ranger-commits mailing list archives

From mad...@apache.org
Subject incubator-ranger git commit: RANGER-203: AccessRequest updated to support multiple accessTypes (like [read, execute]).
Date Mon, 05 Jan 2015 21:59:10 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/stack 3106b1122 -> 29747dcd6


RANGER-203: AccessRequest updated to support multiple accessTypes (like
[read, execute]).

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/29747dcd
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/29747dcd
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/29747dcd

Branch: refs/heads/stack
Commit: 29747dcd6eedb117ccfcdb18835a2d6eda3ddeff
Parents: 3106b11
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Mon Jan 5 13:58:58 2015 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Mon Jan 5 13:58:58 2015 -0800

----------------------------------------------------------------------
 .../policyengine/RangerAccessRequest.java       |   6 +-
 .../policyengine/RangerAccessRequestImpl.java   |  34 ++-
 .../plugin/policyengine/RangerAccessResult.java | 275 +++++++++++++------
 .../plugin/policyengine/RangerPolicyEngine.java |   4 -
 .../policyengine/RangerPolicyEngineImpl.java    |  40 +--
 .../RangerDefaultPolicyEvaluator.java           |  33 ++-
 .../policyengine/test_policyengine_01.json      | 108 ++++----
 7 files changed, 316 insertions(+), 184 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
index 5082947..fc4d954 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
@@ -19,18 +19,18 @@
 
 package org.apache.ranger.plugin.policyengine;
 
-import java.util.Collection;
 import java.util.Date;
 import java.util.Map;
+import java.util.Set;
 
 public interface RangerAccessRequest {
 	RangerResource getResource();
 
-	String getAccessType();
+	Set<String> getAccessTypes();
 
 	String getUser();
 
-	Collection<String> getUserGroups();
+	Set<String> getUserGroups();
 
 	Date getAccessTime();
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index 8e215da..f428c6a 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -1,20 +1,17 @@
 package org.apache.ranger.plugin.policyengine;
 
-import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
-
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import java.util.Set;
 
 
 public class RangerAccessRequestImpl implements RangerAccessRequest {
 	private RangerResource      resource        = null;
-	private String              accessType      = null;
+	private Set<String>         accessTypes     = null;
 	private String              user            = null;
-	private Collection<String>  userGroups      = null;
+	private Set<String>         userGroups      = null;
 	private Date                accessTime      = null;
 	private String              clientIPAddress = null;
 	private String              clientType      = null;
@@ -28,9 +25,9 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		this(null, null, null, null);
 	}
 
-	public RangerAccessRequestImpl(RangerResource resource, String accessType, String user,
Collection<String> userGroups) {
+	public RangerAccessRequestImpl(RangerResource resource, Set<String> accessTypes, String
user, Set<String> userGroups) {
 		setResource(resource);
-		setAccessType(accessType);
+		setAccessTypes(accessTypes);
 		setUser(user);
 		setUserGroups(userGroups);
 
@@ -50,8 +47,8 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 	}
 
 	@Override
-	public String getAccessType() {
-		return accessType;
+	public Set<String> getAccessTypes() {
+		return accessTypes;
 	}
 
 	@Override
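Review bot: `getAccessTypes()` returns the request's internal mutable set, and `setAccessTypes` in the later hunk stores the caller's set without copying it (`getUserGroups`/`setUserGroups` follow the same pattern). Anything that still holds that reference can change which access types are being authorized after the request has been built. If per-type results were already created from the earlier contents, evaluation would then run against a different set. Copying on the way in closes this: `this.accessTypes = (accessTypes == null) ? new HashSet<String>() : new HashSet<String>(accessTypes);`, optionally with the getter returning an unmodifiable view.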
@@ -60,7 +57,7 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 	}
 
 	@Override
-	public Collection<String> getUserGroups() {
+	public Set<String> getUserGroups() {
 		return userGroups;
 	}
 
@@ -104,15 +101,15 @@ public class RangerAccessRequestImpl implements RangerAccessRequest
{
 		this.resource = resource;
 	}
 
-	public void setAccessType(String accessType) {
-		this.accessType = accessType;
+	public void setAccessTypes(Set<String> accessTypes) {
+		this.accessTypes = (accessTypes == null) ? new HashSet<String>() : accessTypes;
 	}
 
 	public void setUser(String user) {
 		this.user = user;
 	}
 
-	public void setUserGroups(Collection<String> userGroups) {
+	public void setUserGroups(Set<String> userGroups) {
 		this.userGroups = (userGroups == null) ? new HashSet<String>() : userGroups;
 	}
 
@@ -157,7 +154,14 @@ public class RangerAccessRequestImpl implements RangerAccessRequest {
 		sb.append("RangerAccessRequestImpl={");
 
 		sb.append("resource={").append(resource).append("} ");
-		sb.append("accessType={").append(accessType).append("} ");
+
+		sb.append("accessTypes={");
+		if(accessTypes != null) {
+			for(String accessType : accessTypes) {
+				sb.append(accessType).append(" ");
+			}
+		}
+
 		sb.append("user={").append(user).append("} ");
 
 		sb.append("userGroups={");
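Review bot: The new `accessTypes={` block is never closed: after the loop the code goes straight on to `sb.append("user={")`, so the output has an unbalanced brace and the user field reads as if nested inside accessTypes. Add `sb.append("} ");` after the `if(accessTypes != null)` block, as the `accessTypeResults` printing in RangerAccessResult does. This matters if these strings end up in logs that are parsed or read during an investigation. The rest of toString lies outside the hunk.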

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index 8fa766f..5d7db60 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -19,104 +19,108 @@
 
 package org.apache.ranger.plugin.policyengine;
 
+import java.util.HashMap;
+import java.util.Map;
+
 import org.apache.commons.lang.ObjectUtils;
 import org.apache.commons.lang.StringUtils;
 
 
 public class RangerAccessResult {
-	public enum Result { ALLOWED, DENIED };
-
-	private Result  result    = null;
-	private boolean isAudited = false;
-	private boolean isFinal   = false;
-	private long    policyId  = -1;
-	private String  reason    = null;
+	public enum Result { ALLOWED, DENIED, PARTIALLY_ALLOWED };
 
+	private Map<String, ResultDetail> accessTypeResults = null;
 
 	public RangerAccessResult() {
-		this(Result.DENIED, false, false, -1, null);
+		this(null);
 	}
 
-	public RangerAccessResult(Result result, boolean isAudited, boolean isFinal) {
-		this(result, isAudited, isFinal, -1, null);
-	}
-
-	public RangerAccessResult(Result result, boolean isAudited, boolean isFinal, long policyId,
String reason) {
-		this.result    = result;
-		this.isAudited = isAudited;
-		this.isFinal   = isFinal;
-		this.policyId  = policyId;
-		this.reason    = reason;
+	public RangerAccessResult(Map<String, ResultDetail> accessTypeResults) {
+		setAccessTypeResults(accessTypeResults);
 	}
 
 	/**
-	 * @return the result
+	 * @return the accessTypeResults
 	 */
-	public Result getResult() {
-		return result;
+	public Map<String, ResultDetail> getAccessTypeResults() {
+		return accessTypeResults;
 	}
 
 	/**
 	 * @param result the result to set
 	 */
-	public void setResult(Result result) {
-		this.result = result;
-	}
-
-	/**
-	 * @return the isAudited
-	 */
-	public boolean isAudited() {
-		return isAudited;
+	public void setAccessTypeResults(Map<String, ResultDetail> accessTypeResults) {
+		this.accessTypeResults = accessTypeResults == null ? new HashMap<String, ResultDetail>()
: accessTypeResults;
 	}
 
 	/**
-	 * @param isAudited the isAudited to set
+	 * @param accessType the accessType
+	 * @return the accessTypeResult
 	 */
-	public void setAudited(boolean isAudited) {
-		this.isAudited = isAudited;
+	public ResultDetail getAccessTypeResult(String accessType) {
+		return accessTypeResults == null ? null : accessTypeResults.get(accessType);
 	}
 
 	/**
-	 * @return the isFinal
+	 * @param accessType the accessType
+	 * @param result the result to set
 	 */
-	public boolean isFinal() {
-		return isFinal;
-	}
+	public void setAccessTypeResult(String accessType, ResultDetail result) {
+		if(accessTypeResults == null) {
+			accessTypeResults = new HashMap<String, ResultDetail>();
+		}
 
-	/**
-	 * @param isFinal the isFinal to set
-	 */
-	public void setFinal(boolean isFinal) {
-		this.isFinal = isFinal;
+		accessTypeResults.put(accessType, result);
 	}
 
-	/**
-	 * @return the policyId
-	 */
-	public long getPolicyId() {
-		return policyId;
-	}
+	public boolean isAllAllowedAndAudited() {
+		boolean ret = true;
+
+		if(accessTypeResults != null) {
+			for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) {
+				ResultDetail result = e.getValue();
+				
+				ret = result.isAllowed && result.isAudited;
+				
+				if(! ret) {
+					break;
+				}
+			}
+		}
 
-	/**
-	 * @param policyId the policyId to set
-	 */
-	public void setPolicyId(long policyId) {
-		this.policyId = policyId;
+		return ret;
 	}
 
 	/**
-	 * @return the reason
+	 * @return the overall result
 	 */
-	public String getReason() {
-		return reason;
-	}
+	public Result getResult() {
+		Result ret = Result.ALLOWED;
+
+		if(accessTypeResults != null) {
+			int numAllowed = 0;
+			int numDenied  = 0;
+
+			for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) {
+				ResultDetail result = e.getValue();
+				
+				if(result.isAllowed) {
+					numAllowed++;
+				} else {
+					numDenied++;
+				}
+			}
+			
+			if(numAllowed == accessTypeResults.size()) {
+				ret = Result.ALLOWED;
+			} else if(numDenied == accessTypeResults.size()) {
+				ret = Result.DENIED;
+			} else {
+				ret = Result.PARTIALLY_ALLOWED;
+			}
+		}
 
-	/**
-	 * @param reason the reason to set
-	 */
-	public void setReason(String reason) {
-		this.reason = reason;
+		return ret;
 	}
 
 	@Override
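Review bot: `getResult()` reports `ALLOWED` for a result that has no per-access-type entries: `ret` starts as `Result.ALLOWED`, and for an empty map the test `numAllowed == accessTypeResults.size()` is `0 == 0`. The removed no-arg constructor defaulted to `Result.DENIED`, so the empty case changes from deny to allow; `isAllAllowedAndAudited()` likewise returns true when there is nothing to check. Starting from deny keeps the default safe: `Result ret = Result.DENIED;` with the guard `if(accessTypeResults != null && !accessTypeResults.isEmpty()) {`, and the same emptiness test in `isAllAllowedAndAudited()`. The Javadoc should also say how callers are expected to treat `PARTIALLY_ALLOWED`, since a `!= DENIED` comparison would accept it.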
@@ -126,14 +130,8 @@ public class RangerAccessResult {
 		if(obj != null && (obj instanceof RangerAccessResult)) {
 			RangerAccessResult other = (RangerAccessResult)obj;
 
-			ret = (this == other);
-
-			if(! ret) {
-				ret = this.isAudited == other.isAudited &&
-					  this.policyId == other.policyId &&
-					  StringUtils.equals(this.reason, other.reason) &&
-					  ObjectUtils.equals(this.result, other.result);
-			}
+			ret = (this == other) ||
+				   ObjectUtils.equals(accessTypeResults, other.accessTypeResults);
 		}
 
 		return ret;
@@ -143,10 +141,7 @@ public class RangerAccessResult {
 	public int hashCode() {
 		int ret = 7;
 
-		ret = 31 * ret + (isAudited ? 1 : 0);
-		ret = 31 * ret + (int)policyId;
-		ret = 31 * ret + (reason == null ? 0 : reason.hashCode());
-		ret = 31 * ret + (result == null ? 0 : result.hashCode());
+		ret = 31 * ret + (accessTypeResults == null ? 0 : accessTypeResults.hashCode()); // TODO:
review
 
 		return ret;
 	}
@@ -163,14 +158,136 @@ public class RangerAccessResult {
 	public StringBuilder toString(StringBuilder sb) {
 		sb.append("RangerAccessResult={");
 
-		sb.append("result={").append(result).append("} ");
-		sb.append("isAudited={").append(isAudited).append("} ");
-		sb.append("isFinal={").append(isFinal).append("} ");
-		sb.append("policyId={").append(policyId).append("} ");
-		sb.append("reason={").append(reason).append("} ");
+		sb.append("accessTypeResults={");
+		if(accessTypeResults != null) {
+			for(Map.Entry<String, ResultDetail> e : accessTypeResults.entrySet()) {
+				sb.append(e.getKey()).append("={").append(e.getValue()).append("} ");
+			}
+		}
+		sb.append("} ");
 
 		sb.append("}");
 
 		return sb;
 	}
+
+	public static class ResultDetail {
+		private boolean isAllowed;
+		private boolean isAudited;
+		private long    policyId;
+		private String  reason;
+
+		public ResultDetail() {
+			setIsAllowed(false);
+			setIsAudited(false);
+			setPolicyId(-1);
+			setReason(null);
+		}
+
+		/**
+		 * @return the isAllowed
+		 */
+		public boolean isAllowed() {
+			return isAllowed;
+		}
+
+		/**
+		 * @param isAllowed the isAllowed to set
+		 */
+		public void setIsAllowed(boolean isAllowed) {
+			this.isAllowed = isAllowed;
+		}
+
+		/**
+		 * @return the isAudited
+		 */
+		public boolean isAudited() {
+			return isAudited;
+		}
+
+		/**
+		 * @param isAudited the isAudited to set
+		 */
+		public void setIsAudited(boolean isAudited) {
+			this.isAudited = isAudited;
+		}
+
+		/**
+		 * @return the policyId
+		 */
+		public long getPolicyId() {
+			return policyId;
+		}
+
+		/**
+		 * @param policyId the policyId to set
+		 */
+		public void setPolicyId(long policyId) {
+			this.policyId = policyId;
+		}
+
+		/**
+		 * @return the reason
+		 */
+		public String getReason() {
+			return reason;
+		}
+
+		/**
+		 * @param reason the reason to set
+		 */
+		public void setReason(String reason) {
+			this.reason = reason;
+		}
+
+		@Override
+		public boolean equals(Object obj) {
+			boolean ret = false;
+
+			if(obj != null && (obj instanceof ResultDetail)) {
+				ResultDetail other = (ResultDetail)obj;
+
+				ret = (this == other);
+
+				if(! ret) {
+					ret = this.isAllowed == other.isAllowed &&
+						  this.isAudited == other.isAudited &&
+						  this.policyId == other.policyId &&
+						  StringUtils.equals(this.reason, other.reason);
+				}
+			}
+
+			return ret;
+		}
+
+		@Override
+		public int hashCode() {
+			int ret = 7;
+
+			ret = 31 * ret + (isAllowed ? 1 : 0);
+			ret = 31 * ret + (isAudited ? 1 : 0);
+			ret = 31 * ret + (int)policyId;
+			ret = 31 * ret + (reason == null ? 0 : reason.hashCode());
+
+			return ret;
+		}
+
+		@Override
+		public String toString( ) {
+			StringBuilder sb = new StringBuilder();
+
+			toString(sb);
+
+			return sb.toString();
+		}
+
+		public StringBuilder toString(StringBuilder sb) {
+			sb.append("isAllowed={").append(isAllowed).append("} ");
+			sb.append("isAudited={").append(isAudited).append("} ");
+			sb.append("policyId={").append(policyId).append("} ");
+			sb.append("reason={").append(reason).append("} ");
+
+			return sb;
+		}
+	}
 }
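Review bot: `ResultDetail` has no class comment, yet its constructor defaults are what make a fresh per-access-type decision a denial: not allowed, not audited, `policyId` -1 and a null reason. I would add a class Javadoc such as `/** Decision for a single access type; a new instance is denied and not audited, with policyId -1. */`. It should also state what -1 means, which the test data suggests is "no policy granted access". The Javadoc on `setIsAllowed` could add that only a matching policy item should ever set it to true.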

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 271e190..fd48ca1 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -30,8 +30,4 @@ public interface RangerPolicyEngine {
 	RangerAccessResult isAccessAllowed(RangerAccessRequest request);
 
 	List<RangerAccessResult> isAccessAllowed(List<RangerAccessRequest> requests);
-
-	void auditAccess(RangerAccessResult result);
-
-	void auditAccess(List<RangerAccessResult> results);
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index e63effd..1f4b2a2 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -29,7 +29,6 @@ import org.apache.ranger.plugin.manager.ServiceManager;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult.Result;
 import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 
@@ -60,10 +59,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			List<RangerPolicyEvaluator> evaluators = new ArrayList<RangerPolicyEvaluator>();
 
 			for(RangerPolicy policy : policies) {
-				RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
-
-				if(evaluator != null) {
-					evaluators.add(evaluator);
+				if(policy.getIsEnabled()) {
+					RangerPolicyEvaluator evaluator = getPolicyEvaluator(policy, serviceDef);
+	
+					if(evaluator != null) {
+						evaluators.add(evaluator);
+					}
 				}
 			}
 			
@@ -87,11 +88,15 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 
 		List<RangerPolicyEvaluator> evaluators = policyEvaluators;
 
-		if(request != null && evaluators != null) {
+		if(request != null && request.getAccessTypes() != null && evaluators !=
null) {
+			for(String accessType : request.getAccessTypes()) {
+				ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail());
+			}
+
 			for(RangerPolicyEvaluator evaluator : evaluators) {
 				evaluator.evaluate(request, ret);
-
-				if(ret.isFinal()) {
+				
+				if(ret.isAllAllowedAndAudited()) {
 					break;
 				}
 			}
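Review bot: The `ResultDetail` entries are created only inside the `if`, so when `request` is null, `getAccessTypes()` is null or `evaluators` is null, `ret` comes back with no entries at all. With `getResult()` as written in RangerAccessResult, an empty result reads as `ALLOWED`, so a request that was never evaluated can look permitted. I would create the denied-by-default entry for every requested access type before testing `evaluators`, and treat the empty case as a denial. The method starts and ends outside this hunk, so how `ret` is constructed is not visible here.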
@@ -127,17 +132,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		return ret;
 	}
 
-	@Override
-	public void auditAccess(RangerAccessResult result) {
-		// TODO Auto-generated method stub
-		
-	}
-
-	@Override
-	public void auditAccess(List<RangerAccessResult> results) {
-		// TODO Auto-generated method stub
-		
-	}
 
 	public void init(String svcName) throws Exception {
 		if(LOG.isDebugEnabled()) {
@@ -184,12 +178,20 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	}
 
 	private RangerPolicyEvaluator getPolicyEvaluator(RangerPolicy policy, RangerServiceDef serviceDef)
{
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.getPolicyEvaluator(" + policy + "," + serviceDef
+ ")");
+		}
+
 		RangerPolicyEvaluator ret = null;
 
 		ret = new RangerDefaultPolicyEvaluator(); // TODO: configurable evaluator class?
 
 		ret.init(policy, serviceDef);
 
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.getPolicyEvaluator(" + policy + "," + serviceDef
+ "): " + ret);
+		}
+
 		return ret;
 	}
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2d0f300..05fd334 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -86,30 +86,43 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
 		RangerPolicy policy = getPolicy();
 
-		if(policy != null && policy.getIsEnabled() && request != null &&
result != null && !result.isFinal()) {
+		if(policy != null && request != null && result != null) {
 			if(matchResource(request.getResource())) {
 				for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
-					RangerPolicyItemAccess access = getAccess(policyItem, request.getAccessType());
+					for(String accessType : request.getAccessTypes()) {
+						RangerPolicyItemAccess access = getAccess(policyItem, accessType);
 
-					if(access != null) {
-						if(! result.isAudited() && policy.getIsAuditEnabled()) {
-							result.setAudited(true);
+						if(access == null) {
+							continue;
+						}
+
+						RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType);
+						
+						if(accessResult.isAllowed() && accessResult.isAudited()) {
+							continue;
+						}
+
+						if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
+							accessResult.setIsAudited(true);
 						}
 
 						if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
 							if(matchCustomConditions(policyItem, request)) {
-								if(result.getResult() != Result.ALLOWED && access.getIsAllowed()) {
-									result.setResult(Result.ALLOWED);
-									result.setPolicyId(policy.getId());
+								if(!accessResult.isAllowed() && access.getIsAllowed()) {
+									accessResult.setIsAllowed(true);
+									accessResult.setPolicyId(policy.getId());
 								}
 							}
 						}
 
-						if(result.getResult() == Result.ALLOWED && result.isAudited()) {
-							result.setFinal(true);
+						if(result.isAllAllowedAndAudited()) {
 							break;
 						}
 					}
+
+					if(result.isAllAllowedAndAudited()) {
+						break;
+					}
 				}
 			}
 		}
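Review bot: `accessResult` is dereferenced at `accessResult.isAllowed()` without a null check, but `result.getAccessTypeResult(accessType)` returns null for any access type that was not registered on the result beforehand. evaluate() therefore only works when the caller has filled the map first, as the engine does. A guard such as `if(accessResult == null) { accessResult = new RangerAccessResult.ResultDetail(); result.setAccessTypeResult(accessType, accessResult); }` removes that coupling. Separately, the condition no longer tests `policy.getIsEnabled()`: the engine now filters disabled policies when it builds evaluators, but keeping the test here would stop a disabled policy from granting access if an evaluator is ever initialised another way. The method body starts before this hunk.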

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29747dcd/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
index 7388bbd..d9c224c 100644
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
@@ -41,217 +41,217 @@
     {"name":"'use default;' as user1 ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessType":"select","user":"user1","userGroups":["users"],"requestData":"use default"
+      "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use default"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'use default;' as user2 ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessType":"select","user":"user2","userGroups":["users"],"requestData":"use default"
+      "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"use default"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'use default;' as user3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessType":"select","user":"user3","userGroups":["users"],"requestData":"use default"
+      "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"use default"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'use default;' as user3, group1 ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessType":"select","user":"user3","userGroups":["users", "group1"],"requestData":"use
default"
+      "accessTypes":["select"],"user":"user3","userGroups":["users", "group1"],"requestData":"use
default"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'use default;' as user3, group2 ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessType":"select","user":"user3","userGroups":["users", "group2"],"requestData":"use
default"
+      "accessTypes":["select"],"user":"user3","userGroups":["users", "group2"],"requestData":"use
default"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'use default;' as user3, group3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessType":"select","user":"user3","userGroups":["users", "group3"],"requestData":"use
default"
+      "accessTypes":["select"],"user":"user3","userGroups":["users", "group3"],"requestData":"use
default"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'use finance;' as user3, group3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"finance"}},
-      "accessType":"select","user":"user1","userGroups":["users"],"requestData":"use finance"
+      "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use finance"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
-      "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1
from default.testtable"
+      "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select
col1 from default.testtable"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'select col1 from default.testtable;' as user2 ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
-      "accessType":"select","user":"user2","userGroups":["users"],"requestData":"select col1
from default.testtable"
+      "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"select
col1 from default.testtable"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'select col1 from default.testtable;' as user3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
-      "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1
from default.testtable"
+      "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select
col1 from default.testtable"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'select col1 from default.testtable;' as user3, group1 ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
-      "accessType":"select","user":"user3","userGroups":["users","group1"],"requestData":"select
col1 from default.testtable"
+      "accessTypes":["select"],"user":"user3","userGroups":["users","group1"],"requestData":"select
col1 from default.testtable"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'select col1 from default.testtable;' as user3, group2 ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
-      "accessType":"select","user":"user3","userGroups":["users","group2"],"requestData":"select
col1 from default.testtable"
+      "accessTypes":["select"],"user":"user3","userGroups":["users","group2"],"requestData":"select
col1 from default.testtable"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'select col1 from default.testtable;' as user3, group3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable","column":"col1"}},
-      "accessType":"select","user":"user3","userGroups":["users","group3"],"requestData":"select
col1 from default.testtable"
+      "accessTypes":["select"],"user":"user3","userGroups":["users","group3"],"requestData":"select
col1 from default.testtable"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'select col1 from default.table1;' as user1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
-      "accessType":"select","user":"user1","userGroups":["users"],"requestData":"select col1
from default.table1"
+      "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"select
col1 from default.table1"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'create table default.testtable1;' as user1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable1"}},
-      "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table
default.testtable1"
+      "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create
table default.testtable1"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'create table default.testtable1;' as user1, group1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable1"}},
-      "accessType":"create","user":"user1","userGroups":["users","group1"],"requestData":"create
table default.testtable1"
+      "accessTypes":["create"],"user":"user1","userGroups":["users","group1"],"requestData":"create
table default.testtable1"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'create table default.testtable1;' as admin ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable1"}},
-      "accessType":"create","user":"admin","userGroups":["users"],"requestData":"create table
default.testtable1"
+      "accessTypes":["create"],"user":"admin","userGroups":["users"],"requestData":"create
table default.testtable1"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'create table default.testtable1;' as user1, admin ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable1"}},
-      "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create
table default.testtable1"
+      "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create
table default.testtable1"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"create":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
      ,
     {"name":"'drop table default.testtable1;' as user1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable1"}},
-      "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table
default.testtable1"
+      "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table
default.testtable1"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'drop table default.testtable1;' as user1, group1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable1"}},
-      "accessType":"drop","user":"user1","userGroups":["users","group1"],"requestData":"drop
table default.testtable1"
+      "accessTypes":["drop"],"user":"user1","userGroups":["users","group1"],"requestData":"drop
table default.testtable1"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'drop table default.testtable1;' as admin ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable1"}},
-      "accessType":"drop","user":"admin","userGroups":["users"],"requestData":"drop table
default.testtable1"
+      "accessTypes":["drop"],"user":"admin","userGroups":["users"],"requestData":"drop table
default.testtable1"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'drop table default.testtable1;' as user1, admin ==> ALLOWED",
      "request":{
       "resource":{"elements":{"database":"default","table":"testtable1"}},
-      "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop
table default.testtable1"
+      "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop
table default.testtable1"
      },
-     "result":{"result":"ALLOWED","isAudited":true,"policyId":2}
+     "result":{"accessTypeResults":{"drop":{"isAllowed":true,"isAudited":true,"policyId":2}}}
     }
     ,
     {"name":"'create table default.table1;' as user1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"table1"}},
-      "accessType":"create","user":"user1","userGroups":["users"],"requestData":"create table
default.testtable1"
+      "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create
table default.testtable1"
      },
-     "result":{"result":"DENIED","isAudited":false,"policyId":-1}
+     "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
     }
     ,
     {"name":"'create table default.table1;' as user1, admin ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"table1"}},
-      "accessType":"create","user":"user1","userGroups":["users","admin"],"requestData":"create
table default.testtable1"
+      "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create
table default.testtable1"
      },
-     "result":{"result":"DENIED","isAudited":false,"policyId":-1}
+     "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
     }
     ,
     {"name":"'drop table default.table1;' as user1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"table1"}},
-      "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop table
default.testtable1"
+      "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table
default.testtable1"
      },
-     "result":{"result":"DENIED","isAudited":false,"policyId":-1}
+     "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
     }
     ,
     {"name":"'drop table default.table1;' as user1, admin ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"table1"}},
-      "accessType":"drop","user":"user1","userGroups":["users","admin"],"requestData":"drop
table default.testtable1"
+      "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop
table default.testtable1"
      },
-     "result":{"result":"DENIED","isAudited":false,"policyId":-1}
+     "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
     }
     ,
     {"name":"'select col1 from default.table1;' as user3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default","table":"table1","column":"col1"}},
-      "accessType":"select","user":"user3","userGroups":["users"],"requestData":"select col1
from default.table1"
+      "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"select
col1 from default.table1"
      },
-     "result":{"result":"DENIED","isAudited":true,"policyId":-1}
+     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
   ]
 }

