{
"serviceName":"hivedev",
"serviceDef":{
"name":"hive",
"id":3,
"resources":[
{"name":"database","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Database","description":"Hive Database"},
{"name":"global","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Global","description":"Global"},
{"name":"url","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"URL","description":"URL"},
{"name":"hiveservice","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Service","description":"Hive Service"},
{"name":"table","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Table","description":"Hive Table"},
{"name":"udf","level":2,"parent":"database","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive UDF","description":"Hive UDF"},
{"name":"column","level":3,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"Hive Column","description":"Hive Column"}
],
"accessTypes":[
{"name":"select","label":"Select"},
{"name":"update","label":"Update"},
{"name":"create","label":"Create"},
{"name":"drop","label":"Drop"},
{"name":"alter","label":"Alter"},
{"name":"index","label":"Index"},
{"name":"lock","label":"Lock"},
{"name":"all","label":"All",
"impliedGrants": [
"select",
"update",
"create",
"drop",
"alter",
"index",
"lock"
]
}
]
},
"serviceConfig": {
"ranger.plugin.audit.filters": "[ {'accessResult': 'DENIED', 'isAudited': true}, {'resources':{'database':{'values':['temp']},'table':{'values':['tempdata']},'column':{'values':['*']}},'isAudited' : false}, {'resources':{'database':{'values':['sys']},'table':{'values':['dump']}},'users':['user2'],'isAudited': false }, {'actions':['METADATA OPERATION'], 'isAudited': false}, {'users':['superuser1'],'groups':['supergroup1'], 'isAudited': false} ]"
},
"policies": [
{"id":1,"name":"db=*:table=*,column=*","isEnabled":true,"isAuditEnabled":true,"policyType":0,
"resources":{"database":{"values":["*"]},"table":{"values":["*"]},"column":{"values":["*"]}},
"policyItems":[
{"accesses":[{"type":"select","isAllowed":true}],"users":["hive", "user1", "user2", "superuser1"],"groups":["supergroup1"],"delegateAdmin":false}
]
}
],
"tagPolicyInfo": {
"serviceName":"tagdev",
"serviceDef": {
"name": "tag",
"id": 100,
"resources": [
{
"itemId": 1,
"name": "tag",
"type": "string",
"level": 1,
"parent": "",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": true,
"ignoreCase": false
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "TAG",
"description": "TAG"
}
],
"accessTypes": [
{
"itemId": 1,
"name": "hive:select",
"label": "hive:select"
},
{
"itemId": 2,
"name": "hive:update",
"label": "hive:update"
},
{
"itemId": 3,
"name": "hive:create",
"label": "hive:create"
}
,
{
"itemId": 4,
"name": "hive:grant",
"label": "hive:grant"
}
,
{
"itemId": 5,
"name": "hive:drop",
"label": "hive:drop"
}
,
{
"itemId": 6,
"name": "hive:alter",
"label": "hive:alter"
},
{
"itemId": 7,
"name": "hive:index",
"label": "hive:index"
},
{
"itemId": 8,
"name": "hive:lock",
"label": "hive:lock"
},
{
"itemId": 9,
"name": "hive:all",
"label": "hive:all",
"impliedGrants":
[
"hive:select",
"hive:update",
"hive:create",
"hive:grant",
"hive:drop",
"hive:alter",
"hive:index",
"hive:lock"
]
}
],
"contextEnrichers": [],
"policyConditions": []
},
"serviceConfig": {
"ranger.plugin.audit.filters": "[ {'resources':{'tag':{'values':['NO_AUDIT']}},'isAudited': false}, {'resources':{'tag':{'values':['SYS_DATA']}},'users':['user1'],'isAudited': false}, {'resources':{'tag':{'values':['HIPPA']}},'users':['user1'], 'isAudited': true} ]"
},
"tagPolicies":[
{"id":1001,"name":"DEFAULT","isEnabled":true,"isAuditEnabled":true,
"resources":{"tag":{"values":["DEFAULT"],"isRecursive":false}},
"policyItems":[{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false}]
},
{"id":1002,"name":"HIPPA","isEnabled":true,"isAuditEnabled":true,
"resources":{"tag":{"values":["HIPPA"],"isRecursive":false}},
"policyItems":[{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1","user2"],"groups":[],"delegateAdmin":false}]
}
]
},
"tests": [
{"name":"cmd -> select * from temp.tempdata, discard access audit for user1 to table -> temp.tempdata",
"request":{
"resource":{"elements":{"database":"temp","table":"tempdata", "column": "*"}},
"accessType":"select","user":"user1","userGroups":["user1"],"requestData":"select * from temp.tempdata"
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
},
{"name":"cmd -> use temp, discard access audit for user1 to database -> temp" ,
"request":{
"resource":{"elements":{"database":"temp"},
"accessType":"_any","user":"user1","userGroups":["user1"],"requestData":"use temp"
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
}
},
{"name":"cmd -> select * from sys.dump, discard access audit for user2 to table -> sys.dump",
"request":{
"resource":{"elements":{"database":"sys","table":"dump"}},
"accessType":"select","user":"user2","userGroups":[],"requestData":"select * from sys.dump"
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
},
{"name":"cmd -> select * from hr.emp, discard access audit for superuser1 for access to table -> hr.emp",
"request":{
"resource":{"elements":{"database":"hr"}},
"accessType":"select","user":"superuser1","userGroups":[],"requestData":"select * from hr.emp"
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
},
{"name":"cmd -> select * from hr.emp, discard access audit for supergroup1 to table -> hr.emp",
"request":{
"resource":{"elements":{"database":"hr","table":"emp"}},
"accessType":"select","user":"","userGroups":["supergroup1"],"requestData":"select * from hr.emp"
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
},
{"name":"cmd -> select * from hr.emp, Audit access for user4 to table hr.emp",
"request":{
"resource":{"elements":{"database":"hr","table":"emp"}},
"accessType":"select","user":"user4","userGroups":[],"requestData":"select * from hr.emp"
},
"result":{"isAudited":true,"isAllowed":false,"policyId":-1}
},
{"name":"cmd -> select * from sys.scheduled_queries, discard access audit for hive operation = METADATA OPERATION",
"request":{
"resource":{"elements":{"database":"sys","table":"scheduled_queries"}},
"accessType":"select","user":"hive","userGroups":[],"requestData":"select * from sys.scheduled_queries","action": "METADATA OPERATION"
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
},
{"name":"cmd -> select name from medical.data, Audit access of resources with TAG = HIPPA",
"request":{
"resource":{"elements":{"database":"medical", "table":"data", "column":"name"}},
"accessType":"select","user":"user2","userGroups":[],"requestData":"select name from medical.data for user1",
"context": {"TAGS": "[{\"type\":\"HIPPA\"}]"}
},
"result":{"isAudited":true,"isAllowed":true,"policyId":-1}
},
{"name":"cmd -> select name from temp.data, discard access audit of resources with TAG = NO_AUDIT",
"request":{
"resource":{"elements":{"database":"temp", "table":"data", "column":"name"}},
"accessType":"select","user":"user1","userGroups":[],"requestData":"select name from temp.data for user1",
"context": {"TAGS": "[{\"type\":\"NO_AUDIT\"}]"}
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
},
{"name":"cmd -> select name from sysdb.data, discard access audit of resources with TAG = SYS_DATA",
"request":{
"resource":{"elements":{"database":"sysdb", "table":"data", "column":"name"}},
"accessType":"select","user":"user1","userGroups":[],"requestData":"select name from sysdb.data for user1",
"context": {"TAGS": "[{\"type\":\"SYS_DATA\"}]"}
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
},
{"name":"cmd -> use sysdb, discard access audit of resource with TAG = SYS_DATA",
"request":{
"resource":{"elements":{"database":"sysdb"}},
"accessType":"_any","user":"user1","userGroups":[],"requestData":"use sysdb",
"context": {"TAGS": "[{\"type\":\"SYS_DATA\"}]"}
},
"result":{"isAudited":false,"isAllowed":true,"policyId":-1}
}
]
}