Merge pull request #6 from ing-bank/add-deny-subdir-policy

added additional policy to deny access to demobucket subdir

Author: kr7ysztof

airlock-dev-apache-ranger/resources/policy/ranger-policy-deny-subdir-s3.json

@@ -0,0 +1,45 @@
+{
+  "service": "testservice",
+  "name": "testuser_deny_subdir",
+  "description": "FOR TESTING PURPOSES, Deny access for testuser to subfolder of demobucket",
+  "isAuditEnabled": true,
+  "resources": {
+    "path": {
+      "values": [
+        "/demobucket/subdir"
+      ],
+      "isExcludes": false,
+      "isRecursive": true
+    }
+  },
+  "policyItems": [],
+  "denyPolicyItems": [
+    {
+      "accesses": [
+        {
+          "type": "read",
+          "isAllowed": true
+        },
+        {
+          "type": "write",
+          "isAllowed": true
+        }
+      ],
+      "users": [
+        "testuser"
+      ],
+      "groups": [],
+      "conditions": [],
+      "delegateAdmin": false
+    }
+  ],
+  "allowExceptions": [],
+  "denyExceptions": [],
+  "dataMaskPolicyItems": [],
+  "rowFilterPolicyItems": [],
+  "options": {},
+  "validitySchedules": [],
+  "policyLabels": [],
+  "isEnabled": true,
+  "version": 1
+}

airlock-dev-apache-ranger/setup-ranger.sh

@@ -37,6 +37,7 @@ if [ "$start_timeout_exceeded" = "false" ]; then
     # Setup ranger policies
     printf "Creating policy... \n"
     curl -u admin:admin -d "@/tmp/resources/policy/ranger-policy-s3.json" -X POST -H "Accept: application/json" -H "Content-Type: application/json" http://localhost:6080/service/public/v2/api/policy
+    curl -u admin:admin -d "@/tmp/resources/policy/ranger-policy-deny-subdir-s3.json" -X POST -H "Accept: application/json" -H "Content-Type: application/json" http://localhost:6080/service/public/v2/api/policy
     printf "\nPolicy created\n"
 
     echo "Done setting up Ranger for s3"