Examples of org.apache.sentry.provider.file.PolicyEngine

• org.apache.sentry.provider.file.PolicyEngine

    append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
    append("[groups]", otherPolicyFile);
    append("other_group = malicious_role", otherPolicyFile);
    append("[roles]", otherPolicyFile);
    append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
    ImmutableSet<String> permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            new Server("server1"),
            new Database("other_group_db")
    }), Lists.newArrayList("other_group")).get("other_group");
    Assert.assertTrue(permissions.toString(), permissions.isEmpty());

    }), Lists.newArrayList("other_group")).get("other_group");
    Assert.assertTrue(permissions.toString(), permissions.isEmpty());
  }
  @Test
  public void testPerDbFileCannotContainUsersOrDatabases() throws Exception {
    PolicyEngine policy;
    ImmutableSet<String> permissions;
    PolicyFile policyFile;
    // test sanity
    policyFile = PolicyFile.createAdminOnServer1("admin1");
    policyFile.write(globalPolicyFile);
    policyFile.write(otherPolicyFile);
    policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
    permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            new Server("server1")
    }), Lists.newArrayList("admin")).get("admin");
    Assert.assertEquals(permissions.toString(), "[server=server1]");
    // test to ensure [users] fails parsing of per-db file
    policyFile.addDatabase("other", otherPolicyFile.getPath());
    policyFile.write(globalPolicyFile);
    policyFile.write(otherPolicyFile);
    policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
    permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            new Server("server1")
    }), Lists.newArrayList("admin")).get("admin");
    Assert.assertEquals(permissions.toString(), "[server=server1]");
    // test to ensure [databases] fails parsing of per-db file
    // by removing the user mapping from the per-db policy file
    policyFile.removeGroupsFromUser("admin1", "admin")
      .write(otherPolicyFile);
    policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
    permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            new Server("server1")
    }), Lists.newArrayList("admin")).get("admin");
    Assert.assertEquals(permissions.toString(), "[server=server1]");
  }

    append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
    append("[groups]", otherPolicyFile);
    append("other_group = malicious_role", otherPolicyFile);
    append("[roles]", otherPolicyFile);
    append("malicious_role = server=server1", otherPolicyFile);
    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
    ImmutableSet<String> permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            new Server("server1"),
            new Database("other_group_db")
    }), Lists.newArrayList("other_group")).get("other_group");
    Assert.assertTrue(permissions.toString(), permissions.isEmpty());

  public void testServerAll() throws Exception {
    append("[groups]", globalPolicyFile);
    append("group = malicious_role", globalPolicyFile);
    append("[roles]", globalPolicyFile);
    append("malicious_role = server=*", globalPolicyFile);
    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
    ImmutableSet<String> permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            Server.ALL,
            new Database("some_db")
    }), Lists.newArrayList("group")).get("group");
    Assert.assertTrue(permissions.toString(), permissions.isEmpty());

  public void testServerIncorrect() throws Exception {
    append("[groups]", globalPolicyFile);
    append("group = malicious_role", globalPolicyFile);
    append("[roles]", globalPolicyFile);
    append("malicious_role = server=server2", globalPolicyFile);
    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
    ImmutableSet<String> permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            Server.ALL,
            new Database("some_db")
    }), Lists.newArrayList("group")).get("group");
    Assert.assertTrue(permissions.toString(), permissions.isEmpty());

  public void testAll() throws Exception {
    append("[groups]", globalPolicyFile);
    append("group = malicious_role", globalPolicyFile);
    append("[roles]", globalPolicyFile);
    append("malicious_role = *", globalPolicyFile);
    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
    ImmutableSet<String> permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            Server.ALL,
            new Database("some_db")
    }), Lists.newArrayList("group")).get("group");
    Assert.assertTrue(permissions.toString(), permissions.isEmpty());

    append("[groups]", db2PolicyFile);
    append("db2_group = db2_rule", db2PolicyFile);
    append("[roles]", db2PolicyFile);
    append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile);

    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");

    // verify that the db1 rule is empty
    ImmutableSet<String> permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            new Server("server1"),
            new Database("db1")
    }), Lists.newArrayList("db1_group")).get("db1_group");
    Assert.assertTrue(permissions.toString(), permissions.isEmpty());

    permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            new Server("server1"),
            new Database("db2")
    }), Lists.newArrayList("db2_group")).get("db2_group");
    Assert.assertEquals(permissions.toString(), 1, permissions.size());

    permissions = policy.getPermissions(
        Arrays.asList(new Authorizable[] {
            new Server("server1"),
            new Database("db2")
    }), Lists.newArrayList("db2_group")).get("db2_group");
    Assert.assertEquals(permissions.toString(), 1, permissions.size());