From mad...@apache.org
Subject incubator-ranger git commit: Added tests for geo location data where IP addresses are provided as long integers, combined long and dot format tests together
Date Fri, 04 Sep 2015 04:31:19 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/tag-policy 7f8e0605a -> 03083e74d


Added tests for geo location data where IP addresses are provided as long integers, combined
long and dot format tests together

Signed-off-by: Madhan Neethiraj <madhan@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/03083e74
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/03083e74
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/03083e74

Branch: refs/heads/tag-policy
Commit: 03083e74ded843060f385d119875e8ee9eb8ddc1
Parents: 7f8e060
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Wed Sep 2 16:07:24 2015 -0700
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Thu Sep 3 21:24:13 2015 -0700

----------------------------------------------------------------------
 .../RangerAbstractGeolocationProvider.java      |  25 +--
 .../plugin/geo/RangerGeolocationData.java       |  11 +-
 .../main/resources/etc/ranger/geo/geo_long.txt  |  29 +++
 .../plugin/policyengine/TestPolicyEngine.java   |   7 +
 .../policyengine/test_policyengine_geo.json     | 212 +++++++++++++++++++
 .../policyengine/test_policyengine_hdfs.json    |   2 +-
 6 files changed, 255 insertions(+), 31 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
index 3f52001..e98fe04 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractGeolocationProvider.java
@@ -39,7 +39,6 @@ public abstract class RangerAbstractGeolocationProvider extends RangerAbstractCo
 
 	private static final Log LOG = LogFactory.getLog(RangerAbstractGeolocationProvider.class);
 
-	public static final String ENRICHER_OPTION_GEOLOCATION_SOURCE_LOADER_OPTIONS = "geolocation.source.loader.options";
 	public static final String ENRICHER_OPTION_GEOLOCATION_META_PREFIX = "geolocation.meta.prefix";
 
 	public static final String KEY_CONTEXT_GEOLOCATION_PREFIX = "LOCATION_";
@@ -63,30 +62,8 @@ public abstract class RangerAbstractGeolocationProvider extends RangerAbstractCo
 
 		String geoSourceLoader = getGeoSourceLoader();
 
-		String geoSourceLoaderOptions = getOption(ENRICHER_OPTION_GEOLOCATION_SOURCE_LOADER_OPTIONS);
-		if (StringUtils.isBlank(geoSourceLoaderOptions)) {
-			geoSourceLoaderOptions = "{}";
-		}
-
-		Map<String, String> context = null;
 		GeolocationStore geoStore = null;
-
-
-		try {
-			Gson gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
-					.setPrettyPrinting()
-					.create();
-
-			Type mapType = new TypeToken<Map<String, String>>() {}.getType();
-			context = gsonBuilder.fromJson(geoSourceLoaderOptions, mapType);
-
-		} catch (JsonSyntaxException exception) {
-			LOG.error("RangerAbstractGeolocationProvider.init() - Cannot initialize geolocation.source.loader.options
map, valueString=" +
-					geoSourceLoaderOptions + ", exception=" + exception);
-		} catch (JsonParseException exception) {
-			LOG.error("RangerAbstractGeolocationProvider.init() - Cannot initilize geolocation.source.loader.options
map, valueString=" +
-					geoSourceLoaderOptions + ", exception=" + exception);
-		}
+		Map<String, String> context = enricherDef.getEnricherOptions();
 
 		if (context != null) {
 			try {
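Review bot: Enricher definitions that still carry the old `geolocation.source.loader.options` JSON string are now ignored without any message, because `context` is read straight from `enricherDef.getEnricherOptions()` and the legacy key is no longer parsed. If the loader then finds no `FilePath`, the location attributes are presumably never set, and a policy condition written as a deny-list on country would evaluate as if the client had no location at all. A warning here would make the migration visible: `if (context != null && context.containsKey("geolocation.source.loader.options")) { LOG.warn("geolocation.source.loader.options is no longer read; move its entries into enricherOptions"); }`. The map is also the enricher definition's own options object and now includes `geolocation.meta.prefix`, so the loader should treat it as read-only. init() starts and ends outside this hunk.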

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
b/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
index 9cc1a3f..6f1f3f3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationData.java
@@ -46,13 +46,12 @@ public class RangerGeolocationData implements Comparable<RangerGeolocationData>,
 			if (RangerGeolocationData.validateAsIP(startAddress, useDotFormat) && RangerGeolocationData.validateAsIP(endAddress,
useDotFormat)) {
 
 				long startIP, endIP;
-				if (useDotFormat) {
-					startIP = RangerGeolocationData.ipAddressToLong(startAddress);
-					endIP = RangerGeolocationData.ipAddressToLong(endAddress);
-				} else {
-					startIP = Long.valueOf(startAddress);
-					endIP = Long.valueOf(endAddress);
+				if (!useDotFormat) {
+					startAddress = RangerGeolocationData.unsignedIntToIPAddress(Long.valueOf(startAddress));
+					endAddress = RangerGeolocationData.unsignedIntToIPAddress(Long.valueOf(endAddress));
 				}
+				startIP = RangerGeolocationData.ipAddressToLong(startAddress);
+				endIP = RangerGeolocationData.ipAddressToLong(endAddress);
 
 				if ((endIP - startIP) >= 0) {
 
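Review bot: In the `!useDotFormat` branch the value from `Long.valueOf(startAddress)` goes to `unsignedIntToIPAddress` without a visible range check, so a negative number or one above 4294967295 in the data file may be folded into a valid-looking IPv4 range instead of being rejected; whether `validateAsIP` already enforces this is not visible here. Since these ranges feed access decisions, an explicit guard before the conversion would be safer, e.g. `long v = Long.parseLong(startAddress); if (v < 0 || v > 0xFFFFFFFFL) { /* reject the line */ }`. `Long.parseLong` also avoids the boxing that `Long.valueOf` does. The enclosing method begins and ends outside the hunk.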

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/main/resources/etc/ranger/geo/geo_long.txt
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/etc/ranger/geo/geo_long.txt b/agents-common/src/main/resources/etc/ranger/geo/geo_long.txt
new file mode 100644
index 0000000..f0cf287
--- /dev/null
+++ b/agents-common/src/main/resources/etc/ranger/geo/geo_long.txt
@@ -0,0 +1,29 @@
+# This is a sample geolocation data format used by Ranger
+# If a line contains '#' as a first-nonblank character then it is considered a comment line
+# First non-comment line in the file must be metadata line; metadata line contains '!' as
first character
+# Format of metadata and data lines is strictly Comma-Separated-Values. Spaces are not allowed
to surround commas.
+# Only IP-4 address values in dot-notation are supported.
+#
+FROM_IP,TO_IP,COUNTRY_CODE,COUNTRY_NAME,STATE,CITY,ZIP,LAT,LONG
+167772415,167772928,US,United States,CA
+335570020,335570029,US,United States,MT
+335570000,335570009,CA,Canada
+335570030,335570039,BR,Brazil
+335569990,335569993,IN,India
+335570040,335570049,NG,Nigeria
+335570010,335570014,AUS,Austalia
+335569994,335569999,AN,Angola
+335570015,335570019,UK,United Kingdom
+3229639681,3229639755,FR,France
+16777216,16777471,AU,Australia,Queensland,Brisbane
+16777472,16778239,CN,China,Fujian,Fuzhou,
+16778240,16778495,AU,Australia,Victoria,Melbourne,
+16778496,16779263,AU,Australia,-,-,
+16779264,16781311,CN,China,Guangdong,Guangzhou,
+4294967040,4294967295,CN,China,Guangdong,Guangzhou,
+16781312,16785407,JP,Japan,Tokyo,Tokyo,
+16785408,16793599,CN,China,Guangdong,Guangzhou,
+16793600,16797695,JP,Japan,Hiroshima,Hiroshima,
+16797696,16798719,JP,Japan,Tokyo,Tokyo,
+2154128740,2154128895,US,United States,Minnesota,Minneapolis
+#16797696,16798719,JP,Japan,Tokyo,Tokyo
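Review bot: The header comments in this new file contradict its content: one says `Only IP-4 address values in dot-notation are supported` while every range below is a long integer, and another says the metadata line starts with '!' while the `FROM_IP,...` line does not. I would reword the first to `# IPv4 address values are given as unsigned 32-bit integers (IPInDotFormat=false).` and either prefix the metadata line as described or correct that comment, depending on what the parser actually accepts. The file is sample data used by the new test but is added under `src/main/resources`, so it would presumably ship with the artifact; `src/test/resources` looks like the better home unless it is meant as a packaged example.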

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index a6d0812..3a7448f 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -179,6 +179,13 @@ public class TestPolicyEngine {
 		runTestsFromResourceFiles(conditionsTestResourceFiles);
 	}
 
+	@Test
+	public void testPolicyEngine_geo() {
+		String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_geo.json" };
+
+		runTestsFromResourceFiles(conditionsTestResourceFiles);
+	}
+
 	private void runTestsFromResourceFiles(String[] resourceNames) {
 		for(String resourceName : resourceNames) {
 			InputStream       inStream = this.getClass().getResourceAsStream(resourceName);
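Review bot: The local in `testPolicyEngine_geo` is still called `conditionsTestResourceFiles`, which looks copied from the conditions test above it and no longer describes what it holds. Something like `String[] geoTestResourceFiles = { "/policyengine/test_policyengine_geo.json" };` reads correctly. `runTestsFromResourceFiles` continues past the end of this hunk.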

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/test/resources/policyengine/test_policyengine_geo.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_geo.json b/agents-common/src/test/resources/policyengine/test_policyengine_geo.json
new file mode 100644
index 0000000..eab1223
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_geo.json
@@ -0,0 +1,212 @@
+{
+  "serviceName":"hdfsdev",
+
+  "serviceDef":{
+    "name":"hdfs",
+    "id":1,
+    "resources":[
+    {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Resource Path","description":"HDFS file or directory path"}
+    ],
+    "accessTypes":[
+      {"name":"read","label":"Read"},
+      {"name":"write","label":"Write"},
+      {"name":"execute","label":"Execute"}
+    ],
+    "contextEnrichers":
+    [
+      {
+        "itemId":1,
+        "name" : "GeolocationEnricher_format_long",
+        "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+        "enricherOptions" : {
+          "FilePath":"/etc/ranger/geo/geo_long.txt", "ForceRead":"false", "IPInDotFormat":"false"
+          ,"geolocation.meta.prefix": "FORMAT_LONG_"
+        }
+      },
+      {
+        "itemId":2,
+        "name" : "GeolocationEnricher_format_dot",
+        "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+        "enricherOptions" : {
+          "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true"
+        ,"geolocation.meta.prefix": "FORMAT_DOT_"
+        }
+      }
+    ],
+    "policyConditions": [
+      {
+        "itemId":1,
+        "name":"ScriptConditionEvaluator",
+        "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+        "evaluatorOptions" : {"engineName":"JavaScript"},
+        "label":"Script",
+        "description": "Script to execute"
+      }
+    ]
+  },
+
+  "policies":[
+    {"id":1,"name":"audit-all-access under /finance/restricted/","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"path":{"values":["/finance/restricted/"],"isRecursive":true}},
+     "policyItems":[
+       {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":2,"name":"allow-read-to-all under /public/","isEnabled":true,"isAuditEnabled":false,
+     "resources":{"path":{"values":["/public/*"],"isRecursive":true}},
+     "policyItems":[
+       {"accesses":[{"type":"read","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":3,"name":"allow-read-to-finance under /finance/restricted","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"path":{"values":["/finance/restricted"],"isRecursive":true}},
+     "policyItems":[
+       {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false,
+         "conditions":[{
+           "type":"ScriptConditionEvaluator",
+           "values":["var country_code_format_long = ctx.getRequestContextAttribute('LOCATION_FORMAT_LONG_COUNTRY_CODE');
var country_code_format_dot = ctx.getRequestContextAttribute('LOCATION_FORMAT_DOT_COUNTRY_CODE');ctx.result
= (!!country_code_format_long && !!country_code_format_dot && (country_code_format_long
== country_code_format_dot));"]
+         }]}
+     ]
+    }
+  ],
+
+  "tests":[
+    {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; valid clientIPAddress",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db",
+       "clientIPAddress":"255.255.255.255"
+     },
+     "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+    }
+    ,
+    {"name":"DENY 'read /finance/restricted/sales.db' for g=finance; invalid clientIPAddress",
+      "request":{
+        "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+        "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db",
+        "clientIPAddress":"128.101.101.99"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+  ,
+    {"name":"ALLOW 'read /finance/restricted/sales.db' for g=finance; no clientIPAddress",
+      "request":{
+        "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+        "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/sales.db"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+  ,
+    {"name":"ALLOW 'read /finance/restricted/hr/payroll.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/hr/payroll.db",
+       "clientIPAddress":"128.101.101.101"
+
+     },
+     "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /operations/visitors.db",
+       "clientIPAddress":"128.101.101.99"
+     },
+     "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for g=finance",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+    ,
+
+    {"name":"DENY 'read /finance/restricted/sales.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/sales.db"
+     },
+     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"FALSE 'read /finance/restricted/hr/payroll.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /finance/restricted/hr/payroll.db"
+     },
+     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /operations/visitors.db"
+     },
+     "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for g=hr",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessType":"read","user":"user1","userGroups":["hr"],"requestData":"read /public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+    ,
+
+    {"name":"DENY 'read /finance/restricted/sales.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/sales.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/sales.db"
+     },
+     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"DENY 'read /finance/restricted/hr/payroll.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/finance/restricted/hr/payroll.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read /finance/restricted/hr/payroll.db"
+     },
+     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"DENY 'read /operations/visitors.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/operations/visitors.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read /operations/visitors.db"
+     },
+     "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology/blogs.db' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessType":"read","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+    ,
+    {"name":"ALLOW 'read /public/technology' for u=user1",
+     "request":{
+      "resource":{"elements":{"path":"/public/technology/blogs.db"}},
+      "accessType":"execute","user":"user1","userGroups":[],"requestData":"read /public/technology/blogs.db"
+     },
+     "result":{"isAudited":false,"isAllowed":true,"policyId":2}
+    }
+  ]
+}
+
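Review bot: The third test is named `ALLOW 'read /finance/restricted/sales.db' for g=finance; no clientIPAddress` but expects `"isAllowed":false`, and this is the fail-closed case the fixture most needs to pin down; naming it `DENY ... no clientIPAddress` keeps a failure report from reading as the opposite of what is asserted. The entry named `FALSE 'read /finance/restricted/hr/payroll.db' for g=hr` breaks the ALLOW/DENY naming convention in the same way, and the last two tests share the name `ALLOW 'read /public/technology' for u=user1` although one checks `read` and the other `execute`. The script condition only compares the two country codes with each other, so a case where an address resolves in one data file but not the other would document that such a request is denied.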

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/03083e74/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index db92668..a7f355c 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -19,7 +19,7 @@
         "name" : "GeolocationEnricher",
         "enricher" : "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
         "enricherOptions" : {
-          "geolocation.source.loader.options": "{'FilePath':'/etc/ranger/geo/geo.txt', 'ForceRead':'false',
'IPInDotFormat':'true' }"
+          "FilePath":"/etc/ranger/geo/geo.txt", "ForceRead":"false", "IPInDotFormat":"true"
           ,"geolocation.meta.prefix": "TEST_"
         }
       }

