName.contains(NAMESPACE_SEPARATOR)) { + List<String> tableNames = new ArrayList<>(2); + + tableNames.add(tableName); + tableNames.add(DEFAULT_NAMESPACE + tableName); + + value = tableNames; + } else if (StringUtils.startsWith(tableName, DEFAULT_NAMESPACE)) { + List<String> tableNames = new ArrayList<>(2); + + tableNames.add(tableName.substring(DEFAULT_NAMESPACE.length())); + tableNames.add(tableName); + + value = tableNames; + } + } + } + super.setValue(key, value); + } +} http://git-wip-us.apache.org/repos/asf/ranger/blob/f95d9ab6/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java index 665640f..3840885 100644 --- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java +++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java 
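Review bot: A table value of exactly `default:` takes the `startsWith(tableName, DEFAULT_NAMESPACE)` branch of `setValue` and is expanded to a list whose first entry is the empty string, because `tableName.substring(DEFAULT_NAMESPACE.length())` is `""`. The request builder in AuthorizationSession passes `_otherInformation + RangerHBaseResource.NAMESPACE_SEPARATOR` for namespace operations, so this is presumably reached for an operation on the `default` namespace. How the resource matcher treats an empty table name is not visible here, and an authorization decision should not depend on it; guard the branch with `} else if (tableName.length() > DEFAULT_NAMESPACE.length() && tableName.startsWith(DEFAULT_NAMESPACE)) {`. The class also has no Javadoc; it should state that a request for a default-namespace table now carries both the bare and the `default:`-qualified name, and that values which are not a `String` are passed through without aliasing.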
@@ -106,8 +106,8 @@ public class HBaseRangerAuthorizationTest { Admin admin = conn.getAdmin(); // Create a table - if (!admin.tableExists(TableName.valueOf("temp"))) { - HTableDescriptor tableDescriptor = new HTableDescriptor(TableName.valueOf("temp")); + if (!admin.tableExists(TableName.valueOf("default:temp"))) { + HTableDescriptor tableDescriptor = new HTableDescriptor(TableName.valueOf("default:temp")); // Adding column families to table descriptor tableDescriptor.addFamily(new HColumnDescriptor("colfam1")); http://git-wip-us.apache.org/repos/asf/ranger/blob/f95d9ab6/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java index 9f0e5ac..6efe2e3 100644 --- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java +++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java 
@@ -21,20 +21,27 @@ package org.apache.ranger.authorization.hbase; import static org.junit.Assert.*; -import static org.mockito.Mockito.*; +import java.io.InputStream; +import java.io.InputStreamReader; import java.lang.reflect.Type; import java.util.List; import org.apache.ranger.authorization.hbase.TestPolicyEngine.PolicyEngineTestCase.TestData; +import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResource; -import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.service.RangerBasePlugin; +import org.apache.ranger.plugin.util.ServicePolicies; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -44,6 +51,7 @@ import com.google.gson.JsonDeserializationContext; import com.google.gson.JsonDeserializer; import com.google.gson.JsonElement; import com.google.gson.JsonParseException; +import org.junit.Test; public class TestPolicyEngine { 
@@ -65,48 +73,17 @@ public class TestPolicyEngine { public static void tearDownAfterClass() throws Exception { } - /* + @Test public void testPolicyEngine_hbase() { String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase.json" }; runTestsFromResourceFiles(hbaseTestResourceFiles); - - // lets use that policy engine now - AuthorizationSession session = new AuthorizationSession(plugin); - User user = mock(User.class); - when(user.getShortName()).thenReturn("user1"); - when(user.getGroupNames()).thenReturn(new String[] { "users" }); - session.access("read") - .user(user) - .table("finance") - .buildRequest() - .authorize(); - assertTrue(session.isAuthorized()); - try { - session.publishResults(); - } catch (AccessDeniedException e) { - e.printStackTrace(); - fail(e.getMessage()); - } - - when(user.getShortName()).thenReturn("user1"); - when(user.getGroupNames()).thenReturn(new String[] { "users" }); - session.access("write") - .buildRequest() - .authorize(); - assertFalse(session.isAuthorized()); - try { - session.publishResults(); - fail("Should have throw exception on denied request!"); - } catch (AccessDeniedException e) { - } - } private void runTestsFromResourceFiles(String[] resourceNames) { for(String resourceName : resourceNames) { - InputStream inStream = this.getClass().getResourceAsStream(resourceName); + InputStream inStream = this.getClass().getResourceAsStream(resourceName); InputStreamReader reader = new InputStreamReader(inStream); runTests(reader, resourceName); 
@@ -119,25 +96,35 @@ public class TestPolicyEngine { assertTrue("invalid input: " + testName, testCase != null && testCase.serviceDef != null && testCase.policies != null && testCase.tests != null); - plugin.getPolicyRefresher().getPolicyEngine().setPolicies(testCase.serviceName, testCase.serviceDef, testCase.policies); - boolean justBuildingPolicyEngine = true; - if (justBuildingPolicyEngine) { - return; - } else { - for(TestData test : testCase.tests) { - RangerAccessResult expected = test.result; - RangerAccessResult result = plugin.isAccessAllowed(test.request, null); - - assertNotNull(test.name, result); - assertEquals(test.name, expected.getIsAllowed(), result.getIsAllowed()); - } + ServicePolicies servicePolicies = new ServicePolicies(); + servicePolicies.setServiceName(testCase.serviceName); + servicePolicies.setServiceDef(testCase.serviceDef); + servicePolicies.setPolicies(testCase.policies); + + RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); + + RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions); + + RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler(); + + for(TestData test : testCase.tests) { + RangerAccessResult expected = test.result; + RangerAccessRequest request = test.request; + policyEngine.preProcess(request); + + RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler); + + assertNotNull("result was null! - " + test.name, result); + assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed()); + assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited()); + assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId()); } + } catch(Throwable excp) { excp.printStackTrace(); } } - */ static class PolicyEngineTestCase { public String serviceName; 
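Review bot: The `catch(Throwable excp) { excp.printStackTrace(); }` that closes `runTests` swallows every `AssertionError` raised by the new `assertEquals` checks on `isAllowed`, `isAudited` and `policyId`. Now that the comment markers are removed and `@Test` is added, `testPolicyEngine_hbase` will therefore report success even when the policy engine returns the wrong authorization decision. Replace the body of the catch with `throw new AssertionError("policy engine test failed: " + testName, excp);`, or drop the try/catch and let the failure propagate. The `try` opens outside this hunk.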
@@ -168,7 +155,9 @@ public class TestPolicyEngine { @Override public RangerAccessResource deserialize(JsonElement jsonObj, Type type, JsonDeserializationContext context) throws JsonParseException { - return gsonBuilder.fromJson(jsonObj, RangerAccessResourceImpl.class); + RangerAccessResourceImpl resource = gsonBuilder.fromJson(jsonObj, RangerHBaseResource.class); + resource.setValue("table", resource.getValue("table")); + return resource; } } } http://git-wip-us.apache.org/repos/asf/ranger/blob/f95d9ab6/hbase-agent/src/test/resources/hbase-policies-tag.json ---------------------------------------------------------------------- diff --git a/hbase-agent/src/test/resources/hbase-policies-tag.json b/hbase-agent/src/test/resources/hbase-policies-tag.json index 61728c8..b22399c 100644 --- a/hbase-agent/src/test/resources/hbase-policies-tag.json +++ b/hbase-agent/src/test/resources/hbase-policies-tag.json @@ -62,7 +62,7 @@ "resourceElements": { "table": { "values": [ - "temp3" + "default:temp3" ], "isExcludes": false, "isRecursive": false http://git-wip-us.apache.org/repos/asf/ranger/blob/f95d9ab6/hbase-agent/src/test/resources/policyengine/test_policyengine_hbase.json ---------------------------------------------------------------------- diff --git a/hbase-agent/src/test/resources/policyengine/test_policyengine_hbase.json b/hbase-agent/src/test/resources/policyengine/test_policyengine_hbase.json index f563c28..f8ae2ea 100644 --- a/hbase-agent/src/test/resources/policyengine/test_policyengine_hbase.json +++ b/hbase-agent/src/test/resources/policyengine/test_policyengine_hbase.json 
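Review bot: In TestPolicyEngine's `deserialize(...)` (hunk @@ -168) the added `resource.setValue("table", resource.getValue("table"))` is only needed because Gson populates the object without going through `RangerHBaseResource.setValue`, and nothing in the code says so. A comment such as `// Gson bypasses setValue(); re-apply it so default-namespace aliasing takes effect` would keep the line from being removed as a no-op, and the literal should be `RangerHBaseResource.KEY_TABLE` to match the rest of the commit. Any non-test path that builds a `RangerHBaseResource` by deserialization would presumably need the same step, which is worth checking.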
@@ -5,9 +5,9 @@ "name":"hbase", "id":2, "resources":[ - {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Table","description":"HBase Table"}, - {"name":"column-family","level":2,"table":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column-Family","description":"HBase Column-Family"}, - {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"HBase Column","description":"HBase Column"} + {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Table","description":"HBase Table"}, + {"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column-Family","description":"HBase Column-Family"}, + {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column","description":"HBase Column"} ], "accessTypes":[ {"name":"read","label":"Read"}, 
@@ -43,116 +43,124 @@ ], "tests":[ + {"name":"TEST!!! ALLOW 'scan finance restricted-cf;' for finance-admin", + "request":{ + "resource":{"elements":{"table":"default:finance","column-family":"restricted-cf"}}, + "accessType":"read","user":"user1","userGroups":["users","finance-admin"],"requestData":"scan finance restricted-cf" + }, + "result":{"isAudited":true,"isAllowed":true,"policyId":2} + } + , {"name":"ALLOW 'scan finance restricted-cf;' for finance", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["read"],"user":"user1","userGroups":["users","finance"],"requestData":"scan finance restricted-cf" + "accessType":"read","user":"user1","userGroups":["users","finance"],"requestData":"scan finance restricted-cf" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'put finance restricted-cf;' for finance", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["write"],"user":"user1","userGroups":["users","finance"],"requestData":"put finance restricted-cf" + "accessType":"write","user":"user1","userGroups":["users","finance"],"requestData":"put finance restricted-cf" }, - "result":{"accessTypeResults":{"write":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"DENY 'create finance restricted-cf;' for finance", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users","finance"],"requestData":"create finance restricted-cf" + "accessType":"create","user":"user1","userGroups":["users","finance"],"requestData":"create finance restricted-cf" }, - "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + 
"result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'grant finance restricted-cf;' for finance", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["admin"],"user":"user1","userGroups":["users","finance"],"requestData":"grant finance restricted-cf" + "accessType":"admin","user":"user1","userGroups":["users","finance"],"requestData":"grant finance restricted-cf" }, - "result":{"accessTypeResults":{"admin":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'scan finance restricted-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["read"],"user":"user1","userGroups":["users"],"requestData":"scan finance restricted-cf" + "accessType":"read","user":"user1","userGroups":["users"],"requestData":"scan finance restricted-cf" }, - "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'put finance restricted-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["write"],"user":"user1","userGroups":["users"],"requestData":"put finance restricted-cf" + "accessType":"write","user":"user1","userGroups":["users"],"requestData":"put finance restricted-cf" }, - "result":{"accessTypeResults":{"write":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'create finance restricted-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create finance restricted-cf" + "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create finance 
restricted-cf" }, - "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"DENY 'grant finance restricted-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["admin"],"user":"user1","userGroups":["users"],"requestData":"grant finance restricted-cf" + "accessType":"admin","user":"user1","userGroups":["users"],"requestData":"grant finance restricted-cf" }, - "result":{"accessTypeResults":{"admin":{"isAllowed":false,"isAudited":true,"policyId":-1}}} + "result":{"isAudited":true,"isAllowed":false,"policyId":-1} } , {"name":"ALLOW 'scan finance restricted-cf;' for finance-admin", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["read"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"scan finance restricted-cf" + "accessType":"read","user":"user1","userGroups":["users","finance-admin"],"requestData":"scan finance restricted-cf" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'put finance restricted-cf;' for finance-admin", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["write"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"put finance restricted-cf" + "accessType":"write","user":"user1","userGroups":["users","finance-admin"],"requestData":"put finance restricted-cf" }, - "result":{"accessTypeResults":{"write":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'create finance restricted-cf;' for finance-admin", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - 
"accessTypes":["create"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"create finance restricted-cf" + "accessType":"create","user":"user1","userGroups":["users","finance-admin"],"requestData":"create finance restricted-cf" }, - "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'grant finance restricted-cf;' for finance-admin", "request":{ "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}}, - "accessTypes":["admin"],"user":"user1","userGroups":["users","finance-admin"],"requestData":"grant finance restricted-cf" + "accessType":"admin","user":"user1","userGroups":["users","finance-admin"],"requestData":"grant finance restricted-cf" }, - "result":{"accessTypeResults":{"admin":{"isAllowed":true,"isAudited":true,"policyId":2}}} + "result":{"isAudited":true,"isAllowed":true,"policyId":2} } , {"name":"ALLOW 'scan finance regular-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, - "accessTypes":["read"],"user":"user1","userGroups":["users"],"requestData":"scan finance regular-cf" + "accessType":"read","user":"user1","userGroups":["users"],"requestData":"scan finance regular-cf" }, - "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":3}}} + "result":{"isAudited":false,"isAllowed":true,"policyId":3} } , {"name":"DENY 'put finance regular-cf;' for user1", "request":{ "resource":{"elements":{"table":"finance","column-family":"regular-cf"}}, - "accessTypes":["write"],"user":"user1","userGroups":["users"],"requestData":"put finance regular-cf" + "accessType":"write","user":"user1","userGroups":["users"],"requestData":"put finance regular-cf" }, - "result":{"accessTypeResults":{"write":{"isAllowed":false,"isAudited":false,"policyId":-1}}} + "result":{"isAudited":false,"isAllowed":false,"policyId":-1} } ] }
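Review bot: Only one case in this file exercises the namespace-qualified spelling: the first test, still carrying the leftover name `TEST!!! ALLOW 'scan finance restricted-cf;' for finance-admin`, requests `default:finance` and expects an allow. There is no deny case for `default:finance`, so the tests do not show that the aliasing leaves users without a matching policy denied. Add a copy of "DENY 'scan finance restricted-cf;' for user1" with `"resource":{"elements":{"table":"default:finance","column-family":"restricted-cf"}}` that expects `"result":{"isAudited":true,"isAllowed":false,"policyId":-1}`, and drop the `TEST!!!` prefix from the first case. A case where the policy itself is written with the `default:` prefix and the request uses the bare name would cover the other direction.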