| { |
| "testCases": [ |
| { |
| "name": "Test multiple tag instances for resource hierarchy", |
| |
| "servicePolicies": { |
| "serviceName": "hivedev", |
| "serviceDef": { |
| "name": "hive", "id": 3, |
| "resources": [ |
| { "name": "database", "level": 1, "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Database", "description": "Hive Database" }, |
| { "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Table", "description": "Hive Table" }, |
| { "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Column", "description": "Hive Column" } |
| ], |
| "accessTypes": [ |
| { "name": "select", "label": "Select" }, |
| { "name": "update", "label": "Update" }, |
| { "name": "create", "label": "Create" }, |
| { "name": "drop", "label": "Drop" }, |
| { "name": "alter", "label": "Alter" }, |
| { "name": "index", "label": "Index" }, |
| { "name": "lock", "label": "Lock" }, |
| { "name": "all", "label": "All" } |
| ], |
| "policyConditions": [ |
| { "itemId": 1, "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, "label": "Enter boolean expression", "description": "Boolean expression" } |
| ], |
| "dataMaskDef": { |
| "maskTypes": [ |
| { "itemId": 1, "name": "MASK", "label": "Mask", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'" }, |
| { "itemId": 2, "name": "SHUFFLE", "label": "Shuffle", "description": "Randomly shuffle the contents" }, |
| { "itemId": 3, "name": "MASK_HASH", "label": "Hash", "description": "Hash value of the contents" }, |
| { "itemId": 4, "name": "MASK_NONE", "label": "No masking", "description": "Unmasked value of the contents" }, |
| { "itemId": 10, "name": "NULL", "label": "NULL", "description": "Replace with NULL" } |
| ], |
| "accessTypes":[ |
| { "name": "select", "label": "Select" } |
| ], |
| "resources":[ |
| { "name": "database", "matcherOptions": { "wildCard": false } }, |
| { "name": "table", "matcherOptions": { "wildCard": false } }, |
| { "name": "column", "matcherOptions": { "wildCard": false } } |
| ] |
| }, |
| "rowFilterDef": { |
| "accessTypes":[ |
| { "name": "select", "label": "Select"} |
| ], |
| "resources":[ |
| { "name": "database", "matcherOptions": { "wildCard": false } }, |
| { "name": "table", "matcherOptions": { "wildCard": false } } |
| ] |
| } |
| }, |
| "policies": [ |
| ], |
| "tagPolicies": { |
| "serviceName": "tagdev", |
| "serviceDef": { |
| "name": "tag", "id": 100, |
| "resources": [ |
| { "itemId": 1, "name": "tag", "type": "string", "level": 1, "parent": "", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": false }, "label": "TAG", "description": "TAG" } |
| ], |
| "accessTypes": [ |
| { "itemId": 1, "name": "hive:select", "label": "hive:select" }, |
| { "itemId": 2, "name": "hive:update", "label": "hive:update" }, |
| { "itemId": 3, "name": "hive:create", "label": "hive:create" }, |
| { "itemId": 4, "name": "hive:drop", "label": "hive:drop" }, |
| { "itemId": 5, "name": "hive:alter", "label": "hive:alter" }, |
| { "itemId": 6, "name": "hive:index", "label": "hive:index" }, |
| { "itemId": 7, "name": "hive:lock", "label": "hive:lock" }, |
| { "itemId": 8, "name": "hive:all", "label": "hive:all", |
| "impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock" ] } |
| ], |
| "dataMaskDef": { |
| "resources":[ |
| { "name": "tag" } |
| ] |
| }, |
| "contextEnrichers": [ |
| { "itemId": 1, "name": "TagEnricher", "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", "enricherOptions": { "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", "tagRefresherPollingInterval": 60000, "serviceTagsFileName": "/policyengine/resource_hierarchy_tags.json" } } |
| ], |
| "policyConditions": [ |
| { "itemId": 1, "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, "label": "Enter boolean expression", "description": "Boolean expression" }, |
| { "itemId": 2, "name": "enforce-expiry", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", "evaluatorOptions": { "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" }, "label": "Deny access after expiry_date?", "description": "Deny access after expiry_date? (yes/no)" }, |
| { "itemId": 3, "name": "ip-range", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { }, "label": "IP Address Range", "description": "IP Address Range" } |
| ] |
| }, |
| "policies": [ |
| { "id": 1, "name": "1: access: SENSITIVE", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, |
| "resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } }, |
| "policyItems": [ |
| {"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } |
| ] |
| }, |
| { "id": 2, "name": "2: access: ORDER", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, |
| "resources": { "tag": { "values": [ "ORDER" ], "isRecursive": false } }, |
| "policyItems": [ |
| {"accesses": [{"type": "hive:create", "isAllowed": true}], "users": [ "dba"] } |
| ] |
| }, |
| { "id": 3, "name": "2: access: CUSTOMER", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, |
| "resources": { "tag": { "values": [ "CUSTOMER" ], "isRecursive": false } }, |
| "policyItems": [ |
| {"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } |
| ] |
| }, |
| { "id": 4, "name": "3: access: ADDRESS", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, |
| "resources": { "tag": { "values": [ "ADDRESS" ], "isRecursive": false } }, |
| "policyItems": [ |
| {"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } |
| ] |
| }, |
| { "id": 101, "name": "101: mask: SENSITIVE(level=normal)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, |
| "resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } }, |
| "conditions": [ { "type": "expression", "values": [ "TAG.level == 'normal'" ] } ], |
| "dataMaskPolicyItems": [ |
| { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "SHUFFLE"}} |
| ] |
| }, |
| { "id": 102, "name": "102: mask: SENSITIVE(level=high)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, |
| "resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } }, |
| "conditions": [ { "type": "expression", "values": [ "TAG.level == 'high'" ] } ], |
| "dataMaskPolicyItems": [ |
| { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK"}} |
| ] |
| }, |
| { "id": 103, "name": "103: mask: SENSITIVE(level=top)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, |
| "resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } }, |
| "conditions": [ { "type": "expression", "values": [ "TAG.level == 'top'" ] } ], |
| "dataMaskPolicyItems": [ |
| { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK_HASH"}} |
| ] |
| }, |
| { "id": 104, "name": "104: mask: CUSTOMER", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, |
| "resources": { "tag": { "values": [ "CUSTOMER" ], "isRecursive": false } }, |
| "dataMaskPolicyItems": [ |
| { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK_NONE"}} |
| ] |
| }, |
| { "id": 105, "name": "105: mask: ADDRESS", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, |
| "resources": { "tag": { "values": [ "ADDRESS" ], "isRecursive": false } }, |
| "dataMaskPolicyItems": [ |
| { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK_HASH"}} |
| ] |
| } |
| ] |
| } |
| }, |
| "tests": [ |
| { "name": "table: db1.tbl1", |
| "resource": { "elements": { "database": "db1", "table": "tbl1" } }, |
| "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } } |
| }, |
| { "name": "column: db1.tbl1.SSN", |
| "resource": { "elements": { "database": "db1", "table": "tbl1", "column": "SSN" } }, |
| "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, |
| "dataMasks": [ |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } |
| ] |
| }, |
| { "name": "column: db1.tbl1.Age", |
| "resource": { "elements": { "database": "db1", "table": "tbl1", "column": "Age" } }, |
| "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, |
| "dataMasks": [ |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } |
| ] |
| }, |
| { "name": "column: db1.tbl1.Name", |
| "resource": { "elements": { "database": "db1", "table": "tbl1", "column": "Name" } }, |
| "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, |
| "dataMasks": [ |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } |
| ] |
| }, |
| { "name": "database: db2", |
| "resource": { "elements": { "database": "db2" } }, |
| "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } } |
| }, |
| { "name": "table: db2.tbl1", |
| "resource": { "elements": { "database": "db2", "table": "tbl1" } }, |
| "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } } |
| }, |
| { "name": "column: db2.tbl1.Name", |
| "resource": { "elements": { "database": "db2", "table": "tbl1", "column": "Name" } }, |
| "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, |
| "dataMasks": [ |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, |
| {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } |
| ] |
| }, |
| { "name": "database: order", |
| "resource": { "elements": { "database": "order" } }, |
| "userPermissions": { "dba": { "create": { "result": 1, "isFinal": true } } } |
| }, |
| { "name": "table: order.customer", |
| "resource": { "elements": { "database": "order", "table": "customer" } }, |
| "userPermissions": { |
| "test-user": { "select": { "result": 1, "isFinal": true } }, |
| "dba": { "create": { "result": 1, "isFinal": true } } |
| } |
| }, |
| { "name": "column: order.customer.address", |
| "resource": { "elements": { "database": "order", "table": "customer", "column": "address" } }, |
| "userPermissions": { |
| "test-user": { "select": { "result": 1, "isFinal": true } }, |
| "dba": { "create": { "result": 1, "isFinal": true } } |
| }, |
| "dataMasks": [ |
| { "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, "isConditional": false }, |
| { "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": false } |
| ] |
| } |
| ] |
| } |
| ] |
| } |