From mad...@apache.org
Subject incubator-ranger git commit: RANGER-889: Policy engine API to find list of users/groups having access to a resource
Date Thu, 24 Mar 2016 06:41:37 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master 31c2b030c -> e5ca0fe51


RANGER-889: Policy engine API to find list of users/groups having access to a resource

(cherry picked from commit 3bfc2e12c1ad825fedc4e339ae988d840d03b8ae)


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e5ca0fe5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e5ca0fe5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e5ca0fe5

Branch: refs/heads/master
Commit: e5ca0fe51390c48d4a5f67ca46db9ecd53b41c0a
Parents: 31c2b03
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Mon Mar 21 10:16:43 2016 -0700
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Wed Mar 23 23:28:31 2016 -0700

----------------------------------------------------------------------
 .../plugin/policyengine/RangerPolicyEngine.java |   3 +-
 .../policyengine/RangerPolicyEngineImpl.java    |  43 ++++++-
 .../policyengine/RangerResourceAccessInfo.java  | 116 +++++++++++++++++++
 .../RangerAbstractPolicyItemEvaluator.java      |   2 +
 .../RangerDefaultPolicyEvaluator.java           |  87 +++++++++++++-
 .../policyevaluator/RangerPolicyEvaluator.java  |   4 +
 .../RangerPolicyItemEvaluator.java              |   2 +
 .../ranger/plugin/service/RangerBasePlugin.java |  12 ++
 .../plugin/policyengine/TestPolicyEngine.java   |  22 +++-
 .../test_policyengine_resource_access_info.json | 106 +++++++++++++++++
 10 files changed, 391 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 64870d9..d19e3d0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -61,8 +61,9 @@ public interface RangerPolicyEngine {
 
 	List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String
accessType);
 
+	RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request);
+
 	boolean preCleanup();
 
 	void cleanup();
-
 }
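Review bot: The new `getResourceAccessInfo` declaration carries no Javadoc, and its contract is not obvious from the name: the implementation in this commit returns the users and groups named in matching allow items minus those named in matching deny items, evaluated under the calling request's context. Callers need to be told that this is a set-wise approximation for display purposes and not an authorization decision. Suggest a Javadoc above the declaration such as: `/** Lists users and groups named in policies matching the request's resource and access type, minus those named in matching deny items. Informational only — not an access decision; use isAccessAllowed() for enforcement. */`.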

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 9e817d7..51cab80 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -448,6 +448,47 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		return ret;
 	}
 
+	@Override
+	public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.getResourceAccessInfo(" + request + ")");
+		}
+
+		RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request);
+
+		List<RangerPolicyEvaluator> tagPolicyEvaluators = tagPolicyRepository == null ? null
: tagPolicyRepository.getPolicyEvaluators();
+		List<RangerPolicyEvaluator> resPolicyEvaluators = policyRepository.getPolicyEvaluators();
+
+		if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) {
+			List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
+
+			if(CollectionUtils.isNotEmpty(tags)) {
+				for (RangerTag tag : tags) {
+					RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(),
request);
+
+					for (RangerPolicyEvaluator evaluator : tagPolicyEvaluators) {
+						evaluator.getResourceAccessInfo(tagEvalRequest, ret);
+					}
+				}
+			}
+		}
+
+		if(CollectionUtils.isNotEmpty(resPolicyEvaluators)) {
+			for (RangerPolicyEvaluator evaluator : resPolicyEvaluators) {
+				evaluator.getResourceAccessInfo(request, ret);
+			}
+		}
+
+		ret.getAllowedUsers().removeAll(ret.getDeniedUsers());
+		ret.getAllowedGroups().removeAll(ret.getDeniedGroups());
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.getResourceAccessInfo(" + request + "): " + ret);
+		}
+
+		return ret;
+	}
+
 	protected RangerAccessResult isAccessAllowedNoAudit(RangerAccessRequest request) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")");
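Review bot: The two `removeAll` calls at the end of getResourceAccessInfo subtract users from users and groups from groups only, so a deny on a group (including `public`) does not remove the individual users allowed elsewhere, and a user denied by name remains reachable through an allowed group. The result is therefore an over-approximation of who can reach the resource and must not feed an enforcement decision. Tag-policy and resource-policy contributions are also merged into the same sets, so whatever precedence isAccessAllowedNoAudit applies between them (its body is outside this hunk) is not reflected here. Suggest a comment above the two lines: `// set-wise subtraction only: group membership is not resolved, so this is an informational over-approximation`.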
@@ -513,7 +554,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ",
" + result + ")");
 		}
 
-		List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators();
+		List<RangerPolicyEvaluator> evaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators();
 
 		if (CollectionUtils.isNotEmpty(evaluators)) {
 			List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java
new file mode 100644
index 0000000..44ec854
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceAccessInfo.java
@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import java.util.HashSet;
+import java.util.Set;
+
+public class RangerResourceAccessInfo {
+    final private RangerAccessRequest request;
+    final private Set<String>         allowedUsers;
+    final private Set<String>         allowedGroups;
+    final private Set<String>         deniedUsers;
+    final private Set<String>         deniedGroups;
+
+
+    public RangerResourceAccessInfo(RangerAccessRequest request) {
+        this.request       = request;
+        this.allowedUsers  = new HashSet<String>();
+        this.allowedGroups = new HashSet<String>();
+        this.deniedUsers   = new HashSet<String>();
+        this.deniedGroups  = new HashSet<String>();
+    }
+
+    public RangerResourceAccessInfo(RangerResourceAccessInfo other) {
+        this.request       = other.request;
+        this.allowedUsers  = other.allowedUsers == null ? new HashSet<String>() : new
HashSet<String>(other.allowedUsers);
+        this.allowedGroups = other.allowedGroups == null ? new HashSet<String>() :
new HashSet<String>(other.allowedGroups);
+        this.deniedUsers   = other.deniedUsers == null ? new HashSet<String>() : new
HashSet<String>(other.deniedUsers);
+        this.deniedGroups  = other.deniedGroups == null ? new HashSet<String>() : new
HashSet<String>(other.deniedGroups);
+    }
+
+    public RangerAccessRequest getRequest() {
+        return request;
+    }
+
+    public Set<String> getAllowedUsers() {
+        return allowedUsers;
+    }
+
+    public Set<String> getAllowedGroups() {
+        return allowedGroups;
+    }
+
+    public Set<String> getDeniedUsers() {
+        return deniedUsers;
+    }
+
+    public Set<String> getDeniedGroups() {
+        return deniedGroups;
+    }
+
+    @Override
+    public String toString( ) {
+        StringBuilder sb = new StringBuilder();
+
+        toString(sb);
+
+        return sb.toString();
+    }
+
+    public StringBuilder toString(StringBuilder sb) {
+        sb.append("RangerResourceAccessInfo={");
+
+        sb.append("request={");
+        if(request != null) {
+            sb.append(request.toString());
+        }
+        sb.append("} ");
+
+        sb.append("allowedUsers={");
+        for(String user : allowedUsers) {
+            sb.append(user).append(" ");
+        }
+        sb.append("} ");
+
+        sb.append("allowedGroups={");
+        for(String group : allowedGroups) {
+            sb.append(group).append(" ");
+        }
+        sb.append("} ");
+
+        sb.append("deniedUsers={");
+        for(String user : deniedUsers) {
+            sb.append(user).append(" ");
+        }
+        sb.append("} ");
+
+        sb.append("deniedGroups={");
+        for(String group : deniedGroups) {
+            sb.append(group).append(" ");
+        }
+        sb.append("} ");
+
+        sb.append("}");
+
+        return sb;
+    }
+
+}
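Review bot: The copy constructor's null checks on `other.allowedUsers` and friends are only reachable for instances not built by the public constructor (for example deserialized from JSON, which is how this commit's test data produces them), yet `toString(StringBuilder)` and the getters do not guard the same fields, so `toString()` on such an instance would throw. Either apply the same null handling in `toString`, or state that only constructor-built instances are valid. The getters hand out the internal mutable sets, which the evaluators depend on to accumulate results, so that should be documented rather than left implicit; a class Javadoc such as `/** Accumulator for RangerPolicyEngine.getResourceAccessInfo(): evaluators add principals through the mutable sets returned by the getters; the allowed sets are net of denied entries only once the engine has finished. */` would cover it.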

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
index 514884f..7a082dd 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
@@ -21,6 +21,7 @@ package org.apache.ranger.plugin.policyevaluator;
 
 import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
@@ -31,6 +32,7 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
 
 
 public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyItemEvaluator
{

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2ce3a54..c48fb72 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -44,6 +44,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -170,10 +171,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
             }
 
             if (!result.getIsAccessDetermined()) {
-
                 // Attempt resource matching only if there may be a matchable policyItem
                 if (hasMatchablePolicyItem(request)) {
-
                     // Try Match only if it was not attempted as part of evaluating Audit
requirement
                     if (!isResourceMatchAttempted) {
                         isResourceMatch = isMatch(request.getResource());
@@ -357,6 +356,90 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		return ret;
 	}
 
+	@Override
+	public void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAccessInfo
result) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ",
" + result + ")");
+		}
+
+		final boolean isResourceMatch          = isMatch(request.getResource());
+		final boolean attemptResourceHeadMatch = request.isAccessTypeAny() || request.getResourceMatchingScope()
== RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS;
+		final boolean isResourceHeadMatch      = (!isResourceMatch && attemptResourceHeadMatch)
? matchResourceHead(request.getResource()) : false;
+
+		if(isResourceMatch || isResourceHeadMatch) {
+			if (CollectionUtils.isNotEmpty(allowEvaluators)) {
+				Set<String> users = new HashSet<String>();
+				Set<String> groups = new HashSet<String>();
+
+				getResourceAccessInfo(request, allowEvaluators, users, groups);
+
+				if (CollectionUtils.isNotEmpty(allowExceptionEvaluators)) {
+					Set<String> exceptionUsers = new HashSet<String>();
+					Set<String> exceptionGroups = new HashSet<String>();
+
+					getResourceAccessInfo(request, allowExceptionEvaluators, exceptionUsers, exceptionGroups);
+
+					users.removeAll(exceptionUsers);
+					groups.removeAll(exceptionGroups);
+				}
+
+				result.getAllowedUsers().addAll(users);
+				result.getAllowedGroups().addAll(groups);
+			}
+		}
+
+		if(isResourceMatch) {
+			if(CollectionUtils.isNotEmpty(denyEvaluators)) {
+				Set<String> users  = new HashSet<String>();
+				Set<String> groups = new HashSet<String>();
+
+				getResourceAccessInfo(request, denyEvaluators, users, groups);
+
+				if(CollectionUtils.isNotEmpty(denyExceptionEvaluators)) {
+					Set<String> exceptionUsers  = new HashSet<String>();
+					Set<String> exceptionGroups = new HashSet<String>();
+
+					getResourceAccessInfo(request, denyExceptionEvaluators, exceptionUsers, exceptionGroups);
+
+					users.removeAll(exceptionUsers);
+					groups.removeAll(exceptionGroups);
+				}
+
+				result.getDeniedUsers().addAll(users);
+				result.getDeniedGroups().addAll(groups);
+			}
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ",
" + result + ")");
+		}
+	}
+
+
+	private void getResourceAccessInfo(RangerAccessRequest request, List<? extends RangerPolicyItemEvaluator>
policyItems, Set<String> users, Set<String> groups) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ",
" + policyItems + ", " + users + ", " + groups + ")");
+		}
+
+		if (CollectionUtils.isNotEmpty(policyItems)) {
+			for (RangerPolicyItemEvaluator policyItemEvaluator : policyItems) {
+				if (policyItemEvaluator.matchAccessType(request.getAccessType()) && policyItemEvaluator.matchCustomConditions(request))
{
+					if (CollectionUtils.isNotEmpty(policyItemEvaluator.getPolicyItem().getUsers())) {
+						users.addAll(policyItemEvaluator.getPolicyItem().getUsers());
+					}
+
+					if (CollectionUtils.isNotEmpty(policyItemEvaluator.getPolicyItem().getGroups())) {
+						groups.addAll(policyItemEvaluator.getPolicyItem().getGroups());
+					}
+				}
+			}
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerDefaultPolicyEvaluator.getResourceAccessInfo(" + request + ",
" + policyItems + ", " + users + ", " + groups + ")");
+		}
+	}
+
 
 	protected boolean matchResourceHead(RangerAccessResource resource) {
 		if(LOG.isDebugEnabled()) {
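Review bot: In getResourceAccessInfo the exception handling (`users.removeAll(exceptionUsers)` and the group counterpart) is set-wise by principal kind: a user excluded through an exception group is not removed from `users`, and the same applies on the deny side, so the per-policy sets over-report both allows and denies whenever group membership is involved. In addition, `matchCustomConditions(request)` is evaluated once against the calling request, so any condition that depends on the requester (address, time, and so on) filters all listed principals by the caller's context rather than their own. Suggest a method comment stating both limits: `// Principals are collected per policy item without resolving group membership, and custom conditions are evaluated for the calling request only; the result is informational, not an access decision.` The enclosing class continues beyond this hunk.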

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 3c73082..25812a4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -31,6 +31,8 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
+
 
 public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> {
 	public static final String EVALUATOR_TYPE_AUTO   = "auto";
@@ -66,4 +68,6 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator>
 	boolean isAccessAllowed(RangerAccessResource resource, String user, Set<String> userGroups,
String accessType);
 
 	boolean isAccessAllowed(Map<String, RangerPolicyResource> resources, String user,
Set<String> userGroups, String accessType);
+
+	void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAccessInfo result);
 }
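Review bot: The new `getResourceAccessInfo(RangerAccessRequest, RangerResourceAccessInfo)` is an accumulate-into-result method but nothing says so; an implementer could reasonably clear or replace the sets in `result`, which would discard what earlier evaluators contributed when the engine iterates over all of them with the same object. Suggest a Javadoc on the declaration: `/** Adds the users/groups named by this policy's matching allow and deny items to result; implementations must only add, never clear, since the engine passes the same result to every evaluator. */`.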

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
index 9ac2f93..53f6df6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
@@ -24,6 +24,8 @@ import java.util.Set;
 import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
 
 public interface RangerPolicyItemEvaluator extends Comparable<RangerPolicyItemEvaluator>
{
 	public static final int POLICY_ITEM_TYPE_ALLOW            = 0;
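Review bot: The two imports added here, `RangerAccessResult` and `RangerResourceAccessInfo`, are not referenced by anything in this hunk, and the new method in this commit was added to RangerPolicyEvaluator rather than to this interface; unless the part of the interface outside the hunk uses them, they are dead imports and should be dropped. The `Set` and `RangerResourceAccessInfo` imports added to RangerAbstractPolicyItemEvaluator in the same commit look to be in the same situation.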

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index be54d36..1ec88d5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -182,6 +182,18 @@ public class RangerBasePlugin {
 		return null;
 	}
 
+	public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) {
+		RangerPolicyEngine policyEngine = this.policyEngine;
+
+		if(policyEngine != null) {
+			policyEngine.preProcess(request);
+
+			return policyEngine.getResourceAccessInfo(request);
+		}
+
+		return null;
+	}
+
 	public RangerAccessResult createAccessResult(RangerAccessRequest request) {
 		RangerPolicyEngine policyEngine = this.policyEngine;
 
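Review bot: `getResourceAccessInfo` enumerates every user and group named in policies matching the resource, which discloses policy contents, yet the visible method performs no check on who is asking and produces no audit record; the `null` return when no policy engine is loaded also has to be handled by callers. Plugins that surface this (for example through a SHOW GRANT-style command) should restrict it to users already permitted to read the policy, and consider auditing the call the way access checks are. Suggest a Javadoc: `/** Informational: lists principals named in policies matching request. Not audited and not an authorization check — the caller must ensure the requesting user may view policy contents. Returns null if no policy engine is loaded. */`.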

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index cd81836..05cbcde 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -181,6 +181,13 @@ public class TestPolicyEngine {
 	}
 
 	@Test
+	public void testPolicyEngine_resourceAccessInfo() {
+		String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_resource_access_info.json"
};
+
+		runTestsFromResourceFiles(conditionsTestResourceFiles);
+	}
+
+	@Test
 	public void testPolicyEngine_geo() {
 		String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_geo.json" };
 
@@ -238,7 +245,6 @@ public class TestPolicyEngine {
 		RangerAccessRequest request = null;
 
 		for(TestData test : testCase.tests) {
-
 			if (test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_TAGS) ||
 					test.request.getContext().containsKey(RangerAccessRequestUtil.KEY_CONTEXT_REQUESTED_RESOURCES))
{
 				// Create a new AccessRequest
@@ -332,6 +338,17 @@ public class TestPolicyEngine {
 				assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
 				assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
 			}
+
+			if(test.resourceAccessInfo != null) {
+				RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
+				RangerResourceAccessInfo result   = policyEngine.getResourceAccessInfo(test.request);
+
+				assertNotNull("result was null! - " + test.name, result);
+				assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers());
+				assertEquals("allowedGroups mismatched! - " + test.name, expected.getAllowedGroups(),
result.getAllowedGroups());
+				assertEquals("deniedUsers mismatched! - " + test.name, expected.getDeniedUsers(), result.getDeniedUsers());
+				assertEquals("deniedGroups mismatched! - " + test.name, expected.getDeniedGroups(), result.getDeniedGroups());
+			}
 		}
 	}
 
@@ -339,7 +356,7 @@ public class TestPolicyEngine {
 		public String             serviceName;
 		public RangerServiceDef   serviceDef;
 		public List<RangerPolicy> policies;
-		public TagPolicyInfo	tagPolicyInfo;
+		public TagPolicyInfo	  tagPolicyInfo;
 		public List<TestData>     tests;
 		
 		class TestData {
@@ -347,6 +364,7 @@ public class TestPolicyEngine {
 			public RangerAccessRequest request;
 			public RangerAccessResult  result;
 			public RangerDataMaskResult dataMaskResult;
+			public RangerResourceAccessInfo resourceAccessInfo;
 		}
 
 		class TagPolicyInfo {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e5ca0fe5/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json
b/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json
new file mode 100644
index 0000000..04d5236
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_resource_access_info.json
@@ -0,0 +1,106 @@
+{
+  "serviceName":"hivedev",
+
+  "serviceDef":{
+    "name":"hive",
+    "id":3,
+    "resources":[
+      {"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
+      {"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
+      {"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
+      {"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true,
"ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
+    ],
+    "accessTypes":[
+      {"name":"select","label":"Select"},
+      {"name":"update","label":"Update"},
+      {"name":"create","label":"Create"},
+      {"name":"drop","label":"Drop"},
+      {"name":"alter","label":"Alter"},
+      {"name":"index","label":"Index"},
+      {"name":"lock","label":"Lock"},
+      {"name":"all","label":"All"}
+    ],
+    "options": {
+      "enableDenyAndExceptionsInPolicies":"true"
+    }
+  },
+
+  "policies":[
+    {"id":1,"name":"db=default: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"database":{"values":["default"]},"table":{"values":["*"]},"column":{"values":["*"]}},
+     "policyItems":[
+       {"accesses":[],"users":[],"groups":["public"],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":2,"name":"db=default; table=test*; column=*","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"database":{"values":["default"]},"table":{"values":["test*"]},"column":{"values":["*"]}},
+     "policyItems":[
+       {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false}
+       ,
+       {"accesses":[{"type":"create","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["admin"],"groups":["admin"],"delegateAdmin":true}
+     ]
+    }
+    ,
+    {"id":3,"name":"db=db1; table=tbl*; column=*","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"database":{"values":["db1"]},"table":{"values":["tbl*"]},"column":{"values":["*"]}},
+     "policyItems":[
+       {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user2"],"groups":["group1","group2"],"delegateAdmin":false}
+     ],
+      "denyPolicyItems":[
+        {"accesses":[{"type":"select","isAllowed":true}],"users":["user3"],"groups":["group3"],"delegateAdmin":false}
+      ]
+    }
+  ],
+
+  "tests":[
+    {"name":"use default;",
+     "request":{
+      "resource":{"elements":{"database":"default"}},
+      "accessType":"","requestData":"use default"
+     },
+     "resourceAccessInfo":{"allowedUsers":["admin", "user1", "user2"],"allowedGroups":["admin",
"group1", "group2"]}
+    }
+  ,
+    {"name":"select default.testtbl1",
+      "request":{
+        "resource":{"elements":{"database":"default", "table":"testtbl1"}},
+        "accessType":"select","requestData":"select default.testtbl1"
+      },
+      "resourceAccessInfo":{"allowedUsers":["user1", "user2"],"allowedGroups":["group1",
"group2"]}
+    }
+    ,
+    {"name":"create default.testtbl1",
+     "request":{
+      "resource":{"elements":{"database":"default", "table":"testtbl1"}},
+      "accessType":"create","requestData":"create default.testtbl1"
+     },
+      "resourceAccessInfo":{"allowedUsers":["admin"],"allowedGroups":["admin"]}
+    }
+    ,
+    {"name":"select db1.tbl1",
+      "request":{
+        "resource":{"elements":{"database":"db1", "table":"tbl1"}},
+        "accessType":"select","requestData":"select db1.tbl1"
+      },
+      "resourceAccessInfo":{"allowedUsers":["user1", "user2"],"allowedGroups":["group1",
"group2"],"deniedUsers":["user3"],"deniedGroups":["group3"]}
+    }
+    ,
+    {"name":"insert db1.tbl1",
+      "request":{
+        "resource":{"elements":{"database":"db1", "table":"tb1"}},
+        "accessType":"insert","requestData":"insert db1.tbl1"
+      },
+      "resourceAccessInfo":{"allowedUsers":[],"allowedGroups":[]}
+    }
+    ,
+    {"name":"select db2.tbl1",
+      "request":{
+        "resource":{"elements":{"database":"db2", "table":"tb1"}},
+        "accessType":"create","requestData":"select db2.tbl1"
+      },
+      "resourceAccessInfo":{"allowedUsers":[],"allowedGroups":[]}
+    }
+  ]
+}
+
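Review bot: The last two tests do not exercise what their names claim: `insert db1.tbl1` uses table `tb1`, which does not match `tbl*`, and `select db2.tbl1` uses accessType `create`; both come back empty because no resource matches, so the access-type filter (and the undefined `insert` type) is never actually tested. Use `"table":"tbl1"` in the insert case so that only the access type differs, and make the db2 case's access type match its name. Coverage also misses the allowExceptions/denyExceptions subtraction in RangerDefaultPolicyEvaluator, a principal that is both allowed and denied (which would pin the engine's removeAll behaviour), and any tag policy for the tag branch in the engine.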

