apache · bhaveshamre · May 26, 2026
diff --git a/plugin-ozone/pom.xml b/plugin-ozone/pom.xml
@@ -159,6 +159,12 @@ limitations under the License.
             <version>${junit.jupiter.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-junit-jupiter</artifactId>

diff --git a/...test/java/org/apache/ranger/authorization/ozone/authorizer/TestRangerOzoneAuthorizer.java b/...test/java/org/apache/ranger/authorization/ozone/authorizer/TestRangerOzoneAuthorizer.java
@@ -29,11 +29,18 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.plugin.model.RangerInlinePolicy;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.JsonUtilsV2;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.MethodOrderer;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestMethodOrder;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
 
+import java.lang.reflect.Field;
 import java.net.InetAddress;
 import java.util.Arrays;
 import java.util.Collections;
@@ -47,8 +54,17 @@
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
-public class TestRangerOzoneAuthorizer {
+/**
+ * @generated by Cursor
+ * @description : Unit Test cases for RangerOzoneAuthorizer
+ */
+@ExtendWith(MockitoExtension.class)
+@TestMethodOrder(MethodOrderer.MethodName.class)
+class TestRangerOzoneAuthorizer {
     private static final String RANGER_SERVICE_TYPE = "ozone";
     private static final String RANGER_APP_ID       = "om";
     private static final String OZONE_SERVICE_ID    = "om";
@@ -62,10 +78,10 @@ public class TestRangerOzoneAuthorizer {
     private final UserGroupInformation user2     = UserGroupInformation.createRemoteUser("user2");
     private final String               role1     = "role1";
 
-    private final OzoneObj   vol1  = new OzoneObjInfo.Builder().setResType(OzoneObj.ResourceType.VOLUME).setStoreType(OzoneObj.StoreType.OZONE).setVolumeName("vol1").build();
-    private final OzoneObj   buck1 = new OzoneObjInfo.Builder().setResType(OzoneObj.ResourceType.BUCKET).setStoreType(OzoneObj.StoreType.OZONE).setVolumeName("vol1").setBucketName("buck1").build();
-    private final OzoneObj   key1  = new OzoneObjInfo.Builder().setResType(OzoneObj.ResourceType.KEY).setStoreType(OzoneObj.StoreType.OZONE).setVolumeName("vol1").setBucketName("buck1").setKeyName("key1").build();
-    private final OzoneObj   vol2  = new OzoneObjInfo.Builder().setResType(OzoneObj.ResourceType.VOLUME).setStoreType(OzoneObj.StoreType.OZONE).setVolumeName("vol2").build();
+    private final OzoneObj   vol1      = new OzoneObjInfo.Builder().setResType(OzoneObj.ResourceType.VOLUME).setStoreType(OzoneObj.StoreType.OZONE).setVolumeName("vol1").build();
+    private final OzoneObj   buck1     = new OzoneObjInfo.Builder().setResType(OzoneObj.ResourceType.BUCKET).setStoreType(OzoneObj.StoreType.OZONE).setVolumeName("vol1").setBucketName("buck1").build();
+    private final OzoneObj   key1      = new OzoneObjInfo.Builder().setResType(OzoneObj.ResourceType.KEY).setStoreType(OzoneObj.StoreType.OZONE).setVolumeName("vol1").setBucketName("buck1").setKeyName("key1").build();
+    private final OzoneObj   vol2      = new OzoneObjInfo.Builder().setResType(OzoneObj.ResourceType.VOLUME).setStoreType(OzoneObj.StoreType.OZONE).setVolumeName("vol2").build();
     private final OzoneGrant grantList = new OzoneGrant(new HashSet<>(Arrays.asList(vol1, buck1)), Collections.singleton(IAccessAuthorizer.ACLType.LIST));
     private final OzoneGrant grantRead = new OzoneGrant(Collections.singleton(key1), Collections.singleton(IAccessAuthorizer.ACLType.READ));
 
@@ -78,7 +94,7 @@ public class TestRangerOzoneAuthorizer {
             .setOwnerName(OWNER_NAME);
 
     @BeforeAll
-    public static void setUpBeforeClass() {
+    static void setUpBeforeClass() {
         RangerPluginConfig pluginConfig = new RangerPluginConfig(RANGER_SERVICE_TYPE, null, RANGER_APP_ID, null, null, null); // loads ranger-ozone-security.xml
         RangerBasePlugin   plugin       = new RangerBasePlugin(pluginConfig);
 
@@ -91,15 +107,15 @@ public static void setUpBeforeClass() {
     }
 
     @Test
-    public void testAssumeRoleDeny() {
+    void testAssumeRoleDeny() {
         // user2 should not be allowed to assume role1 - no Ranger policy grants this permission
         AssumeRoleRequest request = new AssumeRoleRequest(hostname, ipAddress, user2, role1, null);
 
         assertThrows(OMException.class, () -> ozoneAuthorizer.generateAssumeRoleSessionPolicy(request));
     }
 
     @Test
-    public void testAssumeRoleWithEmptyGrants() throws Exception {
+    void testAssumeRoleWithEmptyGrants() throws Exception {
         Set<OzoneGrant>   grants  = Collections.emptySet();
         AssumeRoleRequest request = new AssumeRoleRequest(hostname, ipAddress, user1, role1, grants);
 
@@ -135,7 +151,7 @@ public void testAssumeRoleWithEmptyGrants() throws Exception {
     }
 
     @Test
-    public void testAssumeRoleWithNullGrants() throws Exception {
+    void testAssumeRoleWithNullGrants() throws Exception {
         Set<OzoneGrant>   grants  = null;
         AssumeRoleRequest request = new AssumeRoleRequest(hostname, ipAddress, user1, role1, grants);
 
@@ -171,7 +187,7 @@ public void testAssumeRoleWithNullGrants() throws Exception {
     }
 
     @Test
-    public void testAssumeRoleWithGrants() throws Exception {
+    void testAssumeRoleWithGrants() throws Exception {
         Set<OzoneGrant>   grants  = new HashSet<>(Arrays.asList(grantList, grantRead));
         AssumeRoleRequest request = new AssumeRoleRequest(hostname, ipAddress, user1, role1, grants);
 
@@ -201,4 +217,82 @@ public void testAssumeRoleWithGrants() throws Exception {
         assertTrue(ozoneAuthorizer.checkAccess(buck1, ctxListWithSessionPolicy), "session-policy should allow list on bucket vol1/buck1");
         assertTrue(ozoneAuthorizer.checkAccess(key1, ctxReadWithSessionPolicy), "session-policy should allow read on key vol1/buck1/key1");
     }
+
+    @Test
+    void test05_checkAccess_whenPolicyAllows_returnsTrue() throws Exception {
+        RangerBasePlugin active = readRangerPluginField();
+
+        try {
+            RangerBasePlugin plugin = mock(RangerBasePlugin.class);
+            when(plugin.getClusterName()).thenReturn("test-cluster");
+
+            RangerAccessResult result = mock(RangerAccessResult.class);
+            when(result.getIsAllowed()).thenReturn(true);
+            when(plugin.isAccessAllowed(any(RangerAccessRequestImpl.class))).thenReturn(result);
+
+            RangerOzoneAuthorizer authorizer = new RangerOzoneAuthorizer(plugin);
+            RequestContext        context    = reqCtxBuilder.setAclRights(IAccessAuthorizer.ACLType.READ).build();
+
+            assertTrue(authorizer.checkAccess(key1, context));
+        } finally {
+            writeRangerPluginField(active);
+        }
+    }
+
+    @Test
+    void test06_checkAccess_whenPrefixResource_returnsFalse() throws Exception {
+        RangerBasePlugin active = readRangerPluginField();
+
+        try {
+            RangerBasePlugin plugin = mock(RangerBasePlugin.class);
+            when(plugin.getClusterName()).thenReturn("test-cluster");
+
+            RangerOzoneAuthorizer authorizer = new RangerOzoneAuthorizer(plugin);
+            OzoneObj prefix = new OzoneObjInfo.Builder()
+                    .setResType(OzoneObj.ResourceType.PREFIX)
+                    .setStoreType(OzoneObj.StoreType.OZONE)
+                    .setVolumeName("vol1")
+                    .setBucketName("buck1")
+                    .setPrefixName("pre")
+                    .build();
+            RequestContext context = reqCtxBuilder.setAclRights(IAccessAuthorizer.ACLType.READ).build();
+
+            assertFalse(authorizer.checkAccess(prefix, context));
+        } finally {
+            writeRangerPluginField(active);
+        }
+    }
+
+    @Test
+    void test07_generateAssumeRoleSessionPolicy_whenTargetRoleNameNull_throwsOmException() {
+        AssumeRoleRequest request = new AssumeRoleRequest(hostname, ipAddress, user1, null, null);
+
+        assertThrows(OMException.class, () -> ozoneAuthorizer.generateAssumeRoleSessionPolicy(request));
+    }
+
+    @Test
+    void test08_generateAssumeRoleSessionPolicy_whenPluginUninitialized_throwsOmException() throws Exception {
+        RangerBasePlugin active = readRangerPluginField();
+
+        try {
+            writeRangerPluginField(null);
+            AssumeRoleRequest request = new AssumeRoleRequest(hostname, ipAddress, user1, role1, null);
+
+            assertThrows(OMException.class, () -> ozoneAuthorizer.generateAssumeRoleSessionPolicy(request));
+        } finally {
+            writeRangerPluginField(active);
+        }
+    }
+
+    private static RangerBasePlugin readRangerPluginField() throws Exception {
+        Field field = RangerOzoneAuthorizer.class.getDeclaredField("rangerPlugin");
+        field.setAccessible(true);
+        return (RangerBasePlugin) field.get(null);
+    }
+
+    private static void writeRangerPluginField(RangerBasePlugin plugin) throws Exception {
+        Field field = RangerOzoneAuthorizer.class.getDeclaredField("rangerPlugin");
+        field.setAccessible(true);
+        field.set(null, plugin);
+    }
 }