ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/3] ranger git commit: RANGER-1421 - Add tag based authorization tests for the supported components
Date Tue, 18 Apr 2017 09:36:44 GMT
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
index 64a0a63..57b4eef 100644
--- a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
+++ b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
@@ -49,6 +49,12 @@ import org.junit.Test;
  * d) "dave" can do a select on the table "words" but only if the "count" column is >= 80
  * e) "jane" can do a select on the table "words", but only get a "hash" of the word, and not the word itself.
  * f) "da_test_user" is delegate admin for rangerauthz database.
+ *
+ * In addition we have some TAG based policies created in Atlas and synced into Ranger:
+ *
+ * a) The tag "HiveTableTag" is associated with "select" permission to the "dev" group to the "words" table in the "hivetable" database.
+ * b) The tag "HiveDatabaseTag" is associated with "create" permission to the "dev" group to the "hivetable" database.
+ * c) The tag "HiveColumnTag" is associated with "select" permission to the "frank" user to the "word" column of the "words" table.
  */
 public class HIVERangerAuthorizerTest {
 
@@ -584,128 +590,294 @@ public class HIVERangerAuthorizerTest {
         connection.close();
     }
 
-        @Test
-        public void testCreateDropMacro() throws Exception {
-                String initialUrl = "jdbc:hive2://localhost:" + port;
-                Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
-                Statement statement = connection.createStatement();
-                statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthz2");
+    @Test
+    public void testCreateDropMacro() throws Exception {
+        String initialUrl = "jdbc:hive2://localhost:" + port;
+        Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+        Statement statement = connection.createStatement();
+        statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthz2");
 
-                statement.close();
-                connection.close();
+        statement.close();
+        connection.close();
 
-                // Load data into HIVE
-                String url = "jdbc:hive2://localhost:" + port + "/rangerauthz2";
-                connection = DriverManager.getConnection(url, "admin", "admin");
-                statement = connection.createStatement();
+        // Load data into HIVE
+        String url = "jdbc:hive2://localhost:" + port + "/rangerauthz2";
+        connection = DriverManager.getConnection(url, "admin", "admin");
+        statement = connection.createStatement();
 
-                statement.execute("create table if not exists rangerauthz2.macro_testing (a INT, b INT)");
-                statement.execute("insert into rangerauthz2.macro_testing (a, b) values (4, 5)");
-                statement.execute("insert into rangerauthz2.macro_testing (a, b) values (3, 5)");
+        statement.execute("create table if not exists rangerauthz2.macro_testing (a INT, b INT)");
+        statement.execute("insert into rangerauthz2.macro_testing (a, b) values (4, 5)");
+        statement.execute("insert into rangerauthz2.macro_testing (a, b) values (3, 5)");
 
-                ResultSet resultSet = statement.executeQuery("SELECT * FROM rangerauthz2.macro_testing where b == '5'");
-                //Verify Table Created And Contains Data
+        ResultSet resultSet = statement.executeQuery("SELECT * FROM rangerauthz2.macro_testing where b == '5'");
+        //Verify Table Created And Contains Data
 
-                if (resultSet.next()) {
-                        Assert.assertEquals(5, resultSet.getInt(2));
-                } else {
-                        Assert.fail("No Resultset Found");
-                }
+        if (resultSet.next()) {
+            Assert.assertEquals(5, resultSet.getInt(2));
+        } else {
+            Assert.fail("No Resultset Found");
+        }
 
-                statement.execute("create temporary macro math_cube(x int) x*x*x");
-                ResultSet resultSet2 = statement.executeQuery("select math_cube(b) from rangerauthz2.macro_testing");
+        statement.execute("create temporary macro math_cube(x int) x*x*x");
+        ResultSet resultSet2 = statement.executeQuery("select math_cube(b) from rangerauthz2.macro_testing");
 
-                if (resultSet2.next()) {
-                        Assert.assertEquals(125, resultSet2.getInt(1));
-                } else {
-                        Assert.fail("Macro Not Created Properly");
-                }
+        if (resultSet2.next()) {
+            Assert.assertEquals(125, resultSet2.getInt(1));
+        } else {
+            Assert.fail("Macro Not Created Properly");
+        }
 
-                statement.execute("drop temporary macro math_cube");
+        statement.execute("drop temporary macro math_cube");
 
-                try{
-                        statement.executeQuery("select math_cube(b) from rangerauthz2.macro_testing");
-                        Assert.fail("macro deleted already");
-                }
-                catch(SQLException ex){
-                        //expected
-                }
+        try{
+            statement.executeQuery("select math_cube(b) from rangerauthz2.macro_testing");
+            Assert.fail("macro deleted already");
+        }
+        catch(SQLException ex){
+            //expected
+        }
 
-                statement.execute("DROP TABLE rangerauthz2.macro_testing");
-                statement.execute("DROP DATABASE rangerauthz2");
+        statement.execute("DROP TABLE rangerauthz2.macro_testing");
+        statement.execute("DROP DATABASE rangerauthz2");
 
-                statement.close();
-                connection.close();
+        statement.close();
+        connection.close();
+    }
+
+    @Test
+    public void testCreateDropFunction() throws Exception {
+        String initialUrl = "jdbc:hive2://localhost:" + port;
+        Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+        Statement statement = connection.createStatement();
+
+        statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthz3");
+        statement.close();
+        connection.close();
+
+        String url = "jdbc:hive2://localhost:" + port + "/rangerauthz3";
+        connection = DriverManager.getConnection(url, "admin", "admin");
+        statement = connection.createStatement();
+        statement.execute("CREATE TABLE if not exists rangerauthz3.function_testing (a DOUBLE, b DOUBLE)");
+        statement.execute("insert into rangerauthz3.function_testing (a, b) values (4.54845, 5.5487)");
+        ResultSet resultSet2 = statement.executeQuery("select round(b) from rangerauthz3.function_testing");
+
+        if (resultSet2.next()) {
+            Assert.assertEquals(6, resultSet2.getInt(1));
+        } else {
+            Assert.fail("No Resultset Found");
+        }
+
+        statement.execute("DROP TABLE rangerauthz3.function_testing");
+        statement.execute("DROP DATABASE rangerauthz3");
+
+        statement.close();
+        connection.close();
+    }
+
+    @Test
+    public void testGrantrevoke() throws Exception {
+        String initialUrl = "jdbc:hive2://localhost:" + port;
+        Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+        Statement statement = connection.createStatement();
+        statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthzx");
+        statement.execute("use rangerauthzx");
+        statement.execute("CREATE TABLE rangerauthzx.tbl1 (a INT, b INT)");
+        statement.close();
+        connection.close();
+
+        String url = "jdbc:hive2://localhost:" + port;
+        connection = DriverManager.getConnection(url, "dave", "dave");
+        statement = connection.createStatement();
+        try{
+            statement.execute("use rangerauthzx");
+            statement.execute("grant select ON TABLE rangerauthzx.tbl1 to USER jane with grant option");
+            Assert.fail("access should not have been granted");
+        }
+        catch(SQLException ex){
+            //expected
         }
 
-        @Test
-        public void testCreateDropFunction() throws Exception {
-                String initialUrl = "jdbc:hive2://localhost:" + port;
-                Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+        connection = DriverManager.getConnection(url, "da_test_user", "da_test_user");
+        statement = connection.createStatement();
+        try{
+            statement.execute("use rangerauthzx");
+            statement.execute("grant select ON TABLE rangerauthzx.tbl1 to USER jane with grant option");
+        }
+        catch(SQLException ex){
+            Assert.fail("access should have been granted to da_test_user");
+        }
+        statement.close();
+        connection.close();
+
+        connection = DriverManager.getConnection(url, "admin", "admin");
+        statement = connection.createStatement();
+        statement.execute("DROP TABLE rangerauthzx.tbl1");
+    }
+
+    @Test
+    public void testTagBasedPolicyForTable() throws Exception {
+
+        String url = "jdbc:hive2://localhost:" + port;
+
+        // Create a database as "admin"
+        Connection connection = DriverManager.getConnection(url, "admin", "admin");
+        Statement statement = connection.createStatement();
+
+        statement.execute("CREATE DATABASE hivetable");
+
+        statement.close();
+        connection.close();
+
+        // Create a "words" table in "hivetable"
+        final String tableUrl = "jdbc:hive2://localhost:" + port + "/hivetable";
+        connection = DriverManager.getConnection(tableUrl, "admin", "admin");
+        statement = connection.createStatement();
+        statement.execute("CREATE TABLE WORDS (word STRING, count INT)");
+        statement.execute("CREATE TABLE WORDS2 (word STRING, count INT)");
+
+        statement.close();
+        connection.close();
+
+        // Now try to read it as the "public" group
+        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] {"dev"});
+        ugi.doAs(new PrivilegedExceptionAction<Void>() {
+            public Void run() throws Exception {
+                Connection connection = DriverManager.getConnection(tableUrl, "alice", "alice");
                 Statement statement = connection.createStatement();
 
-                statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthz3");
+                // "words" should work
+                ResultSet resultSet = statement.executeQuery("SELECT * FROM words");
+                Assert.assertNotNull(resultSet);
+
                 statement.close();
-                connection.close();
 
-                String url = "jdbc:hive2://localhost:" + port + "/rangerauthz3";
-                connection = DriverManager.getConnection(url, "admin", "admin");
                 statement = connection.createStatement();
-                statement.execute("CREATE TABLE if not exists rangerauthz3.function_testing (a DOUBLE, b DOUBLE)");
-                statement.execute("insert into rangerauthz3.function_testing (a, b) values (4.54845, 5.5487)");
-                ResultSet resultSet2 = statement.executeQuery("select round(b) from rangerauthz3.function_testing");
-
-                if (resultSet2.next()) {
-                        Assert.assertEquals(6, resultSet2.getInt(1));
-                } else {
-                        Assert.fail("No Resultset Found");
+                try {
+                    // "words2" should not
+                    statement.executeQuery("SELECT * FROM words2");
+                    Assert.fail("Failure expected on an unauthorized call");
+                } catch (SQLException ex) {
+                    // expected
                 }
 
-                statement.execute("DROP TABLE rangerauthz3.function_testing");
-                statement.execute("DROP DATABASE rangerauthz3");
-
                 statement.close();
                 connection.close();
-        }
+                return null;
+            }
+        });
+
+        // Drop the table and database as "admin"
+        connection = DriverManager.getConnection(tableUrl, "admin", "admin");
+        statement = connection.createStatement();
+
+        statement.execute("drop TABLE words");
+        statement.execute("drop TABLE words2");
+        statement.execute("drop DATABASE hivetable");
+
+        statement.close();
+        connection.close();
+    }
 
-        @Test
-        public void testGrantrevoke() throws Exception {
-                String initialUrl = "jdbc:hive2://localhost:" + port;
-                Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
+    @Test
+    public void testTagBasedPolicyForDatabase() throws Exception {
+
+        final String url = "jdbc:hive2://localhost:" + port;
+
+        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] {"dev"});
+        ugi.doAs(new PrivilegedExceptionAction<Void>() {
+            public Void run() throws Exception {
+                // Create a database
+                Connection connection = DriverManager.getConnection(url, "alice", "alice");
                 Statement statement = connection.createStatement();
-                statement.execute("CREATE DATABASE IF NOT EXISTS rangerauthzx");
-                statement.execute("use rangerauthzx");
-                statement.execute("CREATE TABLE rangerauthzx.tbl1 (a INT, b INT)");
+
+                statement.execute("CREATE DATABASE hivetable");
                 statement.close();
-                connection.close();
 
-                String url = "jdbc:hive2://localhost:" + port;
-                connection = DriverManager.getConnection(url, "dave", "dave");
                 statement = connection.createStatement();
-                try{
-                statement.execute("use rangerauthzx");
-                statement.execute("grant select ON TABLE rangerauthzx.tbl1 to USER jane with grant option");
-                Assert.fail("access should not have been granted");
-                }
-                catch(SQLException ex){
-                        //expected
+                try {
+                    // "hivetable2" should not be allowed to be created by the "dev" group
+                    statement.execute("CREATE DATABASE hivetable2");
+                    Assert.fail("Failure expected on an unauthorized call");
+                } catch (SQLException ex) {
+                    // expected
                 }
 
-                connection = DriverManager.getConnection(url, "da_test_user", "da_test_user");
-                statement = connection.createStatement();
-                try{
-                statement.execute("use rangerauthzx");
-                statement.execute("grant select ON TABLE rangerauthzx.tbl1 to USER jane with grant option");
-                }
-                catch(SQLException ex){
-                        Assert.fail("access should have been granted to da_test_user");
+                statement.close();
+                connection.close();
+                return null;
+            }
+        });
+
+        // Drop the database as "admin"
+        Connection connection = DriverManager.getConnection(url, "admin", "admin");
+        Statement statement = connection.createStatement();
+
+        statement.execute("drop DATABASE hivetable");
+
+        statement.close();
+        connection.close();
+    }
+
+    @Test
+    public void testTagBasedPolicyForColumn() throws Exception {
+
+        String url = "jdbc:hive2://localhost:" + port;
+
+        // Create a database as "admin"
+        Connection connection = DriverManager.getConnection(url, "admin", "admin");
+        Statement statement = connection.createStatement();
+
+        statement.execute("CREATE DATABASE hivetable");
+
+        statement.close();
+        connection.close();
+
+        // Create a "words" table in "hivetable"
+        final String tableUrl = "jdbc:hive2://localhost:" + port + "/hivetable";
+        connection = DriverManager.getConnection(tableUrl, "admin", "admin");
+        statement = connection.createStatement();
+        statement.execute("CREATE TABLE WORDS (word STRING, count INT)");
+        statement.execute("CREATE TABLE WORDS2 (word STRING, count INT)");
+
+        statement.close();
+        connection.close();
+
+        // Now try to read it as the user "frank"
+        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("frank", new String[] {"unknown"});
+        ugi.doAs(new PrivilegedExceptionAction<Void>() {
+            public Void run() throws Exception {
+                Connection connection = DriverManager.getConnection(tableUrl, "frank", "frank");
+
+                // we can select "word" from "words"
+                Statement statement = connection.createStatement();
+                ResultSet resultSet = statement.executeQuery("SELECT word FROM words");
+                Assert.assertNotNull(resultSet);
+                statement.close();
+
+                try {
+                    // we can't select "word" from "words2" as "frank"
+                    statement.executeQuery("SELECT word FROM words2");
+                    Assert.fail("Failure expected on an unauthorized call");
+                } catch (SQLException ex) {
+                    // expected
                 }
+
                 statement.close();
                 connection.close();
+                return null;
+            }
+        });
 
-                connection = DriverManager.getConnection(url, "admin", "admin");
-                statement = connection.createStatement();
-                statement.execute("DROP TABLE rangerauthzx.tbl1");
-        }
+        // Drop the table and database as "admin"
+        connection = DriverManager.getConnection(tableUrl, "admin", "admin");
+        statement = connection.createStatement();
+
+        statement.execute("drop TABLE words");
+        statement.execute("drop TABLE words2");
+        statement.execute("drop DATABASE hivetable");
+
+        statement.close();
+        connection.close();
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java b/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java
index 8b48dd8..e1c30d0 100644
--- a/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java
+++ b/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerAdminClientImpl.java
@@ -38,6 +38,7 @@ import com.google.gson.GsonBuilder;
 public class RangerAdminClientImpl implements RangerAdminClient {
     private static final Logger LOG = LoggerFactory.getLogger(RangerAdminClientImpl.class);
     private final static String cacheFilename = "hive-policies.json";
+    private final static String tagFilename = "hive-policies-tag.json";
     private Gson gson;
 
     public void init(String serviceName, String appId, String configPropertyPrefix) {
@@ -72,8 +73,15 @@ public class RangerAdminClientImpl implements RangerAdminClient {
     }
 
     public ServiceTags getServiceTagsIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception {
-        return null;
+        String basedir = System.getProperty("basedir");
+        if (basedir == null) {
+            basedir = new File(".").getCanonicalPath();
+        }
+
+        java.nio.file.Path cachePath = FileSystems.getDefault().getPath(basedir, "/src/test/resources/" + tagFilename);
+        byte[] cacheBytes = Files.readAllBytes(cachePath);
 
+        return gson.fromJson(new String(cacheBytes), ServiceTags.class);
     }
 
     public List<String> getTagTypes(String tagTypePattern) throws Exception {

http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/resources/hive-policies-tag.json
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/resources/hive-policies-tag.json b/hive-agent/src/test/resources/hive-policies-tag.json
new file mode 100644
index 0000000..27b15c5
--- /dev/null
+++ b/hive-agent/src/test/resources/hive-policies-tag.json
@@ -0,0 +1,108 @@
+{
+  "op": "add_or_update",
+  "serviceName": "cl1_hive",
+  "tagVersion": 8,
+  "tagDefinitions": {},
+  "tags": {
+    "5": {
+      "type": "HiveTableTag",
+      "owner": 0,
+      "attributes": {},
+      "id": 5,
+      "isEnabled": true,
+      "version": 1
+    },
+    "6": {
+      "type": "HiveDatabaseTag",
+      "owner": 0,
+      "attributes": {},
+      "id": 6,
+      "isEnabled": true,
+      "version": 1
+    },
+    "7": {
+      "type": "HiveColumnTag",
+      "owner": 0,
+      "attributes": {},
+      "id": 7,
+      "isEnabled": true,
+      "version": 1
+    }
+  },
+  "serviceResources": [
+    {
+      "resourceElements": {
+        "database": {
+          "values": [
+            "hivetable"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        },
+        "table": {
+          "values": [
+            "words"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        }
+      },
+      "id": 5,
+      "isEnabled": true,
+      "version": 14
+    },
+    {
+      "resourceElements": {
+        "database": {
+          "values": [
+            "hivetable"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        }
+      },
+      "id": 6,
+      "isEnabled": true,
+      "version": 14
+    },
+    {
+      "resourceElements": {
+        "database": {
+          "values": [
+            "hivetable"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        },
+        "column": {
+          "values": [
+            "word"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        },
+        "table": {
+          "values": [
+            "words"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        }
+      },
+      "id": 7,
+      "isEnabled": true,
+      "version": 14
+    }
+  ],
+  "resourceToTagIds": {
+    "5": [
+      5
+    ],
+    "6": [
+      6
+    ],
+    "7": [
+      7
+    ]
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/resources/hive-policies.json
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/resources/hive-policies.json b/hive-agent/src/test/resources/hive-policies.json
index dd71424..2b568dc 100644
--- a/hive-agent/src/test/resources/hive-policies.json
+++ b/hive-agent/src/test/resources/hive-policies.json
@@ -1,18 +1,19 @@
 {
-  "serviceName": "HIVETest",
-  "serviceId": 2,
-  "policyVersion": 11,
-  "policyUpdateTime": "20160915-12:47:25.000-+0100",
+  "serviceName": "cl1_hive",
+  "serviceId": 8,
+  "policyVersion": 19,
+  "policyUpdateTime": "20170221-13:11:59.000-+0000",
   "policies": [
     {
-      "service": "HIVETest",
-      "name": "all - database, table, column",
+      "service": "cl1_hive",
+      "name": "WordsPolicy",
       "policyType": 0,
+      "description": "",
       "isAuditEnabled": true,
       "resources": {
         "database": {
           "values": [
-            "*"
+            "rangerauthz"
           ],
           "isExcludes": false,
           "isRecursive": false
@@ -26,7 +27,7 @@
         },
         "table": {
           "values": [
-            "*"
+            "words"
           ],
           "isExcludes": false,
           "isRecursive": false
@@ -42,48 +43,38 @@
             {
               "type": "update",
               "isAllowed": true
-            },
-            {
-              "type": "create",
-              "isAllowed": true
-            },
-            {
-              "type": "drop",
-              "isAllowed": true
-            },
-            {
-              "type": "alter",
-              "isAllowed": true
-            },
-            {
-              "type": "index",
-              "isAllowed": true
-            },
-            {
-              "type": "lock",
-              "isAllowed": true
-            },
+            }
+          ],
+          "users": [
+            "bob"
+          ],
+          "groups": [],
+          "conditions": [],
+          "delegateAdmin": false
+        },
+        {
+          "accesses": [
             {
-              "type": "all",
+              "type": "select",
               "isAllowed": true
             }
           ],
           "users": [
-            "admin"
+            "dave"
           ],
           "groups": [],
           "conditions": [],
-          "delegateAdmin": true
+          "delegateAdmin": false
         },
         {
           "accesses": [
             {
-              "type": "create",
+              "type": "select",
               "isAllowed": true
             }
           ],
           "users": [
-            "bob"
+            "jane"
           ],
           "groups": [],
           "conditions": [],
@@ -95,19 +86,20 @@
       "denyExceptions": [],
       "dataMaskPolicyItems": [],
       "rowFilterPolicyItems": [],
-      "id": 8,
+      "id": 23,
       "isEnabled": true,
-      "version": 2
+      "version": 3
     },
-     {
-      "service": "HIVETest",
-      "name": "Delagate admin-allowed on rangerauthzx",
+    {
+      "service": "cl1_hive",
+      "name": "AllPolicy",
       "policyType": 0,
+      "description": "",
       "isAuditEnabled": true,
       "resources": {
         "database": {
           "values": [
-            "rangerauthzx"
+            "*"
           ],
           "isExcludes": false,
           "isRecursive": false
@@ -131,78 +123,17 @@
         {
           "accesses": [
             {
-              "type": "select",
-              "isAllowed": true
-            },
-            {
-              "type": "update",
-              "isAllowed": true
-            },
-            {
               "type": "create",
               "isAllowed": true
-            },
-            {
-              "type": "drop",
-              "isAllowed": true
-            },
-            {
-              "type": "alter",
-              "isAllowed": true
-            },
-            {
-              "type": "index",
-              "isAllowed": true
-            },
-            {
-              "type": "lock",
-              "isAllowed": true
-            },
-            {
-              "type": "all",
-              "isAllowed": true
             }
           ],
           "users": [
-            "da_test_user"
+            "bob"
           ],
           "groups": [],
           "conditions": [],
-          "delegateAdmin": true
-        }
-      ],
-      "denyPolicyItems": [],
-      "allowExceptions": [],
-      "denyExceptions": [],
-      "dataMaskPolicyItems": [],
-      "rowFilterPolicyItems": [],
-      "id": 8,
-      "isEnabled": true,
-      "version": 2
-    }
-    ,
-    {
-      "service": "HIVETest",
-      "name": "all - database, udf",
-      "policyType": 0,
-      "isAuditEnabled": true,
-      "resources": {
-        "database": {
-          "values": [
-            "*"
-          ],
-          "isExcludes": false,
-          "isRecursive": false
+          "delegateAdmin": false
         },
-        "udf": {
-          "values": [
-            "*"
-          ],
-          "isExcludes": false,
-          "isRecursive": false
-        }
-      },
-      "policyItems": [
         {
           "accesses": [
             {
@@ -243,7 +174,7 @@
           ],
           "groups": [],
           "conditions": [],
-          "delegateAdmin": true
+          "delegateAdmin": false
         }
       ],
       "denyPolicyItems": [],
@@ -251,14 +182,15 @@
       "denyExceptions": [],
       "dataMaskPolicyItems": [],
       "rowFilterPolicyItems": [],
-      "id": 9,
+      "id": 24,
       "isEnabled": true,
-      "version": 1
+      "version": 2
     },
     {
-      "service": "HIVETest",
-      "name": "SelectUpdateAllWords",
+      "service": "cl1_hive",
+      "name": "CountWordsPolicy",
       "policyType": 0,
+      "description": "",
       "isAuditEnabled": true,
       "resources": {
         "database": {
@@ -270,7 +202,7 @@
         },
         "column": {
           "values": [
-            "*"
+            "count"
           ],
           "isExcludes": false,
           "isRecursive": false
@@ -289,31 +221,12 @@
             {
               "type": "select",
               "isAllowed": true
-            },
-            {
-              "type": "update",
-              "isAllowed": true
             }
           ],
-          "users": [
-            "bob"
-          ],
-          "groups": [],
-          "conditions": [],
-          "delegateAdmin": false
-        },
-        {
-          "accesses": [
-            {
-              "type": "select",
-              "isAllowed": true
-            }
-          ],
-          "users": [
-            "dave",
-            "jane"
+          "users": [],
+          "groups": [
+            "IT"
           ],
-          "groups": [],
           "conditions": [],
           "delegateAdmin": false
         }
@@ -323,14 +236,15 @@
       "denyExceptions": [],
       "dataMaskPolicyItems": [],
       "rowFilterPolicyItems": [],
-      "id": 10,
+      "id": 25,
       "isEnabled": true,
-      "version": 3
+      "version": 1
     },
     {
-      "service": "HIVETest",
-      "name": "SelectCountWords",
+      "service": "cl1_hive",
+      "name": "TmpSelectPolicy",
       "policyType": 0,
+      "description": "",
       "isAuditEnabled": true,
       "resources": {
         "database": {
@@ -342,14 +256,14 @@
         },
         "column": {
           "values": [
-            "count"
+            "*"
           ],
           "isExcludes": false,
           "isRecursive": false
         },
         "table": {
           "values": [
-            "words"
+            "*_tmp_*"
           ],
           "isExcludes": false,
           "isRecursive": false
@@ -363,6 +277,20 @@
               "isAllowed": true
             }
           ],
+          "users": [
+            "bob"
+          ],
+          "groups": [],
+          "conditions": [],
+          "delegateAdmin": false
+        },
+        {
+          "accesses": [
+            {
+              "type": "select",
+              "isAllowed": true
+            }
+          ],
           "users": [],
           "groups": [
             "IT"
@@ -376,40 +304,42 @@
       "denyExceptions": [],
       "dataMaskPolicyItems": [],
       "rowFilterPolicyItems": [],
-      "id": 11,
+      "id": 26,
       "isEnabled": true,
-      "version": 1
+      "version": 2
     },
     {
-      "service": "HIVETest",
-      "name": "TmpUpdatePolicy",
-      "policyType": 0,
+      "service": "cl1_hive",
+      "name": "DavePolicy",
+      "policyType": 2,
+      "description": "",
       "isAuditEnabled": true,
       "resources": {
         "database": {
           "values": [
-            "*"
-          ],
-          "isExcludes": false,
-          "isRecursive": false
-        },
-        "column": {
-          "values": [
-            "*"
+            "rangerauthz"
           ],
           "isExcludes": false,
           "isRecursive": false
         },
         "table": {
           "values": [
-            "*_tmp_*"
+            "words"
           ],
           "isExcludes": false,
           "isRecursive": false
         }
       },
-      "policyItems": [
+      "policyItems": [],
+      "denyPolicyItems": [],
+      "allowExceptions": [],
+      "denyExceptions": [],
+      "dataMaskPolicyItems": [],
+      "rowFilterPolicyItems": [
         {
+          "rowFilterInfo": {
+            "filterExpr": "count \u003e\u003d \u002780\u0027"
+          },
           "accesses": [
             {
               "type": "select",
@@ -417,28 +347,22 @@
             }
           ],
           "users": [
-            "bob"
-          ],
-          "groups": [
-            "IT"
+            "dave"
           ],
+          "groups": [],
           "conditions": [],
           "delegateAdmin": false
         }
       ],
-      "denyPolicyItems": [],
-      "allowExceptions": [],
-      "denyExceptions": [],
-      "dataMaskPolicyItems": [],
-      "rowFilterPolicyItems": [],
-      "id": 12,
+      "id": 27,
       "isEnabled": true,
       "version": 1
     },
     {
-      "service": "HIVETest",
-      "name": "DaveFilter",
-      "policyType": 2,
+      "service": "cl1_hive",
+      "name": "JanePolicy",
+      "policyType": 1,
+      "description": "",
       "isAuditEnabled": true,
       "resources": {
         "database": {
@@ -448,6 +372,13 @@
           "isExcludes": false,
           "isRecursive": false
         },
+        "column": {
+          "values": [
+            "word"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        },
         "table": {
           "values": [
             "words"
@@ -460,11 +391,12 @@
       "denyPolicyItems": [],
       "allowExceptions": [],
       "denyExceptions": [],
-      "dataMaskPolicyItems": [],
-      "rowFilterPolicyItems": [
+      "dataMaskPolicyItems": [
         {
-          "rowFilterInfo": {
-            "filterExpr": "count \u003e\u003d \u002780\u0027"
+          "dataMaskInfo": {
+            "dataMaskType": "MASK_HASH",
+            "conditionExpr": "",
+            "valueExpr": ""
           },
           "accesses": [
             {
@@ -473,72 +405,98 @@
             }
           ],
           "users": [
-            "dave"
+            "jane"
           ],
           "groups": [],
           "conditions": [],
           "delegateAdmin": false
         }
       ],
-      "id": 13,
+      "rowFilterPolicyItems": [],
+      "id": 28,
       "isEnabled": true,
-      "version": 1
+      "version": 2
     },
     {
-      "service": "HIVETest",
-      "name": "JaneWordMask",
-      "policyType": 1,
+      "service": "cl1_hive",
+      "name": "Delagate admin-allowed on rangerauthzx",
+      "policyType": 0,
       "isAuditEnabled": true,
       "resources": {
         "database": {
           "values": [
-            "rangerauthz"
+            "rangerauthzx"
           ],
           "isExcludes": false,
           "isRecursive": false
         },
         "column": {
           "values": [
-            "word"
+            "*"
           ],
           "isExcludes": false,
           "isRecursive": false
         },
         "table": {
           "values": [
-            "words"
+            "*"
           ],
           "isExcludes": false,
           "isRecursive": false
         }
       },
-      "policyItems": [],
-      "denyPolicyItems": [],
-      "allowExceptions": [],
-      "denyExceptions": [],
-      "dataMaskPolicyItems": [
+      "policyItems": [
         {
-          "dataMaskInfo": {
-            "dataMaskType": "MASK_HASH"
-          },
           "accesses": [
             {
               "type": "select",
               "isAllowed": true
+            },
+            {
+              "type": "update",
+              "isAllowed": true
+            },
+            {
+              "type": "create",
+              "isAllowed": true
+            },
+            {
+              "type": "drop",
+              "isAllowed": true
+            },
+            {
+              "type": "alter",
+              "isAllowed": true
+            },
+            {
+              "type": "index",
+              "isAllowed": true
+            },
+            {
+              "type": "lock",
+              "isAllowed": true
+            },
+            {
+              "type": "all",
+              "isAllowed": true
             }
           ],
           "users": [
-            "jane"
+            "da_test_user"
           ],
           "groups": [],
           "conditions": [],
-          "delegateAdmin": false
+          "delegateAdmin": true
         }
       ],
+      "denyPolicyItems": [],
+      "allowExceptions": [],
+      "denyExceptions": [],
+      "dataMaskPolicyItems": [],
       "rowFilterPolicyItems": [],
-      "id": 14,
+      "id": 8,
       "isEnabled": true,
-      "version": 1
+      "version": 2
     }
   ],
   "serviceDef": {
@@ -750,7 +708,7 @@
         {
           "itemId": 1,
           "name": "MASK",
-          "label": "Mask",
+          "label": "Redact",
           "description": "Replace lowercase with \u0027x\u0027, uppercase with \u0027X\u0027, digits with \u00270\u0027",
           "transformer": "mask({col})",
           "dataMaskOptions": {}
@@ -782,58 +740,18 @@
         {
           "itemId": 5,
           "name": "MASK_NULL",
-          "label": "NULL",
+          "label": "Nullify",
           "description": "Replace with NULL",
           "dataMaskOptions": {}
         },
         {
           "itemId": 6,
           "name": "MASK_NONE",
-          "label": "No masking",
+          "label": "Unmasked (retain original value)",
           "description": "No masking",
           "dataMaskOptions": {}
         },
         {
-          "itemId": 7,
-          "name": "MASK_DATE_DAY",
-          "label": "Date: mask day",
-          "description": "Date: mask day",
-          "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, 1, -1, -1)",
-          "dataMaskOptions": {}
-        },
-        {
-          "itemId": 8,
-          "name": "MASK_DATE_MONTH",
-          "label": "Date: mask month",
-          "description": "Date: mask month",
-          "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, 0, -1)",
-          "dataMaskOptions": {}
-        },
-        {
-          "itemId": 9,
-          "name": "MASK_DATE_YEAR",
-          "label": "Date: mask year",
-          "description": "Date: mask year",
-          "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, -1, 0)",
-          "dataMaskOptions": {}
-        },
-        {
-          "itemId": 10,
-          "name": "MASK_DATE_SHOW_DAY",
-          "label": "Date: show only day",
-          "description": "Date: show only day",
-          "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, -1, 0, 0)",
-          "dataMaskOptions": {}
-        },
-        {
-          "itemId": 11,
-          "name": "MASK_DATE_SHOW_MONTH",
-          "label": "Date: show only month",
-          "description": "Date: show only month",
-          "transformer": "mask({col}, \u0027x\u0027, \u0027x\u0027, \u0027x\u0027, -1, \u00271\u0027, 1, -1, 0)",
-          "dataMaskOptions": {}
-        },
-        {
           "itemId": 12,
           "name": "MASK_DATE_SHOW_YEAR",
           "label": "Date: show only year",
@@ -978,8 +896,844 @@
     "id": 3,
     "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
     "isEnabled": true,
-    "createTime": "20160914-11:19:33.000-+0100",
-    "updateTime": "20160914-11:19:33.000-+0100",
-    "version": 1
+    "createTime": "20170217-11:41:32.000-+0000",
+    "updateTime": "20170217-11:42:12.000-+0000",
+    "version": 2
+  },
+  "auditMode": "audit-default",
+  "tagPolicies": {
+    "serviceName": "KafkaTagService",
+    "serviceId": 5,
+    "policyVersion": 12,
+    "policyUpdateTime": "20170221-13:11:59.000-+0000",
+    "policies": [
+      {
+        "service": "KafkaTagService",
+        "name": "EXPIRES_ON",
+        "policyType": 0,
+        "description": "Policy for data with EXPIRES_ON tag",
+        "isAuditEnabled": true,
+        "resources": {
+          "tag": {
+            "values": [
+              "EXPIRES_ON"
+            ],
+            "isExcludes": false,
+            "isRecursive": false
+          }
+        },
+        "policyItems": [],
+        "denyPolicyItems": [
+          {
+            "accesses": [
+              {
+                "type": "hdfs:read",
+                "isAllowed": true
+              },
+              {
+                "type": "hdfs:write",
+                "isAllowed": true
+              },
+              {
+                "type": "hdfs:execute",
+                "isAllowed": true
+              },
+              {
+                "type": "hbase:read",
+                "isAllowed": true
+              },
+              {
+                "type": "hbase:write",
+                "isAllowed": true
+              },
+              {
+                "type": "hbase:create",
+                "isAllowed": true
+              },
+              {
+                "type": "hbase:admin",
+                "isAllowed": true
+              },
+              {
+                "type": "hive:select",
+                "isAllowed": true
+              },
+              {
+                "type": "hive:update",
+                "isAllowed": true
+              },
+              {
+                "type": "hive:create",
+                "isAllowed": true
+              },
+              {
+                "type": "hive:drop",
+                "isAllowed": true
+              },
+              {
+                "type": "hive:alter",
+                "isAllowed": true
+              },
+              {
+                "type": "hive:index",
+                "isAllowed": true
+              },
+              {
+                "type": "hive:lock",
+                "isAllowed": true
+              },
+              {
+                "type": "hive:all",
+                "isAllowed": true
+              },
+              {
+                "type": "yarn:submit-app",
+                "isAllowed": true
+              },
+              {
+                "type": "yarn:admin-queue",
+                "isAllowed": true
+              },
+              {
+                "type": "knox:allow",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:submitTopology",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:fileUpload",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:fileDownload",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:killTopology",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:rebalance",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:activate",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:deactivate",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:getTopologyConf",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:getTopology",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:getUserTopology",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:getTopologyInfo",
+                "isAllowed": true
+              },
+              {
+                "type": "storm:uploadNewCredentials",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:create",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:delete",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:rollover",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:setkeymaterial",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:get",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:getkeys",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:getmetadata",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:generateeek",
+                "isAllowed": true
+              },
+              {
+                "type": "kms:decrypteek",
+                "isAllowed": true
+              },
+              {
+                "type": "solr:query",
+                "isAllowed": true
+              },
+              {
+                "type": "solr:update",
+                "isAllowed": true
+              },
+              {
+                "type": "solr:others",
+                "isAllowed": true
+              },
+              {
+                "type": "solr:solr_admin",
+                "isAllowed": true
+              },
+              {
+                "type": "kafka:publish",
+                "isAllowed": true
+              },
+              {
+                "type": "kafka:consume",
+                "isAllowed": true
+              },
+              {
+                "type": "kafka:configure",
+                "isAllowed": true
+              },
+              {
+                "type": "kafka:describe",
+                "isAllowed": true
+              },
+              {
+                "type": "kafka:create",
+                "isAllowed": true
+              },
+              {
+                "type": "kafka:delete",
+                "isAllowed": true
+              },
+              {
+                "type": "kafka:kafka_admin",
+                "isAllowed": true
+              },
+              {
+                "type": "atlas:read",
+                "isAllowed": true
+              },
+              {
+                "type": "atlas:create",
+                "isAllowed": true
+              },
+              {
+                "type": "atlas:update",
+                "isAllowed": true
+              },
+              {
+                "type": "atlas:delete",
+                "isAllowed": true
+              },
+              {
+                "type": "atlas:all",
+                "isAllowed": true
+              }
+            ],
+            "users": [],
+            "groups": [
+              "public"
+            ],
+            "conditions": [
+              {
+                "type": "accessed-after-expiry",
+                "values": [
+                  "yes"
+                ]
+              }
+            ],
+            "delegateAdmin": false
+          }
+        ],
+        "allowExceptions": [],
+        "denyExceptions": [],
+        "dataMaskPolicyItems": [],
+        "rowFilterPolicyItems": [],
+        "id": 10,
+        "isEnabled": true,
+        "version": 1
+      },
+      {
+        "service": "KafkaTagService",
+        "name": "HiveTableTagPolicy",
+        "policyType": 0,
+        "description": "",
+        "isAuditEnabled": true,
+        "resources": {
+          "tag": {
+            "values": [
+              "HiveTableTag"
+            ],
+            "isExcludes": false,
+            "isRecursive": false
+          }
+        },
+        "policyItems": [
+          {
+            "accesses": [
+              {
+                "type": "hive:select",
+                "isAllowed": true
+              }
+            ],
+            "users": [],
+            "groups": [
+              "dev"
+            ],
+            "conditions": [],
+            "delegateAdmin": false
+          }
+        ],
+        "denyPolicyItems": [],
+        "allowExceptions": [],
+        "denyExceptions": [],
+        "dataMaskPolicyItems": [],
+        "rowFilterPolicyItems": [],
+        "id": 29,
+        "isEnabled": true,
+        "version": 1
+      },
+      {
+        "service": "KafkaTagService",
+        "name": "HiveDatabaseTagPolicy",
+        "policyType": 0,
+        "description": "",
+        "isAuditEnabled": true,
+        "resources": {
+          "tag": {
+            "values": [
+              "HiveDatabaseTag"
+            ],
+            "isExcludes": false,
+            "isRecursive": false
+          }
+        },
+        "policyItems": [
+          {
+            "accesses": [
+              {
+                "type": "hive:create",
+                "isAllowed": true
+              }
+            ],
+            "users": [],
+            "groups": [
+              "dev"
+            ],
+            "conditions": [],
+            "delegateAdmin": false
+          }
+        ],
+        "denyPolicyItems": [],
+        "allowExceptions": [],
+        "denyExceptions": [],
+        "dataMaskPolicyItems": [],
+        "rowFilterPolicyItems": [],
+        "id": 30,
+        "isEnabled": true,
+        "version": 1
+      },
+      {
+        "service": "KafkaTagService",
+        "name": "HiveColumnTagPolicy",
+        "policyType": 0,
+        "description": "",
+        "isAuditEnabled": true,
+        "resources": {
+          "tag": {
+            "values": [
+              "HiveColumnTag"
+            ],
+            "isExcludes": false,
+            "isRecursive": false
+          }
+        },
+        "policyItems": [
+          {
+            "accesses": [
+              {
+                "type": "hive:select",
+                "isAllowed": true
+              }
+            ],
+            "users": [
+              "frank"
+            ],
+            "groups": [],
+            "conditions": [],
+            "delegateAdmin": false
+          }
+        ],
+        "denyPolicyItems": [],
+        "allowExceptions": [],
+        "denyExceptions": [],
+        "dataMaskPolicyItems": [],
+        "rowFilterPolicyItems": [],
+        "id": 31,
+        "isEnabled": true,
+        "version": 1
+      }
+    ],
+    "serviceDef": {
+      "name": "tag",
+      "implClass": "org.apache.ranger.services.tag.RangerServiceTag",
+      "label": "TAG",
+      "description": "TAG Service Definition",
+      "options": {
+        "ui.pages": "tag-based-policies"
+      },
+      "configs": [],
+      "resources": [
+        {
+          "itemId": 1,
+          "name": "tag",
+          "type": "string",
+          "level": 1,
+          "mandatory": true,
+          "lookupSupported": true,
+          "recursiveSupported": false,
+          "excludesSupported": false,
+          "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+          "matcherOptions": {
+            "wildCard": "false",
+            "ignoreCase": "false"
+          },
+          "validationRegEx": "",
+          "validationMessage": "",
+          "uiHint": "{ \"singleValue\":true }",
+          "label": "TAG",
+          "description": "TAG"
+        }
+      ],
+      "accessTypes": [
+        {
+          "itemId": 1002,
+          "name": "hdfs:read",
+          "label": "Read",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 1003,
+          "name": "hdfs:write",
+          "label": "Write",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 1004,
+          "name": "hdfs:execute",
+          "label": "Execute",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 2003,
+          "name": "hbase:read",
+          "label": "Read",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 2004,
+          "name": "hbase:write",
+          "label": "Write",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 2005,
+          "name": "hbase:create",
+          "label": "Create",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 2006,
+          "name": "hbase:admin",
+          "label": "Admin",
+          "impliedGrants": [
+            "hbase:read",
+            "hbase:write",
+            "hbase:create"
+          ]
+        },
+        {
+          "itemId": 3004,
+          "name": "hive:select",
+          "label": "select",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 3005,
+          "name": "hive:update",
+          "label": "update",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 3006,
+          "name": "hive:create",
+          "label": "Create",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 3007,
+          "name": "hive:drop",
+          "label": "Drop",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 3008,
+          "name": "hive:alter",
+          "label": "Alter",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 3009,
+          "name": "hive:index",
+          "label": "Index",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 3010,
+          "name": "hive:lock",
+          "label": "Lock",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 3011,
+          "name": "hive:all",
+          "label": "All",
+          "impliedGrants": [
+            "hive:select",
+            "hive:update",
+            "hive:create",
+            "hive:drop",
+            "hive:alter",
+            "hive:index",
+            "hive:lock"
+          ]
+        },
+        {
+          "itemId": 4005,
+          "name": "yarn:submit-app",
+          "label": "submit-app",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 4006,
+          "name": "yarn:admin-queue",
+          "label": "admin-queue",
+          "impliedGrants": [
+            "yarn:submit-app"
+          ]
+        },
+        {
+          "itemId": 5006,
+          "name": "knox:allow",
+          "label": "Allow",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6007,
+          "name": "storm:submitTopology",
+          "label": "Submit Topology",
+          "impliedGrants": [
+            "storm:fileUpload",
+            "storm:fileDownload"
+          ]
+        },
+        {
+          "itemId": 6008,
+          "name": "storm:fileUpload",
+          "label": "File Upload",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6011,
+          "name": "storm:fileDownload",
+          "label": "File Download",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6012,
+          "name": "storm:killTopology",
+          "label": "Kill Topology",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6013,
+          "name": "storm:rebalance",
+          "label": "Rebalance",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6014,
+          "name": "storm:activate",
+          "label": "Activate",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6015,
+          "name": "storm:deactivate",
+          "label": "Deactivate",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6016,
+          "name": "storm:getTopologyConf",
+          "label": "Get Topology Conf",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6017,
+          "name": "storm:getTopology",
+          "label": "Get Topology",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6018,
+          "name": "storm:getUserTopology",
+          "label": "Get User Topology",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6019,
+          "name": "storm:getTopologyInfo",
+          "label": "Get Topology Info",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 6020,
+          "name": "storm:uploadNewCredentials",
+          "label": "Upload New Credential",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7008,
+          "name": "kms:create",
+          "label": "Create",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7009,
+          "name": "kms:delete",
+          "label": "Delete",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7010,
+          "name": "kms:rollover",
+          "label": "Rollover",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7011,
+          "name": "kms:setkeymaterial",
+          "label": "Set Key Material",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7012,
+          "name": "kms:get",
+          "label": "Get",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7013,
+          "name": "kms:getkeys",
+          "label": "Get Keys",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7014,
+          "name": "kms:getmetadata",
+          "label": "Get Metadata",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7015,
+          "name": "kms:generateeek",
+          "label": "Generate EEK",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 7016,
+          "name": "kms:decrypteek",
+          "label": "Decrypt EEK",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 8108,
+          "name": "solr:query",
+          "label": "Query",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 8208,
+          "name": "solr:update",
+          "label": "Update",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 8308,
+          "name": "solr:others",
+          "label": "Others",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 8908,
+          "name": "solr:solr_admin",
+          "label": "Solr Admin",
+          "impliedGrants": [
+            "solr:query",
+            "solr:update",
+            "solr:others"
+          ]
+        },
+        {
+          "itemId": 9010,
+          "name": "kafka:publish",
+          "label": "Publish",
+          "impliedGrants": [
+            "kafka:describe"
+          ]
+        },
+        {
+          "itemId": 9011,
+          "name": "kafka:consume",
+          "label": "Consume",
+          "impliedGrants": [
+            "kafka:describe"
+          ]
+        },
+        {
+          "itemId": 9014,
+          "name": "kafka:configure",
+          "label": "Configure",
+          "impliedGrants": [
+            "kafka:describe"
+          ]
+        },
+        {
+          "itemId": 9015,
+          "name": "kafka:describe",
+          "label": "Describe",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 9017,
+          "name": "kafka:create",
+          "label": "Create",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 9018,
+          "name": "kafka:delete",
+          "label": "Delete",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 9016,
+          "name": "kafka:kafka_admin",
+          "label": "Kafka Admin",
+          "impliedGrants": [
+            "kafka:publish",
+            "kafka:consume",
+            "kafka:configure",
+            "kafka:describe",
+            "kafka:create",
+            "kafka:delete"
+          ]
+        },
+        {
+          "itemId": 11012,
+          "name": "atlas:read",
+          "label": "read",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 11013,
+          "name": "atlas:create",
+          "label": "create",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 11014,
+          "name": "atlas:update",
+          "label": "update",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 11015,
+          "name": "atlas:delete",
+          "label": "delete",
+          "impliedGrants": []
+        },
+        {
+          "itemId": 11016,
+          "name": "atlas:all",
+          "label": "All",
+          "impliedGrants": [
+            "atlas:read",
+            "atlas:create",
+            "atlas:update",
+            "atlas:delete"
+          ]
+        }
+      ],
+      "policyConditions": [
+        {
+          "itemId": 1,
+          "name": "accessed-after-expiry",
+          "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+          "evaluatorOptions": {
+            "scriptTemplate": "ctx.isAccessedAfter(\u0027expiry_date\u0027);"
+          },
+          "uiHint": "{ \"singleValue\":true }",
+          "label": "Accessed after expiry_date (yes/no)?",
+          "description": "Accessed after expiry_date? (yes/no)"
+        }
+      ],
+      "contextEnrichers": [
+        {
+          "itemId": 1,
+          "name": "TagEnricher",
+          "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+          "enricherOptions": {
+            "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever",
+            "tagRefresherPollingInterval": "60000"
+          }
+        }
+      ],
+      "enums": [],
+      "dataMaskDef": {
+        "maskTypes": [],
+        "accessTypes": [],
+        "resources": []
+      },
+      "rowFilterDef": {
+        "accessTypes": [],
+        "resources": []
+      },
+      "id": 100,
+      "guid": "0d047248-baff-4cf9-8e9e-d5d377284b2e",
+      "isEnabled": true,
+      "createTime": "20170217-11:41:33.000-+0000",
+      "updateTime": "20170217-11:41:35.000-+0000",
+      "version": 11
+    },
+    "auditMode": "audit-default"
   }
-}
\ No newline at end of file
+}

http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/hive-agent/src/test/resources/ranger-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/src/test/resources/ranger-hive-security.xml b/hive-agent/src/test/resources/ranger-hive-security.xml
index 46fd28e..43489a8 100644
--- a/hive-agent/src/test/resources/ranger-hive-security.xml
+++ b/hive-agent/src/test/resources/ranger-hive-security.xml
@@ -20,7 +20,7 @@
 
 	<property>
 		<name>ranger.plugin.hive.service.name</name>
-		<value>HIVETest</value>
+		<value>cl1_hive</value>
 		<description>
 			Name of the Ranger service containing policies for this SampleApp instance
 		</description>

http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
index cef9f12..2b0da34 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
@@ -60,7 +60,7 @@ import kafka.utils.ZkUtils;
  * 
  * Policies available from admin via:
  * 
- * http://localhost:6080/service/plugins/policies/download/KafkaTest
+ * http://localhost:6080/service/plugins/policies/download/cl1_kafka
  * 
  * Clients and services authenticate to Kafka using the SASL SSL protocol as part of this test.
  */

http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
index 898c785..f68a164 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
@@ -59,10 +59,14 @@ import kafka.utils.ZkUtils;
  * 
  *  - The "IT" group can do anything
  *  - The "public" group can only "read/describe" on the "test" topic, not "write".
+ *
+ * In addition we have a TAG based policy, which grants "read/describe" access to the "public" group to the "messages" topic (which is associated
+ * with the tag called "MessagesTag". A "kafka_topic" entity was created in Apache Atlas + then associated with the "MessagesTag". This was
+ * then imported into Ranger using the TagSyncService. The policies were then downloaded locally and saved for testing off-line.
  * 
  * Policies available from admin via:
  * 
- * http://localhost:6080/service/plugins/policies/download/KafkaTest
+ * http://localhost:6080/service/plugins/policies/download/cl1_kafka
  */
 public class KafkaRangerAuthorizerTest {
     
@@ -302,4 +306,68 @@ public class KafkaRangerAuthorizerTest {
         
         producer.close();
     }
+
+    // The "public" group can read from "messages"
+    @Test
+    public void testAuthorizedReadUsingTagPolicy() throws Exception {
+        // Create the Producer
+        Properties producerProps = new Properties();
+        producerProps.put("bootstrap.servers", "localhost:" + port);
+        producerProps.put("acks", "all");
+        producerProps.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
+        producerProps.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer");
+        producerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
+        producerProps.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+        producerProps.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, serviceKeystorePath);
+        producerProps.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "sspass");
+        producerProps.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "skpass");
+        producerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, truststorePath);
+        producerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "security");
+
+        final Producer<String, String> producer = new KafkaProducer<>(producerProps);
+
+        // Create the Consumer
+        Properties consumerProps = new Properties();
+        consumerProps.put("bootstrap.servers", "localhost:" + port);
+        consumerProps.put("group.id", "test");
+        consumerProps.put("enable.auto.commit", "true");
+        consumerProps.put("auto.offset.reset", "earliest");
+        consumerProps.put("auto.commit.interval.ms", "1000");
+        consumerProps.put("session.timeout.ms", "30000");
+        consumerProps.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
+        consumerProps.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
+        consumerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
+        consumerProps.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "JKS");
+        consumerProps.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, clientKeystorePath);
+        consumerProps.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "cspass");
+        consumerProps.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "ckpass");
+        consumerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, truststorePath);
+        consumerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "security");
+
+        final KafkaConsumer<String, String> consumer = new KafkaConsumer<>(consumerProps);
+        consumer.subscribe(Arrays.asList("messages"));
+
+        // Send a message
+        producer.send(new ProducerRecord<String, String>("messages", "somekey", "somevalue"));
+        producer.flush();
+
+        // Poll until we consume it
+
+        ConsumerRecord<String, String> record = null;
+        for (int i = 0; i < 1000; i++) {
+            ConsumerRecords<String, String> records = consumer.poll(100);
+            if (records.count() > 0) {
+                record = records.iterator().next();
+                break;
+            }
+            Thread.sleep(1000);
+        }
+
+        Assert.assertNotNull(record);
+        Assert.assertEquals("somevalue", record.value());
+
+        producer.close();
+        consumer.close();
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java
index 26dc151..9ed94ff 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/RangerAdminClientImpl.java
@@ -38,6 +38,7 @@ import com.google.gson.GsonBuilder;
 public class RangerAdminClientImpl implements RangerAdminClient {
     private static final Logger LOG = LoggerFactory.getLogger(RangerAdminClientImpl.class);
     private final static String cacheFilename = "kafka-policies.json";
+    private final static String tagFilename = "kafka-policies-tag.json";
     private Gson gson;
 
     public void init(String serviceName, String appId, String configPropertyPrefix) {
@@ -72,8 +73,15 @@ public class RangerAdminClientImpl implements RangerAdminClient {
     }
 
     public ServiceTags getServiceTagsIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception {
-        return null;
-        
+        String basedir = System.getProperty("basedir");
+        if (basedir == null) {
+            basedir = new File(".").getCanonicalPath();
+        }
+
+        java.nio.file.Path cachePath = FileSystems.getDefault().getPath(basedir, "/src/test/resources/" + tagFilename);
+        byte[] cacheBytes = Files.readAllBytes(cachePath);
+
+        return gson.fromJson(new String(cacheBytes), ServiceTags.class);
     }
 
     public List<String> getTagTypes(String tagTypePattern) throws Exception {

http://git-wip-us.apache.org/repos/asf/ranger/blob/a4592939/plugin-kafka/src/test/resources/kafka-policies-tag.json
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/resources/kafka-policies-tag.json b/plugin-kafka/src/test/resources/kafka-policies-tag.json
new file mode 100644
index 0000000..c85e133
--- /dev/null
+++ b/plugin-kafka/src/test/resources/kafka-policies-tag.json
@@ -0,0 +1,37 @@
+{
+  "op": "add_or_update",
+  "serviceName": "cl1_kafka",
+  "tagVersion": 2,
+  "tagDefinitions": {},
+  "tags": {
+    "3": {
+      "type": "MessagesTag",
+      "owner": 0,
+      "attributes": {},
+      "id": 3,
+      "isEnabled": true,
+      "version": 1
+    }
+  },
+  "serviceResources": [
+    {
+      "resourceElements": {
+        "topic": {
+          "values": [
+            "messages"
+          ],
+          "isExcludes": false,
+          "isRecursive": true
+        }
+      },
+      "id": 3,
+      "isEnabled": true,
+      "version": 2
+    }
+  ],
+  "resourceToTagIds": {
+    "3": [
+      3
+    ]
+  }
+}
\ No newline at end of file


Mime
View raw message