ranger-commits mailing list archives

From ab...@apache.org
Subject [1/2] ranger git commit: RANGER-2061: Add policy engine support to get summary user and group ACLs for a resource
Date Mon, 09 Apr 2018 21:51:52 GMT
Repository: ranger
Updated Branches:
  refs/heads/master c8f67ce7c -> 3b510f8c0


http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
new file mode 100644
index 0000000..e92a2e6
--- /dev/null
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
@@ -0,0 +1,211 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import static org.junit.Assert.*;
+
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.lang.reflect.Type;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import com.google.gson.JsonDeserializationContext;
+import com.google.gson.JsonDeserializer;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonParseException;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.util.ServicePolicies;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
+public class TestPolicyACLs {
+	private static Gson gsonBuilder;
+
+	@BeforeClass
+	public static void setUpBeforeClass() throws Exception {
+		gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
+				.setPrettyPrinting()
+				.registerTypeAdapter(RangerAccessResource.class, new RangerResourceDeserializer())
+				.create();
+
+	}
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Before
+	public void setUp() throws Exception {
+	}
+
+	@After
+	public void tearDown() throws Exception {
+	}
+
+	@Test
+	public void testResourceMatcher_default() throws Exception {
+		String[] tests = { "/policyengine/test_aclprovider_default.json" };
+
+		runTestsFromResourceFiles(tests);
+	}
+
+	private void runTestsFromResourceFiles(String[] resourceNames) throws Exception {
+		for(String resourceName : resourceNames) {
+			InputStream       inStream = this.getClass().getResourceAsStream(resourceName);
+			InputStreamReader reader   = new InputStreamReader(inStream);
+
+			runTests(reader, resourceName);
+		}
+	}
+
+	private void runTests(InputStreamReader reader, String testName) throws Exception {
+		PolicyACLsTests testCases = gsonBuilder.fromJson(reader, PolicyACLsTests.class);
+
+		assertTrue("invalid input: " + testName, testCases != null && testCases.testCases != null);
+
+		for(PolicyACLsTests.TestCase testCase : testCases.testCases) {
+			RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
+			RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl("test-policy-acls", testCase.servicePolicies, policyEngineOptions);
+
+			for(PolicyACLsTests.TestCase.OneTest oneTest : testCase.tests) {
+				if(oneTest == null) {
+					continue;
+				}
+				RangerAccessRequestImpl request = new RangerAccessRequestImpl(oneTest.resource, RangerPolicyEngine.ANY_ACCESS, null, null);
+				policyEngine.preProcess(request);
+				RangerResourceACLs acls = policyEngine.getResourceACLs(request);
+
+				boolean userACLsMatched = true, groupACLsMatched = true;
+
+				if (MapUtils.isNotEmpty(acls.getUserACLs()) && MapUtils.isNotEmpty(oneTest.userPermissions)) {
+
+					for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry :
+							acls.getUserACLs().entrySet()) {
+						String userName = entry.getKey();
+						Map<String, RangerResourceACLs.AccessResult> expected = oneTest.userPermissions.get(userName);
+						if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
+							// Compare
+							for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
+								if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
+									continue;
+								}
+								RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
+								if (expectedResult == null) {
+									userACLsMatched = false;
+									break;
+								} else if (!expectedResult.equals(privilege.getValue())) {
+									userACLsMatched = false;
+									break;
+								}
+							}
+						} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
+							Set<String> privileges = entry.getValue().keySet();
+							if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
+								userACLsMatched = true;
+							} else {
+								userACLsMatched = false;
+							}
+							break;
+						}
+						if (!userACLsMatched) {
+							break;
+						}
+					}
+				} else if (!(MapUtils.isEmpty(acls.getUserACLs()) && MapUtils.isEmpty(oneTest.userPermissions))) {
+					userACLsMatched = false;
+				}
+
+				if (MapUtils.isNotEmpty(acls.getGroupACLs()) && MapUtils.isNotEmpty(oneTest.groupPermissions)) {
+					for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry :
+							acls.getGroupACLs().entrySet()) {
+						String groupName = entry.getKey();
+						Map<String, RangerResourceACLs.AccessResult> expected = oneTest.groupPermissions.get(groupName);
+						if (MapUtils.isNotEmpty(entry.getValue()) && MapUtils.isNotEmpty(expected)) {
+							// Compare
+							for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
+								if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
+									continue;
+								}
+								RangerResourceACLs.AccessResult expectedResult = expected.get(privilege.getKey());
+								if (expectedResult == null) {
+									groupACLsMatched = false;
+									break;
+								} else if (!expectedResult.equals(privilege.getValue())) {
+									groupACLsMatched = false;
+									break;
+								}
+							}
+						} else if (!(MapUtils.isEmpty(entry.getValue()) && MapUtils.isEmpty(expected))){
+							Set<String> privileges = entry.getValue().keySet();
+							if (privileges.size() == 1 && privileges.contains(RangerPolicyEngine.ADMIN_ACCESS)) {
+								groupACLsMatched = true;
+							} else {
+								groupACLsMatched = false;
+							}
+							break;
+						}
+						if (!groupACLsMatched) {
+							break;
+						}
+					}
+				} else if (!(MapUtils.isEmpty(acls.getGroupACLs()) && MapUtils.isEmpty(oneTest.groupPermissions))) {
+					groupACLsMatched = false;
+				}
+
+				assertTrue("getResourceACLs() failed! " + testCase.name + ":" + oneTest.name, userACLsMatched && groupACLsMatched);
+			}
+		}
+	}
+
+	static class PolicyACLsTests {
+		List<TestCase> testCases;
+
+		class TestCase {
+			String               name;
+			ServicePolicies      servicePolicies;
+			List<OneTest>        tests;
+
+			class OneTest {
+				String               name;
+				RangerAccessResource   resource;
+				Map<String, Map<String, RangerResourceACLs.AccessResult>> userPermissions;
+				Map<String, Map<String, RangerResourceACLs.AccessResult>> groupPermissions;
+			}
+		}
+	}
+
+	static class RangerResourceDeserializer implements JsonDeserializer<RangerAccessResource> {
+		@Override
+		public RangerAccessResource deserialize(JsonElement jsonObj, Type type,
+		                                        JsonDeserializationContext context) throws JsonParseException {
+			return gsonBuilder.fromJson(jsonObj, RangerAccessResourceImpl.class);
+		}
+	}
+}
+
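Review bot: The ACL comparison in `runTests` only walks the entries returned by `getResourceACLs()`, so a user, group or privilege that the fixture expects but the engine omits does not fail the test unless the whole result map is empty. The `break` that closes the `else if` branch also leaves the user (and group) loop after an entry is accepted as ADMIN_ACCESS-only, so later entries are never compared, and `entry.getValue().keySet()` in that branch throws if the value is null. For a test of authorization summaries these are false passes; comparing in both directions through one shared helper removes them along with the duplicated user/group blocks. The existing fixture may need to list every non-admin privilege once the check is symmetric.

```java
	// … unchanged: engine setup, preProcess and getResourceACLs call …
				boolean userACLsMatched  = aclsMatch(acls.getUserACLs(), oneTest.userPermissions);
				boolean groupACLsMatched = aclsMatch(acls.getGroupACLs(), oneTest.groupPermissions);
	// … unchanged: assertTrue on userACLsMatched && groupACLsMatched …

	// Symmetric comparison: nothing extra in the result, nothing expected is missing.
	private static boolean aclsMatch(Map<String, Map<String, RangerResourceACLs.AccessResult>> actual,
	                                 Map<String, Map<String, RangerResourceACLs.AccessResult>> expected) {
		return isCovered(actual, expected) && isCovered(expected, actual);
	}

	// True when every non-admin privilege in 'from' has an equal result in 'in'.
	private static boolean isCovered(Map<String, Map<String, RangerResourceACLs.AccessResult>> from,
	                                 Map<String, Map<String, RangerResourceACLs.AccessResult>> in) {
		if (from == null) {
			return true;
		}
		for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : from.entrySet()) {
			if (entry.getValue() == null) {
				continue;
			}
			Map<String, RangerResourceACLs.AccessResult> other = in == null ? null : in.get(entry.getKey());
			for (Map.Entry<String, RangerResourceACLs.AccessResult> privilege : entry.getValue().entrySet()) {
				if (StringUtils.equals(RangerPolicyEngine.ADMIN_ACCESS, privilege.getKey())) {
					continue; // admin access is not part of the fixture's expectations
				}
				RangerResourceACLs.AccessResult want = privilege.getValue();
				RangerResourceACLs.AccessResult got  = other == null ? null : other.get(privilege.getKey());
				if (want == null ? got != null : !want.equals(got)) {
					return false;
				}
			}
		}
		return true;
	}
```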

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 325626a..4ed9a6f 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -366,6 +366,7 @@ public class TestPolicyEngine {
 		RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
 
 		policyEngineOptions.disableTagPolicyEvaluation = false;
+		policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;
 
 		boolean useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean("ranger.plugin.hive.use.x-forwarded-for.ipaddress", false);
 		String trustedProxyAddressString = RangerConfiguration.getInstance().get("ranger.plugin.hive.trusted.proxy.ipaddresses");
@@ -376,8 +377,16 @@ public class TestPolicyEngine {
 			}
 		}
 		RangerPolicyEngine policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
+
 		policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
 		policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
+
+		policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
+		RangerPolicyEngine policyEngineForResourceAccessInfo = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
+
+		policyEngineForResourceAccessInfo.setUseForwardedIPAddress(useForwardedIPAddress);
+		policyEngineForResourceAccessInfo.setTrustedProxyAddresses(trustedProxyAddresses);
+
 		long requestCount = 0L;
 
 		RangerAccessRequest request = null;
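Review bot: `policyEngineOptions` is mutated after the first `RangerPolicyEngineImpl` has been built from it, so if the engine keeps a reference to the options object rather than copying it, setting `disableAccessEvaluationWithPolicyACLSummary = true` would also switch the ACL-summary path off for `policyEngine` and the test would stop exercising it. A separate options instance for the second engine avoids depending on that: `RangerPolicyEngineOptions optionsForResourceAccessInfo = new RangerPolicyEngineOptions();` with `disableTagPolicyEvaluation = false` and `disableAccessEvaluationWithPolicyACLSummary = true` set on it. The method continues outside the hunk, so any other option set on `policyEngineOptions` in the lines not shown would need to be mirrored as well.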
@@ -489,8 +498,9 @@ public class TestPolicyEngine {
 			}
 
 			if(test.resourceAccessInfo != null) {
+
 				RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo);
-				RangerResourceAccessInfo result   = policyEngine.getResourceAccessInfo(test.request);
+				RangerResourceAccessInfo result   = policyEngineForResourceAccessInfo.getResourceAccessInfo(test.request);
 
 				assertNotNull("result was null! - " + test.name, result);
 				assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers());
@@ -617,6 +627,9 @@ public class TestPolicyEngine {
 			RangerAccessRequestImpl ret = gsonBuilder.fromJson(jsonObj, RangerAccessRequestImpl.class);
 
 			ret.setAccessType(ret.getAccessType()); // to force computation of isAccessTypeAny and isAccessTypeDelegatedAdmin
+			if (ret.getAccessTime() == null) {
+				ret.setAccessTime(new Date());
+			}
 
 			return ret;
 		}
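Review bot: Defaulting a missing access time to `new Date()` makes the outcome of these fixture-driven tests depend on the day they run, which matters for any policy or tag with a validity window. A fixed instant keeps the result reproducible, e.g. `ret.setAccessTime(new Date(FIXED_TEST_TIME_MILLIS));` where `FIXED_TEST_TIME_MILLIS` is a placeholder name for a constant defined in the test class, or the time can be set explicitly in the fixture requests that need it. The enclosing method starts outside the hunk.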

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/resources/log4j.xml
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/log4j.xml b/agents-common/src/test/resources/log4j.xml
index 926f47c..d1a6f1c 100644
--- a/agents-common/src/test/resources/log4j.xml
+++ b/agents-common/src/test/resources/log4j.xml
@@ -34,8 +34,17 @@
             <param name="ConversionPattern" value="%d [%t] %m%n" />
         </layout>
     </appender>
-
     <!--
+    <logger name="org.apache.ranger.perf.policyengine.getResourceACLs" additivity="false">
+        <level value="debug" />
+        <appender-ref ref="ranger_perf_appender" />
+    </logger>
+
+    <logger name="org.apache.ranger.perf.policy.init.ACLSummary" additivity="false">
+        <level value="debug" />
+        <appender-ref ref="ranger_perf_appender" />
+    </logger>
+
     <logger name="org.apache.ranger.perf.policyengine" additivity="false">
         <level value="debug" />
         <appender-ref ref="ranger_perf_appender" />
@@ -75,13 +84,12 @@
         <level value="debug" />
         <appender-ref ref="ranger_perf_appender" />
     </logger>
-        -->
 
     <logger name="org.apache.ranger.perf.policyresourcematcher" additivity="false">
-        <level value="warn" />
+        <level value="debug" />
         <appender-ref ref="ranger_perf_appender" />
     </logger>
-
+        -->
     <root>
         <level value="warn" />
         <appender-ref ref="console" />

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/resources/policyengine/ACLResourceTags.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/ACLResourceTags.json b/agents-common/src/test/resources/policyengine/ACLResourceTags.json
new file mode 100644
index 0000000..711190c
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/ACLResourceTags.json
@@ -0,0 +1,207 @@
+{
+    "op":"add_or_update",
+    "tagModel":"resource_private",
+    "serviceName": "cl1_hive",
+    "tagDefinitions": {
+      "1": {
+        "name": "EXPIRES_ON",
+        "attributeDefs": [ { "name": "expiry_date", "type": "datetime" } ],
+        "id": 1,
+        "guid": "tagdefinition-expires-on-guid"
+      },
+      "2": {
+        "name": "PII",
+        "attributeDefs": [ { "name": "expiry", "type": "datetime" } ],
+        "id": 2,
+        "guid": "tagdefinition-pii-guid"
+      },
+      "3": {
+        "name": "PII-FINAL",
+        "attributeDefs": [ { "name": "expiry", "type": "datetime" } ],
+        "id": 3,
+        "guid": "tagdefinition-pii-final-guid"
+      },
+      "4": {
+        "name": "RESTRICTED",
+        "attributeDefs": [ { "name": "activation_date", "type": "datetime" } ],
+        "id": 4,
+        "guid": "tagdefinition-restricted-guid"
+      },
+      "5": {
+        "name": "RESTRICTED-FINAL",
+        "attributeDefs": [ { "name": "activation_date", "type": "datetime" } ],
+        "id": 5,
+        "guid": "tagdefinition-restricted-final-guid"
+      }
+    },
+    "tags": {
+      "1": {
+        "type": "EXPIRES_ON",
+        "attributes": { "expiry_date": "2026/06/15" },
+        "id": 1,
+        "guid": "tag-expires-on-1-guid"
+      },
+      "2": {
+        "type": "EXPIRES_ON",
+        "attributes": { "expiry_date": "2015/08/10" },
+        "id": 2,
+        "guid": "tag-expires-on-2-guid"
+      },
+      "3": {
+        "type": "RESTRICTED",
+        "attributes": { "activation_date": "2015/08/10", "score": "2" },
+        "id": 3,
+        "guid": "tag-restricted-3-guid"
+      },
+      "4": {
+        "type": "RESTRICTED-FINAL",
+        "attributes": { "activation_date": "2026/06/15" },
+        "id": 4,
+        "guid": "tag-restricted-final-4-guid"
+      },
+      "5": {
+        "type": "PII",
+        "attributes": { "expiry": "2026/06/15" },
+        "id": 5,
+        "guid": "tag-pii-5-guid"
+      },
+      "6": {
+        "type": "PII-FINAL",
+        "attributes": { "expiry": "2026/06/15" },
+        "id": 6,
+        "guid": "tag-pii-final-6-guid"
+      }
+    },
+    "serviceResources": [
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "ssn" ] }
+        },
+        "id": 1,
+        "guid": "employee.personal.ssn-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "id" ] }
+        },
+        "id": 2,
+        "guid": "employee.personal.id-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "city" ] }
+        },
+        "id": 3,
+        "guid": "employee.personal.city-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "address" ] }
+        },
+        "id": 4,
+        "guid": "employee.personal.address-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "salary" ] }
+        },
+        "id": 5,
+        "guid": "employee.personal.salary-guid"
+     },
+      {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "emp-number" ] }
+        },
+        "id": 6,
+        "guid": "employee.personal.emp-number-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "employee" ] },
+          "table": { "values": [ "personal" ] },
+          "column": { "values": [ "name" ] }
+        },
+        "id": 7,
+        "guid": "employee.personal.name-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "nodb" ] }
+        },
+        "id": 8,
+        "guid": "nodb-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "nodb" ] },
+          "table": { "values": [ "table1" ] }
+        },
+        "id": 9,
+        "guid": "nodb.table1-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "nodb" ] },
+          "table": { "values": [ "table1" ] },
+          "column": { "values": [ "name" ] }
+        },
+        "id": 10,
+        "guid": "nodb.table1.name-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "finance" ] },
+          "table": { "values": [ "sales" ] }
+        },
+        "id": 11,
+        "guid": "finance.sales-guid"
+     },
+     {
+        "serviceName": "cl1_hive",
+        "resourceElements": {
+          "database": { "values": [ "finance" ] },
+          "table": { "values": [ "sales" ] },
+          "column": { "values": [ "invoice_id" ] }
+        },
+        "id": 12,
+        "guid": "finance.sales.invoice_id-guid"
+     }
+    ],
+    "resourceToTagIds": {
+      "1": [ 1 ],
+      "2": [ 2 ],
+      "3": [ 3 ],
+      "4": [ 4 ],
+      "5": [ 2 ],
+      "6": [ 2 ],
+      "8": [ 6 ],
+      "9": [ 5 ],
+      "10": [ 6 ],
+      "11": [ 6 ],
+      "12": [ 5 ]
+    }
+}
+
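Review bot: The tag attributes hard-code `2026/06/15` as the expiry or activation date (tags 1, 4, 5 and 6), so any test that evaluates these tags against the current time will change its result once that date passes. If the consuming test uses wall-clock access times, pin the request time in the test or choose dates far from any realistic run date. Whether a test in this commit loads this file is not visible here.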

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_aclprovider_default.json b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
new file mode 100644
index 0000000..b4c4def
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
@@ -0,0 +1,586 @@
+{
+  "testCases": [
+    {
+      "name": "Test-ACL-Provider",
+
+      "servicePolicies": {
+        "serviceName": "hivedev",
+        "serviceDef": {
+          "name": "hive", "id": 3,
+          "resources": [
+            { "name": "database", "level": 1, "mandatory": true, "lookupSupported": true,
+              "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+              "matcherOptions": { "wildCard": true, "ignoreCase": true },
+              "label": "Hive Database", "description": "Hive Database"
+            },
+            {
+              "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true,
+              "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+              "matcherOptions": { "wildCard": true, "ignoreCase": true },
+              "label": "Hive Table", "description": "Hive Table"
+            },
+            {
+              "name": "udf", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true,
+              "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+              "matcherOptions": { "wildCard": true, "ignoreCase": true },
+              "label": "Hive UDF", "description": "Hive UDF"
+            },
+            {
+              "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true,
+              "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+              "matcherOptions": { "wildCard": true, "ignoreCase": true },
+              "label": "Hive Column", "description": "Hive Column"
+            }
+          ],
+          "accessTypes": [
+            { "name": "select", "label": "Select" },
+            { "name": "update", "label": "Update" },
+            { "name": "create", "label": "Create" },
+            { "name": "drop", "label": "Drop" },
+            { "name": "alter", "label": "Alter" },
+            { "name": "index", "label": "Index" },
+            { "name": "lock", "label": "Lock" },
+            { "name": "all", "label": "All" }
+          ],
+          "policyConditions":[
+            { "itemId": 1, "name": "ip-range",
+              "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { },
+              "label": "IP Address Range", "description": "IP Address Range"
+            }
+          ]
+        },
+        "policies": [
+          {
+            "id": 1, "name": "db=default: audit-all-access", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "*" ] },
+              "column": { "values": [ "*" ] }
+            },
+            "policyItems": [
+              { "accesses": [], "users": [], "groups": [ "public" ], "delegateAdmin": false }
+            ]
+          },
+          {
+            "id": 2, "name": "db=default; table=test1,test2; column=column1", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "test1", "test2" ] },
+              "column": { "values": [ "column1" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "group1", "group2" ],
+                "delegateAdmin": false
+              },
+              { "accesses": [ { "type": "create", "isAllowed": true }, { "type": "drop", "isAllowed": true } ],
+                "users": [ "admin" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 3, "name": "db=default; table=test1,test2; column=column2", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "test1", "test2" ] },
+              "column": { "values": [ "column2" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "group1", "group2" ],
+                "delegateAdmin": false
+              },
+              {
+                "accesses": [
+                  { "type": "create", "isAllowed": true },
+                  { "type": "drop", "isAllowed": true }
+                ],
+                "users": [ "admin" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 4, "name": "db=finance; table=fin_*; column=*", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "finance" ] },
+              "table": { "values": [ "fin_*" ] },
+              "column": { "values": [ "*" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "finance-controller" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 5, "name": "db=db1; table=tmp; column=tmp*", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "db1" ] },
+              "table": { "values": [ "tmp" ] },
+              "column": { "values": [ "tmp*" ], "isExcludes": false }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "cluster-admin", "finance-controller" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 6, "name": "db=hr;udf=udf", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "hr" ] },
+              "udf": { "values": [ "udf" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ],
+                "users": [ "user1", "user2" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 7, "name": "db=hr;udf=udf*", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "hr" ] },
+              "udf": { "values": [ "udf*" ] }
+            },
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ],
+                "users": [ "user3" ], "groups": [ "public" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 8, "name": "db=hr*;udf=udf", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "hr*" ] },
+              "udf": { "values": [ "udf" ] }
+            },
+            "validitySchedules": [
+              { "startTime": "2018/01/12 14:32:00", "endTime": "2020/02/13 12:16:00" }
+            ],
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ],
+                "users": [ "user4" ], "groups": [ "hr-admin" ],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 9, "name": "db=default; table=test2; column=column2", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "test2" ] },
+              "column": { "values": [ "column2" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user2", "user3" ], "groups": [],
+                "delegateAdmin": false
+              }
+            ],
+            "denyPolicyItems": [
+              {
+                "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ],
+                "users": [ "user2", "user3", "user4" ], "groups": [ "group3" ],
+                "delegateAdmin": false
+              }
+            ],
+            "denyExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user3" ], "groups": [],
+                "delegateAdmin": false
+              }
+            ]
+          },
+          {
+            "id": 10, "name": "db=finance; table=fin_*; column=salary", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "finance" ] },
+              "table": { "values": [ "fin_*" ] },
+              "column": { "values": [ "salary" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user3" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true,
+                "conditions":[{"type":"ip-range","values":["1.*.1.*"]}]
+              }
+            ]
+          },
+          {
+            "id": 11, "name": "db=default; table=table; column=column", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "default" ] },
+              "table": { "values": [ "table" ] },
+              "column": { "values": [ "column" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user1", "user2", "user3", "user4" ], "groups": [ "cluster-admin" ],
+                "delegateAdmin": true
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user4" ], "groups": [ "finance-admin" ],
+                "delegateAdmin": true
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user2", "user3" ], "groups": [ "public" ],
+                "delegateAdmin": true
+              }
+            ],
+            "denyExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [ "user2", "user4" ], "groups": [],
+                "delegateAdmin": true
+              }
+            ]
+          },
+          {
+            "id": 12, "name": "db=finance; table=accounts; column=status", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "finance" ] },
+              "table": { "values": [ "accounts" ] },
+              "column": { "values": [ "status" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ],
+                "users": [ "john", "jane" ], "groups": [ "accounting", "admin" ],
+                "delegateAdmin": true
+              },
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [], "groups": [ "public" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": [ "mary" ], "groups": [ "interns" ]
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [], "groups": [ "housekeeping" ]
+              }
+            ]
+          },
+          {
+            "id": 13, "name": "db=finance; table=accounts; column=amount", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "finance" ] },
+              "table": { "values": [ "accounts" ] },
+              "column": { "values": [ "amount" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ],
+                "users": [ "john", "jane" ], "groups": [ "accounting", "admin" ],
+                "delegateAdmin": true
+              },
+              { "accesses": [ { "type": "select", "isAllowed": true } ],
+                "users": [], "groups": [ "public" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": [ "mary" ], "groups": [ "interns" ]
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "drop", "isAllowed": true } ],
+                "users": [], "groups": [ "housekeeping" ]
+              }
+            ]
+          },
+          {
+            "id": 13, "name": "db=db1; table=tbl1; column=col1", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "db1" ] },
+              "table": { "values": [ "tbl1" ] },
+              "column": { "values": [ "col1" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ],
+                "users": [ "john", "jane" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": [ "john" ],
+                "conditions":[{"type":"ip-range","values":["1.*.1.*"]}]
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "drop", "isAllowed": true } ],
+                "users": ["adam", "eve"]
+              }
+            ],
+            "denyExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true },  { "type": "drop", "isAllowed": true }],
+                "users": ["eve"],
+                "conditions":[{"type":"ip-range","values":["10.*.10.*"]}]
+              }
+            ]
+          },
+          {
+            "id": 14, "name": "db=db2; table=tbl2; column=col2", "isEnabled": true, "isAuditEnabled": true,
+            "resources": {
+              "database": { "values": [ "db2" ] },
+              "table": { "values": [ "tbl2" ] },
+              "column": { "values": [ "col2" ] }
+            },
+            "policyItems": [
+              { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ],
+                "users": [ "john", "jane" ]
+              }
+            ],
+            "allowExceptions": [
+              { "accesses": [ { "type": "update", "isAllowed": true } ],
+                "users": [ "john" ]
+              }
+            ],
+            "denyPolicyItems": [
+              { "accesses": [ { "type": "drop", "isAllowed": true } ],
+                "users": ["adam", "eve"]
+              }
+            ],
+            "denyExceptions": [
+              { "accesses": [ { "type": "select", "isAllowed": true },  { "type": "drop", "isAllowed": true }],
+                "users": ["eve"],
+                "conditions":[{"type":"ip-range","values":["10.*.10.*"]}]
+              }
+            ]
+          }
+        ],
+        "tagPolicies": {
+          "serviceName": "tagdev",
+          "serviceDef": {
+            "name": "tag", "id": 100,
+            "resources": [
+              { "itemId": 1, "name": "tag", "type": "string", "level": 1, "parent": "", "mandatory": true,
+                "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false,
+                "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+                "matcherOptions": { "wildCard": true, "ignoreCase": false },
+                "label": "TAG", "description": "TAG"
+              }
+            ],
+            "accessTypes": [
+              { "itemId": 1, "name": "hive:select", "label": "hive:select" },
+              { "itemId": 2, "name": "hive:update", "label": "hive:update" },
+              { "itemId": 3, "name": "hive:create", "label": "hive:create" },
+              { "itemId": 4, "name": "hive:drop", "label": "hive:drop" },
+              { "itemId": 5, "name": "hive:alter", "label": "hive:alter" },
+              { "itemId": 6, "name": "hive:index", "label": "hive:index" },
+              { "itemId": 7, "name": "hive:lock", "label": "hive:lock" },
+              { "itemId": 8, "name": "hive:all", "label": "hive:all", 
+		"impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock" ] }
+            ],
+            "contextEnrichers": [
+              { "itemId": 1, "name": "TagEnricher",
+                "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
+                "enricherOptions": {
+                  "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever",
+                  "tagRefresherPollingInterval": 60000,
+                  "serviceTagsFileName": "/policyengine/ACLResourceTags.json"
+                }
+              }
+            ],
+            "policyConditions": [
+              { "itemId": 1, "name": "expression",
+                "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+                "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" },
+                "label": "Enter boolean expression", "description": "Boolean expression"
+              },
+              {
+                "itemId": 2, "name": "enforce-expiry",
+                "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
+                "evaluatorOptions": { "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" },
+                "label": "Deny access after expiry_date?", "description": "Deny access after expiry_date? (yes/no)"
+              },
+              {
+                "itemId": 3, "name": "ip-range",
+                "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { },
+                "label": "IP Address Range", "description": "IP Address Range"
+              }
+            ]
+          },
+          "policies": [
+            { "id": 101, "name": "RESTRICTED_TAG_POLICY", "isEnabled": true, "isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "RESTRICTED" ], "isRecursive": false }
+              },
+              "policyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "hive", "user1" ],
+                  "groups": [],
+                  "delegateAdmin": false,
+                  "conditions": [
+                    { "type": "expression", "values": [ "if ( tagAttr.get('score') < 2 ) ctx.result = true;" ] }
+                  ]
+                }
+              ]
+            },
+            {
+              "id": 102, "name": "PII_TAG_POLICY", "isEnabled": true, "isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "PII" ], "isRecursive": false }
+              },
+              "policyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true }, { "type": "hive:create", "isAllowed": true } ],
+                  "users": [ "hive" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ],
+              "denyPolicyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "hive" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ]
+            },
+            {
+              "id": 103, "name": "PII_TAG_POLICY-FINAL", "isEnabled": true, "isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "PII-FINAL" ], "isRecursive": false }
+              },
+              "policyItems": [
+                { "accesses": [ { "type": "hive:index", "isAllowed": true } ],
+                  "users": [ ], "groups": [ "public" ],
+                  "delegateAdmin": false,
+                  "conditions":[{"type":"ip-range","values":["1.*.1.*"]}]
+                }
+              ],
+              "denyPolicyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "admin" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ],
+              "denyExceptions": [
+                {
+                  "accesses": [
+                    { "type": "hive:drop", "isAllowed": true }
+                  ],
+                  "users": [ "hive" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ]
+            },
+            {
+              "id": 104, "name": "RESTRICTED_TAG_POLICY_FINAL", "isEnabled": true, "isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "RESTRICTED-FINAL" ], "isRecursive": false }
+              },
+              "denyPolicyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [], "groups": [ "public" ],
+                  "delegateAdmin": false
+                }
+              ],
+              "denyExceptions": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "hive", "user1" ], "groups": [],
+                  "delegateAdmin": false,
+                  "conditions": [
+                    { "type": "expression", "values": [ "if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;" ] }
+                  ]
+                }
+              ]
+            },
+            {
+              "id": 105, "name": "EXPIRES_ON", "isEnabled": true, "isAuditEnabled": true,
+              "resources": {
+                "tag": { "values": [ "EXPIRES_ON" ], "isRecursive": false }
+              },
+              "denyPolicyItems": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [], "groups": [ "public" ],
+                  "delegateAdmin": false,
+                  "conditions": [
+                    { "type": "enforce-expiry", "values": [ "yes" ] }
+                  ]
+                }
+              ],
+              "denyExceptions": [
+                { "accesses": [ { "type": "hive:select", "isAllowed": true } ],
+                  "users": [ "dataloader" ], "groups": [],
+                  "delegateAdmin": false
+                }
+              ]
+            }
+          ]
+        }
+      },
+
+      "tests": [
+        {
+          "name": "all-deny-test",
+          "resource": {"elements":{"database":"hr", "udf":"udf" }},
+          "userPermissions": {},
+          "groupPermissions": {"public": {"select":{"result":-1, "isFinal":true},"create":{"result":-1, "isFinal":true}}}
+        },
+        {
+          "name": "no-deny-test",
+          "resource": {"elements":{"database":"default", "table":"test1", "column":"column2"}},
+          "userPermissions": {"user1":{"select":{"result":1, "isFinal":true}}, "user2":{"select":{"result":1, "isFinal":true}}, "admin":{"create":{"result":1, "isFinal":true},"drop":{"result":1, "isFinal":true}}},
+          "groupPermissions": {"group1": {"select":{"result":1, "isFinal":true}}, "group2": {"select":{"result":1, "isFinal":true}},"cluster-admin": {"create":{"result":1, "isFinal":true},"drop":{"result":1, "isFinal":true}}}
+        },
+        {
+          "name": "partial-deny-test",
+          "resource": {"elements":{"database":"default", "table":"test2", "column":"column2"}},
+          "userPermissions": {"user1":{"select":{"result":1, "isFinal":true}}, "user2":{"select":{"result":-1, "isFinal":true},"create":{"result":-1, "isFinal":true}}, "user3":{"select":{"result":1, "isFinal":true},"create":{"result":-1, "isFinal":true}},"user4":{"select":{"result":-1, "isFinal":true},"create":{"result":-1, "isFinal":true}},"admin":{"create":{"result":1, "isFinal":true},"drop":{"result":1, "isFinal":true}}},
+          "groupPermissions": {"group1": {"select":{"result":1, "isFinal":true}}, "group2": {"select":{"result":1, "isFinal":true}},"group3": {"select":{"result":-1, "isFinal":true},"create":{"result":-1, "isFinal":true}},"cluster-admin": {"create":{"result":1, "isFinal":true},"drop":{"result":1, "isFinal":true}}}
+        },
+        {
+          "name": "conditional-deny-test",
+          "resource": {"elements":{"database":"finance", "table":"fin_1", "column":"salary"}},
+          "userPermissions": {"user1":{"select":{"result":1, "isFinal":true}}, "user2":{"select":{"result":1, "isFinal":true}}, "user3":{"select":{"result":2, "isFinal":true}} },
+          "groupPermissions": {"finance-controller": {"select":{"result":1, "isFinal":true}}, "cluster-admin": {"select":{"result":2, "isFinal":true}}}
+        },
+        {
+          "name": "conditional-tag-only-test-descendant",
+          "resource": {"elements":{"database":"finance", "table":"sales"}},
+          "userPermissions": {"hive":{"select":{"result":-1, "isFinal":true},"create":{"result":1, "isFinal":true}, "drop":{"result":-1, "isFinal":true}}, "admin":{"select":{"result":-1, "isFinal":true}} },
+          "groupPermissions": {"public": {"index":{"result":2, "isFinal":true}}}
+        },
+        {
+          "name": "all-types-of-policy-items",
+          "resource": {"elements":{"database":"default", "table":"table", "column":"column"}},
+          "userPermissions": {"user1":{"select":{"result":2, "isFinal":true}}, "user2":{"select":{"result":2, "isFinal":true}}, "user3":{"select":{"result":2, "isFinal":true}}, "user4":{"select":{"result":2, "isFinal":true}} },
+          "groupPermissions": {"public": {"select":{"result":2, "isFinal":true}}, "cluster-admin": {"select":{"result":2, "isFinal":true}}}
+        },
+        {
+          "name": "public-allow-test",
+          "resource": {"elements":{"database":"finance", "table":"accounts", "column": "status" }},
+          "userPermissions": {"john":{"select":{"result":2, "isFinal":true}, "update":{"result":2, "isFinal":true}}, "jane":{"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, "mary":{"update":{"result":-1, "isFinal":true}}},
+          "groupPermissions": {"public": {"select":{"result":2, "isFinal":true}}, "accounting": {"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, "admin": {"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, "interns":{"update":{"result":-1, "isFinal":true}}, "housekeeping":{"select":{"result":-1, "isFinal":true}}}
+        },
+        {
+          "name": "public-allow-test-next",
+          "resource": {"elements":{"database":"finance", "table":"accounts", "column": "amount" }},
+          "userPermissions": {"john":{"select":{"result":2, "isFinal":true}, "update":{"result":2, "isFinal":true}}, "jane":{"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, "mary":{"update":{"result":-1, "isFinal":true}}},
+          "groupPermissions": {"public": {"select":{"result":2, "isFinal":true}}, "accounting": {"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, "admin": {"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, "interns":{"update":{"result":-1, "isFinal":true}}, "housekeeping":{"drop":{"result":-1, "isFinal":true}}}
+        },
+        {
+          "name": "conditions-in-exceptions-test",
+          "resource": {"elements":{"database":"db1", "table":"tbl1", "column": "col1" }},
+          "userPermissions": {"john":{"select":{"result":2, "isFinal":true}, "update":{"result":2, "isFinal":true}}, "jane":{"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, "adam":{"drop":{"result":2, "isFinal":true}}, "eve":{"drop":{"result":2, "isFinal":true}}},
+          "groupPermissions": {}
+        },
+        {
+          "name": "conditions-in-some-exceptions-test",
+          "resource": {"elements":{"database":"db2", "table":"tbl2", "column": "col2" }},
+          "userPermissions": {"john":{"select":{"result":1, "isFinal":true}, "update":{"result":-1, "isFinal":true}}, "jane":{"select":{"result":1, "isFinal":true},"update":{"result":1, "isFinal":true}}, "adam":{"drop":{"result":2, "isFinal":true}}, "eve":{"drop":{"result":2, "isFinal":true}}},
+          "groupPermissions": {}
+        }
+      ]
+    }
+  ]
+}

http://git-wip-us.apache.org/repos/asf/ranger/blob/3b510f8c/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 11f31e3..ef75887 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -224,7 +224,7 @@
         "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}},
         "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1",
 
-        "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, \"matchType\":1}]"}
+        "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2026-06-15T15:05:15.000Z\"}, \"matchType\":\"SELF\"}]"}
       },
       "result":{"isAudited":true,"isAllowed":true,"policyId":101}
     },
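Review bot: The rewritten `context` line still hard-codes `expiry_date` as `2026-06-15T15:05:15.000Z` while the case expects `"isAllowed":true` with `"policyId":101`, so the outcome may depend on when the suite is run. If the expiry condition falls back to the current time when the request carries no access time (not visible in this hunk), the expectation will flip once that date passes, and an authorization regression test will start failing for reasons unrelated to the policy engine. Consider pinning the request's access time in the fixture, or using a date that cannot lapse in practice, e.g. `\"expiry_date\":\"2099-12-31T00:00:00.000Z\"` (constructed value). The test-case object this line belongs to begins above the hunk.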

