This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 6dc937647 RANGER-5295:added test cases for GDS masking
6dc937647 is described below
commit 6dc9376476948dcc86d86ebb9cc149415bda459a
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Thu Aug 28 17:08:27 2025 -0700
RANGER-5295:added test cases for GDS masking
---
.../plugin/service/TestRangerBasePlugin.java | 21 +++++
.../src/test/resources/plugin/hive_policies.json | 29 +++++-
.../resources/plugin/test_base_plugin_hive.json | 100 ++++++++++++++++++++-
.../policyengine/gds/gds_info_hive_access.json | 5 ++
4 files changed, 153 insertions(+), 2 deletions(-)
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/service/TestRangerBasePlugin.java
b/agents-common/src/test/java/org/apache/ranger/plugin/service/TestRangerBasePlugin.java
index a73ea148b..ac6b87478 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/service/TestRangerBasePlugin.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/service/TestRangerBasePlugin.java
@@ -27,6 +27,7 @@
import com.google.gson.JsonParseException;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
@@ -120,6 +121,26 @@ private void runTests(Reader reader, String testName)
throws Exception {
assertEquals("isAllowed mismatched! - " + test.name,
test.result.getPolicyId(), result.getPolicyId());
assertEquals("isAudited mismatched! - " + test.name,
test.result.getIsAudited(), result.getIsAudited());
assertEquals("isAuditedDetermined mismatched! - " + test.name,
test.result.getIsAuditedDetermined(), result.getIsAuditedDetermined());
+
+ result = plugin.evalDataMaskPolicies(request, new
RangerDefaultAuditHandler());
+
+ if (test.result.getMaskType() != null) {
+ assertNotNull("result was null! - " + test.name, result);
+ assertEquals("maskType mismatched! - " + test.name,
test.result.getMaskType(), result.getMaskType());
+ assertEquals("maskedValue mismatched! - " + test.name,
test.result.getMaskedValue(), result.getMaskedValue());
+ assertEquals("maskCondition mismatched! - " + test.name,
test.result.getMaskCondition(), result.getMaskCondition());
+ } else {
+ assertEquals("maskType mismatched! - " + test.name,
test.result.getMaskType(), result != null ? result.getMaskType() : null);
+ }
+
+ result = plugin.evalRowFilterPolicies(request, new
RangerDefaultAuditHandler());
+
+ if (test.result.getFilterExpr() != null) {
+ assertNotNull("result was null! - " + test.name, result);
+ assertEquals("filterExpr mismatched! - " + test.name,
test.result.getFilterExpr(), result.getFilterExpr());
+ } else {
+ assertEquals("filterExpr mismatched! - " + test.name,
test.result.getFilterExpr(), result != null ? result.getFilterExpr() : null);
+ }
}
if (test.acls != null) {
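Review bot: Both new `assertNotNull` calls use the same message, `"result was null! - "`, while `result` is reassigned from the access result to the data-mask result and then to the row-filter result, so a failure does not say which evaluation returned null. I would name the evaluation in each message, e.g. `assertNotNull("dataMask result was null! - " + test.name, result);` and `assertNotNull("rowFilter result was null! - " + test.name, result);`. In the `else` branch of the mask check only `getMaskType()` is compared, so a result carrying a masked value or mask condition without a mask type would still pass; asserting that `getMaskedValue()` and `getMaskCondition()` are null there too would tighten the no-mask case, provided the expected result leaves them unset. runTests begins before this hunk and continues after it.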
diff --git a/agents-common/src/test/resources/plugin/hive_policies.json
b/agents-common/src/test/resources/plugin/hive_policies.json
index 7eef385f5..f119e09be 100644
--- a/agents-common/src/test/resources/plugin/hive_policies.json
+++ b/agents-common/src/test/resources/plugin/hive_policies.json
@@ -25,7 +25,34 @@
{ "name": "all", "label": "All",
"impliedGrants": [ "select", "update", "create", "drop", "alter",
"index", "lock", "read", "write", "repladmin", "serviceadmin" ]
}
- ]
+ ],
+ "dataMaskDef": {
+ "accessTypes": [ { "name": "select" }],
+ "resources": [
+ { "name": "database", "matcherOptions": { "wildCard": "false" },
"lookupSupported": true, "uiHint":"{ \"singleValue\":true }" },
+ { "name": "table", "matcherOptions": { "wildCard": "false" },
"lookupSupported": true, "uiHint":"{ \"singleValue\":true }" },
+ { "name": "column", "matcherOptions": { "wildCard": "false" },
"lookupSupported": true, "uiHint":"{ \"singleValue\":true }" }
+ ],
+ "maskTypes": [
+ { "itemId": 1, "name": "MASK", "label": "Redact",
"description": "Replace lowercase with 'x', uppercase with
'X', digits with '0'", "transformer": "mask({col})", "dataMaskOptions": { } },
+ { "itemId": 2, "name": "MASK_SHOW_LAST_4", "label": "Partial mask:
show last 4", "description": "Show last 4 characters; replace rest with
'x'", "transformer": "mask_show_last_n({col}, 4, 'x', 'x',
'x', -1, '1')" },
+ { "itemId": 3, "name": "MASK_SHOW_FIRST_4", "label": "Partial mask:
show first 4", "description": "Show first 4 characters; replace rest with
'x'", "transformer": "mask_show_first_n({col}, 4, 'x', 'x',
'x', -1, '1')" },
+ { "itemId": 4, "name": "MASK_HASH", "label": "Hash",
"description": "Hash the value",
"transformer": "mask_hash({col})" },
+ { "itemId": 5, "name": "MASK_NULL", "label": "Nullify",
"description": "Replace with NULL" },
+ { "itemId": 6, "name": "MASK_NONE", "label": "Unmasked
(retain original value)", "description": "No masking" },
+ { "itemId": 12, "name": "MASK_DATE_SHOW_YEAR", "label": "Date: show
only year", "description": "Date: show only year",
"transformer": "mask({col}, 'x', 'x', 'x', -1, '1',
1, 0, -1)" },
+ { "itemId": 13, "name": "CUSTOM", "label": "Custom",
"description": "Custom" }
+ ]
+ },
+ "rowFilterDef": {
+ "accessTypes": [
+ { "name": "select" }
+ ],
+ "resources": [
+ { "name": "database", "matcherOptions": { "wildCard": "false" },
"lookupSupported": true, "mandatory": true, "uiHint": "{ \"singleValue\":true
}" },
+ { "name": "table", "matcherOptions": { "wildCard": "false" },
"lookupSupported": true, "mandatory": true, "uiHint": "{ \"singleValue\":true
}" }
+ ]
+ }
},
"securityZones": {
"sales": {
diff --git a/agents-common/src/test/resources/plugin/test_base_plugin_hive.json
b/agents-common/src/test/resources/plugin/test_base_plugin_hive.json
index b6d27da5f..86b0ad35d 100644
--- a/agents-common/src/test/resources/plugin/test_base_plugin_hive.json
+++ b/agents-common/src/test/resources/plugin/test_base_plugin_hive.json
@@ -233,7 +233,105 @@
},
"result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": -1 }
},
-
+
+
+ {
+ "name": "table: customers.shipping_address, user: res-user, access:
select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address" } },
+ "accessType": "select", "user": "res-user", "userGroups": []
+ },
+ "result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": -1 }
+ },
+ {
+ "name": "table: customers.shipping_address, user: tag-user, access:
select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address" } },
+ "accessType": "select", "user": "tag-user", "userGroups": []
+ },
+ "result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": -1 }
+ },
+ {
+ "name": "table: customers.shipping_address, user: ds-user, access:
select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address" } },
+ "accessType": "select", "user": "ds-user", "userGroups": []
+ },
+ "result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": -1,
"additionalInfo": { "filterExpr": "country = 'US'" } }
+ },
+ {
+ "name": "mask: column: customers.shipping_address.phone, user: ds-user,
access: select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address", "column": "phone" } },
+ "accessType": "select", "user": "ds-user", "userGroups": []
+ },
+ "result": { "isAllowed": true, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": 2006,
"additionalInfo": { "maskType": "MASK_SHOW_LAST_4" } }
+ },
+ {
+ "name": "mask: column: customers.shipping_address.city, user: ds-user,
access: select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address", "column": "city" } },
+ "accessType": "select", "user": "ds-user", "userGroups": []
+ },
+ "result": { "isAllowed": true, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": 2006,
"additionalInfo": { "maskType": "MASK_SHOW_FIRST_4" } }
+ },
+ {
+ "name": "mask: column: customers.shipping_address.zip, user: ds-user,
access: select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address", "column": "zip" } },
+ "accessType": "select", "user": "ds-user", "userGroups": []
+ },
+ "result": { "isAllowed": true, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": 2006,
"additionalInfo": null }
+ },
+ {
+ "name": "mask: column: customers.shipping_address.non-existing, user:
ds-user, access: select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address", "column": "non-existing" } },
+ "accessType": "select", "user": "ds-user", "userGroups": []
+ },
+ "result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": false, "isAuditedDetermined": false, "policyId": -1,
"additionalInfo": null }
+ },
+ {
+ "name": "mask: column: customers.shipping_address.phone, user: ds6-user,
access: select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address", "column": "phone" } },
+ "accessType": "select", "user": "ds6-user", "userGroups": []
+ },
+ "result": { "isAllowed": true, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": 2006,
"additionalInfo": { "maskType": "MASK_SHOW_LAST_4" } }
+ },
+ {
+ "name": "table: customers.shipping_address, user: ds3-user, access:
select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address" } },
+ "accessType": "select", "user": "ds3-user", "userGroups": []
+ },
+ "result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": -1 }
+ },
+ {
+ "name": "table: customers.shipping_address, user: proj-user, access:
select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address" } },
+ "accessType": "select", "user": "proj-user", "userGroups": []
+ },
+ "result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": -1,
"additionalInfo": { "filterExpr": "country = 'US'" } }
+ },
+ {
+ "name": "table: customers.shipping_address, user: proj2-user, access:
select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address" } },
+ "accessType": "select", "user": "proj2-user", "userGroups": []
+ },
+ "result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": -1 }
+ },
+ {
+ "name": "table: customers.shipping_address, user: no-user, access:
select",
+ "request": {
+ "resource": { "elements": { "database": "customers", "table":
"shipping_address" } },
+ "accessType": "select", "user": "no-user", "userGroups": []
+ },
+ "result": { "isAllowed": false, "isAccessDetermined": "true",
"isAudited": true, "isAuditedDetermined": true, "policyId": -1 }
+ },
+
{
"name": "table: operations.facilities, user: res-user, access: select",
"request": {
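Review bot: None of the added `mask:` cases expects anything other than `maskType` in `additionalInfo`, so the `maskedValue` and `maskCondition` assertions added to runTests in this commit appear to compare null with null for every case here. A case whose data-share mask carries a condition or a custom value would actually exercise them. The mask cases also cover only `ds-user` and `ds6-user`. A column-level `select` on `phone` for a user the table-level cases suggest is outside the dataset (for instance `no-user`) would pin that no mask type is reported for non-members, assuming that is the intended behaviour. The enclosing test array starts and ends outside the hunk.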
diff --git
a/agents-common/src/test/resources/policyengine/gds/gds_info_hive_access.json
b/agents-common/src/test/resources/policyengine/gds/gds_info_hive_access.json
index 07089cf5f..96b399c85 100644
---
a/agents-common/src/test/resources/policyengine/gds/gds_info_hive_access.json
+++
b/agents-common/src/test/resources/policyengine/gds/gds_info_hive_access.json
@@ -169,6 +169,11 @@
"id": 61, "dataShareId": 6, "conditionExpr": "", "accessTypes": [
"select" ],
"resource": { "database": { "values": [ "customers" ] }, "table": {
"values": [ "contact_info" ] } },
"subResourceType": "column", "subResource": { "values": [ "*" ] },
"subResourceMasks": null
+ },
+ {
+ "id": 71, "dataShareId": 6, "conditionExpr": "", "accessTypes": [
"select" ],
+ "resource": { "database": { "values": [ "customers" ] }, "table": {
"values": [ "shipping_address" ] } }, "rowFilter": { "filterExpr": "country =
'US'" },
+ "subResourceType": "column", "subResource": { "values": [ "phone",
"city", "zip" ] }, "subResourceMasks": [ { "values": [ "phone" ], "maskInfo": {
"dataMaskType": "MASK_SHOW_LAST_4" } }, { "values": [ "city" ], "maskInfo": {
"dataMaskType": "MASK_SHOW_FIRST_4" } } ]
}
],
"gdsVersion": 1