ranger-commits mailing list archives

From mad...@apache.org
Subject [1/2] incubator-ranger git commit: RANGER-203: policy evaluation updated to handle "any" access requirement, currently used in Hive.
Date Thu, 08 Jan 2015 08:55:08 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/stack 1f458f00f -> 7d00538b3


RANGER-203: policy evaluation updated to handle "any" access requirement, currently used in
Hive.


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e8b58a91
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e8b58a91
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e8b58a91

Branch: refs/heads/stack
Commit: e8b58a91306be000894f6f4a7b0d98bdd5e3b6fb
Parents: bd8c234
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Thu Jan 8 00:53:58 2015 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Thu Jan 8 00:53:58 2015 -0800

----------------------------------------------------------------------
 .../ranger/plugin/model/RangerPolicy.java       |  80 +++++++--
 .../ranger/plugin/model/RangerService.java      |  11 +-
 .../ranger/plugin/model/RangerServiceDef.java   | 101 +++++++++--
 .../plugin/policyengine/RangerAccessResult.java |  14 +-
 .../plugin/policyengine/RangerPolicyEngine.java |   1 +
 .../policyengine/RangerPolicyEngineImpl.java    |  28 +--
 .../RangerDefaultPolicyEvaluator.java           | 176 ++++++++-----------
 .../RangerAbstractResourceMatcher.java          |  60 ++++++-
 .../RangerDefaultResourceMatcher.java           |  40 +----
 .../RangerPathResourceMatcher.java              |  41 +----
 .../resourcematcher/RangerResourceMatcher.java  |   5 +-
 .../service-defs/ranger-servicedef-hbase.json   |   3 +-
 .../policyengine/test_policyengine_01.json      |  46 ++---
 13 files changed, 370 insertions(+), 236 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index bab79a1..2457ae1 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -170,7 +170,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 	 * @param configs the resources to set
 	 */
 	public void setResources(Map<String, RangerPolicyResource> resources) {
-		this.resources = new HashMap<String, RangerPolicyResource>();
+		if(this.resources == null) {
+			this.resources = new HashMap<String, RangerPolicyResource>();
+		}
+
+		if(this.resources == resources) {
+			return;
+		}
+
+		this.resources.clear();
 
 		if(resources != null) {
 			for(Map.Entry<String, RangerPolicyResource> e : resources.entrySet()) {
@@ -190,7 +198,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 	 * @param policyItems the policyItems to set
 	 */
 	public void setPolicyItems(List<RangerPolicyItem> policyItems) {
-		this.policyItems = new ArrayList<RangerPolicyItem>();
+		if(this.policyItems == null) {
+			this.policyItems = new ArrayList<RangerPolicyItem>();
+		}
+
+		if(this.policyItems == policyItems) {
+			return;
+		}
+
+		this.policyItems.clear();
 
 		if(policyItems != null) {
 			for(RangerPolicyItem policyItem : policyItems) {
@@ -258,10 +274,7 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 		}
 
 		public RangerPolicyResource(String value, Boolean isExcludes, Boolean isRecursive) {
-			List<String> values = new ArrayList<String>();
-			values.add(value);
-
-			setValues(values);
+			setValue(value);
 			setIsExcludes(isExcludes);
 			setIsRecursive(isRecursive);
 		}
@@ -283,7 +296,15 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 		 * @param values the values to set
 		 */
 		public void setValues(List<String> values) {
-			this.values = new ArrayList<String>();
+			if(this.values == null) {
+				this.values = new ArrayList<String>();
+			}
+
+			if(this.values == values) {
+				return;
+			}
+
+			this.values.clear();
 
 			if(values != null) {
 				for(String value : values) {
@@ -293,6 +314,19 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 		}
 
 		/**
+		 * @param value the value to set
+		 */
+		public void setValue(String value) {
+			if(this.values == null) {
+				this.values = new ArrayList<String>();
+			}
+
+			this.values.clear();
+
+			this.values.add(value);
+		}
+
+		/**
 		 * @return the isExcludes
 		 */
 		public Boolean getIsExcludes() {
@@ -377,7 +411,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 		 * @param accesses the accesses to set
 		 */
 		public void setAccesses(List<RangerPolicyItemAccess> accesses) {
-			this.accesses = new ArrayList<RangerPolicyItemAccess>();
+			if(this.accesses == null) {
+				this.accesses = new ArrayList<RangerPolicyItemAccess>();
+			}
+
+			if(this.accesses == accesses) {
+				return;
+			}
 
 			if(accesses != null) {
 				for(RangerPolicyItemAccess access : accesses) {
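Review bot: `setAccesses` now reuses the existing list but never empties it: unlike `setResources`, `setPolicyItems` and `setValues` earlier in this file, there is no `this.accesses.clear();` after the identity check, so a second call appends to the earlier entries instead of replacing them. The hunks for `setUsers`, `setGroups` and `setConditions` have the same gap. For a policy item this means users, groups or accesses set earlier stay in place after the setter is called with a shorter list. Add `this.accesses.clear();` (and the equivalent in the other three) before the copy loop. The loop continues past the end of the hunk, so this assumes it only adds elements.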
@@ -395,7 +435,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 		 * @param users the users to set
 		 */
 		public void setUsers(List<String> users) {
-			this.users = new ArrayList<String>();
+			if(this.users == null) {
+				this.users = new ArrayList<String>();
+			}
+
+			if(this.users == users) {
+				return;
+			}
 
 			if(users != null) {
 				for(String user : users) {
@@ -413,7 +459,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 		 * @param groups the groups to set
 		 */
 		public void setGroups(List<String> groups) {
-			this.groups = new ArrayList<String>();
+			if(this.groups == null) {
+				this.groups = new ArrayList<String>();
+			}
+
+			if(this.groups == groups) {
+				return;
+			}
 
 			if(groups != null) {
 				for(String group : groups) {
@@ -431,7 +483,13 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 		 * @param conditions the conditions to set
 		 */
 		public void setConditions(List<RangerPolicyItemCondition> conditions) {
-			this.conditions = new ArrayList<RangerPolicyItemCondition>();
+			if(this.conditions == null) {
+				this.conditions = new ArrayList<RangerPolicyItemCondition>();
+			}
+
+			if(this.conditions == conditions) {
+				return;
+			}
 
 			if(conditions != null) {
 				for(RangerPolicyItemCondition condition : conditions) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
index 65de02a..2f8d5e5 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
@@ -46,7 +46,6 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri
 	private String              name        = null;
 	private String              description = null;
 	private Boolean             isEnabled   = null;
-	@JsonDeserialize(using = CustomizedMapDeserializer.class)
 	private Map<String, String> configs     = null;
 
 
@@ -151,7 +150,15 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri
 	 * @param configs the configs to set
 	 */
 	public void setConfigs(Map<String, String> configs) {
-		this.configs = new HashMap<String, String>();
+		if(this.configs == null) {
+			this.configs = new HashMap<String, String>();
+		}
+
+		if(this.configs == configs) {
+			return;
+		}
+		
+		this.configs.clear();
 
 		if(configs != null) {
 			for(Map.Entry<String, String> e : configs.entrySet()) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
index 4bc50c7..0be4a8b 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
@@ -20,6 +20,7 @@
 package org.apache.ranger.plugin.model;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 
 import javax.xml.bind.annotation.XmlAccessType;
@@ -178,7 +179,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements
java.io.S
 	 * @param configs the configs to set
 	 */
 	public void setConfigs(List<RangerServiceConfigDef> configs) {
-		this.configs = new ArrayList<RangerServiceConfigDef>();
+		if(this.configs == null) {
+			this.configs = new ArrayList<RangerServiceConfigDef>();
+		} else 
+
+		if(this.configs == configs) {
+			return;
+		}
+
+		this.configs.clear();
 
 		if(configs != null) {
 			for(RangerServiceConfigDef config : configs) {
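Review bot: The trailing `} else` on the null check attaches the identity check to it across a blank line, so the code reads as two independent `if`s but parses as `if … else if …`. Behaviour is the same today because a freshly created list can never be the argument, but it differs from every other setter in this commit and will mislead the next edit. Drop the `else` so the first block ends with a plain `}`, as in `setResources` just below.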
@@ -198,7 +207,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements
java.io.S
 	 * @param resources the resources to set
 	 */
 	public void setResources(List<RangerResourceDef> resources) {
-		this.resources = new ArrayList<RangerResourceDef>();
+		if(this.resources == null) {
+			this.resources = new ArrayList<RangerResourceDef>();
+		}
+
+		if(this.resources == resources) {
+			return;
+		}
+
+		this.resources.clear();
 
 		if(resources != null) {
 			for(RangerResourceDef resource : resources) {
@@ -218,7 +235,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements
java.io.S
 	 * @param accessTypes the accessTypes to set
 	 */
 	public void setAccessTypes(List<RangerAccessTypeDef> accessTypes) {
-		this.accessTypes = new ArrayList<RangerAccessTypeDef>();
+		if(this.accessTypes == null) {
+			this.accessTypes = new ArrayList<RangerAccessTypeDef>();
+		}
+
+		if(this.accessTypes == accessTypes) {
+			return;
+		}
+
+		this.accessTypes.clear();
 
 		if(accessTypes != null) {
 			for(RangerAccessTypeDef accessType : accessTypes) {
@@ -238,7 +263,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements
java.io.S
 	 * @param policyConditions the policyConditions to set
 	 */
 	public void setPolicyConditions(List<RangerPolicyConditionDef> policyConditions) {
-		this.policyConditions = new ArrayList<RangerPolicyConditionDef>();
+		if(this.policyConditions == null) {
+			this.policyConditions = new ArrayList<RangerPolicyConditionDef>();
+		}
+
+		if(this.policyConditions == policyConditions) {
+			return;
+		}
+
+		this.policyConditions.clear();
 
 		if(policyConditions != null) {
 			for(RangerPolicyConditionDef policyCondition : policyConditions) {
@@ -258,7 +291,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements
java.io.S
 	 * @param enums the enums to set
 	 */
 	public void setEnums(List<RangerEnumDef> enums) {
-		this.enums = new ArrayList<RangerEnumDef>();
+		if(this.enums == null) {
+			this.enums = new ArrayList<RangerEnumDef>();
+		}
+
+		if(this.enums == enums) {
+			return;
+		}
+
+		this.enums.clear();
 
 		if(enums != null) {
 			for(RangerEnumDef enum1 : enums) {
@@ -387,7 +428,15 @@ public class RangerServiceDef extends RangerBaseModelObject implements
java.io.S
 		 * @param elements the elements to set
 		 */
 		public void setElements(List<RangerEnumElementDef> elements) {
-			this.elements = new ArrayList<RangerEnumElementDef>();
+			if(this.elements == null) {
+				this.elements = new ArrayList<RangerEnumElementDef>();
+			}
+
+			if(this.elements == elements) {
+				return;
+			}
+
+			this.elements.clear();
 
 			if(elements != null) {
 				for(RangerEnumElementDef element : elements) {
@@ -974,19 +1023,21 @@ public class RangerServiceDef extends RangerBaseModelObject implements
java.io.S
 	public static class RangerAccessTypeDef implements java.io.Serializable {
 		private static final long serialVersionUID = 1L;
 
-		private String name       = null;
-		private String label      = null;
-		private String rbKeyLabel = null;
+		private String             name       = null;
+		private String             label      = null;
+		private String             rbKeyLabel = null;
+		private Collection<String> impliedAccessTypes = null;
 
 
 		public RangerAccessTypeDef() {
-			this(null, null, null);
+			this(null, null, null, null);
 		}
 
-		public RangerAccessTypeDef(String name, String label, String rbKeyLabel) {
+		public RangerAccessTypeDef(String name, String label, String rbKeyLabel, Collection<String>
impliedAccessTypes) {
 			setName(name);
 			setLabel(label);
 			setRbKeyLabel(rbKeyLabel);
+			setImpliedAccessTypes(impliedAccessTypes);
 		}
 
 		/**
@@ -1031,6 +1082,34 @@ public class RangerServiceDef extends RangerBaseModelObject implements
java.io.S
 			this.rbKeyLabel = rbKeyLabel;
 		}
 
+		/**
+		 * @return the impliedAccessTypes
+		 */
+		public Collection<String> getImpliedAccessTypes() {
+			return impliedAccessTypes;
+		}
+
+		/**
+		 * @param impliedAccessTypes the impliedAccessTypes to set
+		 */
+		public void setImpliedAccessTypes(Collection<String> impliedAccessTypes) {
+			if(this.impliedAccessTypes == null) {
+				this.impliedAccessTypes = new ArrayList<String>();
+			}
+
+			if(this.impliedAccessTypes == impliedAccessTypes) {
+				return;
+			}
+
+			this.impliedAccessTypes.clear();
+
+			if(impliedAccessTypes != null) {
+				for(String impliedAccessType : impliedAccessTypes) {
+					this.impliedAccessTypes.add(impliedAccessType);
+				}
+			}
+		}
+
 		@Override
 		public String toString( ) {
 			StringBuilder sb = new StringBuilder();
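Review bot: Neither javadoc says what an implied access type is or in which direction the implication runs (presumably granting this access type also grants the listed ones; confirm). Because the field widens what a grant covers, the getter comment should state it, e.g. `@return access types that are granted implicitly when this access type is granted`. `getImpliedAccessTypes()` also returns the internal collection, so callers can change it without going through the setter; either say so in the javadoc or return an unmodifiable view.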

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
index a5a1ef3..57094a4 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java
@@ -58,7 +58,19 @@ public class RangerAccessResult {
 	 * @return the accessTypeResult
 	 */
 	public ResultDetail getAccessTypeResult(String accessType) {
-		return accessTypeResults == null ? null : accessTypeResults.get(accessType);
+		if(accessTypeResults == null) {
+			accessTypeResults = new HashMap<String, ResultDetail>();
+		}
+		
+		ResultDetail ret = accessTypeResults.get(accessType);
+		
+		if(ret == null) {
+			ret = new ResultDetail();
+			
+			accessTypeResults.put(accessType, ret);
+		}
+
+		return ret;
 	}
 
 	/**
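Review bot: `getAccessTypeResult` is no longer a pure lookup: a miss now creates a `ResultDetail` and stores it in `accessTypeResults`. Any caller that probes an access type that was not part of the request therefore adds a default entry to the result, which may change what `isAllAllowedAndAudited()` reports (its body is not in this hunk). The javadoc still only says `@return the accessTypeResult`; it should state `never null; creates and stores an empty ResultDetail when none exists`. Alternatively, keep the getter read-only and have the evaluator create entries explicitly.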

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 565f2c4..0f70b09 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -28,6 +28,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
 
 public interface RangerPolicyEngine {
 	public static final String GROUP_PUBLIC   = "public";
+	public static final String ACCESS_ANY     = "any";
 	public static final long   UNKNOWN_POLICY = -1;
 
 	void setPolicies(String serviceName, RangerServiceDef serviceDef, List<RangerPolicy>
policies);
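Review bot: `ACCESS_ANY` has no comment, and `"any"` lives in the same string key space as the access-type names that service definitions declare. If a service definition ever declares an access type named `any`, its result entry and the sentinel's entry would share one key. Add a comment such as `// reserved result key used when a request names no access type; not a valid access-type name in a service-def`, and consider rejecting that name when a service definition is loaded.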

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 0016c15..4b26c27 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -24,10 +24,10 @@ import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult.ResultDetail;
@@ -348,18 +348,24 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 
 		RangerAccessResult ret = new RangerAccessResult();
 
-		List<RangerPolicyEvaluator> evaluators = policyEvaluators;
-
-		if(request != null && request.getAccessTypes() != null && evaluators !=
null) {
-			for(String accessType : request.getAccessTypes()) {
-				ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail());
+		if(request != null) {
+			if(CollectionUtils.isEmpty(request.getAccessTypes())) {
+				ret.setAccessTypeResult(RangerPolicyEngine.ACCESS_ANY, new RangerAccessResult.ResultDetail());
+			} else {
+				for(String accessType : request.getAccessTypes()) {
+					ret.setAccessTypeResult(accessType, new RangerAccessResult.ResultDetail());
+				}
 			}
 
-			for(RangerPolicyEvaluator evaluator : evaluators) {
-				evaluator.evaluate(request, ret);
-				
-				if(ret.isAllAllowedAndAudited()) {
-					break;
+			List<RangerPolicyEvaluator> evaluators = policyEvaluators;
+
+			if(evaluators != null) {
+				for(RangerPolicyEvaluator evaluator : evaluators) {
+					evaluator.evaluate(request, ret);
+
+					if(ret.isAllAllowedAndAudited()) {
+						break;
+					}
 				}
 			}
 		}
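Review bot: A request whose access-type list is null or empty is now evaluated under `RangerPolicyEngine.ACCESS_ANY`, which the evaluator in this commit satisfies with any allowed access on the resource. That is the intended Hive case, but a caller that simply failed to populate the access types gets the same weakest check, with nothing in the log to tell the two apart. A debug line in the `isEmpty` branch through the class's logger, e.g. `"no access type in request; evaluating as ACCESS_ANY"`, plus a sentence in the method comment, would make the fallback visible. The enclosing method starts and ends outside this hunk.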

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 99c45d3..ee2503f 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -23,8 +23,8 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -45,7 +45,7 @@ import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
 public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
 	private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class);
 
-	private List<ResourceDefMatcher> matchers = null;
+	private List<RangerResourceMatcher> matchers = null;
 
 	@Override
 	public void init(RangerPolicy policy, RangerServiceDef serviceDef) {
@@ -55,20 +55,19 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
 		super.init(policy, serviceDef);
 
-		this.matchers = new ArrayList<ResourceDefMatcher>();
+		this.matchers = new ArrayList<RangerResourceMatcher>();
 
-		if(policy != null && policy.getResources() != null) {
-			for(Map.Entry<String, RangerPolicyResource> e : policy.getResources().entrySet())
{
-				String               resourceName   = e.getKey();
-				RangerPolicyResource policyResource = e.getValue();
-				RangerResourceDef    resourceDef    = getResourceDef(resourceName);
+		if(policy != null && policy.getResources() != null && serviceDef != null)
{
+			for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+				String               resourceName   = resourceDef.getName();
+				RangerPolicyResource policyResource = policy.getResources().get(resourceName);
 
 				RangerResourceMatcher matcher = createResourceMatcher(resourceDef, policyResource);
 
 				if(matcher != null) {
-					matchers.add(new ResourceDefMatcher(resourceDef, matcher));
+					matchers.add(matcher);
 				} else {
-					// TODO: ERROR: no matcher found for resourceName
+					LOG.error("failed to find matcher for resource " + resourceName);
 				}
 			}
 		}
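Review bot: The policy resource is now fetched with `policy.getResources().get(resourceName)`, an exact-case map lookup, where the removed `getResourceDef` compared names with `StringUtils.equalsIgnoreCase`. A policy whose resource key differs from the service-def name only in case now yields `policyResource == null`, and `RangerAbstractResourceMatcher.init` in this commit turns an empty value list into `isMatchAny = true`. How `isMatch` uses that flag is not on this page, but the likely effect is that the policy matches every value of that resource. Policy resource keys that do not appear in the service definition are also dropped without a log line. Normalise the key before the lookup, or log when a policy resource name has no matching resource definition.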
@@ -89,34 +88,74 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		if(policy != null && request != null && result != null) {
 			if(matchResource(request.getResource())) {
 				for(RangerPolicyItem policyItem : policy.getPolicyItems()) {
-					for(String accessType : request.getAccessTypes()) {
-						RangerPolicyItemAccess access = getAccess(policyItem, accessType);
+					
+					// if no access is requested, grant if ***any*** access is available
+					if(CollectionUtils.isEmpty(request.getAccessTypes())) {
+						RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(RangerPolicyEngine.ACCESS_ANY);
 
-						if(access == null) {
+						if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
+							accessResult.setIsAudited(true);
+						}
+						
+						if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
 							continue;
 						}
 
-						RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType);
-						
-						if(accessResult.isAllowed() && accessResult.isAudited()) {
+						if(! matchCustomConditions(policyItem, request)) {
 							continue;
 						}
 
-						if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
-							accessResult.setIsAudited(true);
+						if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
+							continue;
 						}
 
-						if(matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
-							if(matchCustomConditions(policyItem, request)) {
-								if(!accessResult.isAllowed() && access.getIsAllowed()) {
-									accessResult.setIsAllowed(true);
-									accessResult.setPolicyId(policy.getId());
-								}
+						for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
+							if(!accessResult.isAllowed() && access.getIsAllowed()) {
+								accessResult.setIsAllowed(true);
+								accessResult.setPolicyId(policy.getId());
+
+								break;
 							}
 						}
+					} else {
+						if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
+							continue;
+						}
+
+						if(! matchCustomConditions(policyItem, request)) {
+							continue;
+						}
+
+						for(String accessType : request.getAccessTypes()) {
+							RangerAccessResult.ResultDetail accessResult = result.getAccessTypeResult(accessType);
 
-						if(result.isAllAllowedAndAudited()) {
-							break;
+							if(CollectionUtils.isEmpty(policyItem.getAccesses())) {
+								if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
+									accessResult.setIsAudited(true);
+								}
+
+								continue;
+							}
+							
+							RangerPolicyItemAccess access = getAccess(policyItem, accessType);
+							
+							if(access == null) {
+								continue;
+							}
+
+
+							if(accessResult.isAllowed() && accessResult.isAudited()) {
+								continue;
+							}
+	
+							if(!accessResult.isAudited() && policy.getIsAuditEnabled()) {
+								accessResult.setIsAudited(true);
+							}
+	
+							if(!accessResult.isAllowed() && access.getIsAllowed()) {
+								accessResult.setIsAllowed(true);
+								accessResult.setPolicyId(policy.getId());
+							}
 						}
 					}
 
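Review bot: In the `else` branch the audit flag is set only after `matchUserGroup` and `matchCustomConditions` have passed, while the `ACCESS_ANY` branch above and the removed code set it before the user/group check. A request from a user who is not listed in any policy item is therefore never marked audited, even when `policy.getIsAuditEnabled()` is true, so denied attempts on an audited resource may go unrecorded. If audit is meant to follow the resource rather than the requester, mark it before the user/group filter as sketched below. The enclosing `evaluate` method starts and ends outside this hunk.

```java
					} else {
						// audit follows the resource match, not the requester
						if(policy.getIsAuditEnabled()) {
							for(String accessType : request.getAccessTypes()) {
								result.getAccessTypeResult(accessType).setIsAudited(true);
							}
						}

						if(! matchUserGroup(policyItem, request.getUser(), request.getUserGroups())) {
							continue;
						}
						// … unchanged: custom-condition check and per-access-type loop …
```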
@@ -142,13 +181,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		if(matchers != null && !matchers.isEmpty()) {
 			ret = true;
 
-			for(ResourceDefMatcher matcher : matchers) {
-				 String resourceName  = matcher.getResourceName();
+			for(RangerResourceMatcher matcher : matchers) {
+				 String resourceName  = matcher.getResourceDef().getName();
 				 String resourceValue = resource.getValue(resourceName);
 
-				 if(resourceValue != null) {
-					 ret = matcher.isMatch(resourceValue);
-				 }
+				 ret = matcher.isMatch(resourceValue);
 
 				 if(! ret) {
 					 break;
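Review bot: `isMatch` is now called with whatever `resource.getValue(resourceName)` returns, including null, because the `resourceValue != null` guard was removed and `init` now builds a matcher for every resource in the service definition. Each `RangerResourceMatcher` implementation therefore decides what a missing request value means, and that contract is not written down here. Add a comment at the call, e.g. `// resourceValue is null when the request does not name this resource; matchers must handle it`, and document the same on `RangerResourceMatcher.isMatch`. `matcher.getResourceDef()` is also dereferenced without a null check.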
@@ -229,32 +266,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		return ret;
 	}
 
-	protected RangerResourceDef getResourceDef(String resourceName) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceDef(" + resourceName + ")");
-		}
-
-		RangerResourceDef ret = null;
-
-		RangerServiceDef serviceDef = getServiceDef();
-
-		if(serviceDef != null && resourceName != null) {
-			for(RangerResourceDef resourceDef : serviceDef.getResources()) {
-				if(StringUtils.equalsIgnoreCase(resourceName, resourceDef.getName())) {
-					ret = resourceDef;
-
-					break;
-				}
-			}
-		}
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceDef(" + resourceName + "): "
+ ret);
-		}
-
-		return ret;
-	}
-
 	protected RangerResourceMatcher createResourceMatcher(RangerResourceDef resourceDef, RangerPolicyResource
resource) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerDefaultPolicyEvaluator.createResourceMatcher(" + resourceDef +
", " + resource + ")");
@@ -286,7 +297,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		}
 
 		if(ret != null) {
-			ret.init(resource,  options);
+			ret.init(resourceDef, resource,  options);
 		}
 
 		if(LOG.isDebugEnabled()) {
@@ -303,10 +314,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
 		sb.append("matchers={");
 		if(matchers != null) {
-			for(ResourceDefMatcher matcher : matchers) {
-				sb.append("{");
-				matcher.toString(sb);
-				sb.append("} ");
+			for(RangerResourceMatcher matcher : matchers) {
+				sb.append("{").append(matcher).append("} ");
 			}
 		}
 		sb.append("} ");
@@ -315,47 +324,4 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
 		return sb;
 	}
-	
-	class ResourceDefMatcher {
-		RangerResourceDef     resourceDef     = null;
-		RangerResourceMatcher resourceMatcher = null;
-
-		ResourceDefMatcher(RangerResourceDef resourceDef, RangerResourceMatcher resourceMatcher)
{
-			this.resourceDef     = resourceDef;
-			this.resourceMatcher = resourceMatcher;
-		}
-		
-		String getResourceName() {
-			return resourceDef.getName();
-		}
-
-		boolean isMatch(String value) {
-			return resourceMatcher.isMatch(value);
-		}
-
-		boolean isMatch(Collection<String> values) {
-			boolean ret = false;
-
-			if(values == null || values.isEmpty()) {
-				ret = resourceMatcher.isMatch(null);
-			} else {
-				for(String value : values) {
-					ret = resourceMatcher.isMatch(value);
-
-					if(! ret) {
-						break;
-					}
-				}
-			}
-
-			return ret;
-		}
-
-		public StringBuilder toString(StringBuilder sb) {
-			sb.append("resourceDef={").append(resourceDef).append("} ");
-			sb.append("resourceMatcher={").append(resourceMatcher).append("} ");
-
-			return sb;
-		}
-	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index 68ff85a..e194e54 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -19,36 +19,47 @@
 
 package org.apache.ranger.plugin.resourcematcher;
 
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 
 
 public abstract class RangerAbstractResourceMatcher implements RangerResourceMatcher {
 	private static final Log LOG = LogFactory.getLog(RangerAbstractResourceMatcher.class);
 
+	public final String WILDCARD_PATTERN = ".*";
+
 	public final String OPTIONS_SEP        = ";";
 	public final String OPTION_NV_SEP      = "=";
 	public final String OPTION_IGNORE_CASE = "ignoreCase";
 	public final String OPTION_WILD_CARD   = "wildCard";
 
+	private RangerResourceDef    resourceDef    = null;
 	private RangerPolicyResource policyResource = null;
 	private String               optionsString  = null;
 	private Map<String, String>  options        = null;
 
-	protected boolean optIgnoreCase    = false;
-	protected boolean optWildCard      = false;
+	protected boolean      optIgnoreCase = false;
+	protected boolean      optWildCard   = false;
+
+	protected List<String> policyValues     = null;
+	protected boolean      policyIsExcludes = false;
+	protected boolean      isMatchAny       = false;
 
 	@Override
-	public void init(RangerPolicyResource policyResource, String optionsString) {
+	public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String
optionsString) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerAbstractResourceMatcher.init(" + policyResource + ", " + optionsString
+ ")");
+			LOG.debug("==> RangerAbstractResourceMatcher.init(" + resourceDef + ", " + policyResource
+ ", " + optionsString + ")");
 		}
 
+		this.resourceDef    = resourceDef;
 		this.policyResource = policyResource;
 		this.optionsString  = optionsString;
 
@@ -76,12 +87,46 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 		optIgnoreCase = getBooleanOption(OPTION_IGNORE_CASE, true);
 		optWildCard   = getBooleanOption(OPTION_WILD_CARD, true);
 
+		policyValues     = new ArrayList<String>();
+		policyIsExcludes = policyResource == null ? false : policyResource.getIsExcludes();
+
+		if(policyResource != null && policyResource.getValues() != null) {
+			for(String policyValue : policyResource.getValues()) {
+				if(policyValue == null) {
+					continue;
+				}
+
+				if(optIgnoreCase) {
+					policyValue = policyValue.toLowerCase();
+				}
+
+				if(optWildCard) {
+					policyValue = getWildCardPattern(policyValue);
+				}
+
+				if(policyValue.equals(WILDCARD_PATTERN)) {
+					isMatchAny = true;
+				}
+
+				policyValues.add(policyValue);
+			}
+		}
+
+		if(policyValues.isEmpty()) {
+			isMatchAny = true;
+		}
+
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerAbstractResourceMatcher.init(" + policyResource + ", " + optionsString
+ ")");
+			LOG.debug("<== RangerAbstractResourceMatcher.init(" + resourceDef + ", " + policyResource
+ ", " + optionsString + ")");
 		}
 	}
 
 	@Override
+	public RangerResourceDef getResourceDef() {
+		return resourceDef;
+	}
+
+	@Override
 	public RangerPolicyResource getPolicyResource() {
 		return policyResource;
 	}
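Review bot: `isMatchAny` is only ever set to true in this hunk. `policyValues` and `policyIsExcludes` are recomputed on every `init`, but a matcher initialised a second time with a narrower policy would keep a stale match-any flag; adding `isMatchAny = false;` next to `policyValues = new ArrayList<String>();` closes that. The `policyValue.equals(WILDCARD_PATTERN)` test also runs when `optWildCard` is false, so a literal `.*` value would be treated as match-any with wildcards switched off; `if(optWildCard && policyValue.equals(WILDCARD_PATTERN))` keeps the two options consistent. The start of `init` lies in the previous hunk.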
@@ -149,6 +194,11 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 	public StringBuilder toString(StringBuilder sb) {
 		sb.append("RangerAbstractResourceMatcher={");
 
+		sb.append("resourceDef={");
+		if(resourceDef != null) {
+			resourceDef.toString(sb);
+		}
+		sb.append("} ");
 		sb.append("policyResource={");
 		if(policyResource != null) {
 			policyResource.toString(sb);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
index af413ff..13500dc 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
@@ -19,56 +19,28 @@
 
 package org.apache.ranger.plugin.resourcematcher;
 
-import java.util.ArrayList;
-import java.util.List;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 
 
 public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher {
 	private static final Log LOG = LogFactory.getLog(RangerDefaultResourceMatcher.class);
 
-	private List<String> policyValues     = null;
-	private boolean      policyIsExcludes = false;
 
 	@Override
-	public void init(RangerPolicyResource policyResource, String optionsString) {
+	public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String
optionsString) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultResourceMatcher.init(" + policyResource + ", " + optionsString
+ ")");
+			LOG.debug("==> RangerDefaultResourceMatcher.init(" + resourceDef + ", " + policyResource
+ ", " + optionsString + ")");
 		}
 
-		super.init(policyResource,  optionsString);
-
-		policyValues     = new ArrayList<String>();
-		policyIsExcludes = false;
-
-		if(policyResource != null) {
-			policyIsExcludes = policyResource.getIsExcludes();
-
-			if(policyResource.getValues() != null) {
-				for(String policyValue : policyResource.getValues()) {
-					if(policyValue == null) {
-						continue;
-					}
-
-					if(optIgnoreCase) {
-						policyValue = policyValue.toLowerCase();
-					}
-
-					if(optWildCard) {
-						policyValue = getWildCardPattern(policyValue);
-					}
-
-					policyValues.add(policyValue);
-				}
-			}
-		}
+		super.init(resourceDef, policyResource,  optionsString);
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultResourceMatcher.init(" + policyResource + ", " + optionsString
+ ")");
+			LOG.debug("<== RangerDefaultResourceMatcher.init(" + resourceDef + ", " + policyResource
+ ", " + optionsString + ")");
 		}
 	}
 
@@ -92,6 +64,8 @@ public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher
 					break;
 				}
 			}
+		} else {
+			ret = isMatchAny;
 		}
 
 		if(policyIsExcludes) {
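Review bot: The new `else` branch feeds `isMatchAny` into the `policyIsExcludes` handling that follows, and nothing visible on this page explains or tests that combination. If the inversion below is a plain negation (it lies outside the hunk, as does the `if` this `else` belongs to), an excludes policy with specific values would report a match for a request that carries no value for this resource. A comment on the branch such as `// request has no value for this resource: match only if the policy accepts any value`, together with a stated decision for the excludes case, would make the intent reviewable. The same two lines are added to RangerPathResourceMatcher in its second hunk.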

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index d5c2f6f..79f68c0 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -19,56 +19,31 @@
 
 package org.apache.ranger.plugin.resourcematcher;
 
-import java.util.ArrayList;
-import java.util.List;
-
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 
 
 public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
 	private static final Log LOG = LogFactory.getLog(RangerPathResourceMatcher.class);
 
-	private List<String> policyValues      = null;
-	private boolean      policyIsExcludes  = false;
-	private boolean      policyIsRecursive = false;
+	private boolean policyIsRecursive = false;
 
 	@Override
-	public void init(RangerPolicyResource policyResource, String optionsString) {
+	public void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String
optionsString) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPathResourceMatcher.init(" + policyResource + ", " + optionsString
+ ")");
+			LOG.debug("==> RangerPathResourceMatcher.init(" + resourceDef + ", " + policyResource
+ ", " + optionsString + ")");
 		}
 
-		super.init(policyResource,  optionsString);
-
-		policyValues      = new ArrayList<String>();
-		policyIsExcludes  = false;
-		policyIsRecursive = false;
-
-		if(policyResource != null) {
-			policyIsExcludes  = policyResource.getIsExcludes();
-			policyIsRecursive = policyResource.getIsRecursive();
-
-			if(policyResource.getValues() != null) {
-				for(String policyValue : policyResource.getValues()) {
-					if(policyValue == null) {
-						continue;
-					}
-	
-					if(optIgnoreCase) {
-						policyValue = policyValue.toLowerCase();
-					}
+		super.init(resourceDef, policyResource,  optionsString);
 
-					policyValues.add(policyValue);
-				}
-			}
-		}
+		policyIsRecursive = policyResource == null ? false : policyResource.getIsRecursive();
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPathResourceMatcher.init(" + policyResource + ", " + optionsString
+ ")");
+			LOG.debug("<== RangerPathResourceMatcher.init(" + resourceDef + ", " + policyResource
+ ", " + optionsString + ")");
 		}
 	}
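Review bot: Path policy values now pass through `getWildCardPattern()` in the base `init` whenever `optWildCard` is set, which the loop removed here never did (it only lower-cased them). `getWildCardPattern` and the match code are outside this hunk, but the class imports `FilenameUtils`, so if values are still compared as glob patterns, a rewritten value may stop matching paths it used to match, or match different ones. A comment above the call, for example `// super.init() also applies getWildCardPattern() to each value; isMatch() must expect that form`, and a path test using a `*` value would pin the intended behaviour.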
 
@@ -96,6 +71,8 @@ public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher
{
 					break;
 				}
 			}
+		} else {
+			ret = isMatchAny;
 		}
 
 		if(policyIsExcludes) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
index 3c9b687..c750cd8 100644
--- a/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
+++ b/plugin-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
@@ -20,9 +20,12 @@
 package org.apache.ranger.plugin.resourcematcher;
 
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 
 public interface RangerResourceMatcher {
-	void init(RangerPolicyResource policyResource, String optionsString);
+	void init(RangerResourceDef resourceDef, RangerPolicyResource policyResource, String optionsString);
+
+	RangerResourceDef getResourceDef();
 
 	RangerPolicyResource getPolicyResource();
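Review bot: The widened `init` signature has no Javadoc saying what a null `policyResource` or an empty value list means. The abstract implementation in this commit treats both as match-any, which is a permissive default that implementers and callers of an authorization matcher should be able to read from the interface. Suggested comment on `init`: `/** A null policyResource, or one with no non-null values, matches any resource value. resourceDef may be null. */`, with the `resourceDef` part to be confirmed, since only `toString` is shown guarding it against null.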
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
index 04127bb..696f5a9 100644
--- a/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
+++ b/plugin-common/src/main/resources/service-defs/ranger-servicedef-hbase.json
@@ -41,7 +41,8 @@
   [
     {"name":"read","label":"Read"},
 	{"name":"write","label":"Write"},
-	{"name":"create","label":"Create"}
+	{"name":"create","label":"Create"},
+	{"name":"admin","label":"Admin","impliedAccessTypes":["read","write","create"]}
   ],
   "policyConditions":
   [

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e8b58a91/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
----------------------------------------------------------------------
diff --git a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
index a63d24a..ef45c84 100644
--- a/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
+++ b/plugin-common/src/test/resources/policyengine/test_policyengine_01.json
@@ -26,7 +26,7 @@
     {"id":1,"name":"audit-all-select","isEnabled":true,"isAuditEnabled":true,
      "resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
      "policyItems":[
-       {"accesses":[{"type":"select","isAllowed":false}],"users":[],"groups":["public"],"delegateAdmin":false}
+       {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
      ]
     }
     ,
@@ -41,60 +41,60 @@
   ],
 
   "tests":[
-    {"name":"'use default;' as user1 ==> ALLOWED",
+    {"name":"'use default;' as user1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use default"
+      "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use default"
      },
-     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+     "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
-    {"name":"'use default;' as user2 ==> ALLOWED",
+    {"name":"'use default;' as user2 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessTypes":["select"],"user":"user2","userGroups":["users"],"requestData":"use default"
+      "accessTypes":[],"user":"user2","userGroups":["users"],"requestData":"use default"
      },
-     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+     "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'use default;' as user3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessTypes":["select"],"user":"user3","userGroups":["users"],"requestData":"use default"
+      "accessTypes":[],"user":"user3","userGroups":["users"],"requestData":"use default"
      },
-     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+     "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
-    {"name":"'use default;' as user3, group1 ==> ALLOWED",
+    {"name":"'use default;' as user3, group1 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessTypes":["select"],"user":"user3","userGroups":["users", "group1"],"requestData":"use
default"
+      "accessTypes":[],"user":"user3","userGroups":["users", "group1"],"requestData":"use
default"
      },
-     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+     "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
-    {"name":"'use default;' as user3, group2 ==> ALLOWED",
+    {"name":"'use default;' as user3, group2 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessTypes":["select"],"user":"user3","userGroups":["users", "group2"],"requestData":"use
default"
+      "accessTypes":[],"user":"user3","userGroups":["users", "group2"],"requestData":"use
default"
      },
-     "result":{"accessTypeResults":{"select":{"isAllowed":true,"isAudited":true,"policyId":2}}}
+     "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'use default;' as user3, group3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"default"}},
-      "accessTypes":["select"],"user":"user3","userGroups":["users", "group3"],"requestData":"use
default"
+      "accessTypes":[],"user":"user3","userGroups":["users", "group3"],"requestData":"use
default"
      },
-     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+     "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'use finance;' as user3, group3 ==> DENIED",
      "request":{
       "resource":{"elements":{"database":"finance"}},
-      "accessTypes":["select"],"user":"user1","userGroups":["users"],"requestData":"use finance"
+      "accessTypes":[],"user":"user1","userGroups":["users"],"requestData":"use finance"
      },
-     "result":{"accessTypeResults":{"select":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
+     "result":{"accessTypeResults":{"any":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'select col1 from default.testtable;' as user1 ==> ALLOWED",
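Review bot: None of the seven rewritten `use default` / `use finance` cases expects `"isAllowed":true` for the `any` result, so this fixture cannot tell a working "any" evaluation from one that always denies. Four of them flip from ALLOWED (policyId 2) to DENIED (policyId -1) for users who still hold `select` on `default`, which is worth confirming as intended rather than a side effect of the empty `accessTypes`. Adding at least one case whose expected result is `{"any":{"isAllowed":true,"isAudited":true,"policyId":2}}` would cover the allow path.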
@@ -222,7 +222,7 @@
       "resource":{"elements":{"database":"default","table":"table1"}},
       "accessTypes":["create"],"user":"user1","userGroups":["users"],"requestData":"create
table default.testtable1"
      },
-     "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+     "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'create table default.table1;' as user1, admin ==> DENIED",
@@ -230,7 +230,7 @@
       "resource":{"elements":{"database":"default","table":"table1"}},
       "accessTypes":["create"],"user":"user1","userGroups":["users","admin"],"requestData":"create
table default.testtable1"
      },
-     "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+     "result":{"accessTypeResults":{"create":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'drop table default.table1;' as user1 ==> DENIED",
@@ -238,7 +238,7 @@
       "resource":{"elements":{"database":"default","table":"table1"}},
       "accessTypes":["drop"],"user":"user1","userGroups":["users"],"requestData":"drop table
default.testtable1"
      },
-     "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+     "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'drop table default.table1;' as user1, admin ==> DENIED",
@@ -246,7 +246,7 @@
       "resource":{"elements":{"database":"default","table":"table1"}},
       "accessTypes":["drop"],"user":"user1","userGroups":["users","admin"],"requestData":"drop
table default.testtable1"
      },
-     "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":false,"policyId":-1}}}
+     "result":{"accessTypeResults":{"drop":{"isAllowed":false,"isAudited":true,"policyId":-1}}}
     }
     ,
     {"name":"'select col1 from default.table1;' as user3 ==> DENIED",

