Google Git
Sign in
apache / ranger / 4bb2f6f81b6bf31e4b19f07e01e4355a76ab3e0f / . / agents-common / src / test / resources / policyengine / test_policyengine_tag_hive_filebased.json
blob: 73fe540c7a1ca92a5bee55803073cf59befa2a8b [file] [log] [blame]
{
"serviceName":"hivedev",
"serviceDef":{
"name":"hive",
"id":3,
"resources":[
{"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
{"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
{"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
{"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
],
"accessTypes":[
{"name":"select","label":"Select"},
{"name":"update","label":"Update"},
{"name":"create","label":"Create"},
{"name":"grant","label":"Grant"},
{"name":"drop","label":"Drop"},
{"name":"alter","label":"Alter"},
{"name":"index","label":"Index"},
{"name":"lock","label":"Lock"},
{"name":"all","label":"All",
"impliedGrants": [
"select",
"update",
"create",
"grant",
"drop",
"alter",
"index",
"lock"
]
}
]
},
"policies":[
{"id":101,"name":"db=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false}
]
},
{"id":102,"name":"db=*, udf=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
"resources":{"database":{"values":["*"]},"udf":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"all","isAllowed":true}],"users":["hive", "user1", "user2"],"groups":["public"],"delegateAdmin":false}
]
}
],
"tagPolicyInfo": {
"serviceName":"tagdev",
"serviceDef": {
"name": "tag",
"id": 100,
"resources": [
{
"itemId": 1,
"name": "tag",
"type": "string",
"level": 1,
"parent": "",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": true,
"ignoreCase": false
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "TAG",
"description": "TAG"
}
],
"accessTypes": [
{
"itemId": 1,
"name": "hive:select",
"label": "hive:select"
},
{
"itemId": 2,
"name": "hive:update",
"label": "hive:update"
},
{
"itemId": 3,
"name": "hive:create",
"label": "hive:create"
}
,
{
"itemId": 4,
"name": "hive:grant",
"label": "hive:grant"
}
,
{
"itemId": 5,
"name": "hive:drop",
"label": "hive:drop"
}
,
{
"itemId": 6,
"name": "hive:alter",
"label": "hive:alter"
},
{
"itemId": 7,
"name": "hive:index",
"label": "hive:index"
},
{
"itemId": 8,
"name": "hive:lock",
"label": "hive:lock"
},
{
"itemId": 9,
"name": "hive:all",
"label": "hive:all",
"impliedGrants":
[
"hive:select",
"hive:update",
"hive:create",
"hive:grant",
"hive:drop",
"hive:alter",
"hive:index",
"hive:lock"
]
}
],
"contextEnrichers": [
{
"itemId": 1,
"name" : "TagEnricher",
"enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
"enricherOptions" : {"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", "tagRefresherPollingInterval":60000, "serviceTagsFileName":"/policyengine/resourceTags.json"}
}
],
"policyConditions": [
{
"itemId":1,
"name":"expression",
"evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
"evaluatorOptions" : {"engineName":"JavaScript", "ui.isMultiline":"true"},
"label":"Enter boolean expression",
"description": "Boolean expression"
},
{
"itemId":2,
"name":"enforce-expiry",
"evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
"evaluatorOptions" : { "scriptTemplate":"ctx.isAccessedAfter('expiry_date');" },
"label":"Deny access after expiry_date?",
"description": "Deny access after expiry_date? (yes/no)"
}
]
},
"tagPolicies":[
{"id":1,"name":"RESTRICTED_TAG_POLICY","isEnabled":true,"isAuditEnabled":true,
"resources":{"tag":{"values":["RESTRICTED"],"isRecursive":false}},
"policyItems":[
{
"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
"conditions":[{
"type":"expression",
"values":["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
}]
}
]
},
{"id":2,"name":"PII_TAG_POLICY","isEnabled":true,"isAuditEnabled":true,
"resources":{"tag":{"values":["PII"],"isRecursive":false}},
"policyItems":[
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false}
]
},
{"id":3,"name":"PII_TAG_POLICY-FINAL","isEnabled":true,"isAuditEnabled":true,
"resources":{"tag":{"values":["PII-FINAL"],"isRecursive":false}},
"denyPolicyItems":[
{"accesses":[{"type":"hive:all","isAllowed":true}],"users":[""],"groups":["public"],"delegateAdmin":false}
]
,
"denyExceptions":[
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false}
]
},
{"id":4,"name":"RESTRICTED_TAG_POLICY_FINAL","isEnabled":true,"isAuditEnabled":true,
"resources":{"tag":{"values":["RESTRICTED-FINAL"],"isRecursive":false}},
"denyPolicyItems":[
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
]
,
"denyExceptions":[
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
"conditions":[{
"type":"expression",
"values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
}]
}
]
},
{"id":5,"name":"EXPIRES_ON","isEnabled":true,"isAuditEnabled":true,
"resources":{"tag":{"values":["EXPIRES_ON"],"isRecursive":false}},
"denyPolicyItems":[
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false,
"conditions":[{"type":"enforce-expiry","values":["yes"]}]
}
]
,
"denyExceptions":[
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["dataloader"],"groups":[],"delegateAdmin":false}
]
}
]
},
"tests":[
{"name":"ALLOW 'select ssn from employee.personal;' for user1 using EXPIRES_ON tag",
"request":{
"resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}},
"accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1"
},
"result":{"isAudited":true,"isAllowed":true,"policyId":101}
},
{"name":"DENY 'select id from employee.personal;' for user1 using EXPIRES_ON tag",
"request":{
"resource":{"elements":{"database":"employee", "table":"personal", "column":"id"}},
"accessType":"select","user":"user1","userGroups":[],"requestData":"select id from employee.personal;' for user1"
},
"result":{"isAudited":true,"isAllowed":false,"policyId":5}
},
{"name":"ALLOW 'select emp-number from employee.personal;' for dataloader using EXPIRES_ON tag",
"request":{
"resource":{"elements":{"database":"employee", "table":"personal", "column":"emp-number"}},
"accessType":"select","user":"dataloader","userGroups":[],"requestData":"select emp-number from employee.personal;' for dataloader"
},
"result":{"isAudited":true,"isAllowed":true,"policyId":101}
},
{"name":"DENY 'select salary from employee.personal;' for user1 using EXPIRES_ON tag",
"request":{
"resource":{"elements":{"database":"employee", "table":"personal", "column":"salary"}},
"accessType":"select","user":"user1","userGroups":[],"requestData":"select salary from employee.personal;' for user1"
},
"result":{"isAudited":true,"isAllowed":false,"policyId":5}
},
{"name":"ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
"request":{
"resource":{"elements":{"database":"employee", "table":"personal", "column":"city"}},
"accessType":"select","user":"user1","userGroups":[],"requestData":"select city from employee.personal;' for user1"
},
"result":{"isAudited":true,"isAllowed":true,"policyId":101}
},
{"name":"DENY 'select address from employee.personal;' for user2 using RESTRICTED-FINAL tag",
"request":{
"resource":{"elements":{"database":"employee", "table":"personal", "column":"address"}},
"accessType":"select","user":"user2","userGroups":[],"requestData":"select address from employee.personal;' for user2"
},
"result":{"isAudited":true,"isAllowed":false,"policyId":4}
},
{"name":"ALLOW 'select name from employee.personal;' for user1 - no tag",
"request":{
"resource":{"elements":{"database":"employee", "table":"personal", "column":"name"}},
"accessType":"select","user":"user1","userGroups":[],"requestData":"select name from employee.personal;' for user1"
},
"result":{"isAudited":true,"isAllowed":true,"policyId":101}
},
{"name":"ALLOW 'select name from default.table1;' for hive using PII, PII-FINAL tags",
"request":{
"resource":{"elements":{"database":"default", "table":"table1", "column":"name"}},
"accessType":"select","user":"hive","userGroups":[],"requestData":"select name from default.table1;' for hive"
},
"result":{"isAudited":true,"isAllowed":true,"policyId":2}
},
{"name":"DENY 'desc default.table1;' for hive using PII, PII-FINAL tags",
"request":{
"resource":{"elements":{"database":"default", "table":"table1"}},
"accessType":"","user":"hive","userGroups":[],"requestData":"desc default.table1;' for hive"
},
"result":{"isAudited":true,"isAllowed":false,"policyId":3}
},
{"name":"DENY 'desc default.table2;' for user1 using PII-FINAL tag",
"request":{
"resource":{"elements":{"database":"default", "table":"table2"}},
"accessType":"","user":"user1","userGroups":[],"requestData":"desc default.table2;' for user1"
},
"result":{"isAudited":true,"isAllowed":false,"policyId":3}
},
{"name":"DENY 'use default;' for user1 using PII, PII-FINAL tags",
"request":{
"resource":{"elements":{"database":"default"}},
"accessType":"","user":"user1","userGroups":[],"requestData":"use default for user user1"
},
"result":{"isAudited":true,"isAllowed":false,"policyId":3}
},
{"name":"ALLOW 'select name from default.table3;' for hive using PII tag",
"request":{
"resource":{"elements":{"database":"default", "table":"table3", "column":"name"}},
"accessType":"select","user":"hive","userGroups":[],"requestData":"select name from default.table3 for user hive"
},
"result":{"isAudited":true,"isAllowed":true,"policyId":2}
}
]
}