ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mad...@apache.org
Subject incubator-ranger git commit: RANGER-203: added tests for HDFS access requests.
Date Fri, 09 Jan 2015 17:59:56 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/stack 82400d2b6 -> ee9ecde98


RANGER-203: added tests for HDFS access requests.

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ee9ecde9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ee9ecde9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ee9ecde9

Branch: refs/heads/stack
Commit: ee9ecde98fc38be97ea100cd5227b945e7ed0f57
Parents: 82400d2
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Fri Jan 9 09:59:36 2015 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Fri Jan 9 09:59:36 2015 -0800

----------------------------------------------------------------------
 .../RangerPathResourceMatcher.java              |  12 +-
 .../service-defs/ranger-servicedef-hdfs.json    |   4 +-
 .../plugin/policyengine/TestPolicyEngine.java   |  30 ++--
 .../policyengine/test_policyengine_hdfs.json    | 140 +++++++++++++++++++
 4 files changed, 173 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 79f68c0..2cf3a68 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -62,9 +62,17 @@ public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher
{
 
 			for(String policyValue : policyValues) {
 				if(policyIsRecursive) {
-					ret = optWildCard ? isRecursiveWildCardMatch(resource, policyValue) : StringUtils.startsWith(resource,
policyValue);
+					ret = StringUtils.startsWith(resource, policyValue);
+					
+					if(! ret && optWildCard) {
+						ret = isRecursiveWildCardMatch(resource, policyValue) ;
+					}
 				} else {
-					ret = optWildCard ? FilenameUtils.wildcardMatch(resource, policyValue) : StringUtils.equals(resource,
policyValue);
+					ret = StringUtils.equals(resource, policyValue);
+					
+					if(! ret && optWildCard) {
+						ret = FilenameUtils.wildcardMatch(resource, policyValue);
+					}
 				}
 
 				if(ret) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
index b2431c7..907b6d3 100644
--- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
+++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hdfs.json
@@ -34,13 +34,13 @@
   [
     {"name":"username","type":"string","mandatory":true,"label":"Username"},
 	{"name":"password","type":"password","mandatory":true,"label":"Password"},
-	{"name":"hadoop.security.authorization","type":"bool","mandatory":true,"defaultValue":"false"},
+	{"name":"hadoop.security.authorization","type":"bool","subType":"TrueFalse","mandatory":true,"defaultValue":"false"},
 	{"name":"hadoop.security.authentication","type":"enum","subType":"authnType","mandatory":true,"defaultValue":"simple"},
 	{"name":"hadoop.security.auth_to_local","type":"string","mandatory":false},
 	{"name":"dfs.datanode.kerberos.principal","type":"string","mandatory":false},
 	{"name":"dfs.namenode.kerberos.principal","type":"string","mandatory":false},
 	{"name":"dfs.secondary.namenode.kerberos.principal","type":"string","mandatory":false},
-	{"name":"hadoop.rpc.protection","type":"rpcProtection","mandatory":false,"defaultValue":"authentication"},
+	{"name":"hadoop.rpc.protection","type":"enum","subType":"rpcProtection","mandatory":false,"defaultValue":"authentication"},
 	{"name":"certificate.cn","type":"string","mandatory":false,"label":"Common Name for Certificate"}
   ],
   "resources":

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 553a0d7..811c873 100644
--- a/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/plugin-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -61,24 +61,36 @@ public class TestPolicyEngine {
 	}
 
 	@Test
+	public void testPolicyEngine_hdfs() {
+		String[] hdfsTestResourceFiles = { "/policyengine/test_policyengine_hdfs.json" };
+
+		runTestsFromResourceFiles(hdfsTestResourceFiles);
+	}
+
+	@Test
 	public void testPolicyEngine_hive() {
-		String            filename = "/policyengine/test_policyengine_hive.json";
-		InputStream       inStream = this.getClass().getResourceAsStream(filename);
-		InputStreamReader reader   = new InputStreamReader(inStream);
+		String[] hiveTestResourceFiles = { "/policyengine/test_policyengine_hive.json" };
 
-		runTests(reader, filename);
+		runTestsFromResourceFiles(hiveTestResourceFiles);
 	}
 
 	@Test
 	public void testPolicyEngine_hbase() {
-		String            filename = "/policyengine/test_policyengine_hbase.json";
-		InputStream       inStream = this.getClass().getResourceAsStream(filename);
-		InputStreamReader reader   = new InputStreamReader(inStream);
+		String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase.json" };
 
-		runTests(reader, filename);
+		runTestsFromResourceFiles(hbaseTestResourceFiles);
+	}
+
+	private void runTestsFromResourceFiles(String[] resourceNames) {
+		for(String resourceName : resourceNames) {
+			InputStream       inStream = this.getClass().getResourceAsStream(resourceName);
+			InputStreamReader reader   = new InputStreamReader(inStream);
+
+			runTests(reader, resourceName);
+		}
 	}
 
-	public void runTests(InputStreamReader reader, String testName) {
+	private void runTests(InputStreamReader reader, String testName) {
 		try {
 			PolicyEngineTestCase testCase = gsonBuilder.fromJson(reader, PolicyEngineTestCase.class);
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ee9ecde9/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
new file mode 100644
index 0000000..b9afd8b
--- /dev/null
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -0,0 +1,140 @@
+{
+  "serviceName":"hdfsdev",
+
+  "serviceDef":{
+    "name":"hdfs",
+    "id":1,
+    "resources":[
+    {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true","label":"Resource
Path","description":"HDFS file or directory path"}
+    ],
+    "accessTypes":[
+      {"name":"read","label":"Read"},
+      {"name":"write","label":"Write"},
+      {"name":"execute","label":"Execute"}
+    ]
+  },
+
+  "policies":[
+    {"id":1,"name":"audit-all-access under /finance/restricted/","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}},
+     "policyItems":[
+       {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false,
+     "resources":{"path":{"values":["/public/"],"isRecursive":true}},
+     "policyItems":[
+       {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":3,"name":"allow-read-to-finance under /finance/restricted","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"path":{"values":["/finance/restricted"],"isRecursive":true}},
+     "policyItems":[
+       {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false}
+     ]
+    }
+  ],
+
+  "tests":[
+    {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read
/finance/restricted/sales.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":3}}}
+    }
+    ,
+    {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read
/finance/restricted/hr/payroll.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":true,"policyId":3}}}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read
/operations/visitors.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":["finance"],"requestData":"read
/public/technology/blogs.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+    }
+    ,
+
+    {"name":"DENY 'read /finance/restricted/sales.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+    }
+    ,
+    {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+    }
+    ,
+
+    {"name":"DENY 'read /finance/restricted/sales.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+    }
+    ,
+    {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /operations/visitors.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessTypes":["read"],"user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db"
+     },
+     "result":{"accessTypeResults":{"read":{"isAllowed":true,"isAudited":false,"policyId":2}}}
+    }
+  ]
+}
+


Mime
View raw message