Java Code Examples for org.apache.ranger.plugin.model.RangerPolicy#RangerPolicyItem
The following examples show how to use
org.apache.ranger.plugin.model.RangerPolicy#RangerPolicyItem .
Example 1
Source File: ServiceRESTUtil.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Collects every user, group and role named by the given policy items into the
 * caller-supplied accumulator sets.
 *
 * <p>An item's principal list is skipped when it is null or empty. The accumulator
 * sets are only added to; nothing is removed or cleared here.
 *
 * @param policyItems policy items to scan; a null or empty list is a no-op
 * @param users       receives the user names found on the items
 * @param groups      receives the group names found on the items
 * @param roles       receives the role names found on the items
 */
static private void extractUsersGroupsAndRoles(List<RangerPolicy.RangerPolicyItem> policyItems, Set<String> users, Set<String> groups, Set<String> roles) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceRESTUtil.extractUsersGroupsAndRoles()");
    }

    if (CollectionUtils.isNotEmpty(policyItems)) {
        for (RangerPolicy.RangerPolicyItem item : policyItems) {
            final List<String> itemUsers  = item.getUsers();
            final List<String> itemGroups = item.getGroups();
            final List<String> itemRoles  = item.getRoles();

            if (CollectionUtils.isNotEmpty(itemUsers)) {
                users.addAll(itemUsers);
            }
            if (CollectionUtils.isNotEmpty(itemGroups)) {
                groups.addAll(itemGroups);
            }
            if (CollectionUtils.isNotEmpty(itemRoles)) {
                roles.addAll(itemRoles);
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceRESTUtil.extractUsersGroupsAndRoles()");
    }
}
Example 2
Source File: RangerOptimizedPolicyEvaluator.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Folds the given policy items into this evaluator's pre-computed lookup state:
 * the {@code delegateAdmin} flag, the set of allowed access types
 * ({@code accessPerms}) and the {@code roles}, {@code groups} and {@code users}
 * collections.
 *
 * <p>Only accesses whose {@code isAllowed} flag is true contribute an access type.
 * Unlike the principal lists, which are added unconditionally, no null check is
 * made on {@code getAccesses()}, {@code getRoles()}, {@code getGroups()} or
 * {@code getUsers()}.
 * NOTE(review): this presumably relies on the model's getters never returning
 * null; confirm against RangerPolicy.RangerPolicyItem.
 *
 * @param policyItems items to pre-process; a null or empty list is a no-op
 */
private void preprocessPolicyItems(List<? extends RangerPolicy.RangerPolicyItem> policyItems) {
    if (CollectionUtils.isEmpty(policyItems)) {
        return;
    }

    for (RangerPolicy.RangerPolicyItem policyItem : policyItems) {
        // Sticky flag: once any item delegates admin, it stays set.
        delegateAdmin = delegateAdmin || policyItem.getDelegateAdmin();

        for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
            if (access.getIsAllowed()) {
                accessPerms.add(access.getType());
            }
        }

        roles.addAll(policyItem.getRoles());
        groups.addAll(policyItem.getGroups());
        users.addAll(policyItem.getUsers());
    }
}
Example 3
Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Removes null entries from the user and group lists of every given policy item.
 *
 * <p>Only {@code getUsers()} and {@code getGroups()} are scrubbed; the items' role
 * lists are not touched by this method. The list itself is iterated without a
 * null check.
 *
 * @param policyId    id of the owning policy, used only for log messages
 * @param policyItems items whose user and group lists are cleaned in place
 */
private void scrubPolicyItems(final Long policyId, final List<? extends RangerPolicy.RangerPolicyItem> policyItems) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerPolicyRepository.scrubPolicyItems(" + policyId + "): ");
    }

    for (RangerPolicy.RangerPolicyItem item : policyItems) {
        removeNulls(item.getUsers(), policyId, item);
        removeNulls(item.getGroups(), policyId, item);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerPolicyRepository.scrubPolicyItems(" + policyId + "): ");
    }
}
Example 4
Source File: ServiceRESTUtil.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Grants each access type in {@code accesses} on {@code policyItem}.
 *
 * <p>For every requested access the item's existing accesses are searched by type.
 * A matching entry that is not yet allowed is flipped to allowed; when no entry
 * matches, a new allowed entry is appended. Only the type of each incoming access
 * is read: its own {@code isAllowed} flag is not consulted, so every listed type
 * ends up allowed. This method never revokes an access.
 *
 * @param policyItem the item whose access list is updated in place
 * @param accesses   the access types to grant
 * @return {@code true} if the item was modified, {@code false} if every type was
 *         already allowed
 */
static private boolean addAccesses(RangerPolicy.RangerPolicyItem policyItem, List<RangerPolicy.RangerPolicyItemAccess> accesses) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceRESTUtil.addAccesses()");
    }

    boolean changed = false;

    for (RangerPolicy.RangerPolicyItemAccess requested : accesses) {
        final String requestedType = requested.getType();

        // Look for an entry of the same type already present on the item.
        RangerPolicy.RangerPolicyItemAccess existing = null;
        for (RangerPolicy.RangerPolicyItemAccess candidate : policyItem.getAccesses()) {
            if (StringUtils.equals(candidate.getType(), requestedType)) {
                existing = candidate;
                break;
            }
        }

        if (existing == null) {
            policyItem.getAccesses().add(new RangerPolicy.RangerPolicyItemAccess(requestedType, Boolean.TRUE));
            changed = true;
        } else if (!existing.getIsAllowed()) {
            existing.setIsAllowed(Boolean.TRUE);
            changed = true;
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceRESTUtil.addAccesses() " + changed);
    }

    return changed;
}
Example 5
Source File: RangerBaseService.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Builds the default policy for one resource hierarchy of this service.
 *
 * <p>The policy is enabled, audited, at version 1, named by
 * {@code buildPolicyName(resourceHierarchy)} and carries exactly one policy item,
 * produced by {@code createDefaultPolicyItem} from the policy's resources. Which
 * principals and accesses that item grants is decided by that helper, not here.
 *
 * @param resourceHierarchy the resource definitions the policy should cover
 * @return the newly built, not yet persisted policy
 * @throws Exception declared by the signature; propagated from the helpers this
 *         method calls
 */
private RangerPolicy getDefaultPolicy(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerBaseService.getDefaultPolicy()");
    }

    final RangerPolicy defaultPolicy = new RangerPolicy();
    final String       name          = buildPolicyName(resourceHierarchy);

    defaultPolicy.setIsEnabled(true);
    defaultPolicy.setVersion(1L);
    defaultPolicy.setName(name);
    defaultPolicy.setService(service.getName());
    defaultPolicy.setDescription("Policy for " + name);
    defaultPolicy.setIsAuditEnabled(true);
    defaultPolicy.setResources(createDefaultPolicyResource(resourceHierarchy));

    // Single default item for the service user, derived from the resources set above.
    final List<RangerPolicy.RangerPolicyItem> items = new ArrayList<RangerPolicy.RangerPolicyItem>();
    items.add(createDefaultPolicyItem(defaultPolicy.getResources()));
    defaultPolicy.setPolicyItems(items);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerBaseService.getDefaultPolicy()" + defaultPolicy);
    }

    return defaultPolicy;
}
Example 6
Source File: ServiceRESTUtil.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Merges {@code policyItem}'s accesses into the per-group item stored in slot
 * {@code typeOfItems} of {@code items}, creating that item on first use.
 *
 * <p>{@code group} is added only when the slot is empty and a new item is created;
 * an item already in the slot keeps its existing group list. Delegate-admin is
 * only ever switched on here, never off. {@code typeOfItems} is used as an array
 * index without a bounds check.
 *
 * @param items       array of per-category items, indexed by {@code typeOfItems}
 * @param typeOfItems index of the slot to update
 * @param group       group to assign to a newly created item
 * @param policyItem  source of the accesses and delegate-admin flag to merge
 */
static void addPolicyItemForGroup(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String group, RangerPolicy.RangerPolicyItem policyItem) {
    RangerPolicy.RangerPolicyItem target = items[typeOfItems];

    if (target == null) {
        target = new RangerPolicy.RangerPolicyItem();
        target.getGroups().add(group);
        items[typeOfItems] = target;
    }

    addAccesses(target, policyItem.getAccesses());

    if (policyItem.getDelegateAdmin()) {
        target.setDelegateAdmin(Boolean.TRUE);
    }
}
Example 7
Source File: ServiceRESTUtil.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Merges {@code policyItem}'s accesses into the per-user item stored in slot
 * {@code typeOfItems} of {@code items}, creating that item on first use.
 *
 * <p>{@code user} is added only when the slot is empty and a new item is created;
 * an item already in the slot keeps its existing user list. Delegate-admin is
 * only ever switched on here, never off. {@code typeOfItems} is used as an array
 * index without a bounds check.
 *
 * @param items       array of per-category items, indexed by {@code typeOfItems}
 * @param typeOfItems index of the slot to update
 * @param user        user to assign to a newly created item
 * @param policyItem  source of the accesses and delegate-admin flag to merge
 */
static void addPolicyItemForUser(RangerPolicy.RangerPolicyItem[] items, int typeOfItems, String user, RangerPolicy.RangerPolicyItem policyItem) {
    RangerPolicy.RangerPolicyItem target = items[typeOfItems];

    if (target == null) {
        target = new RangerPolicy.RangerPolicyItem();
        target.getUsers().add(user);
        items[typeOfItems] = target;
    }

    addAccesses(target, policyItem.getAccesses());

    if (policyItem.getDelegateAdmin()) {
        target.setDelegateAdmin(Boolean.TRUE);
    }
}
Example 8
Source File: ServiceRESTUtil.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Strips the given users, groups and roles from the policy's items and drops any
 * item that is left with no principal at all.
 *
 * <p>Only the list returned by {@code policy.getPolicyItems()} is processed; the
 * deny items and the allow/deny exception lists are not visited by this method.
 * An item that has no users, groups or roles is removed even if it had none to
 * begin with, and that removal also counts as an update.
 *
 * @param policy the policy whose items are edited in place
 * @param users  user names to remove
 * @param groups group names to remove
 * @param roles  role names to remove
 * @return {@code true} if any principal or item was removed
 */
static private boolean removeUsersGroupsAndRolesFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups, Set<String> roles) {
    boolean updated = false;

    final List<RangerPolicy.RangerPolicyItem> items = policy.getPolicyItems();

    int idx       = 0;
    int remaining = items.size();

    while (idx < remaining) {
        final RangerPolicy.RangerPolicyItem item = items.get(idx);

        if (CollectionUtils.containsAny(item.getUsers(), users)) {
            item.getUsers().removeAll(users);
            updated = true;
        }
        if (CollectionUtils.containsAny(item.getGroups(), groups)) {
            item.getGroups().removeAll(groups);
            updated = true;
        }
        if (CollectionUtils.containsAny(item.getRoles(), roles)) {
            item.getRoles().removeAll(roles);
            updated = true;
        }

        final boolean noPrincipalsLeft = CollectionUtils.isEmpty(item.getUsers())
                && CollectionUtils.isEmpty(item.getGroups())
                && CollectionUtils.isEmpty(item.getRoles());

        if (noPrincipalsLeft) {
            // Stay on the same index: the next item has shifted into this position.
            items.remove(idx);
            remaining--;
            updated = true;
        } else {
            idx++;
        }
    }

    return updated;
}
Example 9
Source File: ServiceRESTUtil.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Appends all four item categories of {@code appliedPolicy} (allow, deny,
 * allow-exception, deny-exception) to the matching lists of
 * {@code existingPolicy}.
 *
 * <p>Items are appended as-is with {@code addAll}: the same item objects end up
 * referenced by both policies, and no de-duplication or merging of overlapping
 * items happens in this method.
 *
 * @param existingPolicy policy that receives the items; modified in place
 * @param appliedPolicy  policy whose items are appended; null or empty categories
 *                       are skipped
 */
static private void combinePolicy(RangerPolicy existingPolicy, RangerPolicy appliedPolicy) {
    // allow
    final List<RangerPolicy.RangerPolicyItem> allowItems = appliedPolicy.getPolicyItems();
    if (CollectionUtils.isNotEmpty(allowItems)) {
        existingPolicy.getPolicyItems().addAll(allowItems);
    }

    // deny
    final List<RangerPolicy.RangerPolicyItem> denyItems = appliedPolicy.getDenyPolicyItems();
    if (CollectionUtils.isNotEmpty(denyItems)) {
        existingPolicy.getDenyPolicyItems().addAll(denyItems);
    }

    // allow-exceptions
    final List<RangerPolicy.RangerPolicyItem> allowExceptions = appliedPolicy.getAllowExceptions();
    if (CollectionUtils.isNotEmpty(allowExceptions)) {
        existingPolicy.getAllowExceptions().addAll(allowExceptions);
    }

    // deny-exceptions
    final List<RangerPolicy.RangerPolicyItem> denyExceptions = appliedPolicy.getDenyExceptions();
    if (CollectionUtils.isNotEmpty(denyExceptions)) {
        existingPolicy.getDenyExceptions().addAll(denyExceptions);
    }
}
Example 10
Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Removes every null element from {@code strings} in place, logging a warning for
 * each one removed.
 *
 * <p>The warning embeds {@code policyItem}'s string form and the policy id, so the
 * log line carries whatever the item's {@code toString()} exposes. The collection
 * itself is not null-checked.
 *
 * @param strings    collection to clean; must support {@code Iterator.remove()}
 * @param policyId   id of the owning policy, used only in the log message
 * @param policyItem the item the collection belongs to, used only in the log message
 */
private void removeNulls(Collection<String> strings, final Long policyId, final RangerPolicy.RangerPolicyItem policyItem) {
    for (Iterator<String> it = strings.iterator(); it.hasNext(); ) {
        if (it.next() != null) {
            continue;
        }

        LOG.warn("RangerPolicyRepository.removeNulls: found null user/group in policyItem '" + policyItem + "' in policy " + policyId + "! Removing...");
        it.remove();
    }
}
Example 11
Source File: RangerServiceHdfs.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Builds the policy named {@code AUDITTOHDFS_POLICY_NAME} for the given resource
 * hierarchy.
 *
 * <p>The policy is enabled, audited and at version 1. Its single policy item names
 * the hard-coded user {@code "keyadmin"}, grants the accesses returned by
 * {@code getAllowedAccesses} for the policy's resources, and has delegate-admin
 * switched off.
 *
 * @param resourceHierarchy the resource definitions the policy should cover
 * @return the newly built, not yet persisted policy
 * @throws Exception declared by the signature; propagated from the helpers this
 *         method calls
 */
private RangerPolicy getPolicyForKMSAudit(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerServiceHdfs.getPolicyForKMSAudit()");
    }

    final RangerPolicy auditPolicy = new RangerPolicy();

    auditPolicy.setIsEnabled(true);
    auditPolicy.setVersion(1L);
    auditPolicy.setName(AUDITTOHDFS_POLICY_NAME);
    auditPolicy.setService(service.getName());
    auditPolicy.setDescription("Policy for " + AUDITTOHDFS_POLICY_NAME);
    auditPolicy.setIsAuditEnabled(true);
    auditPolicy.setResources(createKMSAuditResource(resourceHierarchy));

    // The only grantee is the fixed "keyadmin" account, without delegate-admin.
    final List<String> keyAdminUsers = new ArrayList<String>();
    keyAdminUsers.add("keyadmin");

    final RangerPolicy.RangerPolicyItem keyAdminItem = new RangerPolicy.RangerPolicyItem();
    keyAdminItem.setUsers(keyAdminUsers);
    keyAdminItem.setAccesses(getAllowedAccesses(auditPolicy.getResources()));
    keyAdminItem.setDelegateAdmin(false);

    final List<RangerPolicy.RangerPolicyItem> items = new ArrayList<RangerPolicy.RangerPolicyItem>();
    items.add(keyAdminItem);
    auditPolicy.setPolicyItems(items);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerServiceHdfs.getPolicyForKMSAudit()" + auditPolicy);
    }

    return auditPolicy;
}
Example 12
Source File: TestRangerBasePluginWithPolicies.java From nifi-registry with Apache License 2.0 | 5 votes |
/**
 * Verifies that a Ranger policy item with delegate-admin set yields access
 * policies for both the resource itself and the matching {@code /policies}
 * resource: READ and WRITE on each, four in total.
 */
@Test
public void testDelegateAdmin() {
    final String userName     = "user-1";
    final String resourcePath = "/resource-1";

    final Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
    resources.put(resourcePath, new RangerPolicy.RangerPolicyResource(resourcePath));

    final RangerPolicy.RangerPolicyItem adminItem = new RangerPolicy.RangerPolicyItem();
    adminItem.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    adminItem.setUsers(Stream.of(userName).collect(Collectors.toList()));
    adminItem.setDelegateAdmin(true);

    final RangerPolicy rangerPolicy = new RangerPolicy();
    rangerPolicy.setResources(resources);
    rangerPolicy.setPolicyItems(Stream.of(adminItem).collect(Collectors.toList()));

    final List<RangerPolicy> allPolicies = new ArrayList<>();
    allPolicies.add(rangerPolicy);

    final RangerServiceDef registryServiceDef = new RangerServiceDef();
    registryServiceDef.setName("nifi-registry");

    final ServicePolicies bundle = new ServicePolicies();
    bundle.setPolicies(allPolicies);
    bundle.setServiceDef(registryServiceDef);

    // load the policies into the plugin
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    plugin.setPolicies(bundle);

    assertEquals(4, plugin.getAccessPolicies().size());
    assertNotNull(plugin.getAccessPolicy(resourcePath, RequestAction.READ));
    assertNotNull(plugin.getAccessPolicy(resourcePath, RequestAction.WRITE));
    assertNotNull(plugin.getAccessPolicy("/policies" + resourcePath, RequestAction.READ));
    assertNotNull(plugin.getAccessPolicy("/policies" + resourcePath, RequestAction.WRITE));
}
Example 13
Source File: TestRangerBasePluginWithPolicies.java From nifi-registry with Apache License 2.0 | 5 votes |
/**
 * Verifies that a Ranger policy whose resource is marked recursive is skipped by
 * the plugin: no access policy exists for it after loading.
 */
@Test
public void testRecursivePolicy() {
    final String resourcePath = "/resource-1";

    final RangerPolicy.RangerPolicyResource recursiveResource = new RangerPolicy.RangerPolicyResource(resourcePath);
    recursiveResource.setIsRecursive(true);

    final Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
    resources.put(resourcePath, recursiveResource);

    final RangerPolicy.RangerPolicyItem writeItem = new RangerPolicy.RangerPolicyItem();
    writeItem.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));

    final RangerPolicy rangerPolicy = new RangerPolicy();
    rangerPolicy.setResources(resources);
    rangerPolicy.setPolicyItems(Stream.of(writeItem).collect(Collectors.toList()));

    final List<RangerPolicy> allPolicies = new ArrayList<>();
    allPolicies.add(rangerPolicy);

    final RangerServiceDef registryServiceDef = new RangerServiceDef();
    registryServiceDef.setName("nifi-registry");

    final ServicePolicies bundle = new ServicePolicies();
    bundle.setPolicies(allPolicies);
    bundle.setServiceDef(registryServiceDef);

    // load the policies into the plugin
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    plugin.setPolicies(bundle);

    // the recursive policy must not have been converted
    assertFalse(plugin.doesPolicyExist(resourcePath, RequestAction.WRITE));
    assertTrue(plugin.getAccessPolicies().isEmpty());
    assertNull(plugin.getAccessPolicy(resourcePath, RequestAction.WRITE));
}
Example 14
Source File: RangerPolicyRepository.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Reports whether any of the given policy items has delegate-admin set.
 *
 * @param items policy items to inspect; may be null or empty
 * @return {@code true} as soon as one item returns true from
 *         {@code getDelegateAdmin()}; {@code false} for a null or empty list or
 *         when no item delegates admin
 */
private static boolean hasDelegateAdminItems(List<RangerPolicy.RangerPolicyItem> items) {
    if (CollectionUtils.isNotEmpty(items)) {
        for (RangerPolicy.RangerPolicyItem candidate : items) {
            if (candidate.getDelegateAdmin()) {
                return true;
            }
        }
    }

    return false;
}
Example 15
Source File: TestRangerBasePluginWithPolicies.java From nifi-registry with Apache License 2.0 | 5 votes |
/**
 * Verifies that a Ranger policy whose resource was created without a value is
 * skipped by the plugin: no access policy exists for it after loading.
 */
@Test
public void testMissingResourceValue() {
    final String resourcePath = "/resource-1";

    // resource built with the no-arg constructor, i.e. without a value
    final RangerPolicy.RangerPolicyResource emptyResource = new RangerPolicy.RangerPolicyResource();

    final Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
    resources.put(resourcePath, emptyResource);

    final RangerPolicy.RangerPolicyItem writeItem = new RangerPolicy.RangerPolicyItem();
    writeItem.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));

    final RangerPolicy rangerPolicy = new RangerPolicy();
    rangerPolicy.setResources(resources);
    rangerPolicy.setPolicyItems(Stream.of(writeItem).collect(Collectors.toList()));

    final List<RangerPolicy> allPolicies = new ArrayList<>();
    allPolicies.add(rangerPolicy);

    final RangerServiceDef registryServiceDef = new RangerServiceDef();
    registryServiceDef.setName("nifi-registry");

    final ServicePolicies bundle = new ServicePolicies();
    bundle.setPolicies(allPolicies);
    bundle.setServiceDef(registryServiceDef);

    // load the policies into the plugin
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    plugin.setPolicies(bundle);

    // the value-less policy must not have been converted
    assertFalse(plugin.doesPolicyExist(resourcePath, RequestAction.WRITE));
    assertTrue(plugin.getAccessPolicies().isEmpty());
    assertNull(plugin.getAccessPolicy(resourcePath, RequestAction.WRITE));
}
Example 16
Source File: TestRangerBasePluginWithPolicies.java From nifi-registry with Apache License 2.0 | 5 votes |
/**
 * Verifies that a disabled Ranger policy is skipped by the plugin: no access
 * policy exists for its resource after loading.
 */
@Test
public void testDisabledPolicy() {
    final String resourcePath = "/resource-1";

    final Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
    resources.put(resourcePath, new RangerPolicy.RangerPolicyResource(resourcePath));

    final RangerPolicy.RangerPolicyItem readItem = new RangerPolicy.RangerPolicyItem();
    readItem.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ")).collect(Collectors.toList()));

    final RangerPolicy disabledPolicy = new RangerPolicy();
    disabledPolicy.setIsEnabled(false);
    disabledPolicy.setResources(resources);
    disabledPolicy.setPolicyItems(Stream.of(readItem).collect(Collectors.toList()));

    final List<RangerPolicy> allPolicies = new ArrayList<>();
    allPolicies.add(disabledPolicy);

    final RangerServiceDef registryServiceDef = new RangerServiceDef();
    registryServiceDef.setName("nifi-registry");

    final ServicePolicies bundle = new ServicePolicies();
    bundle.setPolicies(allPolicies);
    bundle.setServiceDef(registryServiceDef);

    // load the policies into the plugin
    final RangerBasePluginWithPolicies plugin = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    plugin.setPolicies(bundle);

    // the disabled policy must not have been converted
    assertFalse(plugin.doesPolicyExist(resourcePath, RequestAction.READ));
    assertTrue(plugin.getAccessPolicies().isEmpty());
    assertNull(plugin.getAccessPolicy(resourcePath, RequestAction.READ));
}
Example 17
Source File: TestRangerBasePluginWithPolicies.java From nifi-registry with Apache License 2.0 | 4 votes |
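/**
 * Verifies the conversion of two Ranger policies into three access policies when
 * no user-group provider is configured.
 *
 * <p>Policy 1 grants READ on {@code /resource-1} to a user; policy 2 grants READ
 * and WRITE on {@code /resource-2} to a group. The test checks that exactly those
 * three grants exist, that each carries the expected principal identifier, and
 * that nothing exists for an unrelated resource.
 */
@Test
public void testPoliciesWithoutUserGroupProvider() {
    final String user1 = "user-1";
    final String group1 = "group-1";

    final String resourceIdentifier1 = "/resource-1";
    RangerPolicy.RangerPolicyResource resource1 = new RangerPolicy.RangerPolicyResource(resourceIdentifier1);

    final Map<String, RangerPolicy.RangerPolicyResource> policy1Resources = new HashMap<>();
    policy1Resources.put(resourceIdentifier1, resource1);

    final RangerPolicy.RangerPolicyItem policy1Item = new RangerPolicy.RangerPolicyItem();
    policy1Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ")).collect(Collectors.toList()));
    policy1Item.setUsers(Stream.of(user1).collect(Collectors.toList()));

    final RangerPolicy policy1 = new RangerPolicy();
    policy1.setResources(policy1Resources);
    policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));

    final String resourceIdentifier2 = "/resource-2";
    RangerPolicy.RangerPolicyResource resource2 = new RangerPolicy.RangerPolicyResource(resourceIdentifier2);

    final Map<String, RangerPolicy.RangerPolicyResource> policy2Resources = new HashMap<>();
    policy2Resources.put(resourceIdentifier2, resource2);

    final RangerPolicy.RangerPolicyItem policy2Item = new RangerPolicy.RangerPolicyItem();
    policy2Item.setAccesses(Stream.of(new RangerPolicy.RangerPolicyItemAccess("READ"), new RangerPolicy.RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
    policy2Item.setGroups(Stream.of(group1).collect(Collectors.toList()));

    final RangerPolicy policy2 = new RangerPolicy();
    policy2.setResources(policy2Resources);
    policy2.setPolicyItems(Stream.of(policy2Item).collect(Collectors.toList()));

    final List<RangerPolicy> policies = new ArrayList<>();
    policies.add(policy1);
    policies.add(policy2);

    final RangerServiceDef serviceDef = new RangerServiceDef();
    serviceDef.setName("nifi-registry");

    final ServicePolicies servicePolicies = new ServicePolicies();
    servicePolicies.setPolicies(policies);
    servicePolicies.setServiceDef(serviceDef);

    // set all the policies in the plugin
    final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi-registry", "nifi-registry");
    pluginWithPolicies.setPolicies(servicePolicies);

    // ensure the two ranger policies converted into 3 nifi-registry access policies
    final Set<AccessPolicy> accessPolicies = pluginWithPolicies.getAccessPolicies();
    assertEquals(3, accessPolicies.size());

    // resource 1 -> read but no write
    assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.READ));

    // read
    final AccessPolicy readResource1 = pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ);
    assertNotNull(readResource1);
    assertTrue(accessPolicies.contains(readResource1));
    assertTrue(readResource1.equals(pluginWithPolicies.getAccessPolicy(readResource1.getIdentifier())));
    assertEquals(1, readResource1.getUsers().size());
    assertTrue(readResource1.getUsers().contains(new User.Builder().identifierGenerateFromSeed(user1).identity(user1).build().getIdentifier()));
    assertTrue(readResource1.getGroups().isEmpty());

    // but no write
    assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));

    // resource 2 -> read and write
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.WRITE));
    assertTrue(pluginWithPolicies.doesPolicyExist(resourceIdentifier2, RequestAction.READ));

    // read
    final AccessPolicy readResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.READ);
    assertNotNull(readResource2);
    assertTrue(accessPolicies.contains(readResource2));
    assertTrue(readResource2.equals(pluginWithPolicies.getAccessPolicy(readResource2.getIdentifier())));
    assertTrue(readResource2.getUsers().isEmpty());
    assertEquals(1, readResource2.getGroups().size());
    assertTrue(readResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));

    // and write
    // Look the policy up with WRITE: fetching it with READ would only re-check the
    // read grant above and leave the write grant's principals unverified.
    final AccessPolicy writeResource2 = pluginWithPolicies.getAccessPolicy(resourceIdentifier2, RequestAction.WRITE);
    assertNotNull(writeResource2);
    assertTrue(accessPolicies.contains(writeResource2));
    assertTrue(writeResource2.equals(pluginWithPolicies.getAccessPolicy(writeResource2.getIdentifier())));
    assertTrue(writeResource2.getUsers().isEmpty());
    assertEquals(1, writeResource2.getGroups().size());
    assertTrue(writeResource2.getGroups().contains(new Group.Builder().identifierGenerateFromSeed(group1).name(group1).build().getIdentifier()));

    // resource 3 -> no read or write
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.WRITE));
    assertFalse(pluginWithPolicies.doesPolicyExist("resource-3", RequestAction.READ));

    // no read or write
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.WRITE));
    assertNull(pluginWithPolicies.getAccessPolicy("resource-3", RequestAction.READ));
}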
Example 18
Source File: ServiceRESTUtil.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Applies a grant request to {@code policy}.
 *
 * <p>When the request asks to replace existing permissions, the named users,
 * groups and roles are first stripped from the policy's allow items. The request
 * is then turned into a one-item policy (principals, access types all marked
 * allowed, and the request's delegate-admin flag) and merged into {@code policy}
 * via {@code processApplyPolicy}.
 *
 * <p>This method performs no authorization check of its own; the delegate-admin
 * flag and principals are taken from the request as given.
 * NOTE(review): presumably the caller has already verified that the grantor may
 * administer this policy; confirm at the call sites.
 *
 * @param policy       the policy to update in place
 * @param grantRequest the grant to apply
 * @return always {@code true}: the result flag is set unconditionally after the
 *         merge, regardless of what the strip step returned
 */
static public boolean processGrantRequest(RangerPolicy policy, GrantRevokeRequest grantRequest) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceRESTUtil.processGrantRequest()");
    }

    boolean policyUpdated = false;

    // replace all existing privileges for users, groups, and roles
    if (grantRequest.getReplaceExistingPermissions()) {
        policyUpdated = removeUsersGroupsAndRolesFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups(), grantRequest.getRoles());
    }

    // Model the grant as a policy holding a single item.
    final RangerPolicy                  grantAsPolicy = new RangerPolicy();
    final RangerPolicy.RangerPolicyItem grantItem     = new RangerPolicy.RangerPolicyItem();

    grantItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
    grantItem.getUsers().addAll(grantRequest.getUsers());
    grantItem.getGroups().addAll(grantRequest.getGroups());
    grantItem.getRoles().addAll(grantRequest.getRoles());

    final List<RangerPolicy.RangerPolicyItemAccess> grantedAccesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
    for (String type : grantRequest.getAccessTypes()) {
        grantedAccesses.add(new RangerPolicy.RangerPolicyItemAccess(type, true));
    }
    grantItem.setAccesses(grantedAccesses);

    grantAsPolicy.getPolicyItems().add(grantItem);

    processApplyPolicy(policy, grantAsPolicy);

    policyUpdated = true;

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceRESTUtil.processGrantRequest() : " + policyUpdated);
    }

    return policyUpdated;
}
Example 19
Source File: TestServiceUtil.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Verifies that {@code serviceUtil.toRangerPolicy(VXPolicy, RangerService)} maps a
 * legacy {@code VXPolicy} to the expected {@code RangerPolicy}: id, name,
 * description, creator, audit flag, resources and policy items must match.
 *
 * <p>The expected item carries an {@code ipaddress} condition and delegate-admin,
 * mirroring the IP address and the "Admin" permission set on the legacy
 * permission object.
 */
@Test
public void testToRangerPolicy(){
    final Date now = new Date();

    final List<String> users = new ArrayList<String>();
    users.add("rangerAdmin");
    final List<String> groups = new ArrayList<String>();
    groups.add("rangerGroup");
    final List<String> perms = new ArrayList<String>();
    perms.add("Admin");

    // ---- expected RangerPolicy ----
    final List<String> resourceValues = new ArrayList<String>();
    resourceValues.add("resource");

    final RangerPolicyResource pathResource = new RangerPolicyResource();
    pathResource.setIsExcludes(false);
    pathResource.setIsRecursive(true);
    pathResource.setValues(resourceValues);

    final Map<String, RangerPolicyResource> expectedResources = new HashMap<String, RangerPolicyResource>();
    expectedResources.put("path", pathResource);

    final List<RangerPolicyItem> expectedItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
    final RangerPolicyItem expectedItem = new RangerPolicyItem();
    expectedItem.setUsers(users);
    expectedItem.setGroups(groups);

    final List<RangerPolicyItemCondition> conditions = new ArrayList<RangerPolicy.RangerPolicyItemCondition>();
    final RangerPolicyItemCondition ipCondition = new RangerPolicyItemCondition();
    ipCondition.setType("ipaddress");
    final List<String> ipValues = new ArrayList<String>();
    ipValues.add("10.129.35.86");
    ipCondition.setValues(ipValues);
    conditions.add(ipCondition);

    expectedItem.setConditions(conditions);
    expectedItem.setDelegateAdmin(true);
    expectedItems.add(expectedItem);

    final RangerPolicy expected = new RangerPolicy();
    expected.setId(1L);
    expected.setName("hdfs");
    expected.setCreatedBy("rangerAdmin");
    expected.setCreateTime(now);
    expected.setDescription("hdfs policy description");
    expected.setIsAuditEnabled(true);
    expected.setResources(expectedResources);
    expected.setPolicyItems(expectedItems);

    // ---- legacy input ----
    final VXPolicy legacyPolicy = new VXPolicy();
    legacyPolicy.setId(1L);
    legacyPolicy.setCreateDate(now);
    legacyPolicy.setUpdateDate(now);
    legacyPolicy.setOwner("rangerAdmin");
    legacyPolicy.setUpdatedBy("rangerAdmin");
    legacyPolicy.setPolicyName("hdfs");
    legacyPolicy.setDescription("hdfs policy description");
    legacyPolicy.setIsEnabled(true);
    legacyPolicy.setIsAuditEnabled(true);
    legacyPolicy.setIsRecursive(true);
    legacyPolicy.setResourceName("resource");

    final RangerService hdfsService = new RangerService();
    hdfsService.setId(1L);
    hdfsService.setName("hdfsService");
    hdfsService.setType("hdfs");

    final List<VXPermObj> legacyPerms = new ArrayList<VXPermObj>();
    final VXPermObj legacyPerm = new VXPermObj();
    legacyPerm.setUserList(users);
    legacyPerm.setGroupList(groups);
    legacyPerm.setPermList(perms);
    legacyPerm.setIpAddress("10.129.35.86");
    legacyPerms.add(legacyPerm);

    legacyPolicy.setPermMapList(legacyPerms);

    // ---- convert and compare ----
    final RangerPolicy actual = serviceUtil.toRangerPolicy(legacyPolicy, hdfsService);

    Assert.assertNotNull(actual);
    Assert.assertEquals(expected.getId(), actual.getId());
    Assert.assertEquals(expected.getName(), actual.getName());
    Assert.assertEquals(expected.getDescription(), actual.getDescription());
    Assert.assertEquals(expected.getCreatedBy(), actual.getCreatedBy());
    Assert.assertTrue(actual.getIsAuditEnabled());
    Assert.assertEquals(expected.getResources(), actual.getResources());
    Assert.assertEquals(expected.getPolicyItems(), actual.getPolicyItems());
}
Example 20
Source File: TestServiceUtil.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Verifies that {@code serviceUtil.toRangerPolicy(VXResource, RangerService)} maps
 * a legacy hive {@code VXResource} with one user permission map to the expected
 * {@code RangerPolicy}: id, name, service, description and policy items must
 * match.
 *
 * <p>The expected item grants the {@code drop} access to user {@code rangerAdmin}
 * under an {@code ipaddress} condition, without delegate-admin.
 */
@Test
public void testToRangerPolicyForPermGroup(){
    // ---- expected RangerPolicy ----
    final RangerPolicyItemCondition ipCondition = new RangerPolicyItemCondition();
    final List<String> ipValues = new ArrayList<String>();
    ipValues.add("10.129.25.56");
    ipCondition.setType("ipaddress");
    ipCondition.setValues(ipValues);

    final List<String> users = new ArrayList<String>();
    users.add("rangerAdmin");
    final List<String> groups = new ArrayList<String>();

    final List<RangerPolicyItemCondition> conditions = new ArrayList<RangerPolicy.RangerPolicyItemCondition>();
    conditions.add(ipCondition);

    final RangerPolicyItemAccess dropAccess = new RangerPolicyItemAccess();
    dropAccess.setIsAllowed(true);
    dropAccess.setType("drop");

    final List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
    accesses.add(dropAccess);

    final RangerPolicyItem expectedItem = new RangerPolicyItem();
    expectedItem.setConditions(conditions);
    expectedItem.setAccesses(accesses);
    expectedItem.setDelegateAdmin(false);
    expectedItem.setUsers(users);
    expectedItem.setGroups(groups);

    final List<RangerPolicyItem> expectedItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
    expectedItems.add(expectedItem);

    final RangerPolicy expected = new RangerPolicy();
    expected.setId(1L);
    expected.setName("hive Policy");
    expected.setService("hive");
    expected.setDescription("hive policy description");
    expected.setPolicyItems(expectedItems);

    // ---- legacy input ----
    final VXPermMap legacyPermMap = new VXPermMap();
    legacyPermMap.setId(5L);
    legacyPermMap.setGroupName("myGroup");
    legacyPermMap.setPermGroup("permGroup");
    legacyPermMap.setUserName("rangerAdmin");
    legacyPermMap.setPermType(12);
    legacyPermMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
    legacyPermMap.setIpAddress("10.129.25.56");

    final List<VXPermMap> legacyPermMaps = new ArrayList<VXPermMap>();
    legacyPermMaps.add(legacyPermMap);

    // Built as in the original test; this list is not attached to the resource below.
    final VXAuditMap legacyAuditMap = new VXAuditMap();
    legacyAuditMap.setId(1L);
    legacyAuditMap.setOwner("rangerAdmin");
    final List<VXAuditMap> legacyAuditMaps = new ArrayList<VXAuditMap>();
    legacyAuditMaps.add(legacyAuditMap);

    final RangerService hiveService = new RangerService();
    hiveService.setName("hive");
    hiveService.setType("hive");

    final VXResource legacyResource = new VXResource();
    legacyResource.setId(1L);
    legacyResource.setUpdateDate(new Date());
    legacyResource.setCreateDate(new Date());
    legacyResource.setOwner("rangerAdmin");
    legacyResource.setUpdatedBy("rangerAdmin");
    legacyResource.setPolicyName("hive Policy");
    legacyResource.setDescription("hive policy description");
    legacyResource.setResourceStatus(RangerCommonEnums.STATUS_ENABLED);
    legacyResource.setIsRecursive(1);
    legacyResource.setTableType(1);
    legacyResource.setColumnType(1);
    legacyResource.setPermMapList(legacyPermMaps);

    // ---- convert and compare ----
    final RangerPolicy actual = serviceUtil.toRangerPolicy(legacyResource, hiveService);

    Assert.assertNotNull(actual);
    Assert.assertEquals(expected.getId(), actual.getId());
    Assert.assertEquals(expected.getName(), actual.getName());
    Assert.assertEquals(expected.getService(), actual.getService());
    Assert.assertEquals(expected.getDescription(), actual.getDescription());
    Assert.assertEquals(expected.getPolicyItems(), actual.getPolicyItems());
}