From ab...@apache.org
Subject ranger git commit: RANGER-1966: Policy engine initialization does not create context enrichers in some cases
Date Tue, 30 Jan 2018 20:19:00 GMT
Repository: ranger
Updated Branches:
  refs/heads/master af6b8c4f3 -> 9da43c7e0


RANGER-1966: Policy engine initialization does not create context enrichers in some cases


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9da43c7e
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9da43c7e
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9da43c7e

Branch: refs/heads/master
Commit: 9da43c7e07ba5eaba31cfd7a4bf4727f9021395c
Parents: af6b8c4
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Tue Jan 30 12:00:15 2018 -0800
Committer: Abhay Kulkarni <akulkarni@hortonworks.com>
Committed: Tue Jan 30 12:00:15 2018 -0800

----------------------------------------------------------------------
 .../policyengine/RangerPolicyRepository.java    |  32 +-
 .../plugin/policyengine/TestPolicyEngine.java   |   7 +
 .../test_policyengine_tag_hive_mask.json        | 496 +++++++++++++++++++
 3 files changed, 533 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/9da43c7e/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index a66eca3..23d1efa 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -673,7 +673,8 @@ class RangerPolicyRepository {
         this.rowFilterPolicyEvaluators = Collections.unmodifiableList(rowFilterPolicyEvaluators);
 
         List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
-        if (CollectionUtils.isNotEmpty(this.policyEvaluators)) {
+        if (CollectionUtils.isNotEmpty(this.policyEvaluators) || CollectionUtils.isNotEmpty(this.dataMaskPolicyEvaluators)
+                || CollectionUtils.isNotEmpty(this.rowFilterPolicyEvaluators)) {
             if (CollectionUtils.isNotEmpty(serviceDef.getContextEnrichers())) {
                 for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers())
{
                     if (enricherDef == null) {
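Review bot: The three-way `isNotEmpty` disjunction on the new lines reads as "this repository holds at least one policy of any type", but nothing in the hunk records why enricher creation is gated on that, so the next evaluator list added to this class can be left out of the condition just as the data-mask and row-filter lists originally were. Naming the condition would carry the intent: `boolean hasPolicyEvaluators = CollectionUtils.isNotEmpty(this.policyEvaluators) || CollectionUtils.isNotEmpty(this.dataMaskPolicyEvaluators) || CollectionUtils.isNotEmpty(this.rowFilterPolicyEvaluators);` followed by `if (hasPolicyEvaluators) {`. A short comment above it, e.g. `// context enrichers are needed whenever any access, data-mask or row-filter policy exists; presumably skipped for an empty repository to avoid instantiating unused enrichers`, would make the gating explicit (the "why" part is inferred and should be confirmed). The enclosing method starts and ends outside the hunk.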
@@ -716,7 +717,7 @@ class RangerPolicyRepository {
                 LOG.debug("dataMask policy evaluation order: #" + (++order) + " - policy
id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder());
             }
 
-            LOG.debug("rowFilter policy evaluation order: " + this.dataMaskPolicyEvaluators.size()
+ " policies");
+            LOG.debug("rowFilter policy evaluation order: " + this.rowFilterPolicyEvaluators.size()
+ " policies");
             order = 0;
             for(RangerPolicyEvaluator policyEvaluator : this.rowFilterPolicyEvaluators) {
                 RangerPolicy policy = policyEvaluator.getPolicy();
@@ -898,6 +899,32 @@ class RangerPolicyRepository {
                 }
             }
         }
+        sb.append("} ");
+
+        sb.append("dataMaskPolicyEvaluators={");
+
+        if (this.dataMaskPolicyEvaluators != null) {
+            for (RangerPolicyEvaluator policyEvaluator : dataMaskPolicyEvaluators) {
+                if (policyEvaluator != null) {
+                    sb.append(policyEvaluator).append(" ");
+                }
+            }
+        }
+        sb.append("} ");
+
+        sb.append("rowFilterPolicyEvaluators={");
+
+        if (this.rowFilterPolicyEvaluators != null) {
+            for (RangerPolicyEvaluator policyEvaluator : rowFilterPolicyEvaluators) {
+                if (policyEvaluator != null) {
+                    sb.append(policyEvaluator).append(" ");
+                }
+            }
+        }
+        sb.append("} ");
+
+        sb.append("contextEnrichers={");
+
         if (contextEnrichers != null) {
             for (RangerContextEnricher contextEnricher : contextEnrichers) {
                 if (contextEnricher != null) {
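Review bot: The two new `dataMaskPolicyEvaluators={` and `rowFilterPolicyEvaluators={` sections repeat the same null-guarded append loop, and the surrounding policyEvaluators and contextEnrichers sections appear to follow the same shape; with four copies, the extra closing `"} "` appends introduced here (and the one in the next hunk) are easy to get out of step with the openings. A small private helper that takes the builder, the label and the list would keep each section to one line and make the open/close pairing structural rather than manual. The enclosing method starts and ends outside the hunk, so the existing policyEvaluators and contextEnrichers sections would need the same treatment there.
```java
        appendEvaluators(sb, "dataMaskPolicyEvaluators", this.dataMaskPolicyEvaluators);
        appendEvaluators(sb, "rowFilterPolicyEvaluators", this.rowFilterPolicyEvaluators);
        // … unchanged: contextEnrichers section …

    /** Appends {@code label={e1 e2 ...} }, skipping null evaluators; a null list yields {@code label={} }. */
    private static void appendEvaluators(StringBuilder sb, String label, List<? extends RangerPolicyEvaluator> evaluators) {
        sb.append(label).append("={");
        if (evaluators != null) {
            for (RangerPolicyEvaluator evaluator : evaluators) {
                if (evaluator != null) {
                    sb.append(evaluator).append(" ");
                }
            }
        }
        sb.append("} ");
    }
```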
@@ -905,6 +932,7 @@ class RangerPolicyRepository {
                 }
             }
         }
+        sb.append("} ");
 
         sb.append("} ");
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/9da43c7e/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index b476ed7..bcd1577 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -289,6 +289,13 @@ public class TestPolicyEngine {
 	}
 
 	@Test
+	public void testPolicyEngine_hiveTagMasking() {
+		String[] resourceFiles = {"/policyengine/test_policyengine_tag_hive_mask.json"};
+
+		runTestsFromResourceFiles(resourceFiles);
+	}
+
+	@Test
 	public void testPolicyEngine_owner() {
 		String[] resourceFiles = {"/policyengine/test_policyengine_owner.json"};
 
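Review bot: The new test exercises only the data-mask branch of the widened condition in RangerPolicyRepository: the single tag policy in test_policyengine_tag_hive_mask.json (id 1) carries dataMaskPolicyItems but no rowFilterPolicyItems, so the `CollectionUtils.isNotEmpty(this.rowFilterPolicyEvaluators)` clause has no coverage even though the resource file declares a rowFilterDef for both service defs. Adding a tag policy with a row-filter item and a request that asserts a rowFilterResult would pin that path as well. Note also that the tag serviceDef's `contextEnrichers` list in the resource file is empty, so whether this test actually reaches enricher construction presumably depends on how runTestsFromResourceFiles wires the request's TAGS context; worth confirming rather than assuming.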

http://git-wip-us.apache.org/repos/asf/ranger/blob/9da43c7e/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
new file mode 100644
index 0000000..a97bd2b
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_mask.json
@@ -0,0 +1,496 @@
+{
+  "serviceName": "hivedev",
+  "serviceDef": {
+    "name": "hive",
+    "id": 3,
+    "resources": [
+      {
+        "name": "database",
+        "level": 1,
+        "mandatory": true,
+        "lookupSupported": true,
+        "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+        "matcherOptions": {
+          "wildCard": true,
+          "ignoreCase": true
+        },
+        "label": "Hive Database",
+        "description": "Hive Database"
+      },
+      {
+        "name": "table",
+        "level": 2,
+        "parent": "database",
+        "mandatory": true,
+        "lookupSupported": true,
+        "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+        "matcherOptions": {
+          "wildCard": true,
+          "ignoreCase": true
+        },
+        "label": "Hive Table",
+        "description": "Hive Table"
+      },
+      {
+        "name": "udf",
+        "level": 2,
+        "parent": "database",
+        "mandatory": true,
+        "lookupSupported": true,
+        "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+        "matcherOptions": {
+          "wildCard": true,
+          "ignoreCase": true
+        },
+        "label": "Hive UDF",
+        "description": "Hive UDF"
+      },
+      {
+        "name": "column",
+        "level": 3,
+        "parent": "table",
+        "mandatory": true,
+        "lookupSupported": true,
+        "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+        "matcherOptions": {
+          "wildCard": true,
+          "ignoreCase": true
+        },
+        "label": "Hive Column",
+        "description": "Hive Column"
+      }
+    ],
+    "accessTypes": [
+      {
+        "name": "select",
+        "label": "Select"
+      },
+      {
+        "name": "update",
+        "label": "Update"
+      },
+      {
+        "name": "create",
+        "label": "Create"
+      },
+      {
+        "name": "grant",
+        "label": "Grant"
+      },
+      {
+        "name": "drop",
+        "label": "Drop"
+      },
+      {
+        "name": "alter",
+        "label": "Alter"
+      },
+      {
+        "name": "index",
+        "label": "Index"
+      },
+      {
+        "name": "lock",
+        "label": "Lock"
+      },
+      {
+        "name": "all",
+        "label": "All",
+        "impliedGrants": [
+          "select",
+          "update",
+          "create",
+          "grant",
+          "drop",
+          "alter",
+          "index",
+          "lock"
+        ]
+      }
+    ],
+    "dataMaskDef": {
+      "maskTypes": [
+        {
+          "itemId": 1,
+          "name": "MASK",
+          "label": "Mask",
+          "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'"
+        },
+        {
+          "itemId": 2,
+          "name": "SHUFFLE",
+          "label": "Shuffle",
+          "description": "Randomly shuffle the contents"
+        },
+        {
+          "itemId": 10,
+          "name": "NULL",
+          "label": "NULL",
+          "description": "Replace with NULL"
+        }
+
+      ],
+      "accessTypes":[
+        {"name":"select","label":"Select"}
+      ],
+      "resources":[
+        {"name":"database","matcherOptions":{"wildCard":false}},
+        {"name":"table","matcherOptions":{"wildCard":false}},
+        {"name":"column","matcherOptions":{"wildCard":false}}
+      ]
+    },
+    "rowFilterDef": {
+      "accessTypes":[
+        {"name":"select","label":"Select"}
+      ],
+      "resources":[
+        {"name":"database","matcherOptions":{"wildCard":false}},
+        {"name":"table","matcherOptions":{"wildCard":false}}
+      ]
+    }
+  },
+  "policies": [
+    {
+      "id": 101,
+      "name": "db=*: audit-all-access",
+      "isEnabled": true,
+      "isAuditEnabled": true,
+      "resources": {
+        "database": {
+          "values": [
+            "*"
+          ]
+        },
+        "table": {
+          "values": [
+            "*"
+          ]
+        },
+        "column": {
+          "values": [
+            "*"
+          ]
+        }
+      },
+      "policyItems": [
+        {
+          "accesses": [
+            {
+              "type": "all",
+              "isAllowed": true
+            }
+          ],
+          "users": [
+            "hive",
+            "user1",
+            "user2"
+          ],
+          "groups": [
+            "public"
+          ],
+          "delegateAdmin": false
+        }
+      ]
+    },
+    {
+      "id": 102,
+      "name": "db=*, udf=*: audit-all-access",
+      "isEnabled": true,
+      "isAuditEnabled": true,
+      "resources": {
+        "database": {
+          "values": [
+            "*"
+          ]
+        },
+        "udf": {
+          "values": [
+            "*"
+          ]
+        }
+      },
+      "policyItems": [
+        {
+          "accesses": [
+            {
+              "type": "all",
+              "isAllowed": true
+            }
+          ],
+          "users": [
+            "hive",
+            "user1",
+            "user2"
+          ],
+          "groups": [
+            "public"
+          ],
+          "delegateAdmin": false
+        }
+      ]
+    }
+  ],
+  "tagPolicyInfo": {
+    "serviceName": "tagdev",
+    "serviceDef": {
+      "name": "tag",
+      "id": 100,
+      "resources": [
+        {
+          "itemId": 1,
+          "name": "tag",
+          "type": "string",
+          "level": 1,
+          "parent": "",
+          "mandatory": true,
+          "lookupSupported": true,
+          "recursiveSupported": false,
+          "excludesSupported": false,
+          "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+          "matcherOptions": {
+            "wildCard": false,
+            "ignoreCase": false
+          },
+          "validationRegEx": "",
+          "validationMessage": "",
+          "uiHint": "",
+          "label": "TAG",
+          "description": "TAG"
+        }
+      ],
+      "accessTypes": [
+        {
+          "itemId": 1,
+          "name": "hive:select",
+          "label": "hive:select"
+        },
+        {
+          "itemId": 2,
+          "name": "hive:update",
+          "label": "hive:update"
+        },
+        {
+          "itemId": 3,
+          "name": "hive:create",
+          "label": "hive:create"
+        },
+        {
+          "itemId": 4,
+          "name": "hive:grant",
+          "label": "hive:grant"
+        },
+        {
+          "itemId": 5,
+          "name": "hive:drop",
+          "label": "hive:drop"
+        },
+        {
+          "itemId": 6,
+          "name": "hive:alter",
+          "label": "hive:alter"
+        },
+        {
+          "itemId": 7,
+          "name": "hive:index",
+          "label": "hive:index"
+        },
+        {
+          "itemId": 8,
+          "name": "hive:lock",
+          "label": "hive:lock"
+        },
+        {
+          "itemId": 9,
+          "name": "hive:all",
+          "label": "hive:all",
+          "impliedGrants": [
+            "hive:select",
+            "hive:update",
+            "hive:create",
+            "hive:grant",
+            "hive:drop",
+            "hive:alter",
+            "hive:index",
+            "hive:lock"
+          ]
+        }
+      ],
+      "dataMaskDef": {
+        "maskTypes": [
+          {
+            "itemId": 1,
+            "name": "MASK",
+            "label": "Mask",
+            "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'"
+          },
+          {
+            "itemId": 2,
+            "name": "SHUFFLE",
+            "label": "Shuffle",
+            "description": "Randomly shuffle the contents"
+          },
+          {
+            "itemId": 10,
+            "name": "NULL",
+            "label": "NULL",
+            "description": "Replace with NULL"
+          }
+
+        ],
+        "accessTypes":[
+          {"name":"hive:select","label":"hive:Select"}
+        ],
+        "resources":[
+          {"name":"tag","matcherOptions":{"wildCard":false}}
+        ]
+      },
+      "rowFilterDef": {
+        "accessTypes":[
+          {"name":"hive:select","label":"hive:Select"}
+        ],
+        "resources":[
+          {"name":"tag","matcherOptions":{"wildCard":false}}
+        ]
+      },
+      "contextEnrichers": [
+      ],
+      "policyConditions": [
+        {
+          "itemId": 1,
+          "name": "expression",
+          "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+          "evaluatorOptions": {
+            "engineName": "JavaScript",
+            "ui.isMultiline": "true"
+          },
+          "label": "Enter boolean expression",
+          "description": "Boolean expression"
+        },
+        {
+          "itemId": 2,
+          "name": "enforce-expiry",
+          "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+          "evaluatorOptions": {
+            "scriptTemplate": "ctx.isAccessedAfter('expiry_date');"
+          },
+          "label": "Deny access after expiry_date?",
+          "description": "Deny access after expiry_date? (yes/no)"
+        }
+      ]
+    },
+    "tagPolicies": [
+      {
+        "id": 1,
+        "name": "RESTRICTED_TAG_POLICY",
+        "isEnabled": true,
+        "isAuditEnabled": true,
+        "policyType": 1,
+        "resources": {
+          "tag": {
+            "values": [
+              "RESTRICTED"
+            ],
+            "isRecursive": false
+          }
+        },
+        "dataMaskPolicyItems": [
+          {
+            "accesses": [
+              {
+                "type": "select",
+                "isAllowed": true
+              }
+            ],
+            "users": [
+              "user1"
+            ],
+            "groups": [],
+            "delegateAdmin": false,
+            "dataMaskInfo": {
+              "dataMaskType": "MASK"
+            }
+          },
+          {
+            "accesses": [
+              {
+                "type": "select",
+                "isAllowed": true
+              }
+            ],
+            "users": [
+              "user2"
+            ],
+            "groups": [],
+            "delegateAdmin": false,
+            "dataMaskInfo": {
+              "dataMaskType": "SHUFFLE"
+            }
+          }
+        ]
+      }
+    ]
+  },
+  "tests": [
+    {
+      "name": "'select ssn from employee.personal;' for user1 - maskType=MASK",
+      "request": {
+        "resource": {
+          "elements": {
+            "database": "employee",
+            "table": "personal",
+            "column": "ssn"
+          }
+        },
+        "accessType": "select",
+        "user": "user1",
+        "userGroups": [],
+        "requestData": "select ssn from employee.personal;' for user1",
+        "context": {
+          "TAGS": "[{\"type\":\"RESTRICTED\"}]"
+        }
+      },
+      "dataMaskResult":{"additionalInfo":{"maskType":"MASK","maskCondition":null,"maskValue":null},"policyId":1}
+    },
+    {
+      "name": "'select ssn from employee.personal;' for user2 - maskType=SHUFFLE",
+      "request": {
+        "resource": {
+          "elements": {
+            "database": "employee",
+            "table": "personal",
+            "column": "ssn"
+          }
+        },
+        "accessType": "select",
+        "user": "user2",
+        "userGroups": [],
+        "requestData": "select ssn from employee.personal;' for user2",
+        "context": {
+          "TAGS": "[{\"type\":\"RESTRICTED\"}]"
+        }
+      },
+      "dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":1}
+    },
+    {
+      "name": "'select ssn from employee.personal;' for hive - maskType=NONE",
+      "request": {
+        "resource": {
+          "elements": {
+            "database": "employee",
+            "table": "personal",
+            "column": "ssn"
+          }
+        },
+        "accessType": "select",
+        "user": "hive",
+        "userGroups": [],
+        "requestData": "select ssn from employee.personal;' for hive",
+        "context": {
+          "TAGS": "[{\"type\":\"RESTRICTED\"}]"
+        }
+      },
+      "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1}
+    }
+  ]
+}
+

