ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ab...@apache.org
Subject [3/3] ranger git commit: RANGER-1321:Provide a mechanism to create service-specific default policies
Date Wed, 15 Mar 2017 00:34:35 GMT
RANGER-1321:Provide a mechanism to create service-specific default policies


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/c9e94357
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/c9e94357
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/c9e94357

Branch: refs/heads/ranger-0.7
Commit: c9e94357028234db1b1ff9be57ecf13ae29f5d87
Parents: 959ba7f
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Mon Mar 13 19:44:29 2017 -0700
Committer: Abhay Kulkarni <akulkarni@hortonworks.com>
Committed: Tue Mar 14 17:10:44 2017 -0700

----------------------------------------------------------------------
 .../plugin/service/RangerBaseService.java       | 203 +++++++++-
 .../ranger/services/tag/RangerServiceTag.java   |  82 +++-
 .../hadoop/RangerHdfsAuthorizer.java            |   8 +-
 .../ranger/services/hdfs/RangerServiceHdfs.java |  47 +++
 .../services/atlas/RangerServiceAtlas.java      |  31 ++
 .../services/kafka/RangerServiceKafka.java      |  39 +-
 .../ranger/services/kms/RangerServiceKMS.java   | 103 ++++-
 .../yarn/authorizer/RangerYarnAuthorizer.java   |   8 +-
 .../ranger/services/yarn/RangerServiceYarn.java |  46 +++
 .../org/apache/ranger/biz/ServiceDBStore.java   | 399 +++----------------
 .../apache/ranger/biz/TestServiceDBStore.java   | 171 +-------
 11 files changed, 606 insertions(+), 531 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
index debaa83..9955051 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
@@ -19,21 +19,44 @@
 
 package org.apache.ranger.plugin.service;
 
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
 
 
 public abstract class RangerBaseService {
-	private RangerServiceDef serviceDef;
-	private RangerService    service;
-	
+	private static final Log LOG = LogFactory.getLog(RangerBaseService.class);
+
+	protected static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
+	protected static final String ADMIN_USER_KEYTAB    = "ranger.admin.kerberos.keytab";
+	protected static final String LOOKUP_PRINCIPAL     = "ranger.lookup.kerberos.principal";
+	protected static final String LOOKUP_KEYTAB        = "ranger.lookup.kerberos.keytab";
+	protected static final String RANGER_AUTH_TYPE     = "hadoop.security.authentication";
+
+	protected static final String KERBEROS_TYPE        = "kerberos";
+
+	protected RangerServiceDef serviceDef;
+	protected RangerService    service;
+
 	protected Map<String, String>   configs;
 	protected String 			    serviceName;
 	protected String 				serviceType;
-	
 
 	public void init(RangerServiceDef serviceDef, RangerService service) {
 		this.serviceDef    = serviceDef;
@@ -84,8 +107,172 @@ public abstract class RangerBaseService {
 	public abstract Map<String, Object> validateConfig() throws Exception;
 	
 	public abstract List<String> lookupResource(ResourceLookupContext context) throws Exception;
-	
-	
-	
-	
+
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerBaseService.getDefaultRangerPolicies() ");
+		}
+		List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
+
+		try {
+			// we need to create one policy for each resource hierarchy
+			RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
+			for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) {
+				RangerPolicy policy = getDefaultPolicy(aHierarchy);
+				if (policy != null) {
+					ret.add(policy);
+				}
+			}
+		} catch (Exception e) {
+			LOG.error("Error getting default polcies for Service: " + service.getName(), e);
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerBaseService.getDefaultRangerPolicies(): " + ret);
+		}
+		return ret;
+	}
+
+	public List<RangerPolicy.RangerPolicyItemAccess> getAndAllowAllAccesses() {
+		List<RangerPolicy.RangerPolicyItemAccess> ret = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+
+		for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
+			RangerPolicy.RangerPolicyItemAccess access = new RangerPolicy.RangerPolicyItemAccess();
+			access.setType(accessTypeDef.getName());
+			access.setIsAllowed(true);
+			ret.add(access);
+		}
+		return ret;
+	}
+
+	private RangerPolicy getDefaultPolicy(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerBaseService.getDefaultPolicy()");
+		}
+
+		RangerPolicy policy = new RangerPolicy();
+
+		String policyName=buildPolicyName(resourceHierarchy);
+
+		policy.setIsEnabled(true);
+		policy.setVersion(1L);
+		policy.setName(policyName);
+		policy.setService(service.getName());
+		policy.setDescription("Policy for " + policyName);
+		policy.setIsAuditEnabled(true);
+		policy.setResources(createDefaultPolicyResource(resourceHierarchy));
+
+		List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<RangerPolicy.RangerPolicyItem>();
+		//Create Default policy item for the service user
+		RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem();
+		policyItems.add(policyItem);
+		policy.setPolicyItems(policyItems);
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerBaseService.getDefaultPolicy()" + policy);
+		}
+
+		return policy;
+	}
+
+	private RangerPolicy.RangerPolicyItem createDefaultPolicyItem() throws Exception {
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerBaseService.createDefaultPolicyItem()");
+		}
+
+		RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
+
+		policyItem.setUsers(getUserList());
+		policyItem.setAccesses(getAndAllowAllAccesses());
+		policyItem.setDelegateAdmin(true);
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerBaseService.createDefaultPolicyItem(): " + policyItem );
+		}
+		return policyItem;
+	}
+
+	private Map<String, RangerPolicy.RangerPolicyResource> createDefaultPolicyResource(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerBaseService.createDefaultPolicyResource()");
+		}
+		Map<String, RangerPolicy.RangerPolicyResource> resourceMap = new HashMap<>();
+
+		for (RangerServiceDef.RangerResourceDef resourceDef : resourceHierarchy) {
+			RangerPolicy.RangerPolicyResource polRes = new RangerPolicy.RangerPolicyResource();
+
+			polRes.setIsExcludes(false);
+			polRes.setIsRecursive(resourceDef.getRecursiveSupported());
+			polRes.setValue(RangerAbstractResourceMatcher.WILDCARD_ASTERISK);
+
+			resourceMap.put(resourceDef.getName(), polRes);
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerBaseService.createDefaultPolicyResource():" + resourceMap);
+		}
+		return resourceMap;
+	}
+
+	private String buildPolicyName(List<RangerServiceDef.RangerResourceDef> resourceHierarchy) {
+		String ret = "all";
+		if (CollectionUtils.isNotEmpty(resourceHierarchy)) {
+			int resourceDefCount = 0;
+			for (RangerServiceDef.RangerResourceDef resourceDef : resourceHierarchy) {
+				if (resourceDefCount > 0) {
+					ret += ", ";
+				} else {
+					ret += " - ";
+				}
+				ret += resourceDef.getName();
+				resourceDefCount++;
+			}
+			ret = ret.trim();
+		}
+		return ret;
+	}
+
+	private List<String> getUserList() {
+		List<String> ret = new ArrayList<>();
+		Map<String, String> serviceConfig =  service.getConfigs();
+		if (serviceConfig != null ) {
+			ret.add(serviceConfig.get("username"));
+			String defaultUsers = serviceConfig.get("default.policy.users");
+			if (!StringUtils.isEmpty(defaultUsers)) {
+				List<String> defaultUserList = new ArrayList<>(Arrays.asList(StringUtils.split(defaultUsers,",")));
+				if (!defaultUserList.isEmpty()) {
+					ret.addAll(defaultUserList);
+				}
+			}
+		}
+		String authType = RangerConfiguration.getInstance().get(RANGER_AUTH_TYPE,"simple");
+		String lookupPrincipal = RangerConfiguration.getInstance().get(LOOKUP_PRINCIPAL);
+		String lookupKeytab = RangerConfiguration.getInstance().get(LOOKUP_KEYTAB);
+
+		String lookUpUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
+
+		if (StringUtils.isNotBlank(lookUpUser)) {
+			ret.add(lookUpUser);
+		}
+
+		return ret;
+	}
+
+	protected String getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
+		String lookupUser = null;
+		if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){
+			if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
+				KerberosName krbName = new KerberosName(lookupPrincipal);
+				try {
+					lookupUser = krbName.getShortName();
+				} catch (IOException e) {
+					LOG.error("Unknown lookup user", e);
+				}
+			}
+		}
+		return lookupUser;
+	}
+
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java b/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
index d3085d4..05d3a9b 100644
--- a/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
+++ b/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
@@ -19,12 +19,11 @@
 
 package org.apache.ranger.services.tag;
 
-import java.util.*;
-
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.service.RangerBaseService;
@@ -33,11 +32,20 @@ import org.apache.ranger.plugin.store.TagStore;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import java.util.ArrayList;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.List;
+
+import static org.apache.ranger.plugin.policyengine.RangerPolicyEngine.GROUP_PUBLIC;
+
 public class RangerServiceTag extends RangerBaseService {
 
 	private static final Log LOG = LogFactory.getLog(RangerServiceTag.class);
 
 	public static final String TAG_RESOURCE_NAME = "tag";
+	public static final String RANGER_TAG_NAME_EXPIRES_ON = "EXPIRES_ON";
+	public static final String RANGER_TAG_EXPIRY_CONDITION_NAME = "accessed-after-expiry";
 
 	private TagStore tagStore = null;
 
@@ -118,4 +126,74 @@ public class RangerServiceTag extends RangerBaseService {
 
 		return ret;
 	}
+
+	@Override
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceTag.getDefaultRangerPolicies() ");
+		}
+
+		List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
+
+		boolean isConditionDefFound = false;
+
+		List<RangerServiceDef.RangerPolicyConditionDef> policyConditionDefs = serviceDef.getPolicyConditions();
+
+		if (CollectionUtils.isNotEmpty(policyConditionDefs)) {
+			for (RangerServiceDef.RangerPolicyConditionDef conditionDef : policyConditionDefs) {
+				if (conditionDef.getName().equals(RANGER_TAG_EXPIRY_CONDITION_NAME)) {
+					isConditionDefFound = true;
+					break;
+				}
+			}
+		}
+
+		if (isConditionDefFound) {
+
+			ret = super.getDefaultRangerPolicies();
+
+			String tagResourceName = serviceDef.getResources().get(0).getName();
+
+			for (RangerPolicy defaultPolicy : ret) {
+
+				RangerPolicy.RangerPolicyResource tagPolicyResource = defaultPolicy.getResources().get(tagResourceName);
+
+				if (tagPolicyResource != null) {
+
+					String value = RANGER_TAG_NAME_EXPIRES_ON;
+
+					tagPolicyResource.setValue(value);
+					defaultPolicy.setDescription("Policy for data with " + value + " tag");
+
+					List<RangerPolicy.RangerPolicyItem> defaultPolicyItems = defaultPolicy.getPolicyItems();
+
+					for (RangerPolicy.RangerPolicyItem defaultPolicyItem : defaultPolicyItems) {
+
+						List<String> groups = new ArrayList<String>();
+						groups.add(GROUP_PUBLIC);
+						defaultPolicyItem.setGroups(groups);
+
+						List<RangerPolicy.RangerPolicyItemCondition> policyItemConditions = new ArrayList<RangerPolicy.RangerPolicyItemCondition>();
+						List<String> values = new ArrayList<String>();
+						values.add("yes");
+						RangerPolicy.RangerPolicyItemCondition policyItemCondition = new RangerPolicy.RangerPolicyItemCondition(RANGER_TAG_EXPIRY_CONDITION_NAME, values);
+						policyItemConditions.add(policyItemCondition);
+
+						defaultPolicyItem.setConditions(policyItemConditions);
+						defaultPolicyItem.setDelegateAdmin(Boolean.FALSE);
+					}
+
+					defaultPolicy.setDenyPolicyItems(defaultPolicyItems);
+					defaultPolicy.setPolicyItems(null);
+				}
+			}
+		} else {
+			LOG.error("RangerServiceTag.getDefaultRangerPolicies() - Cannot create default TAG policy: Cannot get tagPolicyConditionDef with name=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceTag.getDefaultRangerPolicies() : " + ret);
+		}
+		return ret;
+	}
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 324551d..460c692 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -64,7 +64,9 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 	public static final String KEY_BASE_FILENAME = "BASE_FILENAME";
 	public static final String DEFAULT_FILENAME_EXTENSION_SEPARATOR = ".";
 
-	public static final String RANGER_FILENAME_EXTENSION_SEPARATOR_PROP = "ranger.plugin.hdfs.filename.extension.separator";
+    public static final String KEY_RESOURCE_PATH = "path";
+
+    public static final String RANGER_FILENAME_EXTENSION_SEPARATOR_PROP = "ranger.plugin.hdfs.filename.extension.separator";
 
 	private static final Log LOG = LogFactory.getLog(RangerHdfsAuthorizer.class);
 
@@ -500,11 +502,9 @@ class RangerHdfsPlugin extends RangerBasePlugin {
 }
 
 class RangerHdfsResource extends RangerAccessResourceImpl {
-	private static final String KEY_PATH = "path";
-
 
 	public RangerHdfsResource(String path, String owner) {
-		super.setValue(KEY_PATH, path);
+		super.setValue(RangerHdfsAuthorizer.KEY_RESOURCE_PATH, path);
 		super.setOwnerUser(owner);
 	}
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
index bc12da9..c269648 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java
@@ -23,9 +23,14 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer;
 import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
+import org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.hdfs.client.HdfsResourceMgr;
@@ -95,6 +100,48 @@ public class RangerServiceHdfs extends RangerBaseService {
 		
 		return ret;
 	}
+
+	@Override
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceHdfs.getDefaultRangerPolicies() ");
+		}
+
+		List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+		String pathResourceName = RangerHdfsAuthorizer.KEY_RESOURCE_PATH;
+
+		for (RangerPolicy defaultPolicy : ret) {
+			RangerPolicy.RangerPolicyResource pathPolicyResource = defaultPolicy.getResources().get(pathResourceName);
+			if (pathPolicyResource != null) {
+				List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
+				RangerServiceDef.RangerResourceDef pathResourceDef = null;
+				for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
+					if (resourceDef.getName().equals(pathResourceName)) {
+						pathResourceDef = resourceDef;
+						break;
+					}
+				}
+				if (pathResourceDef != null) {
+					String pathSeparator = pathResourceDef.getMatcherOptions().get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR);
+					if (StringUtils.isBlank(pathSeparator)) {
+						pathSeparator = Character.toString(RangerPathResourceMatcher.DEFAULT_PATH_SEPARATOR_CHAR);
+					}
+					String value = pathSeparator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK;
+					pathPolicyResource.setValue(value);
+				} else {
+					LOG.warn("No resourceDef found in HDFS service-definition for '" + pathResourceName + "'");
+				}
+			} else {
+				LOG.warn("No '" + pathResourceName + "' found in default policy");
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceHdfs.getDefaultRangerPolicies() : " + ret);
+		}
+		return ret;
+	}
 }
 
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index d2b60bd..fe97874 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -22,8 +22,11 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.service.RangerBaseService;
@@ -85,4 +88,32 @@ public class RangerServiceAtlas extends RangerBaseService {
 		}
 		return ret;
 	}
+
+    @Override
+    public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> RangerServiceAtlas.getDefaultRangerPolicies() ");
+        }
+
+        List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+        for (RangerPolicy defaultPolicy : ret) {
+            for (RangerPolicy.RangerPolicyItem defaultPolicyItem : defaultPolicy.getPolicyItems()) {
+                List<String> users = defaultPolicyItem.getUsers();
+
+                String atlasAdminUser = service.getConfigs().get("atlas.admin.user");
+                if (StringUtils.isBlank(atlasAdminUser)) {
+                    atlasAdminUser = "admin";
+                }
+
+                users.add(atlasAdminUser);
+                defaultPolicyItem.setUsers(users);
+            }
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== RangerServiceAtlas.getDefaultRangerPolicies() ");
+        }
+        return ret;
+    }
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
index 86e97bc..b7bbe98 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
@@ -23,6 +23,9 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.service.RangerBaseService;
@@ -32,6 +35,8 @@ import org.apache.ranger.services.kafka.client.ServiceKafkaConnectionMgr;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import static org.apache.ranger.plugin.policyengine.RangerPolicyEngine.GROUP_PUBLIC;
+
 public class RangerServiceKafka extends RangerBaseService {
 	private static final Log LOG = LogFactory.getLog(RangerServiceKafka.class);
 
@@ -76,7 +81,7 @@ public class RangerServiceKafka extends RangerBaseService {
 			LOG.debug("==> RangerServiceKafka.lookupResource(" + serviceName + ")");
 		}
 
-		if(configs != null) {
+		if (configs != null) {
 			ServiceKafkaClient serviceKafkaClient = ServiceKafkaConnectionMgr.getKafkaClient(serviceName, configs);
 
 			ret = serviceKafkaClient.getResources(context);
@@ -88,4 +93,36 @@ public class RangerServiceKafka extends RangerBaseService {
 
 		return ret;
 	}
+
+	@Override
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceKafka.getDefaultRangerPolicies() ");
+		}
+
+		List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+		String authType = RangerConfiguration.getInstance().get(RANGER_AUTH_TYPE,"simple");
+
+		if (StringUtils.equalsIgnoreCase(authType, KERBEROS_TYPE)) {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("Auth type is " + KERBEROS_TYPE);
+			}
+		} else {
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("Auth type is " + authType);
+			}
+			for (RangerPolicy defaultPolicy : ret) {
+				for (RangerPolicy.RangerPolicyItem defaultPolicyItem : defaultPolicy.getPolicyItems()) {
+					defaultPolicyItem.getGroups().add(GROUP_PUBLIC);
+				}
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceKafka.getDefaultRangerPolicies() ");
+		}
+		return ret;
+	}
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
index 7657099..cd368e4 100644
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
@@ -22,6 +22,8 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.service.RangerBaseService;
@@ -33,7 +35,11 @@ import org.apache.commons.logging.LogFactory;
 public class RangerServiceKMS extends RangerBaseService {
 
 	private static final Log LOG = LogFactory.getLog(RangerServiceKMS.class);
-	
+
+	public static final String ACCESS_TYPE_DECRYPT_EEK    = "decrypteek";
+	public static final String ACCESS_TYPE_GENERATE_EEK   = "generateeek";
+	public static final String ACCESS_TYPE_GET_METADATA   = "getmetadata";
+
 	public RangerServiceKMS() {
 		super();
 	}
@@ -86,5 +92,100 @@ public class RangerServiceKMS extends RangerBaseService {
 		}
 		return ret;
 	}
+
+	@Override
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceKMS.getDefaultRangerPolicies() ");
+		}
+
+		List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+		String adminPrincipal = RangerConfiguration.getInstance().get(ADMIN_USER_PRINCIPAL);
+		String adminKeytab = RangerConfiguration.getInstance().get(ADMIN_USER_KEYTAB);
+		String authType = RangerConfiguration.getInstance().get(RANGER_AUTH_TYPE,"simple");
+
+		String adminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
+
+		// Add default policies for HDFS & HIVE users.
+		List<RangerServiceDef.RangerAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
+		List<RangerServiceDef.RangerAccessTypeDef> hiveAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
+
+		for(RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
+			if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
+				hdfsAccessTypeDefs.add(accessTypeDef);
+				hiveAccessTypeDefs.add(accessTypeDef);
+			} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
+				hdfsAccessTypeDefs.add(accessTypeDef);
+			} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
+				hiveAccessTypeDefs.add(accessTypeDef);
+			}
+		}
+
+		for (RangerPolicy defaultPolicy : ret) {
+
+			List<RangerPolicy.RangerPolicyItem> policyItems = defaultPolicy.getPolicyItems();
+			for (RangerPolicy.RangerPolicyItem item : policyItems) {
+				List<String> users = item.getUsers();
+				users.add(adminUser);
+				item.setUsers(users);
+			}
+
+			String hdfsUser = RangerConfiguration.getInstance().get("ranger.kms.service.user.hdfs", "hdfs");
+			if (hdfsUser != null && !hdfsUser.isEmpty()) {
+				LOG.info("Creating default KMS policy item for " + hdfsUser);
+				List<String> users = new ArrayList<String>();
+				users.add(hdfsUser);
+				RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(hdfsAccessTypeDefs, users);
+				policyItems.add(policyItem);
+			}
+
+
+			String hiveUser = RangerConfiguration.getInstance().get("ranger.kms.service.user.hive", "hive");
+
+			if (hiveUser != null && !hiveUser.isEmpty()) {
+				LOG.info("Creating default KMS policy item for " + hiveUser);
+				List<String> users = new ArrayList<String>();
+				users.add(hiveUser);
+				RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(hiveAccessTypeDefs, users);
+				policyItems.add(policyItem);
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceKMS.getDefaultRangerPolicies() : " + ret);
+		}
+
+		return ret;
+	}
+
+	private RangerPolicy.RangerPolicyItem createDefaultPolicyItem(List<RangerServiceDef.RangerAccessTypeDef> accessTypeDefs, List<String> users) throws Exception {
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceTag.createDefaultPolicyItem()");
+		}
+
+		RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
+
+		policyItem.setUsers(users);
+
+		List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+
+		for (RangerServiceDef.RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
+			RangerPolicy.RangerPolicyItemAccess access = new RangerPolicy.RangerPolicyItemAccess();
+			access.setType(accessTypeDef.getName());
+			access.setIsAllowed(true);
+			accesses.add(access);
+		}
+
+		policyItem.setAccesses(accesses);
+		policyItem.setDelegateAdmin(true);
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceTag.createDefaultPolicyItem(): " + policyItem );
+		}
+		return policyItem;
+	}
 }
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
index 470c711..2338ba1 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
@@ -50,7 +50,9 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
 	public static final String ACCESS_TYPE_SUBMIT_APP  = "submit-app";
 	public static final String ACCESS_TYPE_ADMIN       = "admin";
 
-	private static boolean yarnAuthEnabled = RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT;
+    public static final String KEY_RESOURCE_QUEUE = "queue";
+
+    private static boolean yarnAuthEnabled = RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT;
 
 	private static final Log LOG = LogFactory.getLog(RangerYarnAuthorizer.class);
 
@@ -260,10 +262,8 @@ class RangerYarnPlugin extends RangerBasePlugin {
 }
 
 class RangerYarnResource extends RangerAccessResourceImpl {
-	private static final String KEY_QUEUE = "queue";
-
 	public RangerYarnResource(PrivilegedEntity entity) {
-		setValue(KEY_QUEUE, entity != null ? entity.getName() : null);
+		setValue(RangerYarnAuthorizer.KEY_RESOURCE_QUEUE, entity != null ? entity.getName() : null);
 	}
 }
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
----------------------------------------------------------------------
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
index 69f2bc3..5d429ae 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/RangerServiceYarn.java
@@ -22,8 +22,13 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
+import org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher;
 import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.services.yarn.client.YarnResourceMgr;
@@ -86,5 +91,46 @@ public class RangerServiceYarn extends RangerBaseService {
 		}
 		return ret;
 	}
+
+	public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceYarn.getDefaultRangerPolicies() ");
+		}
+
+		List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+
+		String queueResourceName = RangerYarnAuthorizer.KEY_RESOURCE_QUEUE;
+
+		for (RangerPolicy defaultPolicy : ret) {
+			RangerPolicy.RangerPolicyResource queuePolicyResource = defaultPolicy.getResources().get(queueResourceName);
+			if (queuePolicyResource != null) {
+				List<RangerServiceDef.RangerResourceDef> resourceDefs = serviceDef.getResources();
+				RangerServiceDef.RangerResourceDef queueResourceDef = null;
+				for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
+					if (resourceDef.getName().equals(queueResourceName)) {
+						queueResourceDef = resourceDef;
+						break;
+					}
+				}
+				if (queueResourceDef != null) {
+					String pathSeparator = queueResourceDef.getMatcherOptions().get(RangerPathResourceMatcher.OPTION_PATH_SEPARATOR);
+					if (StringUtils.isBlank(pathSeparator)) {
+						pathSeparator = ".";
+					}
+					String value = pathSeparator + RangerAbstractResourceMatcher.WILDCARD_ASTERISK;
+					queuePolicyResource.setValue(value);
+				} else {
+					LOG.warn("No resourceDef found in YARN service-definition for '" + queueResourceName + "'");
+				}
+			} else {
+				LOG.warn("No '" + queueResourceName + "' found in default policy");
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceYarn.getDefaultRangerPolicies() : " + ret);
+		}
+		return ret;
+	}
 }
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index dcee0cd..f171bb4 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -49,8 +49,6 @@ import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.security.SecureClientLogin;
-import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.common.AppConstants;
@@ -60,11 +58,11 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
+import org.apache.ranger.plugin.service.RangerBaseService;
 import org.apache.ranger.plugin.util.PasswordUtils;
 import org.apache.ranger.common.JSONUtil;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.RESTErrorUtil;
-import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.RangerFactory;
 import org.apache.ranger.common.RangerServicePoliciesCache;
 import org.apache.ranger.common.RangerVersionInfo;
@@ -188,18 +186,9 @@ import com.google.gson.Gson;
 @Component
 public class ServiceDBStore extends AbstractServiceStore {
 	private static final Log LOG = LogFactory.getLog(ServiceDBStore.class);
-	public static final String RANGER_TAG_EXPIRY_CONDITION_NAME = "accessed-after-expiry";
-	private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
-    private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab";
-	private static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal";
-	private static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab";
-	static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
-	private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
-	
-	private static final String KERBEROS_TYPE = "kerberos";
-	
+
 	private static final String POLICY_ALLOW_EXCLUDE = "Policy Allow:Exclude";
-	private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include";
+	//private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include";
 	private static final String POLICY_DENY_EXCLUDE = "Policy Deny:Exclude";
 	private static final String POLICY_DENY_INCLUDE = "Policy Deny:Include";
 	
@@ -208,8 +197,10 @@ public class ServiceDBStore extends AbstractServiceStore {
 	private static final String USER_NAME = "Exported by";
 	private static final String RANGER_VERSION = "Ranger apache version";
 	private static final String TIMESTAMP = "Export time";
-	
-	static {
+
+	private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
+
+    static {
 		try {
 			LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
 		} catch (UnknownHostException e) {
@@ -269,6 +260,9 @@ public class ServiceDBStore extends AbstractServiceStore {
     @Autowired
     JSONUtil jsonUtil;
 
+	@Autowired
+	ServiceMgr serviceMgr;
+
 	private static volatile boolean legacyServiceDefsInitDone = false;
 	private Boolean populateExistingBaseFields = false;
 	
@@ -1430,7 +1424,10 @@ public class ServiceDBStore extends AbstractServiceStore {
 			xConfMap.setServiceId(xCreatedService.getId());
 			xConfMap.setConfigkey(configKey);
 			xConfMap.setConfigvalue(configValue);
-			xConfMap = xConfMapDao.create(xConfMap);
+			xConfMapDao.create(xConfMap);
+		}
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("vXUser:[" + vXUser + "]");
 		}
 		RangerService createdService = svcService.getPopulatedViewObject(xCreatedService);
 
@@ -1445,7 +1442,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 		bizUtil.createTrxLog(trxLogList);
 
 		if (createDefaultPolicy) {
-			createDefaultPolicies(xCreatedService, vXUser);
+			createDefaultPolicies(createdService);
 		}
 
 		return createdService;
@@ -1595,9 +1592,11 @@ public class ServiceDBStore extends AbstractServiceStore {
 			xConfMap.setServiceId(service.getId());
 			xConfMap.setConfigkey(configKey);
 			xConfMap.setConfigvalue(configValue);
-			xConfMap = xConfMapDao.create(xConfMap);
+			xConfMapDao.create(xConfMap);
+		}
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("vXUser:[" + vXUser + "]");
 		}
-
 		RangerService updService = svcService.getPopulatedViewObject(xUpdService);
 		dataHistService.createObjectDataHistory(updService, RangerDataHistService.ACTION_UPDATE);
 		bizUtil.createTrxLog(trxLogList);
@@ -2447,341 +2446,47 @@ public class ServiceDBStore extends AbstractServiceStore {
 		return ret;
 	}
 
-	void createDefaultPolicies(XXService createdService, VXUser vXUser) throws Exception {
-		RangerServiceDef serviceDef = getServiceDef(createdService.getType());
-
-		if (serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
-			createDefaultTagPolicy(createdService);
-		} else {
-			// we need to create one policy for each resource hierarchy
-			RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
-			for (List<RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) {
-				RangerPolicy policy = new RangerPolicy();
-				createDefaultPolicy(policy, createdService, vXUser, aHierarchy);
-				policy = createPolicy(policy);
-			}
-		}
-	}
-
-	private void createDefaultTagPolicy(XXService createdService) throws Exception {
-		if (LOG.isDebugEnabled()) {
-			LOG.debug("==> ServiceDBStore.createDefaultTagPolicy() ");
-		}
-
-		String tagResourceDefName = null;
-		boolean isConditionDefFound = false;
-
-		RangerServiceDef tagServiceDef = getServiceDef(createdService.getType());
-		List<RangerResourceDef> tagResourceDef = tagServiceDef.getResources();
-		if (tagResourceDef != null && tagResourceDef.size() > 0) {
-			// Assumption : First (and perhaps the only) resourceDef is the name of the tag resource
-			RangerResourceDef theTagResourceDef = tagResourceDef.get(0);
-			tagResourceDefName = theTagResourceDef.getName();
-		} else {
-			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy: Cannot get tagResourceDef Name.");
-		}
-
-		List<RangerPolicyConditionDef> policyConditionDefs = tagServiceDef.getPolicyConditions();
-
-		if (CollectionUtils.isNotEmpty(policyConditionDefs)) {
-			for (RangerPolicyConditionDef conditionDef : policyConditionDefs) {
-				if (conditionDef.getName().equals(RANGER_TAG_EXPIRY_CONDITION_NAME)) {
-					isConditionDefFound = true;
-					break;
-				}
-			}
-		}
-		if (!isConditionDefFound) {
-			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy: Cannot get tagPolicyConditionDef with name=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
-		}
-
-		if (tagResourceDefName != null && isConditionDefFound) {
-
-			String tagType = "EXPIRES_ON";
-
-			String policyName = tagType;
-
-			RangerPolicy policy = new RangerPolicy();
-
-			policy.setIsEnabled(true);
-			policy.setVersion(1L);
-			policy.setName(StringUtils.trim(policyName));
-			policy.setService(createdService.getName());
-			policy.setDescription("Policy for data with " + tagType + " tag");
-			policy.setIsAuditEnabled(true);
-
-			Map<String, RangerPolicyResource> resourceMap = new HashMap<String, RangerPolicyResource>();
-
-			RangerPolicyResource polRes = new RangerPolicyResource();
-			polRes.setIsExcludes(false);
-			polRes.setIsRecursive(false);
-			polRes.setValue(tagType);
-			resourceMap.put(tagResourceDefName, polRes);
-
-			policy.setResources(resourceMap);
-
-			List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
-
-			RangerPolicyItem policyItem = new RangerPolicyItem();
-
-			List<String> groups = new ArrayList<String>();
-			groups.add(RangerConstants.GROUP_PUBLIC);
-			policyItem.setGroups(groups);
+	void createDefaultPolicies(RangerService createdService) throws Exception {
 
-			List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
-			List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
-			for (XXAccessTypeDef accessTypeDef : accessTypeDefs) {
-				RangerPolicyItemAccess access = new RangerPolicyItemAccess();
-				access.setType(accessTypeDef.getName());
-				access.setIsAllowed(true);
-				accesses.add(access);
-			}
-			policyItem.setAccesses(accesses);
-
-			List<RangerPolicyItemCondition> policyItemConditions = new ArrayList<RangerPolicyItemCondition>();
-			List<String> values = new ArrayList<String>();
-			values.add("yes");
-			RangerPolicyItemCondition policyItemCondition = new RangerPolicyItemCondition(RANGER_TAG_EXPIRY_CONDITION_NAME, values);
-			policyItemConditions.add(policyItemCondition);
-
-			policyItem.setConditions(policyItemConditions);
-			policyItem.setDelegateAdmin(Boolean.FALSE);
-
-			policyItems.add(policyItem);
-
-			policy.setDenyPolicyItems(policyItems);
-
-			policy = createPolicy(policy);
-		} else {
-			LOG.error("ServiceDBStore.createService() - Cannot create default TAG policy, tagResourceDefName=" + tagResourceDefName +
-					", tagPolicyConditionName=" + RANGER_TAG_EXPIRY_CONDITION_NAME);
-		}
-
-		if (LOG.isDebugEnabled()) {
-			LOG.debug("<== ServiceDBStore.createDefaultTagPolicy()");
-		}
-	}
-
-	private String buildPolicyName(List<RangerResourceDef> resourceHierarchy) {
-		String ret = "all";
-		if (CollectionUtils.isNotEmpty(resourceHierarchy)) {
-			int resourceDefCount = 0;
-			for (RangerResourceDef resourceDef : resourceHierarchy) {
-				if (resourceDefCount > 0) {
-					ret += ", ";
-				} else {
-					ret += " - ";
-				}
-				ret += resourceDef.getName();
-				resourceDefCount++;
-			}
-		}
-		return ret;
-	}
+		RangerBaseService svc = serviceMgr.getRangerServiceByService(createdService, this);
 
-	void createDefaultPolicy(RangerPolicy policy, XXService createdService, VXUser vXUser, List<RangerResourceDef> resourceHierarchy) throws Exception {
+		List<String> serviceCheckUsers = getServiceCheckUsers(createdService);
 
-		String policyName=buildPolicyName(resourceHierarchy);
+		List<RangerPolicy.RangerPolicyItemAccess> allAccesses = svc.getAndAllowAllAccesses();
 
-		policy.setIsEnabled(true);
-		policy.setVersion(1L);
-		policy.setName(StringUtils.trim(policyName));
-		policy.setService(createdService.getName());
-		policy.setDescription("Policy for " + policyName);
-		policy.setIsAuditEnabled(true);
+		for (RangerPolicy defaultPolicy : svc.getDefaultRangerPolicies()) {
 
-		policy.setResources(createDefaultPolicyResource(resourceHierarchy));
+			if (CollectionUtils.isNotEmpty(serviceCheckUsers)
+			&& StringUtils.equalsIgnoreCase(defaultPolicy.getService(), createdService.getName())) {
 
-		if (vXUser != null) {
-			List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
-			List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
-			//Create Default policy item for the service user
-			RangerPolicyItem policyItem = createDefaultPolicyItem(createdService, vXUser, accessTypeDefs);
-			policyItems.add(policyItem);
-			// For KMS add default policies for HDFS & HIVE users.
-			XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(createdService.getType());
-			if (xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
-				List<XXAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<XXAccessTypeDef>();
-				List<XXAccessTypeDef> hiveAccessTypeDefs = new ArrayList<XXAccessTypeDef>();
-				for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {
-					if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
-						hdfsAccessTypeDefs.add(accessTypeDef);
-						hiveAccessTypeDefs.add(accessTypeDef);
-					} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
-						hdfsAccessTypeDefs.add(accessTypeDef);
-					} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
-						hiveAccessTypeDefs.add(accessTypeDef);
-					}
-				}
+				RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
 
-				String hdfsUser = PropertiesUtil.getProperty("ranger.kms.service.user.hdfs", "hdfs");
-				if (hdfsUser != null && !hdfsUser.isEmpty()) {
-					XXUser xxUser = daoMgr.getXXUser().findByUserName(hdfsUser);
-					if (xxUser != null) {
-						vXUser = xUserService.populateViewBean(xxUser);
-					} else {
-						vXUser = xUserMgr.createServiceConfigUser(hdfsUser);
-					}
-					if (vXUser != null) {
-						LOG.info("Creating default KMS policy item for " + hdfsUser);
-						policyItem = createDefaultPolicyItem(createdService, vXUser, hdfsAccessTypeDefs);
-						policyItems.add(policyItem);
-					}
-				}
+				policyItem.setUsers(serviceCheckUsers);
+				policyItem.setAccesses(allAccesses);
+				policyItem.setDelegateAdmin(true);
 
-				String hiveUser = PropertiesUtil.getProperty("ranger.kms.service.user.hive", "hive");
-				if (hiveUser != null && !hiveUser.isEmpty()) {
-					XXUser xxUser = daoMgr.getXXUser().findByUserName(hiveUser);
-					if (xxUser != null) {
-						vXUser = xUserService.populateViewBean(xxUser);
-					} else {
-						vXUser = xUserMgr.createServiceConfigUser(hiveUser);
-					}
-					if (vXUser != null) {
-						LOG.info("Creating default KMS policy item for " + hiveUser);
-						policyItem = createDefaultPolicyItem(createdService, vXUser, hiveAccessTypeDefs);
-						policyItems.add(policyItem);
-					}
-				}
+				defaultPolicy.getPolicyItems().add(policyItem);
 			}
-			policy.setPolicyItems(policyItems);
+			createPolicy(defaultPolicy);
 		}
 	}
 
-	private RangerPolicyItem createDefaultPolicyItem(XXService createdService, VXUser vXUser, List<XXAccessTypeDef> accessTypeDefs) throws Exception {
-		String adminPrincipal = PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL);
-		String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
-		String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE,"simple");
-		String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL);
-		String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
-
-		RangerPolicyItem policyItem = new RangerPolicyItem();
-
-		List<String> users = new ArrayList<String>();
-		users.add(vXUser.getName());
-		VXUser vXLookupUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
-
-		XXService xService = daoMgr.getXXService().findByName(createdService.getName());
-		XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(xService.getType());
-		if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)){
-			VXUser vXAdminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
-			if(vXAdminUser != null){
-				users.add(vXAdminUser.getName());
-			}	
-		}else if(vXLookupUser != null){
-			users.add(vXLookupUser.getName());
-		}else{
-			// do nothing
-		}
-
-		if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.ATLAS_IMPL_CLASS_NAME)){
-			VXUser vXUserAdmin = chkAdminUserExists("admin");
-			if(vXUserAdmin != null){
-				users.add(vXUserAdmin.getName());
-			}
-		}
-
-		RangerService rangerService = getServiceByName(createdService.getName());
-		if (rangerService != null){
-			Map<String, String> map = rangerService.getConfigs();
-			if (map != null && map.containsKey(AMBARI_SERVICE_CHECK_USER)){
-				String userNames = map.get(AMBARI_SERVICE_CHECK_USER);
-				String[] userList = userNames.split(",");
-				if(userList != null){
-					for (String userName : userList) {
-						if(!StringUtils.isEmpty(userName)){
-							XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
-							if (xxUser != null) {
-								vXUser = xUserService.populateViewBean(xxUser);
-							} else {
-								vXUser = xUserMgr.createServiceConfigUser(userName);
-								LOG.info("Creating Ambari Service Check User : "+vXUser.getName());
-							}
-							if(vXUser != null){
-								users.add(vXUser.getName());
-							}
-						}
-					}
-				}
-			}
-		}
-		policyItem.setUsers(users);
-
-		List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
-		for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {
-			RangerPolicyItemAccess access = new RangerPolicyItemAccess();
-			access.setType(accessTypeDef.getName());
-			access.setIsAllowed(true);
-			accesses.add(access);
-		}
-		policyItem.setAccesses(accesses);
-
-		policyItem.setDelegateAdmin(true);
-		return policyItem;
-	}
+	List<String> getServiceCheckUsers(RangerService createdService) {
+		List<String> ret = new ArrayList<String>();
 
-	private VXUser chkAdminUserExists(String adminUser) {
-		VXUser vXUser = null;
-		if(!StringUtils.isEmpty(adminUser)){
-			XXUser xxUser = daoMgr.getXXUser().findByUserName(adminUser);
-			if (xxUser != null) {
-				vXUser = xUserService.populateViewBean(xxUser);
-			}
-		}
-		return vXUser;
-	}
+		Map<String, String> serviceConfig = createdService.getConfigs();
 
-	private VXUser getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
-		VXUser vXUser = null;
-		if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){
-			if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
-				KerberosName krbName = new KerberosName(lookupPrincipal);
-				String lookupUser=null;
-				try {
-					lookupUser = krbName.getShortName();
-				} catch (IOException e) {
-					throw restErrorUtil.createRESTException("Please provide proper value of lookup user principal : "+ lookupPrincipal, MessageEnums.INVALID_INPUT_DATA);
-				}
-				
-				if(LOG.isDebugEnabled()){
-					LOG.debug("Checking for Lookup User : "+lookupUser);
-				}
-				if(!StringUtils.isEmpty(lookupUser)){
-					XXUser xxUser = daoMgr.getXXUser().findByUserName(lookupUser);
-					if (xxUser != null) {
-						vXUser = xUserService.populateViewBean(xxUser);
-					} else {
-						vXUser = xUserMgr.createServiceConfigUser(lookupUser);
-						LOG.info("Creating Lookup User : "+vXUser.getName());
-					}
+		if (serviceConfig.containsKey(AMBARI_SERVICE_CHECK_USER)) {
+			String userNames = serviceConfig.get(AMBARI_SERVICE_CHECK_USER);
+			String[] userList = userNames.split(",");
+			for (String userName : userList) {
+				if (!StringUtils.isEmpty(userName)) {
+					ret.add(userName);
 				}
 			}
 		}
-		return vXUser;
-	}
-
 
-	Map<String, RangerPolicyResource> createDefaultPolicyResource(List<RangerResourceDef> resourceHierarchy) throws Exception {
-		Map<String, RangerPolicyResource> resourceMap = new HashMap<>();
-
-		for (RangerResourceDef resourceDef : resourceHierarchy) {
-			RangerPolicyResource polRes = new RangerPolicyResource();
-			polRes.setIsExcludes(false);
-			polRes.setIsRecursive(false);
-
-			String value = "*";
-			if("path".equalsIgnoreCase(resourceDef.getName())) {
-				value = "/*";
-			}
-
-			if(resourceDef.getRecursiveSupported()) {
-				polRes.setIsRecursive(Boolean.TRUE);
-			}
-
-			polRes.setValue(value);
-			resourceMap.put(resourceDef.getName(), polRes);
-		}
-		return resourceMap;
+		return ret;
 	}
 
 	private Map<String, String> validateRequiredConfigParams(RangerService service, Map<String, String> configs) {
@@ -2932,10 +2637,12 @@ public class ServiceDBStore extends AbstractServiceStore {
 		List<String> users = policyItem.getUsers();
 		for(int i = 0; i < users.size(); i++) {
 			String user = users.get(i);
-
+			if (StringUtils.isBlank(user)) {
+				continue;
+			}
 			XXUser xUser = daoMgr.getXXUser().findByUserName(user);
 			if(xUser == null) {
-				throw new Exception(user + ": user does not exist. policy='"+  policy.getName() + "' service='"+ policy.getService() + "'");
+				throw new Exception(user + ": user does not exist. policy='"+  policy.getName() + "' service='"+ policy.getService() + "' user='" + user +"'");
 			}
 			XXPolicyItemUserPerm xUserPerm = new XXPolicyItemUserPerm();
 			xUserPerm = (XXPolicyItemUserPerm) rangerAuditFields.populateAuditFields(xUserPerm, xPolicyItem);
@@ -2948,10 +2655,12 @@ public class ServiceDBStore extends AbstractServiceStore {
 		List<String> groups = policyItem.getGroups();
 		for(int i = 0; i < groups.size(); i++) {
 			String group = groups.get(i);
-
+			if (StringUtils.isBlank(group)) {
+				continue;
+			}
 			XXGroup xGrp = daoMgr.getXXGroup().findByGroupName(group);
 			if(xGrp == null) {
-				throw new Exception(group + ": group does not exist. policy='"+  policy.getName() + "' service='"+ policy.getService() + "'");
+				throw new Exception(group + ": group does not exist. policy='"+  policy.getName() + "' service='"+ policy.getService() + "' group='" + group + "'");
 			}
 			XXPolicyItemGroupPerm xGrpPerm = new XXPolicyItemGroupPerm();
 			xGrpPerm = (XXPolicyItemGroupPerm) rangerAuditFields.populateAuditFields(xGrpPerm, xPolicyItem);
@@ -2991,7 +2700,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 		if(CollectionUtils.isNotEmpty(policyItems)) {
 			for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) {
 				RangerPolicyItem policyItem = policyItems.get(itemOrder);
-				XXPolicyItem xPolicyItem = createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType);
+				createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef, itemOrder, policyItemType);
 			}
 		}
 	}
@@ -3019,7 +2728,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 					xxDataMaskInfo.setConditionExpr(dataMaskInfo.getConditionExpr());
 					xxDataMaskInfo.setValueExpr(dataMaskInfo.getValueExpr());
 
-					xxDataMaskInfo = daoMgr.getXXPolicyItemDataMaskInfo().create(xxDataMaskInfo);
+					daoMgr.getXXPolicyItemDataMaskInfo().create(xxDataMaskInfo);
 				}
 			}
 		}
@@ -3755,6 +3464,10 @@ public class ServiceDBStore extends AbstractServiceStore {
 
 	private void writeBookForPolicyItems(RangerPolicy policy, RangerPolicyItem policyItem,
 			RangerDataMaskPolicyItem dataMaskPolicyItem, RangerRowFilterPolicyItem rowFilterPolicyItem, Row row, String policyConditonType) {
+		if (LOG.isDebugEnabled()) {
+			// To avoid PMD violation
+			LOG.debug("policyConditonType:[" + policyConditonType + "]");
+		}
 		List<String> groups = new ArrayList<String>();
 		List<String> users = new ArrayList<String>();
 		String groupNames = "";

http://git-wip-us.apache.org/repos/asf/ranger/blob/c9e94357/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
index 2b773da..cf3485e 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
@@ -45,7 +45,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumElementDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
-import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+//import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.plugin.store.PList;
 import org.apache.ranger.plugin.store.ServicePredicateUtil;
 import org.apache.ranger.plugin.util.SearchFilter;
@@ -137,22 +137,6 @@ public class TestServiceDBStore {
 				.getCurrentUserSession();
 		currentUserSession.setUserAdmin(true);
 	}
-	
-	private XXAccessTypeDef rangerKmsAccessTypes(String accessTypeName, int itemId) {
-		XXAccessTypeDef accessTypeDefObj = new XXAccessTypeDef();
-		accessTypeDefObj.setAddedByUserId(Id);
-		accessTypeDefObj.setCreateTime(new Date());
-		accessTypeDefObj.setDefid(Long.valueOf(itemId));
-		accessTypeDefObj.setId(Long.valueOf(itemId));
-		accessTypeDefObj.setItemId(Long.valueOf(itemId));
-		accessTypeDefObj.setLabel(accessTypeName);
-		accessTypeDefObj.setName(accessTypeName);
-		accessTypeDefObj.setOrder(null);
-		accessTypeDefObj.setRbkeylabel(null);
-		accessTypeDefObj.setUpdatedByUserId(Id);
-		accessTypeDefObj.setUpdateTime(new Date());
-		return accessTypeDefObj;
-	}
 
 	private RangerServiceDef rangerServiceDef() {
 		List<RangerServiceConfigDef> configs = new ArrayList<RangerServiceConfigDef>();
@@ -222,28 +206,6 @@ public class TestServiceDBStore {
 
 		return rangerService;
 	}
-	
-	private RangerService rangerKMSService() {
-		Map<String, String> configs = new HashMap<String, String>();
-		configs.put("username", "servicemgr");
-		configs.put("password", "servicemgr");
-		configs.put("provider", "kmsurl");
-		
-		RangerService rangerService = new RangerService();
-		rangerService.setId(Id);
-		rangerService.setConfigs(configs);
-		rangerService.setCreateTime(new Date());
-		rangerService.setDescription("service kms policy");
-		rangerService.setGuid("1427365526516_835_1");
-		rangerService.setIsEnabled(true);
-		rangerService.setName("KMS_1");
-		rangerService.setPolicyUpdateTime(new Date());
-		rangerService.setType("7");
-		rangerService.setUpdatedBy("Admin");
-		rangerService.setUpdateTime(new Date());
-		
-		return rangerService;
-	}
 
 	private RangerPolicy rangerPolicy() {
 		List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
@@ -1234,10 +1196,10 @@ public class TestServiceDBStore {
 
 		ServiceDBStore spy = Mockito.spy(serviceDBStore);
 
-		Mockito.doNothing().when(spy).createDefaultPolicies(xService, vXUser);
+		Mockito.doNothing().when(spy).createDefaultPolicies(rangerService);
 
 		spy.createService(rangerService);
-		
+
 		Mockito.verify(daoManager, Mockito.atLeast(1)).getXXService();
 		Mockito.verify(daoManager).getXXServiceConfigMap();
 	}
@@ -2676,131 +2638,4 @@ public class TestServiceDBStore {
 		Assert.assertNotNull(policyList);
 		Mockito.verify(daoManager).getXXPolicy();
 	}
-	
-	@Test
-	public void test41createKMSService() throws Exception {
-		XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
-		XXPolicy xPolicy = Mockito.mock(XXPolicy.class);
-		XXPolicyDao xPolicyDao = Mockito.mock(XXPolicyDao.class);
-		XXAccessTypeDefDao xAccessTypeDefDao = Mockito
-				.mock(XXAccessTypeDefDao.class);
-		XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
-		XXServiceConfigMapDao xServiceConfigMapDao = Mockito
-				.mock(XXServiceConfigMapDao.class);
-		XXUserDao xUserDao = Mockito.mock(XXUserDao.class);
-		XXServiceConfigDefDao xServiceConfigDefDao = Mockito
-				.mock(XXServiceConfigDefDao.class);
-		XXService xService = Mockito.mock(XXService.class);
-		XXUser xUser = Mockito.mock(XXUser.class);
-		XXServiceDef xServiceDef = Mockito.mock(XXServiceDef.class);
-		Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
-		Mockito.when(xServiceDefDao.findByName("KMS_1")).thenReturn(
-				xServiceDef);
-		Mockito.when(xService.getName()).thenReturn(
-				"KMS_1");
-		Mockito.when(xServiceDao.findByName("KMS_1")).thenReturn(
-				xService);
-		Mockito.when(!bizUtil.hasAccess(xService, null)).thenReturn(true);
-
-		RangerService rangerService = rangerKMSService();
-		VXUser vXUser = null;
-		String userName = "servicemgr";
-		Mockito.when(xService.getType()).thenReturn(Long.valueOf(rangerService.getType()));
-		Mockito.when(xServiceDefDao.getById(Long.valueOf(rangerService.getType()))).thenReturn(xServiceDef);
-		Mockito.when(xServiceDef.getImplclassname()).thenReturn(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME);
-		List<XXServiceConfigDef> svcConfDefList = new ArrayList<XXServiceConfigDef>();
-		XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef();
-		serviceConfigDefObj.setId(Id);
-		serviceConfigDefObj.setType("7");
-		svcConfDefList.add(serviceConfigDefObj);
-		Mockito.when(daoManager.getXXServiceConfigDef()).thenReturn(
-				xServiceConfigDefDao);
-		Mockito.when(xServiceConfigDefDao.findByServiceDefName(userName))
-		.thenReturn(svcConfDefList);
-
-		Mockito.when(svcService.create(rangerService)).thenReturn(rangerService);
-
-		Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
-		Mockito.when(xServiceDao.getById(rangerService.getId())).thenReturn(
-				xService);
-		Mockito.when(daoManager.getXXServiceConfigMap()).thenReturn(
-				xServiceConfigMapDao);
-
-		Mockito.when(stringUtil.getValidUserName(userName))
-		.thenReturn(userName);
-		Mockito.when(daoManager.getXXUser()).thenReturn(xUserDao);
-		Mockito.when(xUserDao.findByUserName(userName)).thenReturn(xUser);
-
-		Mockito.when(xUserService.populateViewBean(xUser)).thenReturn(vXUser);
-		Mockito.when(xUserMgr.createServiceConfigUser(userName)).thenReturn(vXUser);
-		VXUser vXUserHdfs = new VXUser();
-		vXUserHdfs.setName("hdfs");
-		vXUserHdfs.setPassword("hdfs");
-		Mockito.when(xUserMgr.createServiceConfigUser("hdfs")).thenReturn(vXUserHdfs);
-		VXUser vXUserHive = new VXUser();
-		vXUserHive.setName("hive");
-		vXUserHive.setPassword("hive");
-		Mockito.when(xUserMgr.createServiceConfigUser("hive")).thenReturn(vXUserHive);
-
-		XXServiceConfigMap xConfMap = new XXServiceConfigMap();
-		Mockito.when(rangerAuditFields.populateAuditFields(xConfMap, xService))
-		.thenReturn(xService);
-
-		Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn(
-				rangerService);
-
-		Mockito.when(
-				rangerAuditFields.populateAuditFields(
-						Mockito.isA(XXServiceConfigMap.class),
-						Mockito.isA(XXService.class))).thenReturn(xConfMap);
-
-		Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao);
-
-		Mockito.when(xPolicyDao.getById(Id)).thenReturn(xPolicy);
-
-
-		List<XXAccessTypeDef> accessTypeDefList = new ArrayList<XXAccessTypeDef>();
-		accessTypeDefList.add(rangerKmsAccessTypes("getmetadata", 7));
-		accessTypeDefList.add(rangerKmsAccessTypes("generateeek", 8));
-		accessTypeDefList.add(rangerKmsAccessTypes("decrypteek", 9));
-
-		RangerServiceDef ran = new RangerServiceDef();
-		ran.setName("KMS Test");
-		Mockito.when(serviceDefService.read(1L)).thenReturn(ran);
-		Long serviceDefId = ran.getId();
-
-		ServiceDBStore spy = Mockito.spy(serviceDBStore);
-
-		Mockito.when(daoManager.getXXAccessTypeDef()).thenReturn(
-				xAccessTypeDefDao);
-		Mockito.when(xAccessTypeDefDao.findByServiceDefId(serviceDefId))
-		.thenReturn(accessTypeDefList);
-		Mockito.when(spy.getServiceByName("KMS_1")).thenReturn(
-				rangerService);
-		Mockito.doNothing().when(spy).createDefaultPolicies(xService, vXUser);
-
-		RangerPolicy policy = new RangerPolicy();
-		RangerResourceDef resourceDef = new RangerResourceDef();
-		resourceDef.setItemId(Id);
-		resourceDef.setName("keyname");
-		resourceDef.setType("string");
-		resourceDef.setType("string");
-		resourceDef.setLabel("Key Name");
-		resourceDef.setDescription("Key Name");
-
-		List<RangerResourceDef> resourceHierarchy = new ArrayList<RangerResourceDef>();
-		resourceHierarchy.addAll(resourceHierarchy);
-
-		spy.createService(rangerService);
-		vXUser = new VXUser();
-		vXUser.setName(userName);
-		vXUser.setPassword(userName);
-		
-		spy.createDefaultPolicy(policy, xService, vXUser, resourceHierarchy);
-
-		Mockito.verify(daoManager, Mockito.atLeast(1)).getXXService();
-		Mockito.verify(daoManager).getXXServiceConfigMap();
-		//Assert.assertNull(policy);
-		Assert.assertEquals(3, policy.getPolicyItems().size());
-	}
 }


Mime
View raw message