agents-common/src/test/resources/policyengine/test_policyengine_hdfs_resourcespec.json - ranger - Git at Google

 {
   "serviceName":"hdfsdev",

   "serviceDef":{
     "name":"hdfs",
     "id":1,
     "resources":[
     {"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,
       "matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
       "matcherOptions":{"wildCard":true, "ignoreCase":true},
       "startDelimiterChar": "{", "endDelimiterChar": "}", "escapeChar":"%",
       "label":"Resource Path","description":"HDFS file or directory path"}
     ],
     "accessTypes":[
       {"name":"read","label":"Read"},
       {"name":"write","label":"Write"},
       {"name":"execute","label":"Execute"}
     ],
     "contextEnrichers": [ ],
     "policyConditions": [ ]
   },

   "policies":[
     {"id":1,"name":"allow-read-to-finance under /finance/rest*ricted/","isEnabled":true,"isAuditEnabled":true,
      "resources":{"path":{"values":["/finance/rest*ricted/"],"isRecursive":true}},
      "policyItems":[
        {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false, "conditions":[ ] }
      ]
     }
     ,
     {"id":2,"name":"allow-read-to-{USER} under /home/{USER}/","isEnabled":true,"isAuditEnabled":false,
       "resources":{"path":{"values":["/home/{USER}/"],"isRecursive":true}},
       "policyItems":[
         {"accesses":[{"type":"read","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false, "conditions":[ ] }
       ]
     }
   ],

   "tests":[
     {"name":"DENY 'read /home/user1/tmp/sales.db' for user=user2",
       "request":{
         "resource":{"elements":{"path":"/home/user1/tmp/sales.db"}},
         "accessType":"read","user":"user2","userGroups":[],"requestData":"DENY read /home/user1/tmp/sales.db to user2"
       },
       "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
     }
     ,
     {"name":"ALLOW 'read /home/user1/tmp/sales.db' for user=user1",
       "request":{
         "resource":{"elements":{"path":"/home/user1/tmp/sales.db"}},
         "accessType":"read","user":"user1","userGroups":[],"requestData":"ALLOW read /home/user1/tmp/sales.db to user1"
       },
       "result":{"isAudited":false,"isAllowed":true,"policyId":2}
     }
   ,

     {"name":"ALLOW 'read /finance/restricted/tmp/sales.db' for g=finance",
      "request":{
       "resource":{"elements":{"path":"/finance/restricted/tmp/sales.db"}},
       "accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/tmp/sales.db"
      },
      "result":{"isAudited":true,"isAllowed":true,"policyId":1}
     }

   ]
 }
	{
	"serviceName":"hdfsdev",

	"serviceDef":{
	"name":"hdfs",
	"id":1,
	"resources":[
	{"name":"path","type":"path","level":1,"mandatory":true,"lookupSupported":true,
	"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
	"matcherOptions":{"wildCard":true, "ignoreCase":true},
	"startDelimiterChar": "{", "endDelimiterChar": "}", "escapeChar":"%",
	"label":"Resource Path","description":"HDFS file or directory path"}
	],
	"accessTypes":[
	{"name":"read","label":"Read"},
	{"name":"write","label":"Write"},
	{"name":"execute","label":"Execute"}
	],
	"contextEnrichers": [ ],
	"policyConditions": [ ]
	},

	"policies":[
	{"id":1,"name":"allow-read-to-finance under /finance/rest*ricted/","isEnabled":true,"isAuditEnabled":true,
	"resources":{"path":{"values":["/finance/rest*ricted/"],"isRecursive":true}},
	"policyItems":[
	{"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["finance"],"delegateAdmin":false, "conditions":[ ] }
	]
	}
	,
	{"id":2,"name":"allow-read-to-{USER} under /home/{USER}/","isEnabled":true,"isAuditEnabled":false,
	"resources":{"path":{"values":["/home/{USER}/"],"isRecursive":true}},
	"policyItems":[
	{"accesses":[{"type":"read","isAllowed":true}],"users":["{USER}"],"groups":[],"delegateAdmin":false, "conditions":[ ] }
	]
	}
	],

	"tests":[
	{"name":"DENY 'read /home/user1/tmp/sales.db' for user=user2",
	"request":{
	"resource":{"elements":{"path":"/home/user1/tmp/sales.db"}},
	"accessType":"read","user":"user2","userGroups":[],"requestData":"DENY read /home/user1/tmp/sales.db to user2"
	},
	"result":{"isAudited":false,"isAllowed":false,"policyId":-1}
	}
	,
	{"name":"ALLOW 'read /home/user1/tmp/sales.db' for user=user1",
	"request":{
	"resource":{"elements":{"path":"/home/user1/tmp/sales.db"}},
	"accessType":"read","user":"user1","userGroups":[],"requestData":"ALLOW read /home/user1/tmp/sales.db to user1"
	},
	"result":{"isAudited":false,"isAllowed":true,"policyId":2}
	}
	,

	{"name":"ALLOW 'read /finance/restricted/tmp/sales.db' for g=finance",
	"request":{
	"resource":{"elements":{"path":"/finance/restricted/tmp/sales.db"}},
	"accessType":"read","user":"user1","userGroups":["finance"],"requestData":"read /finance/restricted/tmp/sales.db"
	},
	"result":{"isAudited":true,"isAllowed":true,"policyId":1}
	}

	]
	}