diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java index af71815eee..cb9d62f623 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java @@ -353,33 +353,34 @@ public void setPolicy(RangerPolicy policy) { } @Override - public boolean equals(Object other) { - if (other == null) { + public boolean equals(Object obj) { + if (this == obj) { + return true; + } else if (obj == null || getClass() != obj.getClass()) { return false; - } - - if (other instanceof AccessResult) { - AccessResult otherObject = (AccessResult) other; - return result == otherObject.result && isFinal == otherObject.isFinal; } else { - return false; + AccessResult other = (AccessResult) obj; + + return result == other.result && + isFinal == other.isFinal && + policy == null ? other.policy == null : (other.policy != null && Objects.equals(policy.getId(), other.policy.getId())); } } @Override public int hashCode() { - return Objects.hash(result, isFinal); // policy is not relevant for equals() and hashCode() + return Objects.hash(result, isFinal, policy == null ? null : policy.getId()); } @Override public String toString() { if (result == ACCESS_ALLOWED) { - return "ALLOWED, final=" + isFinal; + return "ALLOWED, final=" + isFinal + ", policyId=" + (policy != null ? policy.getId() : null); } if (result == ACCESS_DENIED) { - return "NOT_ALLOWED, final=" + isFinal; + return "NOT_ALLOWED, final=" + isFinal + ", policyId=" + (policy != null ? policy.getId() : null); } - return "CONDITIONAL_ALLOWED, final=" + isFinal; + return "CONDITIONAL_ALLOWED, final=" + isFinal + ", policyId=" + (policy != null ? policy.getId() : null); } } 
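Review bot: The new `return` in `AccessResult.equals()` does not compare what it appears to, because `?:` binds looser than `&&`: the expression parses as `(result == other.result && isFinal == other.isFinal && policy == null) ? other.policy == null : (...)`. As a result, two entries whose `result` or `isFinal` differ still compare equal whenever both carry a policy with the same id, so an ALLOWED and a NOT_ALLOWED entry from the same policy are treated as the same ACL. When `this.policy` is null, `other.policy` is not, and `result` or `isFinal` differs, the else branch calls `policy.getId()` on null and throws. Parenthesising the ternary restores the intended meaning: `isFinal == other.isFinal && (policy == null ? other.policy == null : (other.policy != null && Objects.equals(policy.getId(), other.policy.getId())));`. The enclosing `AccessResult` class starts outside this hunk, and a test with equal policy ids but different `result` values would pin the behaviour.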
@@ -396,6 +397,15 @@ public static class DataMaskResult implements Serializable { private final RangerPolicyItemDataMaskInfo maskInfo; private boolean isConditional; + public DataMaskResult() { + this.users = new HashSet<>(); + this.groups = new HashSet<>(); + this.roles = new HashSet<>(); + this.accessTypes = new HashSet<>(); + this.maskInfo = new RangerPolicyItemDataMaskInfo(); + this.isConditional = false; + } + public DataMaskResult(Set users, Set groups, Set roles, Set accessTypes, RangerPolicyItemDataMaskInfo maskInfo) { this.users = users; this.groups = groups; @@ -527,6 +537,15 @@ public static class RowFilterResult implements Serializable { private final RangerPolicyItemRowFilterInfo filterInfo; private boolean isConditional; + public RowFilterResult() { + this.users = new HashSet<>(); + this.groups = new HashSet<>(); + this.roles = new HashSet<>(); + this.accessTypes = new HashSet<>(); + this.filterInfo = new RangerPolicyItemRowFilterInfo(); + this.isConditional = false; + } + public RowFilterResult(Set users, Set groups, Set roles, Set accessTypes, RangerPolicyItemRowFilterInfo filterInfo) { this.users = users; this.groups = groups; diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java index 5aa16030c9..b000cc6c3f 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java @@ -39,6 +39,8 @@ import java.io.InputStream; import java.io.InputStreamReader; import java.lang.reflect.Type; +import java.util.ArrayList; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Objects; 
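Review bot: The public no-arg constructors added to `DataMaskResult` and `RowFilterResult` (the first two hunks on this line) have no comment stating why they exist or who is expected to call them. Each builds a result with empty user, group, role and access-type sets and a blank `RangerPolicyItemDataMaskInfo` / `RangerPolicyItemRowFilterInfo`, which presumably only makes sense as a target for deserializing the JSON test fixtures; that is inferred from the rest of this commit, not stated in the hunk. A short comment on each would keep production callers from treating an empty mask or filter as a real evaluation outcome, e.g. `// for JSON deserialization only; use the full constructor when building results`. Both class bodies continue outside these hunks, so whether narrower visibility would suffice cannot be judged from here.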
@@ -145,11 +147,11 @@ static class OneTest { String name; RangerAccessResource resource; ResourceMatchingScope resourceMatchingScope; - Map> userPermissions; - Map> groupPermissions; - Map> rolePermissions; - List rowFilters; - List dataMasks; + Map> userPermissions = new HashMap<>(); + Map> groupPermissions = new HashMap<>(); + Map> rolePermissions = new HashMap<>(); + List rowFilters = new ArrayList<>(); + List dataMasks = new ArrayList<>(); } } } diff --git a/agents-common/src/test/resources/plugin/test_base_plugin_hive.json b/agents-common/src/test/resources/plugin/test_base_plugin_hive.json index ccd3adcd88..29c12e5fd2 100644 --- a/agents-common/src/test/resources/plugin/test_base_plugin_hive.json +++ b/agents-common/src/test/resources/plugin/test_base_plugin_hive.json @@ -406,9 +406,9 @@ }, "acls": { "userACLs": { - "res-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 100 } } }, - "tag-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 200 } } }, - "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "res-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 110 } } }, + "tag-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 201 } } }, + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, 
@@ -425,8 +425,8 @@ }, "acls": { "userACLs": { - "res-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 100 } } }, - "tag-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 200 } } }, + "res-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 121 } } }, + "tag-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 202 } } }, "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, diff --git a/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_access.json b/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_access.json index c10eb8196e..6ae15d4a12 100644 --- a/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_access.json +++ b/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_access.json @@ -305,10 +305,10 @@ "request": { "resource": { "elements": { "database": "sales", "table": "prospects" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds1-user": { "select": { "result": 1, "isFinal": true } }, - "proj-user": { "select": { "result": 1, "isFinal": true } }, - "proj1-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, + "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } } }, "datasets": [ "dataset-1" ], "projects": [ "project-1" ] 
@@ -319,10 +319,10 @@ "request": { "resource": { "elements": { "database": "sales", "table": "orders" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds1-user": { "select": { "result": 1, "isFinal": true } }, - "proj-user": { "select": { "result": 1, "isFinal": true } }, - "proj1-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, + "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } } }, "datasets": [ "dataset-1" ], "projects": [ "project-1" ] @@ -338,10 +338,10 @@ "request": { "resource": { "elements": { "database": "sales", "table": "orders", "column": "created_time" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds1-user": { "select": { "result": 1, "isFinal": true } }, - "proj-user": { "select": { "result": 1, "isFinal": true } }, - "proj1-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, + "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } } }, "datasets": [ "dataset-1" ], "projects": [ "project-1" ] 
@@ -357,11 +357,11 @@ "request": { "resource": { "elements": { "database": "finance", "table": "invoices" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds1-user": { "select": { "result": 1, "isFinal": true } }, - "ds2-user": { "select": { "result": 1, "isFinal": true } }, - "proj-user": { "select": { "result": 1, "isFinal": true } }, - "proj1-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, + "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, + "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } } }, "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ] @@ -372,11 +372,11 @@ "request": { "resource": { "elements": { "database": "finance", "table": "payments" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds1-user": { "select": { "result": 1, "isFinal": true } }, - "ds2-user": { "select": { "result": 1, "isFinal": true } }, - "proj-user": { "select": { "result": 1, "isFinal": true } }, - "proj1-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, + "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, + "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } } }, "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ] 
@@ -392,10 +392,10 @@ "request": { "resource": { "elements": { "database": "shipping", "table": "shipments" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds2-user": { "select": { "result": 1, "isFinal": true } }, - "proj-user": { "select": { "result": 1, "isFinal": true } }, - "proj1-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, + "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, + "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } } }, "datasets": [ "dataset-2" ], "projects": [ "project-1" ] @@ -411,12 +411,12 @@ "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds3-user": { "select": { "result": 1, "isFinal": true } }, - "ds6-user": { "select": { "result": 1, "isFinal": true } }, - "proj-user": { "select": { "result": 1, "isFinal": true } }, - "proj2-user": { "select": { "result": 1, "isFinal": true } }, - "proj4-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2003 } } }, + "ds3-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2003 } } }, + "ds6-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2006 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3002 } } }, + "proj2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3002 } } }, + "proj4-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3004 } } } }, "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ] 
@@ -432,8 +432,8 @@ "request": { "resource": { "elements": { "database": "operations", "table": "facilities" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds4-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2004 } } }, + "ds4-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2004 } } } }, "datasets": [ "dataset-4" ] } diff --git a/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_data_mask.json b/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_data_mask.json index c172c0c147..2922cdecf5 100644 --- a/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_data_mask.json +++ b/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_data_mask.json @@ -11,7 +11,7 @@ "name": "table: sales.prospects, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "sales", "table": "prospects" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "allowedByDatasets": [ "dataset-1" ], "isAllowed": true, "isAudited": true, "policyId": 2001 } }, @@ -19,7 +19,7 @@ "name": "column: sales.prospects.channel, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "sales", "table": "prospects", "column": "channel" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "allowedByDatasets": [ "dataset-1" ], "isAllowed": true, "isAudited": true, "policyId": 2001, "maskType": "MASK_NULL" } }, 
@@ -27,7 +27,7 @@ "name": "table: sales.orders, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "sales", "table": "orders" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "allowedByDatasets": [ "dataset-1" ], "isAllowed": true, "isAudited": true, "policyId": 2001 } }, @@ -35,7 +35,7 @@ "name": "column: sales.orders.amount, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "sales", "table": "orders", "column": "amount" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "allowedByDatasets": [ "dataset-1" ], "isAllowed": true, "isAudited": true, "policyId": 2001, "maskType": "CUSTOM", "maskedValue": "-1" } }, @@ -43,7 +43,7 @@ "name": "database: sales, user: ds-user, access: _any", "request": { "resource": { "elements": { "database": "sales" } }, - "accessType": "", "user": "ds-user", "userGroups": [] + "accessType": "", "user": "ds-user" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "allowedByDatasets": [ "dataset-1" ], "isAllowed": true, "isAudited": true, "policyId": 2001 } }, @@ -51,7 +51,7 @@ "name": "table: finance.invoices, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "invoices" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByDatasets": [ "dataset-1", "dataset-2" ], "isAllowed": true, "isAudited": true, "policyId": 2001 } }, 
@@ -59,7 +59,7 @@ "name": "column: finance.invoices.amount, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "invoices", "column": "amount" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByDatasets": [ "dataset-1", "dataset-2" ], "isAllowed": true, "isAudited": true, "policyId": 2001, "maskType": "CUSTOM", "maskedValue": "-1" } }, @@ -67,7 +67,7 @@ "name": "table: finance.invoices, user: ds1-user, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "invoices" } }, - "accessType": "select", "user": "ds1-user", "userGroups": [] + "accessType": "select", "user": "ds1-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByDatasets": [ "dataset-1" ], "isAllowed": true, "isAudited": true, "policyId": 2001 } }, @@ -75,7 +75,7 @@ "name": "table: finance.invoices, user: ds2-user, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "invoices" } }, - "accessType": "select", "user": "ds2-user", "userGroups": [] + "accessType": "select", "user": "ds2-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByDatasets": [ "dataset-2" ], "isAllowed": true, "isAudited": true, "policyId": 2002 } }, 
@@ -83,7 +83,7 @@ "name": "table: finance.payments, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "payments" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByDatasets": [ "dataset-1", "dataset-2" ], "isAllowed": true, "isAudited": true, "policyId": 2001 } }, @@ -91,7 +91,7 @@ "name": "column: finance.payments.amount, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "payments", "column": "amount" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByDatasets": [ "dataset-1", "dataset-2" ], "isAllowed": true, "isAudited": true, "policyId": 2001, "maskType": "CUSTOM", "maskedValue": "-1" } }, @@ -99,7 +99,7 @@ "name": "database: finance, user: ds-user, access: _any", "request": { "resource": { "elements": { "database": "finance" } }, - "accessType": "", "user": "ds-user", "userGroups": [] + "accessType": "", "user": "ds-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByDatasets": [ "dataset-1", "dataset-2" ], "isAllowed": true, "isAudited": true, "policyId": 2001 } }, 
@@ -107,7 +107,7 @@ "name": "table: shipping.shipments, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "shipping", "table": "shipments" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 2 ], "allowedByDatasets": [ "dataset-2" ], "isAllowed": true, "isAudited": true, "policyId": 2002 } }, @@ -115,7 +115,7 @@ "name": "database: shipping, user: ds-user, access: _any", "request": { "resource": { "elements": { "database": "shipping" } }, - "accessType": "", "user": "ds-user", "userGroups": [] + "accessType": "", "user": "ds-user" }, "result": { "datasets": [ "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 2 ], "allowedByDatasets": [ "dataset-2" ], "isAllowed": true, "isAudited": true, "policyId": 2002 } }, @@ -123,7 +123,7 @@ "name": "table: customers.contact_info, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ], "datasetIds": [ 3, 6 ], "allowedByDatasets": [ "dataset-3", "dataset-6" ], "isAllowed": true, "isAudited": true, "policyId": 2003 } }, @@ -131,7 +131,7 @@ "name": "table: customers.contact_info, user: ds3-user, access: select", "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } }, - "accessType": "select", "user": "ds3-user", "userGroups": [] + "accessType": "select", "user": "ds3-user" }, "result": { "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ], "datasetIds": [ 3, 6 ], "allowedByDatasets": [ "dataset-3" ], "isAllowed": true, "isAudited": true, "policyId": 2003 } }, 
@@ -139,7 +139,7 @@ "name": "table: customers.contact_info, user: ds6-user, access: select", "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } }, - "accessType": "select", "user": "ds6-user", "userGroups": [] + "accessType": "select", "user": "ds6-user" }, "result": { "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ], "datasetIds": [ 3, 6 ], "allowedByDatasets": [ "dataset-6" ], "isAllowed": true, "isAudited": true, "policyId": 2006 } }, @@ -147,7 +147,7 @@ "name": "database: customers, user: ds-user, access: _any", "request": { "resource": { "elements": { "database": "customers" } }, - "accessType": "", "user": "ds-user", "userGroups": [] + "accessType": "", "user": "ds-user" }, "result": { "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ], "datasetIds": [ 3, 6 ], "allowedByDatasets": [ "dataset-3", "dataset-6" ], "isAllowed": true, "isAudited": true, "policyId": 2003 } }, @@ -155,7 +155,7 @@ "name": "table: operations.facilities, user: ds-user, access: select", "request": { "resource": { "elements": { "database": "operations", "table": "facilities" } }, - "accessType": "select", "user": "ds-user", "userGroups": [] + "accessType": "select", "user": "ds-user" }, "result": { "datasets": [ "dataset-4" ], "projects": null, "datasetIds": [ 4 ], "allowedByDatasets": [ "dataset-4" ], "isAllowed": true, "isAudited": true, "policyId": 2004 } }, @@ -163,7 +163,7 @@ "name": "database: operations, user: ds-user, access: _any", "request": { "resource": { "elements": { "database": "operations" } }, - "accessType": "", "user": "ds-user", "userGroups": [] + "accessType": "", "user": "ds-user" }, "result": { "datasets": [ "dataset-4" ], "projects": null, "datasetIds": [ 4 ], "allowedByDatasets": [ "dataset-4" ], "isAllowed": true, "isAudited": true, "policyId": 2004 } }, 
@@ -173,7 +173,7 @@ "name": "table: sales.prospects, user: proj-user, access: select", "request": { "resource": { "elements": { "database": "sales", "table": "prospects" } }, - "accessType": "select", "user": "proj-user", "userGroups": [] + "accessType": "select", "user": "proj-user" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "allowedByProjects": [ "project-1" ], "isAllowed": true, "isAudited": true, "policyId": 3001 } }, @@ -181,7 +181,7 @@ "name": "table: sales.orders, user: proj-user, access: select", "request": { "resource": { "elements": { "database": "sales", "table": "orders" } }, - "accessType": "select", "user": "proj-user", "userGroups": [] + "accessType": "select", "user": "proj-user" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "allowedByProjects": [ "project-1" ], "isAllowed": true, "isAudited": true, "policyId": 3001 } }, @@ -189,7 +189,7 @@ "name": "table: finance.invoices, user: proj-user, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "invoices" } }, - "accessType": "select", "user": "proj-user", "userGroups": [] + "accessType": "select", "user": "proj-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByProjects": [ "project-1" ], "isAllowed": true, "isAudited": true, "policyId": 3001 } }, @@ -197,7 +197,7 @@ "name": "table: finance.payments, user: proj-user, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "payments" } }, - "accessType": "select", "user": "proj-user", "userGroups": [] + "accessType": "select", "user": "proj-user" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "allowedByProjects": [ "project-1" ], "isAllowed": true, "isAudited": true, "policyId": 3001 } }, 
@@ -205,7 +205,7 @@ "name": "table: shipping.shipments, user: proj-user, access: select", "request": { "resource": { "elements": { "database": "shipping", "table": "shipments" } }, - "accessType": "select", "user": "proj-user", "userGroups": [] + "accessType": "select", "user": "proj-user" }, "result": { "datasets": [ "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 2 ], "allowedByProjects": [ "project-1" ], "isAllowed": true, "isAudited": true, "policyId": 3001 } }, @@ -213,7 +213,7 @@ "name": "table: customers.contact_info, user: proj-user, access: select", "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } }, - "accessType": "select", "user": "proj-user", "userGroups": [] + "accessType": "select", "user": "proj-user" }, "result": { "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ], "datasetIds": [ 3, 6 ], "allowedByProjects": [ "project-2", "project-4" ], "isAllowed": true, "isAudited": true, "policyId": 3002 } }, @@ -221,7 +221,7 @@ "name": "table: customers.contact_info, user: proj2-user, access: select", "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } }, - "accessType": "select", "user": "proj2-user", "userGroups": [] + "accessType": "select", "user": "proj2-user" }, "result": { "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ], "datasetIds": [ 3, 6 ], "allowedByProjects": [ "project-2" ], "isAllowed": true, "isAudited": true, "policyId": 3002 } }, 
@@ -229,7 +229,7 @@ "name": "table: customers.contact_info, user: proj4-user, access: select", "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } }, - "accessType": "select", "user": "proj4-user", "userGroups": [] + "accessType": "select", "user": "proj4-user" }, "result": { "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ], "datasetIds": [ 3, 6 ], "allowedByProjects": [ "project-4" ], "isAllowed": true, "isAudited": true, "policyId": 3004 } }, @@ -237,7 +237,7 @@ "name": "table: operations.facilities, user: proj-user, access: select", "request": { "resource": { "elements": { "database": "operations", "table": "facilities" } }, - "accessType": "select", "user": "proj-user", "userGroups": [] + "accessType": "select", "user": "proj-user" }, "result": { "datasets": [ "dataset-4" ], "projects": null, "datasetIds": [ 4 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, @@ -247,7 +247,7 @@ "name": "table: sales.prospects, user: scott, access: select", "request": { "resource": { "elements": { "database": "sales", "table": "prospects" } }, - "accessType": "select", "user": "scott", "userGroups": [] + "accessType": "select", "user": "scott" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, @@ -255,7 +255,7 @@ "name": "table: sales.orders, user: scott, access: select", "request": { "resource": { "elements": { "database": "sales", "table": "orders" } }, - "accessType": "select", "user": "scott", "userGroups": [] + "accessType": "select", "user": "scott" }, "result": { "datasets": [ "dataset-1" ], "projects": [ "project-1" ], "datasetIds": [ 1 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, 
@@ -263,7 +263,7 @@ "name": "table: finance.invoices, user: scott, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "invoices" } }, - "accessType": "select", "user": "scott", "userGroups": [] + "accessType": "select", "user": "scott" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, @@ -271,7 +271,7 @@ "name": "table: finance.payments, user: scott, access: select", "request": { "resource": { "elements": { "database": "finance", "table": "payments" } }, - "accessType": "select", "user": "scott", "userGroups": [] + "accessType": "select", "user": "scott" }, "result": { "datasets": [ "dataset-1", "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 1, 2 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, @@ -279,7 +279,7 @@ "name": "table: shipping.shipments, user: scott, access: select", "request": { "resource": { "elements": { "database": "shipping", "table": "shipments" } }, - "accessType": "select", "user": "scott", "userGroups": [] + "accessType": "select", "user": "scott" }, "result": { "datasets": [ "dataset-2" ], "projects": [ "project-1" ], "datasetIds": [ 2 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, @@ -287,7 +287,7 @@ "name": "table: customers.contact_info, user: scott, access: select", "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } }, - "accessType": "select", "user": "scott", "userGroups": [] + "accessType": "select", "user": "scott" }, "result": { "datasets": [ "dataset-3", "dataset-6" ], "projects": [ "project-2", "project-4" ], "datasetIds": [ 3, 6 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, 
@@ -295,7 +295,7 @@ "name": "table: operations.facilities, user: scott, access: select", "request": { "resource": { "elements": { "database": "operations", "table": "facilities" } }, - "accessType": "select", "user": "scott", "userGroups": [] + "accessType": "select", "user": "scott" }, "result": { "datasets": [ "dataset-4" ], "projects": null, "datasetIds": [ 4 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, @@ -305,7 +305,7 @@ "name": "table: operations.facilities, user: scott, access: select", "request": { "resource": { "elements": { "database": "operations", "table": "facilities" } }, - "accessType": "select", "user": "scott", "userGroups": [] + "accessType": "select", "user": "scott" }, "result": { "datasets": [ "dataset-4" ], "projects": null, "datasetIds": [ 4 ], "isAllowed": false, "isAudited": true, "policyId": -1 } }, @@ -314,7 +314,7 @@ "name": "table: operations.facilities, user: ds-user, access: update", "request": { "resource": { "elements": { "database": "operations", "table": "facilities" } }, - "accessType": "update", "user": "ds-user", "userGroups": [] + "accessType": "update", "user": "ds-user" }, "result": null }, @@ -329,10 +329,10 @@ "request": { "resource": { "elements": { "database": "sales", "table": "prospects" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds1-user": { "select": { "result": 1, "isFinal": true } }, - "proj-user": { "select": { "result": 1, "isFinal": true } }, - "proj1-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, + "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } } }, "datasets": [ "dataset-1" ], "projects": [ "project-1" ] 
@@ -343,10 +343,10 @@
 "request": { "resource": { "elements": { "database": "sales", "table": "orders" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1" ],
 "projects": [ "project-1" ]
@@ -362,10 +362,10 @@
 "request": { "resource": { "elements": { "database": "sales", "table": "orders", "column": "created_time" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1" ],
 "projects": [ "project-1" ]
@@ -381,11 +381,11 @@
 "request": { "resource": { "elements": { "database": "finance", "table": "invoices" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "ds2-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1", "dataset-2" ],
 "projects": [ "project-1" ]
@@ -396,11 +396,11 @@
 "request": { "resource": { "elements": { "database": "finance", "table": "payments" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "ds2-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1", "dataset-2" ],
 "projects": [ "project-1" ]
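Review bot: The expected `policy` for `ds-user` on finance.invoices is 2002 while `ds1-user` gets 2001, although `ds-user` is attributed to 2001 on the sales tables in the earlier hunks, so it looks like both dataset policies grant this user and the fixture pins one of them. On customers.contact_info the same user is pinned to 2003 rather than 2006, so the reported id follows neither the highest nor the lowest id; it presumably follows evaluation order, which the fixture never states. The finance.payments hunk on this line, the new finance.invoices.amount case and the matching hunks of the row-filter fixture repeat the pattern. JSON has no comment syntax, so I would put the rule in the test name, e.g. append ` (ds-user: granted by 2001 and 2002, 2002 expected)` to the `"name"` of these cases, and confirm that this attribution is the intended one.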
@@ -416,10 +416,10 @@
 "request": { "resource": { "elements": { "database": "shipping", "table": "shipments" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds2-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-2" ],
 "projects": [ "project-1" ]
@@ -435,12 +435,12 @@
 "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds3-user": { "select": { "result": 1, "isFinal": true } },
- "ds6-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj2-user": { "select": { "result": 1, "isFinal": true } },
- "proj4-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2003 } } },
+ "ds3-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2003 } } },
+ "ds6-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2006 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3002 } } },
+ "proj2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3002 } } },
+ "proj4-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3004 } } }
 },
 "datasets": [ "dataset-3", "dataset-6" ],
 "projects": [ "project-2", "project-4" ]
@@ -456,12 +456,27 @@ "request": { "resource": { "elements": { "database": "operations", "table": "facilities" } } }, "acls": { "userACLs": { - "ds-user": { "select": { "result": 1, "isFinal": true } }, - "ds4-user": { "select": { "result": 1, "isFinal": true } } + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2004 } } }, + "ds4-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2004 } } } }, "datasets": [ "dataset-4" ] } }, + { + "name": "ACLs: column: finance.invoices.amount", + "request": { "resource": { "elements": { "database": "finance", "table": "invoices", "column": "amount" } } }, + "acls": { + "userACLs": { + "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, + "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } }, + "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } }, + "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }, + "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } } + }, + "datasets": [ "dataset-1", "dataset-2" ], + "projects": [ "project-1" ] + } + }, { "name": "Datasets for principals: users[ ds-user ]", diff --git a/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_row_filter.json b/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_row_filter.json index 6e1b7e0608..409c9bcafc 100644 --- a/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_row_filter.json +++ b/agents-common/src/test/resources/policyengine/gds/test_gds_policy_hive_row_filter.json 
@@ -332,10 +332,10 @@
 "request": { "resource": { "elements": { "database": "sales", "table": "prospects" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1" ],
 "projects": [ "project-1" ]
@@ -346,10 +346,10 @@
 "request": { "resource": { "elements": { "database": "sales", "table": "orders" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1" ],
 "projects": [ "project-1" ]
@@ -365,10 +365,10 @@
 "request": { "resource": { "elements": { "database": "sales", "table": "orders", "column": "created_time" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1" ],
 "projects": [ "project-1" ]
@@ -384,11 +384,11 @@
 "request": { "resource": { "elements": { "database": "finance", "table": "invoices" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "ds2-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1", "dataset-2" ],
 "projects": [ "project-1" ]
@@ -399,11 +399,11 @@
 "request": { "resource": { "elements": { "database": "finance", "table": "payments" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds1-user": { "select": { "result": 1, "isFinal": true } },
- "ds2-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "ds1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2001 } } },
+ "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-1", "dataset-2" ],
 "projects": [ "project-1" ]
@@ -419,10 +419,10 @@
 "request": { "resource": { "elements": { "database": "shipping", "table": "shipments" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds2-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj1-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "ds2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2002 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } },
+ "proj1-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3001 } } }
 },
 "datasets": [ "dataset-2" ],
 "projects": [ "project-1" ]
@@ -438,12 +438,12 @@
 "request": { "resource": { "elements": { "database": "customers", "table": "contact_info" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds3-user": { "select": { "result": 1, "isFinal": true } },
- "ds6-user": { "select": { "result": 1, "isFinal": true } },
- "proj-user": { "select": { "result": 1, "isFinal": true } },
- "proj2-user": { "select": { "result": 1, "isFinal": true } },
- "proj4-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2003 } } },
+ "ds3-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2003 } } },
+ "ds6-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2006 } } },
+ "proj-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3002 } } },
+ "proj2-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3002 } } },
+ "proj4-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3004 } } }
 },
 "datasets": [ "dataset-3", "dataset-6" ],
 "projects": [ "project-2", "project-4" ]
@@ -459,8 +459,8 @@
 "request": { "resource": { "elements": { "database": "operations", "table": "facilities" } } },
 "acls": {
 "userACLs": {
- "ds-user": { "select": { "result": 1, "isFinal": true } },
- "ds4-user": { "select": { "result": 1, "isFinal": true } }
+ "ds-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2004 } } },
+ "ds4-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 2004 } } }
 },
 "datasets": [ "dataset-4" ]
 }
diff --git a/agents-common/src/test/resources/policyengine/test_aclprovider_default.json b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
index 105630d5e0..0390a4925e 100644
--- a/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
+++ b/agents-common/src/test/resources/policyengine/test_aclprovider_default.json
@@ -8,415 +8,222 @@ "serviceDef": { "name": "hive", "id": 3, "resources": [ - { "name": "database", "level": 1, "mandatory": true, "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": true }, - "label": "Hive Database", "description": "Hive Database" - }, - { - "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": true }, - "label": "Hive Table", "description": "Hive Table" - }, - { - "name": "udf", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": true }, - "label": "Hive UDF", "description": "Hive UDF" - }, - { - "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": true }, - "label": "Hive Column", "description": "Hive Column" - } + { "name": "database", "level": 1, "parent": "", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Database", "description": "Hive Database" }, + { "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Table", "description": "Hive Table" }, + { "name": "udf", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "matcher": 
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive UDF", "description": "Hive UDF" }, + { "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Column", "description": "Hive Column" } ], "accessTypes": [ { "name": "select", "label": "Select" }, { "name": "update", "label": "Update" }, { "name": "create", "label": "Create" }, - { "name": "drop", "label": "Drop" }, - { "name": "alter", "label": "Alter" }, - { "name": "index", "label": "Index" }, - { "name": "lock", "label": "Lock" }, - { "name": "all", "label": "All" } + { "name": "drop", "label": "Drop" }, + { "name": "alter", "label": "Alter" }, + { "name": "index", "label": "Index" }, + { "name": "lock", "label": "Lock" }, + { "name": "all", "label": "All" } ], - "policyConditions":[ - { "itemId": 1, "name": "ip-range", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { }, - "label": "IP Address Range", "description": "IP Address Range" - } + "policyConditions": [ + { "itemId": 1, "name": "ip-range", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { }, "label": "IP Address Range", "description": "IP Address Range" } ] }, "policies": [ { "id": 1, "name": "db=default: audit-all-access", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "default" ] }, - "table": { "values": [ "*" ] }, - "column": { "values": [ "*" ] } - }, + "resources": { "database": { "values": [ "default" ] }, "table": { "values": [ "*" ] }, "column": { "values": [ "*" ] } }, "policyItems": [ - { "accesses": [], "users": [], "groups": [ "public" ], "delegateAdmin": false } + { "groups": [ "public" ], "delegateAdmin": false } 
] }, { "id": 2, "name": "db=default; table=test1,test2; column=column1", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "default" ] }, - "table": { "values": [ "test1", "test2" ] }, - "column": { "values": [ "column1" ] } - }, + "resources": { "database": { "values": [ "default" ] }, "table": { "values": [ "test1", "test2" ] }, "column": { "values": [ "column1" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user1", "user2" ], "groups": [ "group1", "group2" ], - "delegateAdmin": false - }, - { "accesses": [ { "type": "create", "isAllowed": true }, { "type": "drop", "isAllowed": true } ], - "users": [ "admin" ], "groups": [ "cluster-admin" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1", "user2" ], "groups": [ "group1", "group2" ], "delegateAdmin": false }, + { "accesses": [ { "type": "create", "isAllowed": true }, { "type": "drop", "isAllowed": true } ], "users": [ "admin" ], "groups": [ "cluster-admin" ], "delegateAdmin": true } ] }, { "id": 3, "name": "db=default; table=test1,test2; column=column2", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "default" ] }, - "table": { "values": [ "test1", "test2" ] }, - "column": { "values": [ "column2" ] } - }, + "resources": { "database": { "values": [ "default" ] }, "table": { "values": [ "test1", "test2" ] }, "column": { "values": [ "column2" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user1", "user2" ], "groups": [ "group1", "group2" ], - "delegateAdmin": false - }, - { - "accesses": [ - { "type": "create", "isAllowed": true }, - { "type": "drop", "isAllowed": true } - ], - "users": [ "admin" ], "groups": [ "cluster-admin" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1", "user2" ], "groups": [ "group1", "group2" 
], "delegateAdmin": false }, + { "accesses": [ { "type": "create", "isAllowed": true }, { "type": "drop", "isAllowed": true } ], "users": [ "admin" ], "groups": [ "cluster-admin" ], "delegateAdmin": true } ] }, { "id": 4, "name": "db=finance; table=fin_*; column=*", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "finance" ] }, - "table": { "values": [ "fin_*" ] }, - "column": { "values": [ "*" ] } - }, + "resources": { "database": { "values": [ "finance" ] }, "table": { "values": [ "fin_*" ] }, "column": { "values": [ "*" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user1", "user2" ], "groups": [ "finance-controller" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1", "user2" ], "groups": [ "finance-controller" ], "delegateAdmin": true } ] }, { "id": 5, "name": "db=db1; table=tmp; column=tmp*", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "db1" ] }, - "table": { "values": [ "tmp" ] }, - "column": { "values": [ "tmp*" ], "isExcludes": false } - }, + "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tmp" ] }, "column": { "values": [ "tmp*" ], "isExcludes": false } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], - "users": [ "user1", "user2" ], "groups": [ "cluster-admin", "finance-controller" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], "users": [ "user1", "user2" ], "groups": [ "cluster-admin", "finance-controller" ], "delegateAdmin": true } ] }, { "id": 6, "name": "db=hr;udf=udf", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "hr" ] }, - "udf": { "values": [ "udf" ] } - }, + "resources": { "database": { "values": [ "hr" ] }, "udf": { "values": [ 
"udf" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], - "users": [ "user1", "user2" ], "groups": [ "cluster-admin" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], "users": [ "user1", "user2" ], "groups": [ "cluster-admin" ], "delegateAdmin": true } ] }, { "id": 7, "name": "db=hr;udf=udf*", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "hr" ] }, - "udf": { "values": [ "udf*" ] } - }, + "resources": { "database": { "values": [ "hr" ] }, "udf": { "values": [ "udf*" ] } }, "denyPolicyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], - "users": [ "user3" ], "groups": [ "public" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], "users": [ "user3" ], "groups": [ "public" ], "delegateAdmin": true } ] }, { "id": 8, "name": "db=hr*;udf=udf", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "hr*" ] }, - "udf": { "values": [ "udf" ] } - }, "validitySchedules": [ { "startTime": "2018/01/12 14:32:00", "endTime": "2020/02/13 12:16:00" } ], + "resources": { "database": { "values": [ "hr*" ] }, "udf": { "values": [ "udf" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], - "users": [ "user4" ], "groups": [ "hr-admin" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], "users": [ "user4" ], "groups": [ "hr-admin" ], "delegateAdmin": true } ] }, { "id": 9, "name": "db=default; table=test2; column=column2", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "default" ] }, - "table": { "values": [ "test2" ] }, - 
"column": { "values": [ "column2" ] } - }, + "resources": { "database": { "values": [ "default" ] }, "table": { "values": [ "test2" ] }, "column": { "values": [ "column2" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user2", "user3" ], "groups": [], - "delegateAdmin": false - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2", "user3" ], "delegateAdmin": false } ], "denyPolicyItems": [ - { - "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], - "users": [ "user2", "user3", "user4" ], "groups": [ "group3" ], - "delegateAdmin": false - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "create", "isAllowed": true } ], "users": [ "user2", "user3", "user4" ], "groups": [ "group3" ], "delegateAdmin": false } ], "denyExceptions": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user3" ], "groups": [], - "delegateAdmin": false - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user3" ], "delegateAdmin": false } ] }, { "id": 10, "name": "db=finance; table=fin_*; column=salary", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "finance" ] }, - "table": { "values": [ "fin_*" ] }, - "column": { "values": [ "salary" ] } + "resources": { "database": { "values": [ "finance" ] }, "table": { "values": [ "fin_*" ] }, "column": { "values": [ "salary" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user3" ], "groups": [ "cluster-admin" ], - "delegateAdmin": true, - "conditions":[{"type":"ip-range","values":["1.*.1.*"]}] - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user3" ], "groups": [ "cluster-admin" ], "delegateAdmin": true, "conditions": [{ "type": "ip-range", "values": ["1.*.1.*"] }] } ] }, { "id": 11, "name": "db=default; table=table; column=column", 
"isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "default" ] }, - "table": { "values": [ "table" ] }, - "column": { "values": [ "column" ] } + "resources": { "database": { "values": [ "default" ] }, "table": { "values": [ "table" ] }, "column": { "values": [ "column" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user1", "user2", "user3", "user4" ], "groups": [ "cluster-admin" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1", "user2", "user3", "user4" ], "groups": [ "cluster-admin" ], "delegateAdmin": true } ], "allowExceptions": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user4" ], "groups": [ "finance-admin" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user4" ], "groups": [ "finance-admin" ], "delegateAdmin": true } ], "denyPolicyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user2", "user3" ], "groups": [ "public" ], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2", "user3" ], "groups": [ "public" ], "delegateAdmin": true } ], "denyExceptions": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [ "user2", "user4" ], "groups": [], - "delegateAdmin": true - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2", "user4" ], "delegateAdmin": true } ] }, { "id": 12, "name": "db=finance; table=accounts; column=status", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "finance" ] }, - "table": { "values": [ "accounts" ] }, - "column": { "values": [ "status" ] } - }, + "resources": { "database": { "values": [ "finance" ] }, "table": { "values": [ "accounts" ] }, "column": { "values": [ "status" ] } }, "policyItems": [ - { "accesses": [ { "type": 
"select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], - "users": [ "john", "jane" ], "groups": [ "accounting", "admin" ], - "delegateAdmin": true - }, - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [], "groups": [ "public" ] - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], "users": [ "john", "jane" ], "groups": [ "accounting", "admin" ], "delegateAdmin": true }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "groups": [ "public" ] } ], "allowExceptions": [ - { "accesses": [ { "type": "update", "isAllowed": true } ], - "users": [ "mary" ], "groups": [ "interns" ] - } + { "accesses": [ { "type": "update", "isAllowed": true } ], "users": [ "mary" ], "groups": [ "interns" ] } ], "denyPolicyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [], "groups": [ "housekeeping" ] - } + { "accesses": [ { "type": "select", "isAllowed": true } ], "groups": [ "housekeeping" ] } ] }, { "id": 13, "name": "db=finance; table=accounts; column=amount", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "finance" ] }, - "table": { "values": [ "accounts" ] }, - "column": { "values": [ "amount" ] } - }, + "resources": { "database": { "values": [ "finance" ] }, "table": { "values": [ "accounts" ] }, "column": { "values": [ "amount" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], - "users": [ "john", "jane" ], "groups": [ "accounting", "admin" ], - "delegateAdmin": true - }, - { "accesses": [ { "type": "select", "isAllowed": true } ], - "users": [], "groups": [ "public" ] - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], "users": [ "john", "jane" ], "groups": [ "accounting", "admin" ], "delegateAdmin": true }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "groups": 
[ "public" ] } ], "allowExceptions": [ - { "accesses": [ { "type": "update", "isAllowed": true } ], - "users": [ "mary" ], "groups": [ "interns" ] - } + { "accesses": [ { "type": "update", "isAllowed": true } ], "users": [ "mary" ], "groups": [ "interns" ] } ], "denyPolicyItems": [ - { "accesses": [ { "type": "drop", "isAllowed": true } ], - "users": [], "groups": [ "housekeeping" ] - } + { "accesses": [ { "type": "drop", "isAllowed": true } ], "groups": [ "housekeeping" ] } ] }, { "id": 13, "name": "db=db1; table=tbl1; column=col1", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "db1" ] }, - "table": { "values": [ "tbl1" ] }, - "column": { "values": [ "col1" ] } - }, + "resources": { "database": { "values": [ "db1" ] }, "table": { "values": [ "tbl1" ] }, "column": { "values": [ "col1" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], - "users": [ "john", "jane" ] - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], "users": [ "john", "jane" ] } ], "allowExceptions": [ - { "accesses": [ { "type": "update", "isAllowed": true } ], - "users": [ "john" ], - "conditions":[{"type":"ip-range","values":["1.*.1.*"]}] - } + { "accesses": [ { "type": "update", "isAllowed": true } ], "users": [ "john" ], "conditions": [{ "type": "ip-range", "values": ["1.*.1.*"] }] } ], "denyPolicyItems": [ - { "accesses": [ { "type": "drop", "isAllowed": true } ], - "users": ["adam", "eve"] - } + { "accesses": [ { "type": "drop", "isAllowed": true } ], "users": ["adam", "eve"] } ], "denyExceptions": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "drop", "isAllowed": true }], - "users": ["eve"], - "conditions":[{"type":"ip-range","values":["10.*.10.*"]}] - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "drop", "isAllowed": true }], "users": ["eve"], "conditions": [{ "type": 
"ip-range", "values": ["10.*.10.*"] }] } ] }, { "id": 14, "name": "db=db2; table=tbl2; column=col2", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "db2" ] }, - "table": { "values": [ "tbl2" ] }, - "column": { "values": [ "col2" ] } - }, + "resources": { "database": { "values": [ "db2" ] }, "table": { "values": [ "tbl2" ] }, "column": { "values": [ "col2" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], - "users": [ "john", "jane" ] - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], "users": [ "john", "jane" ] } ], "allowExceptions": [ - { "accesses": [ { "type": "update", "isAllowed": true } ], - "users": [ "john" ] - } + { "accesses": [ { "type": "update", "isAllowed": true } ], "users": [ "john" ] } ], "denyPolicyItems": [ - { "accesses": [ { "type": "drop", "isAllowed": true } ], - "users": ["adam", "eve"] - } + { "accesses": [ { "type": "drop", "isAllowed": true } ], "users": ["adam", "eve"] } ], "denyExceptions": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "drop", "isAllowed": true }], - "users": ["eve"], - "conditions":[{"type":"ip-range","values":["10.*.10.*"]}] - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "drop", "isAllowed": true }], "users": ["eve"], "conditions": [{ "type": "ip-range", "values": ["10.*.10.*"] }] } ] }, { "id": 15, "name": "db=db3; table=tbl3; column=col3", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "db3" ] }, - "table": { "values": [ "tbl3" ] }, - "column": { "values": [ "col3" ] } - }, + "resources": { "database": { "values": [ "db3" ] }, "table": { "values": [ "tbl3" ] }, "column": { "values": [ "col3" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], - "users": [ "john", "jane" ], "roles": 
["tarzan"] - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true } ], "users": [ "john", "jane" ], "roles": ["tarzan"] } ], "denyPolicyItems": [ - { "accesses": [ { "type": "drop", "isAllowed": true } ], - "users": ["adam", "eve"], "roles": ["eden"] - } + { "accesses": [ { "type": "drop", "isAllowed": true } ], "users": ["adam", "eve"], "roles": ["eden"] } ] }, { "id": 20, "name": "db=denyAllElse; table=table-1; column=column-1", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "database": { "values": [ "denyAllElse" ] }, - "table": { "values": [ "table-1" ] }, - "column": { "values": [ "column-1" ] } - }, "isDenyAllElse": true, + "resources": { "database": { "values": [ "denyAllElse" ] }, "table": { "values": [ "table-1" ] }, "column": { "values": [ "column-1" ] } }, "policyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true }, { "type": "create", "isAllowed": true }, { "type": "drop", "isAllowed": true }, { "type": "alter", "isAllowed": true }, { "type": "index", "isAllowed": true }], - "users": [ "user1", "user3" ] - } + { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "update", "isAllowed": true }, { "type": "create", "isAllowed": true }, { "type": "drop", "isAllowed": true }, { "type": "alter", "isAllowed": true }, { "type": "index", "isAllowed": true }], "users": [ "user1", "user3" ] } ], "allowExceptions": [ - { "accesses": [ { "type": "update", "isAllowed": true } ], - "users": ["user1", "user2"] - } + { "accesses": [ { "type": "update", "isAllowed": true } ], "users": ["user1", "user2"] } ] }, - { "id": 21, "name": "db=user_{USER}, table=*, column=*", "isEnabled": true, "isAuditEnabled": true, "isDenyAllElse": false, - "resources": { "database": { "values": [ "user_{USER}*" ] }, "table": { "values": [ "*" ] }, "column": { "values": [ "*" ] } }, + { "id": 21, "name": "db=user_{USER }, table=*, column=*", "isEnabled": true, 
"isAuditEnabled": true, "isDenyAllElse": false, + "resources": { "database": { "values": [ "user_{USER }*" ] }, "table": { "values": [ "*" ] }, "column": { "values": [ "*" ] } }, "policyItems": [ - { "accesses": [ { "type": "select" }, { "type": "update" } ], - "groups": [ "public" ] - } + { "accesses": [ { "type": "select" }, { "type": "update" } ], "groups": [ "public" ] } ] }, { "id": 22, "name": "db=dept_${{USER.dept}}, table=*, column=*", "isEnabled": true, "isAuditEnabled": true, "isDenyAllElse": false, "resources": { "database": { "values": [ "dept_${{USER.dept}}" ] }, "table": { "values": [ "*" ] }, "column": { "values": [ "*" ] } }, "policyItems": [ - { "accesses": [ { "type": "select" } ], - "groups": [ "public", "engg" ] - } + { "accesses": [ { "type": "select" } ], "groups": [ "public", "engg" ] } ] }, { "id": 23, "name": "db=dept_engg, table=*, column=*", "isEnabled": true, "isAuditEnabled": true, "isDenyAllElse": false, "resources": { "database": { "values": [ "dept_engg" ] }, "table": { "values": [ "*" ] }, "column": { "values": [ "*" ] } }, "policyItems": [ - { "accesses": [ { "type": "select" } ], - "groups": [ "engg" ] - } + { "accesses": [ { "type": "select" } ], "groups": [ "engg" ] } ] } ], 
@@ -425,12 +232,7 @@ "serviceDef": { "name": "tag", "id": 100, "resources": [ - { "itemId": 1, "name": "tag", "type": "string", "level": 1, "parent": "", "mandatory": true, - "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": false }, - "label": "TAG", "description": "TAG" - } + { "itemId": 1, "name": "tag", "type": "string", "level": 1, "parent": "", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": false }, "label": "TAG", "description": "TAG" } ], "accessTypes": [ { "itemId": 1, "name": "hive:select", "label": "hive:select" }, 
@@ -440,140 +242,65 @@ { "itemId": 5, "name": "hive:alter", "label": "hive:alter" }, { "itemId": 6, "name": "hive:index", "label": "hive:index" }, { "itemId": 7, "name": "hive:lock", "label": "hive:lock" }, - { "itemId": 8, "name": "hive:all", "label": "hive:all", - "impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock" ] } + { "itemId": 8, "name": "hive:all", "label": "hive:all", "impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock" ] } ], "contextEnrichers": [ - { "itemId": 1, "name": "TagEnricher", - "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", - "enricherOptions": { - "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", - "tagRefresherPollingInterval": 60000, - "serviceTagsFileName": "/policyengine/ACLResourceTags.json" - } - } + { "itemId": 1, "name": "TagEnricher", "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", "enricherOptions": { "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", "tagRefresherPollingInterval": 60000, "serviceTagsFileName": "/policyengine/ACLResourceTags.json" } } ], "policyConditions": [ - { "itemId": 1, "name": "expression", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", - "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, - "label": "Enter boolean expression", "description": "Boolean expression" - }, - { - "itemId": 2, "name": "enforce-expiry", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", - "evaluatorOptions": { "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" }, - "label": "Deny access after expiry_date?", "description": "Deny access after expiry_date? 
(yes/no)" - }, - { - "itemId": 3, "name": "ip-range", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { }, - "label": "IP Address Range", "description": "IP Address Range" - } + { "itemId": 1, "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, "label": "Enter boolean expression", "description": "Boolean expression" }, + { "itemId": 2, "name": "enforce-expiry", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", "evaluatorOptions": { "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" }, "label": "Deny access after expiry_date?", "description": "Deny access after expiry_date? (yes/no)" }, + { "itemId": 3, "name": "ip-range", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { }, "label": "IP Address Range", "description": "IP Address Range" } ] }, "policies": [ { "id": 101, "name": "RESTRICTED_TAG_POLICY", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "tag": { "values": [ "RESTRICTED" ], "isRecursive": false } - }, + "resources": { "tag": { "values": [ "RESTRICTED" ], "isRecursive": false } }, "policyItems": [ - { "accesses": [ { "type": "hive:select", "isAllowed": true } ], - "users": [ "hive", "user1" ], - "groups": [], - "delegateAdmin": false, - "conditions": [ - { "type": "expression", "values": [ "if ( tagAttr.get('score') < 2 ) ctx.result = true;" ] } - ] - } + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "hive", "user1" ], "delegateAdmin": false, "conditions": [ { "type": "expression", "values": [ "if ( tagAttr.get('score') < 2 ) ctx.result = true;" ] } ] } ] }, { "id": 102, "name": "PII_TAG_POLICY", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "tag": { "values": [ "PII" ], "isRecursive": false } - }, + 
"resources": { "tag": { "values": [ "PII" ], "isRecursive": false } }, "policyItems": [ - { "accesses": [ { "type": "hive:select", "isAllowed": true }, { "type": "hive:create", "isAllowed": true } ], - "users": [ "hive" ], "groups": [], - "delegateAdmin": false - } + { "accesses": [ { "type": "hive:select", "isAllowed": true }, { "type": "hive:create", "isAllowed": true } ], "users": [ "hive" ], "delegateAdmin": false } ], "denyPolicyItems": [ - { "accesses": [ { "type": "hive:select", "isAllowed": true } ], - "users": [ "hive" ], "groups": [], - "delegateAdmin": false - } + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "hive" ], "delegateAdmin": false } ] }, { "id": 103, "name": "PII_TAG_POLICY-FINAL", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "tag": { "values": [ "PII-FINAL" ], "isRecursive": false } - }, + "resources": { "tag": { "values": [ "PII-FINAL" ], "isRecursive": false } }, "policyItems": [ - { "accesses": [ { "type": "hive:index", "isAllowed": true } ], - "users": [ ], "groups": [ "public" ], - "delegateAdmin": false, - "conditions":[{"type":"ip-range","values":["1.*.1.*"]}] - } + { "accesses": [ { "type": "hive:index", "isAllowed": true } ], "users": [ ], "groups": [ "public" ], "delegateAdmin": false, "conditions":[{ "type":"ip-range", "values":["1.*.1.*"] }] } ], "denyPolicyItems": [ - { "accesses": [ { "type": "hive:select", "isAllowed": true } ], - "users": [ "admin" ], "groups": [], - "delegateAdmin": false - } + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "admin" ], "delegateAdmin": false } ], "denyExceptions": [ - { - "accesses": [ - { "type": "hive:drop", "isAllowed": true } - ], - "users": [ "hive" ], "groups": [], - "delegateAdmin": false - } + { "accesses": [ { "type": "hive:drop", "isAllowed": true } ], "users": [ "hive" ], "delegateAdmin": false } ] }, { "id": 104, "name": "RESTRICTED_TAG_POLICY_FINAL", "isEnabled": true, "isAuditEnabled": true, - "resources": 
{ - "tag": { "values": [ "RESTRICTED-FINAL" ], "isRecursive": false } - }, + "resources": { "tag": { "values": [ "RESTRICTED-FINAL" ], "isRecursive": false } }, "denyPolicyItems": [ - { "accesses": [ { "type": "hive:select", "isAllowed": true } ], - "users": [], "groups": [ "public" ], - "delegateAdmin": false - } + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "groups": [ "public" ], "delegateAdmin": false } ], "denyExceptions": [ - { "accesses": [ { "type": "hive:select", "isAllowed": true } ], - "users": [ "hive", "user1" ], "groups": [], - "delegateAdmin": false, - "conditions": [ - { "type": "expression", "values": [ "if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;" ] } - ] - } + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "hive", "user1" ], "delegateAdmin": false, "conditions": [ { "type": "expression", "values": [ "if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;" ] } ] } ] }, { "id": 105, "name": "EXPIRES_ON", "isEnabled": true, "isAuditEnabled": true, - "resources": { - "tag": { "values": [ "EXPIRES_ON" ], "isRecursive": false } - }, + "resources": { "tag": { "values": [ "EXPIRES_ON" ], "isRecursive": false } }, "denyPolicyItems": [ - { "accesses": [ { "type": "hive:select", "isAllowed": true } ], - "users": [], "groups": [ "public" ], - "delegateAdmin": false, - "conditions": [ - { "type": "enforce-expiry", "values": [ "yes" ] } - ] - } + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "groups": [ "public" ], "delegateAdmin": false, "conditions": [ { "type": "enforce-expiry", "values": [ "yes" ] } ] } ], "denyExceptions": [ - { "accesses": [ { "type": "hive:select", "isAllowed": true } ], - "users": [ "dataloader" ], "groups": [], - "delegateAdmin": false - } + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "dataloader" ], "delegateAdmin": false } ] } ] 
@@ -581,101 +308,168 @@ }, "tests": [ - { "name": "{USER} macro in database name", + { + "name": "{USER } macro in database name", "resource": { "elements": { "database": "user_madhan", "table": "test_tbl1" } }, - "groupPermissions": { "public": { "select": { "result": 2, "isFinal": true }, "update": { "result": 2, "isFinal": true } } }, - "userPermissions": {}, "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "groupPermissions": { + "public": { "select": { "result": 2, "isFinal": true, "policy": { "id": 21 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 21 } } } + } }, - { "name": "${{USER.dept}} macro in database name", + { + "name": "${{USER.dept}} macro in database name", "resource": { "elements": { "database": "dept_engg", "table": "test_tbl1" } }, - "groupPermissions": { "public": { "select": { "result": 2, "isFinal": true } }, "engg": { "select": { "result": 1, "isFinal": true } } }, - "userPermissions": {}, "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "groupPermissions": { + "public": { "select": { "result": 2, "isFinal": true, "policy": { "id": 22 } } }, + "engg": { "select": { "result": 1, "isFinal": true, "policy": { "id": 23 } } } + } }, { "name": "denyAllElse-test", - "resource": {"elements":{"database":"denyAllElse", "table":"table-1", "column": "column-1" }}, - "userPermissions": - {"user1": {"select": {"result": 1, "isFinal": true}, "update": {"result": -1, "isFinal": true},"create": {"result": 1, "isFinal": true},"drop": {"result": 1, "isFinal": true},"alter": {"result": 1, "isFinal": true},"index": {"result": 1, "isFinal": true},"lock": {"result": -1, "isFinal": true}}, - "user2": {"select": {"result": -1, "isFinal": true}, "update": {"result": -1, "isFinal": true},"create": {"result": -1, "isFinal": true},"drop": {"result": -1, "isFinal": true},"alter": {"result": -1, "isFinal": true},"index": {"result": -1, "isFinal": true},"lock": {"result": -1, "isFinal": true}}, - "user3": {"select": {"result": 1, 
"isFinal": true}, "update": {"result": 1, "isFinal": true},"create": {"result": 1, "isFinal": true},"drop": {"result": 1, "isFinal": true},"alter": {"result": 1, "isFinal": true},"index": {"result": 1, "isFinal": true},"lock": {"result": -1, "isFinal": true}}}, - "groupPermissions": {"public": {"select": {"result": 2, "isFinal": true}, "update": {"result": 2, "isFinal": true},"create": {"result": 2, "isFinal": true},"drop": {"result": 2, "isFinal": true},"alter": {"result": 2, "isFinal": true},"index": {"result": 2, "isFinal": true},"lock": {"result": -1, "isFinal": true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "denyAllElse", "table": "table-1", "column": "column-1" } }, + "userPermissions": { + "user1": { "select": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "update": { "result": -1, "isFinal": true, "policy": { "id": 20 } }, "create": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "drop": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "alter": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "index": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "lock": { "result": -1, "isFinal": true, "policy": { "id": 20 } } }, + "user2": { "select": { "result": -1, "isFinal": true, "policy": { "id": 20 } }, "update": { "result": -1, "isFinal": true, "policy": { "id": 20 } }, "create": { "result": -1, "isFinal": true, "policy": { "id": 20 } }, "drop": { "result": -1, "isFinal": true, "policy": { "id": 20 } }, "alter": { "result": -1, "isFinal": true, "policy": { "id": 20 } }, "index": { "result": -1, "isFinal": true, "policy": { "id": 20 } }, "lock": { "result": -1, "isFinal": true, "policy": { "id": 20 } } }, + "user3": { "select": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "update": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "create": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "drop": { "result": 1, "isFinal": 
true, "policy": { "id": 20 } }, "alter": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "index": { "result": 1, "isFinal": true, "policy": { "id": 20 } }, "lock": { "result": -1, "isFinal": true, "policy": { "id": 20 } } } + }, + "groupPermissions": { + "public": { "select": { "result": 2, "isFinal": true, "policy": { "id": 20 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 20 } }, "create": { "result": 2, "isFinal": true, "policy": { "id": 20 } }, "drop": { "result": 2, "isFinal": true, "policy": { "id": 20 } }, "alter": { "result": 2, "isFinal": true, "policy": { "id": 20 } }, "index": { "result": 2, "isFinal": true, "policy": { "id": 20 } }, "lock": { "result": -1, "isFinal": true, "policy": { "id": 20 } } } + } }, { "name": "all-deny-test", - "resource": {"elements":{"database":"hr", "udf":"udf" }}, - "userPermissions": {}, - "groupPermissions": {"public": {"select":{"result":-1, "isFinal":true},"create":{"result":-1, "isFinal":true},"_admin":{"result":-1, "isFinal":true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "hr", "udf": "udf" } }, + "groupPermissions": { + "public": { "select": { "result": -1, "isFinal": true, "policy": { "id": 7 } }, "create": { "result": -1, "isFinal": true, "policy": { "id": 7 } }, "_admin": { "result": -1, "isFinal": true, "policy": { "id": 7 } } } + } }, { "name": "no-deny-test", - "resource": {"elements":{"database":"default", "table":"test1", "column":"column2"}}, - "userPermissions": {"user1":{"select":{"result":1, "isFinal":true}}, "user2":{"select":{"result":1, "isFinal":true}}, "admin":{"create":{"result":1, "isFinal":true},"drop":{"result":1, "isFinal":true},"_admin":{"result":1, "isFinal":true}}}, - "groupPermissions": {"group1": {"select":{"result":1, "isFinal":true}}, "group2": {"select":{"result":1, "isFinal":true}},"cluster-admin": {"create":{"result":1, "isFinal":true},"drop":{"result":1, "isFinal":true}, "_admin":{"result":1, 
"isFinal":true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "default", "table": "test1", "column": "column2" } }, + "userPermissions": { + "user1": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3 } } }, + "user2": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3 } } }, + "admin": { "create": { "result": 1, "isFinal": true, "policy": { "id": 3 } }, "drop": { "result": 1, "isFinal": true, "policy": { "id": 3 } }, "_admin": { "result": 1, "isFinal": true, "policy": { "id": 3 } } } + }, + "groupPermissions": { + "group1": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3 } } }, + "group2": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3 } } }, + "cluster-admin": { "create": { "result": 1, "isFinal": true, "policy": { "id": 3 } }, "drop": { "result": 1, "isFinal": true, "policy": { "id": 3 } }, "_admin": { "result": 1, "isFinal": true, "policy": { "id": 3 } } } + } }, { "name": "partial-deny-test", - "resource": {"elements":{"database":"default", "table":"test2", "column":"column2"}}, - "userPermissions": {"user1":{"select":{"result":1, "isFinal":true}}, "user2":{"select":{"result":-1, "isFinal":true},"create":{"result":-1, "isFinal":true}}, "user3":{"select":{"result":1, "isFinal":true},"create":{"result":-1, "isFinal":true}},"user4":{"select":{"result":-1, "isFinal":true},"create":{"result":-1, "isFinal":true}},"admin":{"create":{"result":1, "isFinal":true},"drop":{"result":1, "isFinal":true},"_admin":{"result":1, "isFinal":true}}}, - "groupPermissions": {"group1": {"select":{"result":1, "isFinal":true}}, "group2": {"select":{"result":1, "isFinal":true}},"group3": {"select":{"result":-1, "isFinal":true},"create":{"result":-1, "isFinal":true}},"cluster-admin": {"create":{"result":1, "isFinal":true},"drop":{"result":1, "isFinal":true},"_admin":{"result":1, "isFinal":true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { 
"elements": { "database": "default", "table": "test2", "column": "column2" } }, + "userPermissions": { + "user1": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3 } } }, + "user2": { "select": { "result": -1, "isFinal": true, "policy": { "id": 3 } }, "create": { "result": -1, "isFinal": true, "policy": { "id": 9 } } }, + "user3": { "select": { "result": 1, "isFinal": true, "policy": { "id": 9 } }, "create": { "result": -1, "isFinal": true, "policy": { "id": 9 } } }, + "user4": { "select": { "result": -1, "isFinal": true, "policy": { "id": 9 } }, "create": { "result": -1, "isFinal": true, "policy": { "id": 9 } } }, + "admin": { "create": { "result": 1, "isFinal": true, "policy": { "id": 3 } }, "drop": { "result": 1, "isFinal": true, "policy": { "id": 3 } }, "_admin": { "result": 1, "isFinal": true, "policy": { "id": 3 } } } + }, + "groupPermissions": { + "group1": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3 } } }, + "group2": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3 } } }, + "group3": { "select": { "result": -1, "isFinal": true, "policy": { "id": 9 } }, "create": { "result": -1, "isFinal": true, "policy": { "id": 9 } } }, + "cluster-admin": { "create": { "result": 1, "isFinal": true, "policy": { "id": 3 } }, "drop": { "result": 1, "isFinal": true, "policy": { "id": 3 } }, "_admin": { "result": 1, "isFinal": true, "policy": { "id": 3 } } } + } }, { "name": "conditional-deny-test", - "resource": {"elements":{"database":"finance", "table":"fin_1", "column":"salary"}}, - "userPermissions": {"user1":{"select":{"result":1, "isFinal":true},"_admin":{"result":1, "isFinal":true}}, "user2":{"select":{"result":1, "isFinal":true},"_admin":{"result":1, "isFinal":true}}, "user3":{"select":{"result":2, "isFinal":true},"_admin":{"result":2, "isFinal":true}} }, - "groupPermissions": {"finance-controller": {"select":{"result":1, "isFinal":true},"_admin":{"result":1, "isFinal":true}}, "cluster-admin": {"select":{"result":2, 
"isFinal":true},"_admin":{"result":2, "isFinal":true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "finance", "table": "fin_1", "column": "salary" } }, + "userPermissions": { + "user1": { "select": { "result": 1, "isFinal": true, "policy": { "id": 4 } }, "_admin": { "result": 1, "isFinal": true, "policy": { "id": 4 } } }, + "user2": { "select": { "result": 1, "isFinal": true, "policy": { "id": 4 } }, "_admin": { "result": 1, "isFinal": true, "policy": { "id": 4 } } }, + "user3": { "select": { "result": 2, "isFinal": true, "policy": { "id": 10 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 10 } } } }, + "groupPermissions": { + "finance-controller": { "select": { "result": 1, "isFinal": true, "policy": { "id": 4 } }, "_admin": { "result": 1, "isFinal": true, "policy": { "id": 4 } } }, + "cluster-admin": { "select": { "result": 2, "isFinal": true, "policy": { "id": 10 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 10 } } } + } }, { "name": "conditional-tag-only-test-descendant", - "resource": {"elements":{"database":"finance", "table":"sales"}}, + "resource": { "elements": { "database": "finance", "table": "sales" } }, "resourceMatchingScope": "SELF_OR_DESCENDANTS", - "userPermissions": {"hive":{"select":{"result":-1, "isFinal":true},"create":{"result":1, "isFinal":true}}, "admin":{"select":{"result":-1, "isFinal":true}} }, - "groupPermissions": {"public": {"index":{"result":2, "isFinal":true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "userPermissions": { + "hive": { "select": { "result": -1, "isFinal": true, "policy": { "id": 102 } }, "create": { "result": 1, "isFinal": true, "policy": { "id": 102 } } }, + "admin": { "select": { "result": -1, "isFinal": true, "policy": { "id": 103 } } } + }, + "groupPermissions": { + "public": { "index": { "result": 2, "isFinal": true, "policy": { "id": 103 } } } + } }, { "name": "all-types-of-policy-items", - 
"resource": {"elements":{"database":"default", "table":"table", "column":"column"}}, - "userPermissions": {"user1":{"select":{"result":2, "isFinal":true}, "_admin":{"result":2, "isFinal":true}}, "user2":{"select":{"result":2, "isFinal":true}, "_admin":{"result":2, "isFinal":true}}, "user3":{"select":{"result":2, "isFinal":true}, "_admin":{"result":2, "isFinal":true}}, "user4":{"select":{"result":2, "isFinal":true}, "_admin":{"result":2, "isFinal":true}} }, - "groupPermissions": {"public": {"select":{"result":2, "isFinal":true}, "_admin":{"result":2, "isFinal":true}}, "cluster-admin": {"select":{"result":2, "isFinal":true}, "_admin":{"result":2, "isFinal":true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "default", "table": "table", "column": "column" } }, + "userPermissions": { + "user1": { "select": { "result": 2, "isFinal": true, "policy": { "id": 11 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 11 } } }, + "user2": { "select": { "result": 2, "isFinal": true, "policy": { "id": 11 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 11 } } }, + "user3": { "select": { "result": 2, "isFinal": true, "policy": { "id": 11 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 11 } } }, + "user4": { "select": { "result": 2, "isFinal": true, "policy": { "id": 11 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 11 } } } + }, + "groupPermissions": { + "public": { "select": { "result": 2, "isFinal": true, "policy": { "id": 11 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 11 } } }, + "cluster-admin": { "select": { "result": 2, "isFinal": true, "policy": { "id": 11 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 11 } } } + } }, { "name": "public-allow-test", - "resource": {"elements":{"database":"finance", "table":"accounts", "column": "status" }}, - "userPermissions": {"john":{"select":{"result":2, "isFinal":true}, 
"update":{"result":2, "isFinal":true}, "_admin":{"result": 2, "isFinal": true}}, "jane":{"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}, "_admin":{"result": 2, "isFinal": true}}}, - "groupPermissions": {"public": {"select":{"result":2, "isFinal":true}}, "accounting": {"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true},"_admin":{"result":2, "isFinal":true}}, "admin": {"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true},"_admin":{"result":2, "isFinal":true}}, "housekeeping":{"select":{"result":-1, "isFinal":true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "finance", "table": "accounts", "column": "status" } }, + "userPermissions": { + "john": { "select": { "result": 2, "isFinal": true, "policy": { "id": 12 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 12 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 12 } } }, + "jane": { "select": { "result": 2, "isFinal": true, "policy": { "id": 12 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 12 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 12 } } } }, + "groupPermissions": { + "public": { "select": { "result": 2, "isFinal": true, "policy": { "id": 12 } } }, + "accounting": { "select": { "result": 2, "isFinal": true, "policy": { "id": 12 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 12 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 12 } } }, + "admin": { "select": { "result": 2, "isFinal": true, "policy": { "id": 12 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 12 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 12 } } }, + "housekeeping": { "select": { "result": -1, "isFinal": true, "policy": { "id": 12 } } } + } }, { "name": "public-allow-test-next", - "resource": {"elements":{"database":"finance", "table":"accounts", "column": "amount" }}, - 
"userPermissions": {"john":{"select":{"result":2, "isFinal":true}, "update":{"result":2, "isFinal":true}, "_admin":{"result":2, "isFinal":true}}, "jane":{"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}, "_admin":{"result":2, "isFinal":true}}}, - "groupPermissions": {"public": {"select":{"result":2, "isFinal":true}}, "accounting": {"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true},"_admin":{"result":2, "isFinal":true}}, "admin": {"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true},"_admin":{"result":2, "isFinal":true}}, "housekeeping":{"drop":{"result":-1, "isFinal":true}}}, - "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "finance", "table": "accounts", "column": "amount" } }, + "userPermissions": { + "john": { "select": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 13 } } }, + "jane": { "select": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 13 } } } + }, + "groupPermissions": { + "public": { "select": { "result": 2, "isFinal": true, "policy": { "id": 13 } } }, + "accounting": { "select": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 13 } } }, + "admin": { "select": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "_admin": { "result": 2, "isFinal": true, "policy": { "id": 13 } } }, + "housekeeping": { "drop": { "result": -1, "isFinal": true, "policy": { "id": 13 } } } + } }, { "name": "conditions-in-exceptions-test", - "resource": 
{"elements":{"database":"db1", "table":"tbl1", "column": "col1" }}, - "userPermissions": {"john":{"select":{"result":2, "isFinal":true}, "update":{"result":2, "isFinal":true}}, "jane":{"select":{"result":2, "isFinal":true},"update":{"result":2, "isFinal":true}}, "adam":{"drop":{"result":2, "isFinal":true}}, "eve":{"drop":{"result":2, "isFinal":true}}}, - "groupPermissions": {}, "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "db1", "table": "tbl1", "column": "col1" } }, + "userPermissions": { + "john": { "select": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 13 } } }, + "jane": { "select": { "result": 2, "isFinal": true, "policy": { "id": 13 } }, "update": { "result": 2, "isFinal": true, "policy": { "id": 13 } } }, + "adam": { "drop": { "result": 2, "isFinal": true, "policy": { "id": 13 } } }, + "eve": { "drop": { "result": 2, "isFinal": true, "policy": { "id": 13 } } } + } }, { "name": "conditions-in-some-exceptions-test", - "resource": {"elements":{"database":"db2", "table":"tbl2", "column": "col2" }}, - "userPermissions": {"john":{"select":{"result":1, "isFinal":true}, "update":{"result":-1, "isFinal":true}}, "jane":{"select":{"result":1, "isFinal":true},"update":{"result":1, "isFinal":true}}, "adam":{"drop":{"result":2, "isFinal":true}}, "eve":{"drop":{"result":2, "isFinal":true}}}, - "groupPermissions": {}, "rolePermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "db2", "table": "tbl2", "column": "col2" } }, + "userPermissions": { + "john": { "select": { "result": 1, "isFinal": true, "policy": { "id": 14 } }, "update": { "result": -1, "isFinal": true, "policy": { "id": 14 } } }, + "jane": { "select": { "result": 1, "isFinal": true, "policy": { "id": 14 } }, "update": { "result": 1, "isFinal": true, "policy": { "id": 14 } } }, + "adam": { "drop": { "result": 2, "isFinal": true, "policy": { "id": 14 
} } }, + "eve": { "drop": { "result": 2, "isFinal": true, "policy": { "id": 14 } } } } }, { "name": "roles-test", - "resource": {"elements":{"database":"db3", "table":"tbl3", "column": "col3" }}, - "userPermissions": {"john":{"select":{"result":1, "isFinal":true}, "update":{"result":1, "isFinal":true}}, "jane":{"select":{"result":1, "isFinal":true},"update":{"result":1, "isFinal":true}}, "adam":{"drop":{"result":-1, "isFinal":true}}, "eve":{"drop":{"result":-1, "isFinal":true}}}, - "rolePermissions": {"tarzan":{"select":{"result":1, "isFinal":true}, "update":{"result":1, "isFinal":true}}, "eden":{"drop":{"result":-1, "isFinal":true}}}, - "groupPermissions": {}, "dataMasks": [], "rowFilters": [] + "resource": { "elements": { "database": "db3", "table": "tbl3", "column": "col3" } }, + "userPermissions": { + "john": { "select": { "result": 1, "isFinal": true, "policy": { "id": 15 } }, "update": { "result": 1, "isFinal": true, "policy": { "id": 15 } } }, + "jane": { "select": { "result": 1, "isFinal": true, "policy": { "id": 15 } }, "update": { "result": 1, "isFinal": true, "policy": { "id": 15 } } }, + "adam": { "drop": { "result": -1, "isFinal": true, "policy": { "id": 15 } } }, + "eve": { "drop": { "result": -1, "isFinal": true, "policy": { "id": 15 } } } + }, + "rolePermissions": { + "tarzan": { "select": { "result": 1, "isFinal": true, "policy": { "id": 15 } }, "update": { "result": 1, "isFinal": true, "policy": { "id": 15 } } }, + "eden": { "drop": { "result": -1, "isFinal": true, "policy": { "id": 15 } } } + } } ] } diff --git a/agents-common/src/test/resources/policyengine/test_aclprovider_hdfs.json b/agents-common/src/test/resources/policyengine/test_aclprovider_hdfs.json index 37a06787dc..0ff029376a 100644 --- a/agents-common/src/test/resources/policyengine/test_aclprovider_hdfs.json +++ b/agents-common/src/test/resources/policyengine/test_aclprovider_hdfs.json 
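Review bot: The expectations added for `conditions-in-exceptions-test` pin `"policy": { "id": 13 }`, but two policies in this fixture carry id 13 (`db=finance; table=accounts; column=amount` and `db=db1; table=tbl1; column=col1`), and `public-allow-test-next` expects the same id, so neither test can tell which policy produced the decision. Because the expected results now carry the policy id, I would give the db1 policy an id of its own and use it in this test, e.g. `"policy": { "id": <unused-id> }`. Separately, the first test is renamed to `"{USER } macro in database name"` and policy 21's resource becomes `user_{USER }*`. The space inside the braces looks like a formatter artefact, and if the token is no longer read as the `{USER}` macro, the case stops covering user-scoped database matching, so I would keep `"name": "{USER} macro in database name",` and `user_{USER}*`. The policy definitions are in a hunk that starts outside this view.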
@@ -6,99 +6,49 @@ "servicePolicies": { "serviceName": "hivedev", "serviceDef": { - "name": "hdfs", - "id": 1, + "name": "hdfs", "id": 1, "resources": [ - { - "name": "path", - "type": "path", - "level": 1, - "mandatory": true, - "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher", - "matcherOptions": { - "wildCard": true, - "ignoreCase": true - }, - "label": "Resource Path", - "description": "HDFS file or directory path" - } + { "name": "path", "type": "path", "level": 1, "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Resource Path", "description": "HDFS file or directory path" } ], "accessTypes": [ - { - "name": "read", - "label": "Read" - }, - { - "name": "write", - "label": "Write" - }, - { - "name": "execute", - "label": "Execute" - } + { "name": "read", "label": "Read" }, + { "name": "write", "label": "Write" }, + { "name": "execute", "label": "Execute" } ], "contextEnrichers": [ - { - "itemId": 1, - "name": "GeolocationEnricher", - "enricher": "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", - "enricherOptions": { - "FilePath": "/etc/ranger/geo/geo.txt", - "ForceRead": "false", - "IPInDotFormat": "true", - "geolocation.meta.prefix": "TEST_" - } - } + { "itemId": 1, "name": "GeolocationEnricher", "enricher": "org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider", "enricherOptions": { "FilePath": "/etc/ranger/geo/geo.txt", "ForceRead": "false", "IPInDotFormat": "true", "geolocation.meta.prefix": "TEST_" } } ], "policyConditions": [ - { - "itemId": 1, - "name": "ScriptConditionEvaluator", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", - "evaluatorOptions": { - "engineName": "JavaScript" - }, - "label": "Script", - "description": "Script to execute" - } + { "itemId": 
1, "name": "ScriptConditionEvaluator", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "engineName": "JavaScript" }, "label": "Script", "description": "Script to execute" } ] }, "policies": [ { "id": 1, "name": "audit-all-access under /finance/restricted/", - "resources": { - "path": {"values": ["/finance/restricted/"], "isRecursive": true} - }, + "resources": { "path": { "values": [ "/finance/restricted/" ], "isRecursive": true } }, "policyItems": [ - {"accesses": [], "users": [], "groups": [ "public"]} + { "groups": [ "public" ] } ] }, { "id": 2, "name": "allow-read-to-all under /public/", - "resources": { - "path": {"values": [ "/public/*" ], "isRecursive": true} - }, + "resources": { "path": { "values": [ "/public/*" ], "isRecursive": true } }, "policyItems": [ - {"accesses": [{"type": "read", "isAllowed": true},{"type": "execute", "isAllowed": true}], "users": [], "groups": ["public"]} + { "accesses": [ { "type": "read", "isAllowed": true },{ "type": "execute", "isAllowed": true } ], "groups": [ "public" ] } ] }, { "id": 3, "name": "allow-read-to-finance under /finance/restricted", - "resources": { - "path": {"values": [ "/finance/restricted" ], "isRecursive": true} - }, + "resources": { "path": { "values": [ "/finance/restricted" ], "isRecursive": true } }, "policyItems": [ - {"accesses": [{"type": "read", "isAllowed": true}], "users": [], "groups": ["finance"]} + { "accesses": [ { "type": "read", "isAllowed": true } ], "groups": [ "finance" ] } ] }, { "id": 4, "name": "allow-read-to-finance under /finance/limited", - "resources": { - "path": {"values": [ "/finance/limited"], "isRecursive": true} - }, + "resources": { "path": { "values": [ "/finance/limited" ], "isRecursive": true } }, "policyItems": [ - {"accesses": [{"type": "read", "isAllowed": true}], "users": [], "groups": ["stewards"]} + { "accesses": [ { "type": "read", "isAllowed": true } ], "groups": [ "stewards" ] } ] } ] 
@@ -106,21 +56,24 @@ "tests": [ { "name": "test-finance-restricted", - "resource": {"elements":{"path":"/finance/restricted"}}, - "groupPermissions": {"finance": {"read": {"result": 1, "isFinal": true}}}, - "userPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": [] + "resource": { "elements":{ "path":"/finance/restricted" } }, + "groupPermissions": { + "finance": { "read": { "result": 1, "isFinal": true, "policy": { "id": 3 } } } + } }, { "name": "test-finance-limited", - "resource": {"elements":{"path":"/finance/limited"}}, - "groupPermissions": {"stewards": {"read": {"result": 1, "isFinal": true}}}, - "userPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": [] + "resource": { "elements":{ "path":"/finance/limited" } }, + "groupPermissions": { + "stewards": { "read": { "result": 1, "isFinal": true, "policy": { "id": 4 } } } + } }, { "name": "test-anything-under-public", - "resource": {"elements":{"path":"/public/anything"}}, - "groupPermissions": {"public": {"read": {"result": 1, "isFinal": true}, "execute": {"result": 1, "isFinal": true}}}, - "userPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": [] + "resource": { "elements":{ "path":"/public/anything" } }, + "groupPermissions": { + "public": { "read": { "result": 1, "isFinal": true, "policy": { "id": 2 } }, "execute": { "result": 1, "isFinal": true, "policy": { "id": 2 } } } + } } ] } diff --git a/agents-common/src/test/resources/policyengine/test_aclprovider_mask_filter.json b/agents-common/src/test/resources/policyengine/test_aclprovider_mask_filter.json index ae9c04a6f3..975aa5e93f 100644 --- a/agents-common/src/test/resources/policyengine/test_aclprovider_mask_filter.json +++ b/agents-common/src/test/resources/policyengine/test_aclprovider_mask_filter.json 
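Review bot: The rewritten expectations for `test-finance-restricted`, `test-finance-limited` and `test-anything-under-public` no longer list `"userPermissions": {}`, `"rolePermissions": {}`, `"rowFilters": []` and `"dataMasks": []`, so whether an unexpected user or role grant still fails these cases depends on how TestPolicyACLs handles a missing section, which is not visible in this hunk. If the comparison is skipped when the expected section is absent, an over-grant on these paths would pass unnoticed; confirm the harness treats absent as empty, or keep the explicit empty sections. The same omission appears in the hive fixture hunk above and in the `dataMasks` tests of test_aclprovider_mask_filter.json. Separately, none of these cases has one access type granted by two policies, so which `policy.id` is reported on overlap is not pinned by this fixture.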
@@ -8,212 +8,142 @@ "serviceDef": { "name": "hive", "id": 3, "resources": [ - { "name": "database", "level": 1, "mandatory": true, "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": true }, - "label": "Hive Database", "description": "Hive Database" - }, - { - "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": true }, - "label": "Hive Table", "description": "Hive Table" - }, - { - "name": "udf", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": true }, - "label": "Hive UDF", "description": "Hive UDF" - }, - { - "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": true }, - "label": "Hive Column", "description": "Hive Column" - } + { "name": "database", "level": 1, "parent": "", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Database", "description": "Hive Database" }, + { "name": "table", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Table", "description": "Hive Table" }, + { "name": "udf", "level": 2, "parent": "database", "mandatory": true, "lookupSupported": true, "matcher": 
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive UDF", "description": "Hive UDF" }, + { "name": "column", "level": 3, "parent": "table", "mandatory": true, "lookupSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": true }, "label": "Hive Column", "description": "Hive Column" } ], "accessTypes": [ { "name": "select", "label": "Select" }, { "name": "update", "label": "Update" }, { "name": "create", "label": "Create" }, - { "name": "drop", "label": "Drop" }, - { "name": "alter", "label": "Alter" }, - { "name": "index", "label": "Index" }, - { "name": "lock", "label": "Lock" }, - { "name": "all", "label": "All" } + { "name": "drop", "label": "Drop" }, + { "name": "alter", "label": "Alter" }, + { "name": "index", "label": "Index" }, + { "name": "lock", "label": "Lock" }, + { "name": "all", "label": "All" } ], "policyConditions": [ - { "itemId": 1, "name": "expression", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", - "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, - "label": "Enter boolean expression", "description": "Boolean expression" - } + { "itemId": 1, "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, "label": "Enter boolean expression", "description": "Boolean expression" } ], "dataMaskDef": { "maskTypes": [ - { - "itemId": 1, - "name": "MASK", - "label": "Mask", - "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'" - }, - { - "itemId": 2, - "name": "SHUFFLE", - "label": "Shuffle", - "description": "Randomly shuffle the contents" - }, - { - "itemId": 3, - "name": "MASH_HASH", - "label": "Hash", - "description": "Hash value 
of the contents" - }, - { - "itemId": 4, - "name": "MASH_NONE", - "label": "No masking", - "description": "Unmasked value of the contents" - }, - { - "itemId": 10, - "name": "NULL", - "label": "NULL", - "description": "Replace with NULL" - } - + { "itemId": 1, "name": "MASK", "label": "Mask", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'" }, + { "itemId": 2, "name": "SHUFFLE", "label": "Shuffle", "description": "Randomly shuffle the contents" }, + { "itemId": 3, "name": "MASH_HASH", "label": "Hash", "description": "Hash value of the contents" }, + { "itemId": 4, "name": "MASH_NONE", "label": "No masking", "description": "Unmasked value of the contents" }, + { "itemId": 10, "name": "NULL", "label": "NULL", "description": "Replace with NULL" } ], - "accessTypes":[ - {"name":"select","label":"Select"} + "accessTypes": [ + { "name": "select", "label": "Select" } ], - "resources":[ - {"name":"database","matcherOptions":{"wildCard":false}}, - {"name":"table","matcherOptions":{"wildCard":false}}, - {"name":"column","matcherOptions":{"wildCard":false}} + "resources": [ + { "name": "database", "matcherOptions": { "wildCard": false } }, + { "name": "table", "matcherOptions": { "wildCard": false } }, + { "name": "column", "matcherOptions": { "wildCard": false } } ] }, "rowFilterDef": { - "accessTypes":[ - {"name":"select","label":"Select"} + "accessTypes": [ + { "name": "select", "label": "Select" } ], - "resources":[ - {"name":"database","matcherOptions":{"wildCard":false}}, - {"name":"table","matcherOptions":{"wildCard":false}} + "resources": [ + { "name": "database", "matcherOptions": { "wildCard": false } }, + { "name": "table", "matcherOptions": { "wildCard": false } } ] } }, "policies": [ - {"id":101,"name":"01: db=employee, table=personal, column=ssn: mask","isEnabled":true,"isAuditEnabled":true,"policyType":1, - "resources":{"database":{"values":["employee"]},"table":{"values":["personal"]},"column":{"values":["ssn"]}}, - 
"dataMaskPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"SHUFFLE"} - } + { + "id": 101, "name": "01: db=employee, table=personal, column=ssn: mask", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + "resources": { "database": { "values": [ "employee" ] }, "table": { "values": [ "personal" ] }, "column": { "values": [ "ssn" ] } }, + "dataMaskPolicyItems": [ + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK" } }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "SHUFFLE" } } ] }, - {"id":1011,"name":"02: db=employee, table=personal, column=ssn,dummy: mask","isEnabled":true,"isAuditEnabled":true,"policyType":1, - "resources":{"database":{"values":["employee"]},"table":{"values":["personal"]},"column":{"values":["ssn", "dummy"]}}, - "dataMaskPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"HASH"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"} - } + { + "id": 1011, "name": "02: db=employee, table=personal, column=ssn,dummy: mask", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + "resources": { "database": { "values": [ "employee" ] }, "table": { "values": [ "personal" ] }, "column": { "values": [ "ssn", "dummy" ] } }, + "dataMaskPolicyItems": [ + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "HASH" } }, + { 
"accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK" } } ] }, - {"id":102,"name":"db=hr, table=employee, column=date_of_birth: mask","isEnabled":true,"isAuditEnabled":true,"policyType":1, - "resources":{"database":{"values":["hr"]},"table":{"values":["employee"]},"column":{"values":["date_of_birth"]}}, - "dataMaskPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"SHUFFLE"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user3"],"groups":[],"conditions":[{"type": "expression", "values": ["test"]}],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"LAST_4"} - } + { + "id": 102, "name": "db=hr, table=employee, column=date_of_birth: mask", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + "resources": { "database": { "values": [ "hr" ] }, "table": { "values": [ "employee" ] }, "column": { "values": [ "date_of_birth" ] } }, + "dataMaskPolicyItems": [ + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK" } }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "SHUFFLE" } }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user3" ], "conditions": [ { "type": "expression", "values": [ "test" ] } ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "LAST_4" } } ] }, - {"id":103,"name":"db=hr, table=employee, column=project: conditional-mask: validity-schedule","isEnabled":true,"isAuditEnabled":true,"policyType":1, - 
"resources":{"database":{"values":["hr"]},"table":{"values":["employee"]},"column":{"values":["project"]}}, - "validitySchedules": [{"startTime": "2018/01/12 14:32:00", "endTime": "2020/01/12 14:32:00"}], - "dataMaskPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"HASH"} - } + { + "id": 103, "name": "db=hr, table=employee, column=project: conditional-mask: validity-schedule", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + "resources": { "database": { "values": [ "hr" ] }, "table": { "values": [ "employee" ] }, "column": { "values": [ "project" ] } }, + "validitySchedules": [ { "startTime": "2018/01/12 14:32:00", "endTime": "2020/01/12 14:32:00" } ], + "dataMaskPolicyItems": [ + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK" } }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "HASH" } } ] }, - { "id": 104, "name": "db=test_db, table=dept_${{USER.dept}}, column=col1: unmasked for users in the department", + { + "id": 104, "name": "db=test_db, table=dept_${{USER.dept}}, column=col1: unmasked for users in the department", "isEnabled": true, "isAuditEnabled": true, "policyPriority": 1, "policyType": 1, "resources": { "database": { "values": [ "test_db" ] }, "table": { "values": [ "dept_${{USER.dept}}" ] }, "column": { "values": [ "col1" ] } }, "dataMaskPolicyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "{USER}" ], "groups": [], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK_NONE" } } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ 
"{USER}" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK_NONE" } } ] }, - { "id": 105, "name": "db=test_db, table=dept_hr, column=col1: mask hash for all users", + { + "id": 105, "name": "db=test_db, table=dept_hr, column=col1: mask hash for all users", "isEnabled": true, "isAuditEnabled": true, "policyPriority": 0, "policyType": 1, "resources": { "database": { "values": [ "test_db" ] }, "table": { "values": [ "dept_hr" ] }, "column": { "values": [ "col1" ] } }, "dataMaskPolicyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [], "groups": [ "public" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK_HASH" } } + { "accesses": [ { "type": "select", "isAllowed": true } ], "groups": [ "public" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK_HASH" } } ] }, - {"id":201,"name":"db=employee, table=personal: row-filter","isEnabled":true,"isAuditEnabled":true,"policyType":2, - "resources":{"database":{"values":["employee"]},"table":{"values":["personal"]}}, - "rowFilterPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "rowFilterInfo": {"filterExpr":"location='US'"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "rowFilterInfo": {"filterExpr":"location='CA'"} - } + { + "id": 201, "name": "db=employee, table=personal: row-filter", "isEnabled": true, "isAuditEnabled": true, "policyType": 2, + "resources": { "database": { "values": [ "employee" ] }, "table": { "values": [ "personal" ] } }, + "rowFilterPolicyItems": [ + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "location='US'" } }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "location='CA'" } } ] }, - {"id":202,"name":"db=hr, 
table=employee: row-filter","isEnabled":true,"isAuditEnabled":true,"policyType":2, - "resources":{"database":{"values":["hr"]},"table":{"values":["employee"]}}, - "rowFilterPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "rowFilterInfo": {"filterExpr":"dept='production'"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "rowFilterInfo": {"filterExpr":"dept='purchase'"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user3"],"groups":[],"conditions":[{"type": "expression", "values": ["test"]}],"delegateAdmin":false, - "rowFilterInfo": {"filterExpr":"location='GR'"} - } + { + "id": 202, "name": "db=hr, table=employee: row-filter", "isEnabled": true, "isAuditEnabled": true, "policyType": 2, + "resources": { "database": { "values": [ "hr" ] }, "table": { "values": [ "employee" ] } }, + "rowFilterPolicyItems": [ + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "dept='production'" } }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "dept='purchase'" } }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user3" ], "conditions": [ { "type": "expression", "values": [ "test" ] } ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "location='GR'" } } ] }, - {"id":203,"name":"db=hr, table=employee2: conditional-row-filter: validity-schedule","isEnabled":true,"isAuditEnabled":true,"policyType":2, - "resources":{"database":{"values":["hr"]},"table":{"values":["employee2"]}}, - "validitySchedules": [{"startTime": "2018/01/12 14:32:00", "endTime": "2020/01/12 14:32:00"}], - "rowFilterPolicyItems":[ - {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "rowFilterInfo": 
{"filterExpr":"dept='production'"} - }, - {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "rowFilterInfo": {"filterExpr":"dept='purchase'"} - } + { + "id": 203, "name": "db=hr, table=employee2: conditional-row-filter: validity-schedule", "isEnabled": true, "isAuditEnabled": true, "policyType": 2, + "resources": { "database": { "values": [ "hr" ] }, "table": { "values": [ "employee2" ] } }, + "validitySchedules": [ { "startTime": "2018/01/12 14:32:00", "endTime": "2020/01/12 14:32:00" } ], + "rowFilterPolicyItems": [ + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "dept='production'" } }, + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "dept='purchase'" } } ] }, - { "id": 204, "name": "db=test_db, table=dept_${{USER.dept}}: no filter for users in the department", + { + "id": 204, "name": "db=test_db, table=dept_${{USER.dept}}: no filter for users in the department", "isEnabled": true, "isAuditEnabled": true, "policyPriority": 1, "policyType": 2, "resources": { "database": { "values": [ "test_db" ] }, "table": { "values": [ "dept_${{USER.dept}}" ] } }, "rowFilterPolicyItems": [ - { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "{USER}" ], "groups": [], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "1 = 1" } } + { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "{USER}" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "1 = 1" } } ] }, - { "id": 205, "name": "db=test_db, table=dept_hr: row-filter", + { + "id": 205, "name": "db=test_db, table=dept_hr: row-filter", "isEnabled": true, "isAuditEnabled": true, "policyPriority": 0, "policyType": 2, "resources": { "database": { "values": [ "test_db" ] }, "table": { "values": [ "dept_hr" ] } }, "rowFilterPolicyItems": [ - { 
"accesses": [ { "type": "select", "isAllowed": true } ], "users": [], "groups": [ "public" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "dept != 'hr'" } } + { "accesses": [ { "type": "select", "isAllowed": true } ], "groups": [ "public" ], "delegateAdmin": false, "rowFilterInfo": { "filterExpr": "dept != 'hr'" } } ] } ], 
@@ -222,202 +152,161 @@ "serviceDef": { "name": "tag", "id": 100, "resources": [ - { "itemId": 1, "name": "tag", "type": "string", "level": 1, "parent": "", "mandatory": true, - "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, - "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", - "matcherOptions": { "wildCard": true, "ignoreCase": false }, - "label": "TAG", "description": "TAG" - } + { "itemId": 1, "name": "tag", "type": "string", "level": 1, "parent": "", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": true, "ignoreCase": false }, "label": "TAG", "description": "TAG" } ], "accessTypes": [ { "itemId": 1, "name": "hive:select", "label": "hive:select" }, { "itemId": 2, "name": "hive:update", "label": "hive:update" }, { "itemId": 3, "name": "hive:create", "label": "hive:create" }, - { "itemId": 4, "name": "hive:drop", "label": "hive:drop" }, - { "itemId": 5, "name": "hive:alter", "label": "hive:alter" }, - { "itemId": 6, "name": "hive:index", "label": "hive:index" }, - { "itemId": 7, "name": "hive:lock", "label": "hive:lock" }, - { "itemId": 8, "name": "hive:all", "label": "hive:all", - "impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock" ] } + { "itemId": 4, "name": "hive:drop", "label": "hive:drop" }, + { "itemId": 5, "name": "hive:alter", "label": "hive:alter" }, + { "itemId": 6, "name": "hive:index", "label": "hive:index" }, + { "itemId": 7, "name": "hive:lock", "label": "hive:lock" }, + { "itemId": 8, "name": "hive:all", "label": "hive:all", "impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock" ] } ], "dataMaskDef": { - "resources":[ - {"name":"tag"} + "resources": [ + { "name": "tag" } ] }, 
"contextEnrichers": [ - { "itemId": 1, "name": "TagEnricher", - "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", - "enricherOptions": { - "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", - "tagRefresherPollingInterval": 60000, - "serviceTagsFileName": "/policyengine/ACLResourceTags.json" - } - } + { "itemId": 1, "name": "TagEnricher", "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", "enricherOptions": { "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerFileBasedTagRetriever", "tagRefresherPollingInterval": 60000, "serviceTagsFileName": "/policyengine/ACLResourceTags.json" } } ], "policyConditions": [ - { "itemId": 1, "name": "expression", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", - "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, - "label": "Enter boolean expression", "description": "Boolean expression" - }, - { - "itemId": 2, "name": "enforce-expiry", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", - "evaluatorOptions": { "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" }, - "label": "Deny access after expiry_date?", "description": "Deny access after expiry_date? 
(yes/no)" - }, - { - "itemId": 3, "name": "ip-range", - "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { }, - "label": "IP Address Range", "description": "IP Address Range" - } + { "itemId": 1, "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "engineName": "JavaScript", "ui.isMultiline": "true" }, "label": "Enter boolean expression", "description": "Boolean expression" }, + { "itemId": 2, "name": "enforce-expiry", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", "evaluatorOptions": { "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" }, "label": "Deny access after expiry_date?", "description": "Deny access after expiry_date? (yes/no)" }, + { "itemId": 3, "name": "ip-range", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", "evaluatorOptions": { }, "label": "IP Address Range", "description": "IP Address Range" } ] }, "policies": [ - { "id": 101, "name": "RESTRICTED", "isEnabled": true, "isAuditEnabled": true,"policyType":1, - "resources": { - "tag": { "values": [ "RESTRICTED" ], "isRecursive": false } - }, - "dataMaskPolicyItems":[ - {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"} - }, - {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"HASH"} - } + { + "id": 101, "name": "RESTRICTED", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + "resources": { "tag": { "values": [ "RESTRICTED" ], "isRecursive": false } }, + "dataMaskPolicyItems": [ + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK" } }, + { "accesses": [ { "type": "hive:select", "isAllowed": true 
} ], "users": [ "user2" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "HASH" } } ] }, - { "id": 102, "name": "DATA_QUALITY", "isEnabled": true, "isAuditEnabled": true,"policyType":1, - "resources": { - "tag": { "values": [ "DATA_QUALITY" ], "isRecursive": false } - }, - "dataMaskPolicyItems":[ - {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"}, "conditions": [{ "type": "expression", "values": [ "tag.score > 0.6" ] }] - }, - {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"HASH"}, "conditions": [{ "type": "expression", "values": [ "tag.score > 0.6" ] }] - } + { + "id": 102, "name": "DATA_QUALITY", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + "resources": { "tag": { "values": [ "DATA_QUALITY" ], "isRecursive": false } }, + "dataMaskPolicyItems": [ + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK" }, "conditions": [ { "type": "expression", "values": [ "tag.score > 0.6" ] } ] }, + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "HASH" }, "conditions": [ { "type": "expression", "values": [ "tag.score > 0.6" ] } ] } ] }, - { "id": 103, "name": "RESTRICTED-FINAL: conditional mask - validity schedule", "isEnabled": true, "isAuditEnabled": true,"policyType":1, - "resources": { - "tag": { "values": [ "RESTRICTED-FINAL" ], "isRecursive": false } - }, - "validitySchedules": [{"startTime": "2018/01/12 14:32:00", "endTime": "2020/01/12 14:32:00"}], - "dataMaskPolicyItems":[ - {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"MASK"} - }, - 
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false, - "dataMaskInfo": {"dataMaskType":"HASH"} - } + { + "id": 103, "name": "RESTRICTED-FINAL: conditional mask - validity schedule", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + "validitySchedules": [ { "startTime": "2018/01/12 14:32:00", "endTime": "2020/01/12 14:32:00" } ], + "resources": { "tag": { "values": [ "RESTRICTED-FINAL" ], "isRecursive": false } }, + "dataMaskPolicyItems": [ + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "user1" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK" } }, + { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "user2" ], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "HASH" } } ] } ] } }, "tests": [ - {"name":"mask: employee.personal.ssn", - "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}}, + { + "name": "mask: employee.personal.ssn", + "resource": { "elements": { "database": "employee", "table": "personal", "column": "ssn" } }, "dataMasks": [ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"SHUFFLE"}}, - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"HASH"}}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "user1" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" } }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" } }, + { "users": [ "user1" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "HASH" } }, + { "users": [ "user2" ], 
"accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" } } + ] }, - {"name":"mask: hr.employee.date_of_birth", - "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth"}}, + { + "name": "mask: hr.employee.date_of_birth", + "resource": { "elements": { "database": "hr", "table": "employee", "column": "date_of_birth" } }, "dataMasks": [ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"SHUFFLE"}}, - {"users":["user3"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"LAST_4"}, "isConditional": true} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "user1" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" } }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" } }, + { "users": [ "user3" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "LAST_4" }, "isConditional": true } + ] }, - {"name":"mask: hr.employee.project - conditional: validity-schedule", - "resource":{"elements":{"database":"hr", "table":"employee", "column":"project"}}, + { + "name": "mask: hr.employee.project - conditional: validity-schedule", + "resource": { "elements": { "database": "hr", "table": "employee", "column": "project" } }, "dataMasks": [ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}, "isConditional": true}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"HASH"}, "isConditional": true} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "user1" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, + { "users": [ "user2" ], 
"accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "HASH" }, "isConditional": true } + ] }, - {"name":"mask: employee.personal.city - tag-based: RESTRICTED", - "resource":{"elements":{"database":"employee", "table":"personal", "column":"city"}}, + { + "name": "mask: employee.personal.city - tag-based: RESTRICTED", + "resource": { "elements": { "database": "employee", "table": "personal", "column": "city" } }, "dataMasks": [ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"HASH"}} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "user1" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" } }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "HASH" } } + ] }, - {"name":"mask: employee.personal.mrn - tag-based: DATA_QUALITY; conditional", - "resource":{"elements":{"database":"employee", "table":"personal", "column":"mrn"}}, + { + "name": "mask: employee.personal.mrn - tag-based: DATA_QUALITY; conditional", + "resource": { "elements": { "database": "employee", "table": "personal", "column": "mrn" } }, "dataMasks": [ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}, "isConditional": true}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"HASH"}, "isConditional": true} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "user1" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "HASH" }, "isConditional": true } + ] }, - {"name":"mask: employee.personal.address - tag-based: RESTRICTED-FINAL; 
conditional: validity-schedule", - "resource":{"elements":{"database":"employee", "table":"personal", "column":"address"}}, + { + "name": "mask: employee.personal.address - tag-based: RESTRICTED-FINAL; conditional: validity-schedule", + "resource": { "elements": { "database": "employee", "table": "personal", "column": "address" } }, "dataMasks": [ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}, "isConditional": true}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"HASH"}, "isConditional": true} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "user1" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "HASH" }, "isConditional": true } + ] }, - {"name":"mask: finance.forecast.revenue - tag-based: RESTRICTED; conditional: tag-validity-period", - "resource":{"elements":{"database":"finance", "table":"forecast", "column":"revenue"}}, + { + "name": "mask: finance.forecast.revenue - tag-based: RESTRICTED; conditional: tag-validity-period", + "resource": { "elements": { "database": "finance", "table": "forecast", "column": "revenue" } }, "dataMasks": [ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}, "isConditional": true}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"HASH"}, "isConditional": true} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "user1" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "HASH" }, "isConditional": true } + ] }, - { "name": "mask: 
test_db.dept_hr.col1: conditional", - "resource": { "elements": { "database": "test_db", "table":"dept_hr", "column":"col1" } }, + { + "name": "mask: test_db.dept_hr.col1: conditional", + "resource": { "elements": { "database": "test_db", "table": "dept_hr", "column": "col1" } }, "dataMasks": [ - { "users": [ ], "groups": [ "public" ], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, "isConditional": true }, - { "users": [ ], "groups": [ "public" ], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": false } - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "groups": [ "public" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, "isConditional": true }, + { "groups": [ "public" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": false } + ] }, - {"name":"row-filter: employee.personal", - "resource":{"elements":{"database":"employee", "table":"personal"}}, - "rowFilters":[ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "filterInfo":{"filterExpr":"location='US'"}}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "filterInfo":{"filterExpr":"location='CA'"}} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "dataMasks": [] + { + "name": "row-filter: employee.personal", + "resource": { "elements": { "database": "employee", "table": "personal" } }, + "rowFilters": [ + { "users": [ "user1" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "location='US'" } }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "location='CA'" } } + ] }, - {"name":"row-filter: hr.employee", - "resource":{"elements":{"database":"hr", "table":"employee"}}, - "rowFilters":[ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], 
"filterInfo":{"filterExpr":"dept='production'"}}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "filterInfo":{"filterExpr":"dept='purchase'"}}, - {"users":["user3"], "groups":[], "roles":[], "accessTypes":["select"], "filterInfo":{"filterExpr":"location='GR'"}, "isConditional": true} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "dataMasks": [] + { + "name": "row-filter: hr.employee", + "resource": { "elements": { "database": "hr", "table": "employee" } }, + "rowFilters": [ + { "users": [ "user1" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "dept='production'" } }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "dept='purchase'" } }, + { "users": [ "user3" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "location='GR'" }, "isConditional": true } + ] }, - {"name":"row-filter: hr.employee2 - conditional: validity-schedule", - "resource":{"elements":{"database":"hr", "table":"employee2"}}, - "rowFilters":[ - {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "filterInfo":{"filterExpr":"dept='production'"}, "isConditional": true}, - {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "filterInfo":{"filterExpr":"dept='purchase'"}, "isConditional": true} - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "dataMasks": [] + { + "name": "row-filter: hr.employee2 - conditional: validity-schedule", + "resource": { "elements": { "database": "hr", "table": "employee2" } }, + "rowFilters": [ + { "users": [ "user1" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "dept='production'" }, "isConditional": true }, + { "users": [ "user2" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "dept='purchase'" }, "isConditional": true } + ] }, - { "name": "row-filter: test_db.dept_hr: conditional", - "resource": { "elements": { "database": "test_db", "table":"dept_hr" } }, + { 
+ "name": "row-filter: test_db.dept_hr: conditional", + "resource": { "elements": { "database": "test_db", "table": "dept_hr" } }, "rowFilters": [ - { "users": [], "groups": [ "public" ], "roles": [], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "1 = 1" }, "isConditional": true }, - { "users": [], "groups": [ "public" ], "roles": [], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "dept != 'hr'" }, "isConditional": false } - ], - "userPermissions": {}, "groupPermissions": {}, "rolePermissions": {}, "dataMasks": [] + { "groups": [ "public" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "1 = 1" }, "isConditional": true }, + { "groups": [ "public" ], "accessTypes": [ "select" ], "filterInfo": { "filterExpr": "dept != 'hr'" }, "isConditional": false } + ] } ] } diff --git a/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json b/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json index 4e9d29229f..5810d567be 100644 --- a/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json +++ b/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json 
@@ -87,38 +87,44 @@ ] }, "policies": [ - { "id": 1, "name": "1: access: SENSITIVE", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, + { + "id": 1, "name": "1: access: SENSITIVE", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, "resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } }, "policyItems": [ - {"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } + { "accesses": [ { "type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } ] }, - { "id": 2, "name": "2: access: ORDER", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, + { + "id": 2, "name": "2: access: ORDER", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, "resources": { "tag": { "values": [ "ORDER" ], "isRecursive": false } }, "policyItems": [ - {"accesses": [{"type": "hive:create", "isAllowed": true}], "users": [ "dba"] } + { "accesses": [ { "type": "hive:create", "isAllowed": true}], "users": [ "dba"] } ] }, - { "id": 3, "name": "2: access: CUSTOMER", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, + { + "id": 3, "name": "2: access: CUSTOMER", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, "resources": { "tag": { "values": [ "CUSTOMER" ], "isRecursive": false } }, "policyItems": [ - {"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } + { "accesses": [ { "type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } ] }, - { "id": 4, "name": "3: access: ADDRESS", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, + { + "id": 4, "name": "3: access: ADDRESS", "isEnabled": true, "isAuditEnabled": true, "policyType": 0, "resources": { "tag": { "values": [ "ADDRESS" ], "isRecursive": false } }, "policyItems": [ - {"accesses": [{"type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } + { "accesses": [ { "type": "hive:select", "isAllowed": true}], "users": [ "test-user"] } ] }, - { "id": 101, "name": "101: mask: 
SENSITIVE(level=normal)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + { + "id": 101, "name": "101: mask: SENSITIVE(level=normal)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, "resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } }, "conditions": [ { "type": "expression", "values": [ "TAG.level == 'normal'" ] } ], "dataMaskPolicyItems": [ { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "SHUFFLE"}} ] }, - { "id": 102, "name": "102: mask: SENSITIVE(level=high)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + { + "id": 102, "name": "102: mask: SENSITIVE(level=high)", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, "resources": { "tag": { "values": [ "SENSITIVE" ], "isRecursive": false } }, "conditions": [ { "type": "expression", "values": [ "TAG.level == 'high'" ] } ], "dataMaskPolicyItems": [ @@ -138,7 +144,8 @@ { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK_NONE"}} ] }, - { "id": 105, "name": "105: mask: ADDRESS", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, + { + "id": 105, "name": "105: mask: ADDRESS", "isEnabled": true, "isAuditEnabled": true, "policyType": 1, "resources": { "tag": { "values": [ "ADDRESS" ], "isRecursive": false } }, "dataMaskPolicyItems": [ { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "test-user"], "dataMaskInfo": { "dataMaskType": "MASK_HASH"}} 
@@ -148,85 +155,84 @@ } }, "tests": [ - { "name": "table: db1.tbl1", + { + "name": "table: db1.tbl1", "resource": { "elements": { "database": "db1", "table": "tbl1" } }, - "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": [] + "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 1 } } } } }, - { "name": "column: db1.tbl1.SSN", + { + "name": "column: db1.tbl1.SSN", "resource": { "elements": { "database": "db1", "table": "tbl1", "column": "SSN" } }, - "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, + "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 1 } } } }, "dataMasks": [ - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } - ], - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } + ] }, - { "name": "column: db1.tbl1.Age", + { + "name": "column: db1.tbl1.Age", "resource": { "elements": { "database": "db1", "table": "tbl1", "column": "Age" } }, - "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, + "userPermissions": 
{ "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 1 } } } }, "dataMasks": [ - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } - ], - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } + ] }, { "name": "column: db1.tbl1.Name", "resource": { "elements": { "database": "db1", "table": "tbl1", "column": "Name" } }, - "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, + "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 1 } } } }, "dataMasks": [ - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } - ], - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true 
}, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } + ] }, - { "name": "database: db2", + { + "name": "database: db2", "resource": { "elements": { "database": "db2" } }, - "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": [] + "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 1 } } } } }, - { "name": "table: db2.tbl1", + { + "name": "table: db2.tbl1", "resource": { "elements": { "database": "db2", "table": "tbl1" } }, - "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": [] + "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 1 } } } } }, - { "name": "column: db2.tbl1.Name", + { + "name": "column: db2.tbl1.Name", "resource": { "elements": { "database": "db2", "table": "tbl1", "column": "Name" } }, - "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true } } }, + "userPermissions": { "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 1 } } } }, "dataMasks": [ - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, - {"users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } - ], - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "test-user" ], 
"accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "SHUFFLE" }, "isConditional": true }, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK" }, "isConditional": true }, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": true } + ] }, - { "name": "database: order", + { + "name": "database: order", "resource": { "elements": { "database": "order" } }, - "userPermissions": { "dba": { "create": { "result": 1, "isFinal": true } } }, - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": [] + "userPermissions": { "dba": { "create": { "result": 1, "isFinal": true, "policy": { "id": 2 } } } } }, - { "name": "table: order.customer", + { + "name": "table: order.customer", "resource": { "elements": { "database": "order", "table": "customer" } }, "userPermissions": { - "test-user": { "select": { "result": 1, "isFinal": true } }, - "dba": { "create": { "result": 1, "isFinal": true } } - }, - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": [] + "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 3 } } }, + "dba": { "create": { "result": 1, "isFinal": true, "policy": { "id": 2 } } } + } }, - { "name": "column: order.customer.address", + { + "name": "column: order.customer.address", "resource": { "elements": { "database": "order", "table": "customer", "column": "address" } }, "userPermissions": { - "test-user": { "select": { "result": 1, "isFinal": true } }, - "dba": { "create": { "result": 1, "isFinal": true } } + "test-user": { "select": { "result": 1, "isFinal": true, "policy": { "id": 4 } } }, + "dba": { "create": { "result": 1, "isFinal": true, "policy": { "id": 2 } } } }, "dataMasks": [ - { "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, "isConditional": false }, - { "users": [ "test-user" ], "groups": 
[], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": false } - ], - "groupPermissions": {}, "rolePermissions": {}, "rowFilters": [] + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, "isConditional": false }, + { "users": [ "test-user" ], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": false } + ] } ] }
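Review bot: The expected results in this hunk no longer state `"groupPermissions": {}, "rolePermissions": {}, "rowFilters": [], "dataMasks": []`, so cases such as "table: db1.tbl1" and "database: order" now say only what must be granted and leave it to the test harness whether an absent key means "must be empty" or "not compared". The harness is not visible in this hunk; if an absent key is skipped rather than treated as empty, an unexpected group or role grant would pass unnoticed, which is the regression an ACL fixture most needs to catch. I would keep the explicit empties in at least one case per resource level, or confirm that the comparison defaults a missing key to an empty map or list. The same keys are dropped from the data-mask and row-filter cases in the preceding fixture file (for example "row-filter: hr.employee"). The newly asserted ids 3 and 4 also read oddly next to the policy names "2: access: CUSTOMER" and "3: access: ADDRESS" in the policies hunk above; aligning the name prefixes with the ids would make the expectations easier to follow.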