This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 7ec7ae557 RANGER-4378: removed static PolicyEngine.impliedAccessGrants
- #3
7ec7ae557 is described below
commit 7ec7ae557125c6e83ff13824dbd2d6780a5e01aa
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Thu Nov 2 20:11:25 2023 -0700
RANGER-4378: removed static PolicyEngine.impliedAccessGrants - #3
---
.../ranger/plugin/policyengine/PolicyEngine.java | 28 ++++------------------
.../RangerAbstractPolicyItemEvaluator.java | 3 +--
.../RangerAuditPolicyEvaluator.java | 6 ++---
.../RangerDefaultPolicyEvaluator.java | 19 +++++++--------
4 files changed, 16 insertions(+), 40 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 858c3f542..704434b8e 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -21,7 +21,6 @@ package org.apache.ranger.plugin.policyengine;
import java.util.ArrayList;
import java.util.Arrays;
-import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -66,15 +65,8 @@ public class PolicyEngine {
private boolean useForwardedIPAddress;
private String[] trustedProxyAddresses;
private final Map<String, StringTokenReplacer> tokenReplacers = new
HashMap<>();
-
private final RangerReadWriteLock lock;
- static private Map<String, Map<String, Collection<String>>>
impliedAccessGrants = null;
-
- static public Map<String, Collection<String>>
getImpliedAccessGrants(RangerServiceDef serviceDef) {
- return impliedAccessGrants == null ? null :
impliedAccessGrants.get(serviceDef.getName());
- }
-
public RangerReadWriteLock.RangerLock getReadLock() {
return lock.getReadLock();
@@ -204,7 +196,7 @@ public class PolicyEngine {
PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory
- freeMemory) + ", Free memory:" + freeMemory);
}
- buildImpliedAccessGrants(servicePolicies);
+ normalizeServiceDefs(servicePolicies);
this.pluginContext = pluginContext;
this.lock = new RangerReadWriteLock(isUseReadWriteLock);
@@ -482,32 +474,20 @@ public class PolicyEngine {
}
}
- synchronized static private void buildImpliedAccessGrants(ServicePolicies
servicePolicies) {
+ private void normalizeServiceDefs(ServicePolicies servicePolicies) {
RangerServiceDef serviceDef = servicePolicies.getServiceDef();
if (serviceDef != null) {
- buildImpliedAccessGrants(ServiceDefUtil.normalize(serviceDef));
+ ServiceDefUtil.normalize(serviceDef);
RangerServiceDef tagServiceDef = servicePolicies.getTagPolicies()
!= null ? servicePolicies.getTagPolicies().getServiceDef() : null;
if (tagServiceDef != null) {
-
buildImpliedAccessGrants(ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagServiceDef),
serviceDef.getName()));
+
ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagServiceDef),
serviceDef.getName());
}
}
}
- static private void buildImpliedAccessGrants(RangerServiceDef serviceDef) {
- if (serviceDef != null) {
- RangerServiceDefHelper helper = new
RangerServiceDefHelper(serviceDef, false);
-
- if (impliedAccessGrants == null) {
- impliedAccessGrants = Collections.synchronizedMap(new
HashMap<>());
- }
-
- impliedAccessGrants.put(serviceDef.getName(),
helper.getImpliedAccessGrants());
- }
- }
-
private PolicyEngine(final PolicyEngine other, ServicePolicies
servicePolicies) {
this.useForwardedIPAddress = other.useForwardedIPAddress;
this.trustedProxyAddresses = other.trustedProxyAddresses;
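Review bot: In `normalizeServiceDefs`, both `ServiceDefUtil.normalize(serviceDef)` and the `ServiceDefUtil.normalizeAccessTypeDefs(...)` call now discard their return values, so the method only has an effect if those helpers modify the service-defs they are given in place; that contract is not visible in this hunk. Since the policy engine evaluates against these definitions afterwards, a comment stating the reliance would help, e.g. `// normalize() updates the service-def in place; the return value is not needed here`. The method reads no instance state, so `private static void normalizeServiceDefs(ServicePolicies servicePolicies)` would also avoid calling an instance method before `lock` and `pluginContext` are assigned at the call site shown in the earlier hunk.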
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
index a3e3806ec..2190ad281 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
@@ -29,7 +29,6 @@ import
org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.policyengine.PolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
@@ -118,7 +117,7 @@ public abstract class RangerAbstractPolicyItemEvaluator
implements RangerPolicyI
ret = policyItem;
} else {
// Compute implied-accesses
- Map<String, Collection<String>>
impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(serviceDef);
+ Map<String, Collection<String>>
impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants();
if (impliedAccessGrants != null &&
!impliedAccessGrants.isEmpty()) {
ret = new RangerPolicyItem(policyItem);
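Review bot: `options.getServiceDefHelper().getImpliedAccessGrants()` dereferences both `options` and the returned helper without a null check, while the lines that follow still treat a null `impliedAccessGrants` as a valid outcome. Whether either can be null at this point is not visible in the hunk (the enclosing method starts above it), but if so, evaluator initialisation now fails with a NullPointerException instead of leaving the policy item unexpanded. The same chained call appears in `RangerAuditPolicyEvaluator.preprocessPolicy` and in the `createPolicyACLSummary(...)` call in `RangerDefaultPolicyEvaluator`. Either document that `options` and its helper are never null, or guard the lookup: `RangerServiceDefHelper helper = options != null ? options.getServiceDefHelper() : null;` followed by `impliedAccessGrants = helper != null ? helper.getImpliedAccessGrants() : null;`.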
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index 9051a8ce4..96610e2eb 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -100,10 +100,10 @@ public class RangerAuditPolicyEvaluator extends
RangerDefaultPolicyEvaluator {
}
@Override
- protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef
serviceDef) {
- super.preprocessPolicy(policy, serviceDef);
+ protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef
serviceDef, RangerPolicyEngineOptions options) {
+ super.preprocessPolicy(policy, serviceDef, options);
- Map<String, Collection<String>> impliedAccessGrants =
PolicyEngine.getImpliedAccessGrants(serviceDef);
+ Map<String, Collection<String>> impliedAccessGrants =
options.getServiceDefHelper().getImpliedAccessGrants();
if (impliedAccessGrants == null || impliedAccessGrants.isEmpty()) {
return;
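Review bot: `preprocessPolicy` is a protected extension point, and this override shows its signature going from two to three parameters with no compatibility path for the old form. An evaluator subclass outside this commit that overrides the two-argument signature stops compiling if it carries `@Override`; without the annotation it still compiles but is never invoked, so whatever policy preprocessing it performed is silently skipped. Whether such out-of-tree subclasses exist cannot be told from this page; if they can, the signature change should be stated in the method's Javadoc and in the release notes so that the silent case is caught at upgrade time. The method body continues below this hunk.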
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index bc627adf5..7fe2a2eb3 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -42,7 +42,6 @@ import
org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
import org.apache.ranger.plugin.model.RangerValiditySchedule;
-import org.apache.ranger.plugin.policyengine.PolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestWrapper;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
@@ -128,7 +127,7 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
policy = getPolicy();
- preprocessPolicy(policy, serviceDef);
+ preprocessPolicy(policy, serviceDef, options);
if(policy != null) {
validityScheduleEvaluators =
createValidityScheduleEvaluators(policy);
@@ -136,7 +135,7 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
this.disableRoleResolution =
options.disableRoleResolution;
if
(!options.disableAccessEvaluationWithPolicyACLSummary) {
- aclSummary = createPolicyACLSummary();
+ aclSummary =
createPolicyACLSummary(options.getServiceDefHelper().getImpliedAccessGrants());
}
useAclSummaryForEvaluation = aclSummary != null;
@@ -549,7 +548,7 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
public PolicyACLSummary getPolicyACLSummary() {
if (aclSummary == null) {
boolean forceCreation = true;
- aclSummary = createPolicyACLSummary(forceCreation);
+ aclSummary =
createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()),
forceCreation);
}
return aclSummary;
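Review bot: `getPolicyACLSummary()` now builds the summary from `ServiceDefUtil.getExpandedImpliedGrants(getServiceDef())`, while the initialisation path earlier in this file fills the same `aclSummary` field from `options.getServiceDefHelper().getImpliedAccessGrants()`. Nothing in the visible hunks shows that the two return the same mapping; if they differ, the ACLs reported for a policy depend on which path created the summary. Consider keeping the map obtained at initialisation in a field and reusing it here, or add a comment such as `// must yield the same grants as options.getServiceDefHelper().getImpliedAccessGrants() used at initialisation`.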
@@ -590,12 +589,12 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
is set to false). It may return null object if all accesses for
all user/groups cannot be determined statically.
*/
- private PolicyACLSummary createPolicyACLSummary() {
+ private PolicyACLSummary createPolicyACLSummary(Map<String,
Collection<String>> impliedAccessGrants) {
boolean forceCreation = false;
- return createPolicyACLSummary(forceCreation);
+ return createPolicyACLSummary(impliedAccessGrants,
forceCreation);
}
- private PolicyACLSummary createPolicyACLSummary(boolean
isCreationForced) {
+ private PolicyACLSummary createPolicyACLSummary(Map<String,
Collection<String>> impliedAccessGrants, boolean isCreationForced) {
PolicyACLSummary ret = null;
RangerPerfTracer perf = null;
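Review bot: The block comment above `createPolicyACLSummary` does not mention the new `impliedAccessGrants` parameter, and neither overload says whether a null map is accepted. The value is passed straight through to `ret.processPolicyItem(...)` in the following hunk, and other call sites in this commit check the map for null or empty before using it, so the contract is worth stating. A line such as `impliedAccessGrants: map of access-type to its implied access-types for the service-def; state here whether null is allowed` would cover it. The comment starts above this hunk and the second overload's body continues below it.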
@@ -625,8 +624,6 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
if (isUsableForEvaluation || isCreationForced) {
ret = new PolicyACLSummary();
- Map<String, Collection<String>> impliedAccessGrants =
PolicyEngine.getImpliedAccessGrants(getServiceDef());
-
for (RangerPolicyItem policyItem :
policy.getDenyPolicyItems()) {
ret.processPolicyItem(policyItem,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY,
hasNonPublicGroupOrConditionsInDenyExceptions ||
hasPublicGroupInDenyAndUsersInDenyExceptions, impliedAccessGrants);
@@ -1166,13 +1163,13 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
return sb;
}
- protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef
serviceDef) {
+ protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef
serviceDef, RangerPolicyEngineOptions options) {
if(policy == null || (!hasAllow() && !hasDeny()) || serviceDef
== null) {
return;
}
/*
- Map<String, Collection<String>> impliedAccessGrants =
getImpliedAccessGrants(serviceDef);
+ Map<String, Collection<String>> impliedAccessGrants =
options.getServiceDefHelper().getImpliedAccessGrants();
if(impliedAccessGrants == null ||
impliedAccessGrants.isEmpty()) {
return;