{
"testCases": [
{
"name": "Test multiple tag instances for resource hierarchy",
"servicePolicies": {
"serviceName": "hivedev",
"serviceDef": {
"name": "hive", "id": 3,
"resources": [
{ "name": "database", "level": 1, "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Database", "description": "Hive Database" },
{ "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Table", "description": "Hive Table" },
{ "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Column", "description": "Hive Column" }
],
"accessTypes": [
{ "name": "select", "label": "Select" },
{ "name": "update", "label": "Update" },
{ "name": "create", "label": "Create" },
{ "name": "drop", "label": "Drop" },
{ "name": "alter", "label": "Alter" },
{ "name": "index", "label": "Index" },
{ "name": "lock", "label": "Lock" },
{ "name": "all", "label": "All" }
],
"policyConditions": [
{ "itemId": 1, "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, "label": "Enter boolean expression", "description": "Boolean expression" }
],
"dataMaskDef": {
"maskTypes": [
{ "itemId": 1, "name": "MASK", "label": "Mask", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'" },
{ "itemId": 2, "name": "SHUFFLE", "label": "Shuffle", "description": "Randomly shuffle the contents" },
{ "itemId": 3, "name": "MASK_HASH", "label": "Hash", "description": "Hash value of the contents" },
{ "itemId": 4, "name": "MASK_NONE", "label": "No masking", "description": "Unmasked value of the contents" },
{ "itemId": 10, "name": "NULL", "label": "NULL", "description": "Replace with NULL" }
],
"accessTypes":[
{ "name": "select", "label": "Select" }
],
"resources":[
{ "name": "database", "matcherOptions": { "wildCard": false } },
{ "name": "table", "matcherOptions": { "wildCard": false } },
{ "name": "column", "matcherOptions": { "wildCard": false } }
]
},
"rowFilterDef": {
"accessTypes":[
{ "name": "select", "label": "Select"}
],
"resources":[
{ "name": "database", "matcherOptions": { "wildCard": false } },
{ "name": "table", "matcherOptions": { "wildCard": false } }
]
}
},
"policies": [
],
"tagPolicies": {
"serviceName": "tagdev",
"serviceDef": {
"name": "tag", "id": 100,
"resources": [
{ "itemId": 1, "name": "tag", "type": "string", "level": 1, "parent": "", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": false }, "label": "TAG", "description": "TAG" }
],
"accessTypes": [
{ "itemId": 1, "name": "hive:select", "label": "hive:select" },
{ "itemId": 2, "name": "hive:update", "label": "hive:update" },
{ "itemId": 3, "name": "hive:create", "label": "hive:create" },
{ "itemId": 4, "name": "hive:drop", "label": "hive:drop" },
{ "itemId": 5, "name": "hive:alter", "label": "hive:alter" },
{ "itemId": 6, "name": "hive:index", "label": "hive:index" },
{ "itemId": 7, "name": "hive:lock", "label": "hive:lock" },
{ "itemId": 8, "name": "hive:all", "label": "hive:all",
"impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock" ] }
],
"dataMaskDef": {
"resources":[
{ "name": "tag" }
]
},
"contextEnrichers": [
{ "itemId": 1, "name": "TagEnricher", "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", "enricherOptions": { "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", "tagRefresherPollingInterval": 60000, "serviceTagsFileName": "/policyengine/resource_hierarchy_tags.json" } }
],
"policyConditions": [
{ "itemId": 1, "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, "label": "Enter boolean expression", "description": "Boolean expression" },
{ "itemId": 2, "name": "enforce-expiry", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", "evaluatorOptions": { "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" }, "label": "Deny access after expiry_date?", "description": "Deny access after expiry_date? (yes/no)" },
{ "itemId": 3, "name": "ip-range", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { }, "label": "IP Address Range", "description": "IP Address Range" }
]
},
"policies": [
{ "id": 1, "name": "1: access: SENSITIVE", "isEnabled": true, "isAuditEnabled": true, "policyType": 0,
"resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } },
"policyItems": [
{"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] }
]
},
{ "id": 2, "name": "2: access: ORDER", "isEnabled": true, "isAuditEnabled": true, "policyType": 0,
"resources": { "tag": { "values": [ "ORDER" ], "isRecursive": false } },
"policyItems": [
{"accesses": [{"type": "hive:create", "isAllowed": true}], "users": [ "dba"] }
]
},
{ "id": 3, "name": "2: access: CUSTOMER", "isEnabled": true, "isAuditEnabled": true, "policyType": 0,
"resources": { "tag": { "values": [ "CUSTOMER" ], "isRecursive": false } },
"policyItems": [
{"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] }
]
},
{ "id": 4, "name": "3: access: ADDRESS", "isEnabled": true, "isAuditEnabled": true, "policyType": 0,
"resources": { "tag": { "values": [ "ADDRESS" ], "isRecursive": false } },
"policyItems": [
{"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] }
]
},
{ "id": 101, "name": "101: mask: SENSITIVE(level=normal)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1,
"resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } },
"conditions": [ { "type": "expression", "values": [ "TAG.level == 'normal'" ] } ],
"dataMaskPolicyItems": [
{ "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "SHUFFLE"}}
]
},
{ "id": 102, "name": "102: mask: SENSITIVE(level=high)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1,
"resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } },
"conditions": [ { "type": "expression", "values": [ "TAG.level == 'high'" ] } ],
"dataMaskPolicyItems": [
{ "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK"}}
]
},
{ "id": 103, "name": "103: mask: SENSITIVE(level=top)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1,
"resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } },
"conditions": [ { "type": "expression", "values": [ "TAG.level == 'top'" ] } ],
"dataMaskPolicyItems": [
{ "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK_HASH"}}
]
},
{ "id": 104, "name": "104: mask: CUSTOMER", "isEnabled": true, "isAuditEnabled": true, "policyType": 1,
"resources": { "tag": { "values": [ "CUSTOMER" ], "isRecursive": false } },
"dataMaskPolicyItems": [
{ "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK_NONE"}}
]
},
{ "id": 105, "name": "105: mask: ADDRESS", "isEnabled": true, "isAuditEnabled": true, "policyType": 1,
"resources": { "tag": { "values": [ "ADDRESS" ], "isRecursive": false } },
"dataMaskPolicyItems": [
{ "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK_HASH"}}
]
}
]
}
},
"tests": [
{ "name": "table: db1.tbl1",
"resource": { "elements": { "database": "db1", "table": "tbl1" } },
"userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }
},
{ "name": "column: db1.tbl1.SSN",
"resource": { "elements": { "database": "db1", "table": "tbl1", "column": "SSN" } },
"userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } },
"dataMasks": [
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true },
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true },
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true }
]
},
{ "name": "column: db1.tbl1.Age",
"resource": { "elements": { "database": "db1", "table": "tbl1", "column": "Age" } },
"userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } },
"dataMasks": [
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true },
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true },
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true }
]
},
{ "name": "column: db1.tbl1.Name",
"resource": { "elements": { "database": "db1", "table": "tbl1", "column": "Name" } },
"userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } },
"dataMasks": [
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true },
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true },
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true }
]
},
{ "name": "database: db2",
"resource": { "elements": { "database": "db2" } },
"userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }
},
{ "name": "table: db2.tbl1",
"resource": { "elements": { "database": "db2", "table": "tbl1" } },
"userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }
},
{ "name": "column: db2.tbl1.Name",
"resource": { "elements": { "database": "db2", "table": "tbl1", "column": "Name" } },
"userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } },
"dataMasks": [
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true },
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true },
{"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true }
]
},
{ "name": "database: order",
"resource": { "elements": { "database": "order" } },
"userPermissions": { "dba": { "create": { "result": 1, "isFinal": true } } }
},
{ "name": "table: order.customer",
"resource": { "elements": { "database": "order", "table": "customer" } },
"userPermissions": {
"test-user": { "select": { "result": 1, "isFinal": true } },
"dba": { "create": { "result": 1, "isFinal": true } }
}
},
{ "name": "column: order.customer.address",
"resource": { "elements": { "database": "order", "table": "customer", "column": "address" } },
"userPermissions": {
"test-user": { "select": { "result": 1, "isFinal": true } },
"dba": { "create": { "result": 1, "isFinal": true } }
},
"dataMasks": [
{ "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, "isConditional": false },
{ "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": false }
]
}
]
}
]
}