This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new a4afbe9 RANGER-2396: Inconsistency in policy operations in a disabled
Ranger service
a4afbe9 is described below
commit a4afbe9ac9067435aecbd7ac370c6b99c0b7593f
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Sun Apr 7 15:24:33 2019 -0700
RANGER-2396: Inconsistency in policy operations in a disabled Ranger service
---
.../policyengine/RangerPolicyEngineImpl.java | 38 +++---
.../apache/ranger/plugin/util/ServicePolicies.java | 7 +-
.../java/org/apache/ranger/biz/ServiceDBStore.java | 143 ++++++++++++---------
.../ranger/common/RangerServicePoliciesCache.java | 25 ++--
4 files changed, 120 insertions(+), 93 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 5e10e0d..be256a9 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -165,26 +165,32 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
this.policyRepository = other.policyRepository;
other.isPolicyRepositoryShared = true;
}
- if
(CollectionUtils.isNotEmpty(defaultZoneDeltasForTagPolicies)) {
+ if (servicePolicies.getTagPolicies() == null) {
+ this.tagPolicyRepository = null;
if (other.tagPolicyRepository != null) {
- this.tagPolicyRepository = new
RangerPolicyRepository(other.tagPolicyRepository,
defaultZoneDeltasForTagPolicies, policyVersion);
- } else {
- // Only creates are expected
- List<RangerPolicy> tagPolicies = new
ArrayList<>();
- for (RangerPolicyDelta delta :
defaultZoneDeltasForTagPolicies) {
- if (delta.getChangeType() ==
RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
-
tagPolicies.add(delta.getPolicy());
- } else {
- LOG.warn("Expected
changeType:[" + RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found
policy-change-delta:[" + delta +"]");
+ other.isTagPolicyRepositoryShared = false;
+ }
+ } else {
+ if
(CollectionUtils.isNotEmpty(defaultZoneDeltasForTagPolicies)) {
+ if (other.tagPolicyRepository != null) {
+ this.tagPolicyRepository = new
RangerPolicyRepository(other.tagPolicyRepository,
defaultZoneDeltasForTagPolicies, policyVersion);
+ } else {
+ // Only creates are expected
+ List<RangerPolicy> tagPolicies = new
ArrayList<>();
+ for (RangerPolicyDelta delta :
defaultZoneDeltasForTagPolicies) {
+ if (delta.getChangeType() ==
RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE) {
+
tagPolicies.add(delta.getPolicy());
+ } else {
+ LOG.warn("Expected
changeType:[" + RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE + "], found
policy-change-delta:[" + delta + "]");
+ }
}
+
servicePolicies.getTagPolicies().setPolicies(tagPolicies);
+ this.tagPolicyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(),
servicePolicies.getTagPolicies(), other.policyRepository.getOptions(),
servicePolicies.getServiceDef(), servicePolicies.getServiceName());
}
-
servicePolicies.getTagPolicies().setPolicies(tagPolicies);
- this.tagPolicyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(),
servicePolicies.getTagPolicies(), other.policyRepository.getOptions(),
servicePolicies.getServiceDef(), servicePolicies.getServiceName());
-
+ } else {
+ this.tagPolicyRepository =
other.tagPolicyRepository;
+ other.isTagPolicyRepositoryShared = true;
}
- } else {
- this.tagPolicyRepository = other.tagPolicyRepository;
- other.isTagPolicyRepositoryShared = true;
}
List<RangerContextEnricher> tmpList;
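Review bot: The new `servicePolicies.getTagPolicies() == null` branch writes `other.isTagPolicyRepositoryShared = false` without saying why, and that write to a different engine instance is the least obvious line in the hunk. If the intent is that this engine no longer references the tag repository, so `other` owns it again, a comment such as `// tag policies absent (e.g. tag service disabled): nothing shared, 'other' keeps sole ownership of its tag repository` would make that explicit. Because the flag is a boolean rather than a count, it is also worth confirming that `other.tagPolicyRepository` cannot still be shared with a third engine built earlier from `other`. The enclosing method starts and ends outside the hunk.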
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
index 3ce9212..cbd2cb0 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
@@ -341,7 +341,7 @@ public class ServicePolicies implements
java.io.Serializable {
;
}
}
- private static ServicePolicies copyHeader(ServicePolicies source) {
+ static public ServicePolicies copyHeader(ServicePolicies source) {
ServicePolicies ret = new ServicePolicies();
ret.setServiceName(source.getServiceName());
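Review bot: `copyHeader` becomes public here, as does the `TagPolicies` overload in the hunk at -360, but neither gets Javadoc, and both use the unconventional modifier order `static public`. Prefer `public static ServicePolicies copyHeader(ServicePolicies source)` with a short Javadoc stating which fields are carried over and that the returned object has an empty policy list. The method body continues past this hunk.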
@@ -350,8 +350,9 @@ public class ServicePolicies implements
java.io.Serializable {
ret.setAuditMode(source.getAuditMode());
ret.setServiceDef(source.getServiceDef());
ret.setPolicyUpdateTime(source.getPolicyUpdateTime());
- ret.setPolicyDeltas(Collections.emptyList());
+ ret.setSecurityZones(source.getSecurityZones());
ret.setPolicies(Collections.emptyList());
+ ret.setPolicyDeltas(null);
if (source.getTagPolicies() != null) {
TagPolicies tagPolicies =
copyHeader(source.getTagPolicies());
ret.setTagPolicies(tagPolicies);
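Review bot: `ret.setSecurityZones(source.getSecurityZones())` gives the copy the same object as the source, and elsewhere in this commit ServiceDBStore returns this copy for a disabled service. If the zone entries carry their own policy lists (not visible here), a disabled service would still deliver zone policies to plugins, and a later mutation through the copy would reach the cached source. Either copy only the zone headers or add a comment such as `// security zones are intentionally retained as-is; see RANGER-2396`. `setPolicyDeltas` now passes `null` instead of an empty list, so consumers of `getPolicyDeltas()` need to tolerate null.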
@@ -360,7 +361,7 @@ public class ServicePolicies implements
java.io.Serializable {
return ret;
}
- private static TagPolicies copyHeader(TagPolicies source) {
+ static public TagPolicies copyHeader(TagPolicies source) {
TagPolicies ret = new TagPolicies();
ret.setServiceName(source.getServiceName());
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 4b1c0c4..574166c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -2435,13 +2435,42 @@ public class ServiceDBStore extends
AbstractServiceStore {
ret =
RangerServicePoliciesCache.getInstance().getServicePolicies(serviceName,
serviceDbObj.getId(), lastKnownVersion, needsBackwardCompatibility, this);
}
+ if (LOG.isDebugEnabled()) {
+ RangerServicePoliciesCache.getInstance().dump();
+ }
+
if (ret != null && lastKnownVersion != null &&
lastKnownVersion.equals(ret.getPolicyVersion())) {
// ServicePolicies are not changed
ret = null;
}
- if (LOG.isDebugEnabled()) {
- RangerServicePoliciesCache.getInstance().dump();
+ if (ret != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking if resource-service:[" +
ret.getServiceName() +"] is disabled");
+ }
+ if (!serviceDbObj.getIsenabled()) {
+ ret = ServicePolicies.copyHeader(ret);
+ } else if (ret.getTagPolicies() != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking if tag-service:[" +
ret.getTagPolicies().getServiceName() +"] is disabled");
+ }
+ String tagServiceName =
ret.getTagPolicies().getServiceName();
+ if (StringUtils.isNotEmpty(tagServiceName)) {
+ XXService tagService =
daoMgr.getXXService().findByName(tagServiceName);
+ if (tagService == null ||
!tagService.getIsenabled()) {
+ if (LOG.isDebugEnabled()) {
+
LOG.debug("tag-service:[" + tagServiceName +"] is disabled");
+ }
+ ServicePolicies copy =
ServicePolicies.copyHeader(ret);
+ copy.setTagPolicies(null);
+ List<RangerPolicy> copyPolicies
= ret.getPolicies() != null ? new ArrayList<>(ret.getPolicies()) : null;
+ List<RangerPolicyDelta>
copyPolicyDeltas = ret.getPolicyDeltas() != null ? new
ArrayList<>(ret.getPolicyDeltas()) : null;
+ copy.setPolicies(copyPolicies);
+
copy.setPolicyDeltas(copyPolicyDeltas);
+ ret = copy;
+ }
+ }
+ }
}
if (LOG.isDebugEnabled()) {
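Review bot: The disabled-service filter runs only after the `lastKnownVersion.equals(ret.getPolicyVersion())` short-circuit, so a plugin already at the current version is told "not changed" and keeps enforcing the policies it downloaded before the service or its tag service was disabled. That is correct only if toggling the enabled flag always bumps the policy version, which this hunk does not show. `copyHeader` appears to keep the source version, so the same question applies when a tag service is re-enabled. A comment above `if (ret != null)` stating that dependency, or a test pinning it, would help. The branch where `tagService == null` also logs "is disabled", which will mislead when the tag service is actually missing. The method starts and ends outside the hunk.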
@@ -2499,78 +2528,72 @@ public class ServiceDBStore extends
AbstractServiceStore {
String auditMode = getAuditMode(serviceType, serviceName);
- if (serviceDbObj.getIsenabled()) {
-
- XXService tagServiceDbObj = null;
- RangerServiceDef tagServiceDef = null;
- XXServiceVersionInfo tagServiceVersionInfoDbObj= null;
-
- if (serviceDbObj.getTagService() != null) {
- tagServiceDbObj =
daoMgr.getXXService().getById(serviceDbObj.getTagService());
- if (tagServiceDbObj != null &&
!tagServiceDbObj.getIsenabled()) {
- tagServiceDbObj = null;
- }
- }
-
- if (tagServiceDbObj != null) {
- tagServiceDef =
getServiceDef(tagServiceDbObj.getType());
+ XXService tagServiceDbObj = null;
+ RangerServiceDef tagServiceDef = null;
+ XXServiceVersionInfo tagServiceVersionInfoDbObj= null;
- if (tagServiceDef == null) {
- throw new Exception("service-def does
not exist. id=" + tagServiceDbObj.getType());
- }
+ if (serviceDbObj.getTagService() != null) {
+ tagServiceDbObj =
daoMgr.getXXService().getById(serviceDbObj.getTagService());
+ }
- tagServiceVersionInfoDbObj =
daoMgr.getXXServiceVersionInfo().findByServiceId(serviceDbObj.getTagService());
+ if (tagServiceDbObj != null) {
+ tagServiceDef =
getServiceDef(tagServiceDbObj.getType());
- if (tagServiceVersionInfoDbObj == null) {
- LOG.warn("serviceVersionInfo does not
exist. name=" + tagServiceDbObj.getName());
- }
+ if (tagServiceDef == null) {
+ throw new Exception("service-def does not
exist. id=" + tagServiceDbObj.getType());
}
- if (LOG.isDebugEnabled()) {
- LOG.debug("Support for incremental policy
updates enabled using \"ranger.admin.supports.policy.deltas\" configuation
parameter :[" + SUPPORTS_POLICY_DELTAS +"]");
- }
+ tagServiceVersionInfoDbObj =
daoMgr.getXXServiceVersionInfo().findByServiceId(serviceDbObj.getTagService());
- if (SUPPORTS_POLICY_DELTAS) {
- ret = getServicePoliciesWithDeltas(serviceDef,
serviceDbObj, tagServiceDef, tagServiceDbObj, lastKnownVersion);
+ if (tagServiceVersionInfoDbObj == null) {
+ LOG.warn("serviceVersionInfo does not exist.
name=" + tagServiceDbObj.getName());
}
+ }
- if (ret != null) {
- ret.setPolicyVersion(serviceVersionInfoDbObj ==
null ? null : serviceVersionInfoDbObj.getPolicyVersion());
- ret.setPolicyUpdateTime(serviceVersionInfoDbObj
== null ? null : serviceVersionInfoDbObj.getPolicyUpdateTime());
- ret.setAuditMode(auditMode);
- if (ret.getTagPolicies() != null) {
-
ret.getTagPolicies().setPolicyVersion(tagServiceVersionInfoDbObj == null ? null
: tagServiceVersionInfoDbObj.getPolicyVersion());
-
ret.getTagPolicies().setPolicyUpdateTime(tagServiceVersionInfoDbObj == null ?
null : tagServiceVersionInfoDbObj.getPolicyUpdateTime());
-
ret.getTagPolicies().setAuditMode(auditMode);
- }
- } else if (!getOnlyDeltas) {
- ServicePolicies.TagPolicies tagPolicies = null;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Support for incremental policy updates
enabled using \"ranger.admin.supports.policy.deltas\" configuation parameter
:[" + SUPPORTS_POLICY_DELTAS +"]");
+ }
- if (tagServiceDbObj != null) {
+ if (SUPPORTS_POLICY_DELTAS) {
+ ret = getServicePoliciesWithDeltas(serviceDef,
serviceDbObj, tagServiceDef, tagServiceDbObj, lastKnownVersion);
+ }
- tagPolicies = new
ServicePolicies.TagPolicies();
+ if (ret != null) {
+ ret.setPolicyVersion(serviceVersionInfoDbObj == null ?
null : serviceVersionInfoDbObj.getPolicyVersion());
+ ret.setPolicyUpdateTime(serviceVersionInfoDbObj == null
? null : serviceVersionInfoDbObj.getPolicyUpdateTime());
+ ret.setAuditMode(auditMode);
+ if (ret.getTagPolicies() != null) {
+
ret.getTagPolicies().setPolicyVersion(tagServiceVersionInfoDbObj == null ? null
: tagServiceVersionInfoDbObj.getPolicyVersion());
+
ret.getTagPolicies().setPolicyUpdateTime(tagServiceVersionInfoDbObj == null ?
null : tagServiceVersionInfoDbObj.getPolicyUpdateTime());
+ ret.getTagPolicies().setAuditMode(auditMode);
+ }
+ } else if (!getOnlyDeltas) {
+ ServicePolicies.TagPolicies tagPolicies = null;
-
tagPolicies.setServiceId(tagServiceDbObj.getId());
-
tagPolicies.setServiceName(tagServiceDbObj.getName());
-
tagPolicies.setPolicyVersion(tagServiceVersionInfoDbObj == null ? null :
tagServiceVersionInfoDbObj.getPolicyVersion());
-
tagPolicies.setPolicyUpdateTime(tagServiceVersionInfoDbObj == null ? null :
tagServiceVersionInfoDbObj.getPolicyUpdateTime());
-
tagPolicies.setPolicies(getServicePoliciesFromDb(tagServiceDbObj));
-
tagPolicies.setServiceDef(tagServiceDef);
- tagPolicies.setAuditMode(auditMode);
- }
- List<RangerPolicy> policies =
getServicePoliciesFromDb(serviceDbObj);
+ if (tagServiceDbObj != null) {
- ret = new ServicePolicies();
+ tagPolicies = new ServicePolicies.TagPolicies();
- ret.setServiceId(serviceDbObj.getId());
- ret.setServiceName(serviceDbObj.getName());
- ret.setPolicyVersion(serviceVersionInfoDbObj ==
null ? null : serviceVersionInfoDbObj.getPolicyVersion());
- ret.setPolicyUpdateTime(serviceVersionInfoDbObj
== null ? null : serviceVersionInfoDbObj.getPolicyUpdateTime());
- ret.setPolicies(policies);
- ret.setServiceDef(serviceDef);
- ret.setAuditMode(auditMode);
- ret.setTagPolicies(tagPolicies);
+
tagPolicies.setServiceId(tagServiceDbObj.getId());
+
tagPolicies.setServiceName(tagServiceDbObj.getName());
+
tagPolicies.setPolicyVersion(tagServiceVersionInfoDbObj == null ? null :
tagServiceVersionInfoDbObj.getPolicyVersion());
+
tagPolicies.setPolicyUpdateTime(tagServiceVersionInfoDbObj == null ? null :
tagServiceVersionInfoDbObj.getPolicyUpdateTime());
+
tagPolicies.setPolicies(getServicePoliciesFromDb(tagServiceDbObj));
+ tagPolicies.setServiceDef(tagServiceDef);
+ tagPolicies.setAuditMode(auditMode);
}
+ List<RangerPolicy> policies =
getServicePoliciesFromDb(serviceDbObj);
+
+ ret = new ServicePolicies();
+
+ ret.setServiceId(serviceDbObj.getId());
+ ret.setServiceName(serviceDbObj.getName());
+ ret.setPolicyVersion(serviceVersionInfoDbObj == null ?
null : serviceVersionInfoDbObj.getPolicyVersion());
+ ret.setPolicyUpdateTime(serviceVersionInfoDbObj == null
? null : serviceVersionInfoDbObj.getPolicyUpdateTime());
+ ret.setPolicies(policies);
+ ret.setServiceDef(serviceDef);
+ ret.setAuditMode(auditMode);
+ ret.setTagPolicies(tagPolicies);
}
if (LOG.isDebugEnabled()) {
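Review bot: With the `serviceDbObj.getIsenabled()` guard and the `!tagServiceDbObj.getIsenabled()` reset removed, this block builds full policy sets for disabled services and disabled tag services, and enforcement rests entirely on the filter added in the earlier ServiceDBStore hunk. Any other caller of this method, or any other reader of the cache it feeds, would now receive enforceable policies for a disabled service. State the contract at the top of the block, for example `// NOTE: policies are returned regardless of enabled state; callers must strip them for disabled services`. The method's signature and tail are outside the hunk.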
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
index 86b3c00..8942b4e 100644
---
a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
+++
b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
@@ -65,25 +65,22 @@ public class RangerServicePoliciesCache {
}
public void dump() {
- if (LOG.isDebugEnabled()) {
-
- final Set<String> serviceNames;
-
- synchronized (this) {
- serviceNames = servicePoliciesMap.keySet();
- }
+ final Set<String> serviceNames;
- if (CollectionUtils.isNotEmpty(serviceNames)) {
+ synchronized (this) {
+ serviceNames = servicePoliciesMap.keySet();
+ }
- for (String serviceName : serviceNames) {
- final ServicePoliciesWrapper
cachedServicePoliciesWrapper;
+ if (CollectionUtils.isNotEmpty(serviceNames)) {
- synchronized (this) {
- cachedServicePoliciesWrapper =
servicePoliciesMap.get(serviceName);
- }
- LOG.debug("serviceName:" + serviceName
+ ", Cached-MetaData:" + cachedServicePoliciesWrapper);
+ for (String serviceName : serviceNames) {
+ final ServicePoliciesWrapper
cachedServicePoliciesWrapper;
+ synchronized (this) {
+ cachedServicePoliciesWrapper =
servicePoliciesMap.get(serviceName);
}
+ LOG.debug("serviceName:" + serviceName + ",
Cached-MetaData:" + cachedServicePoliciesWrapper);
+
}
}
}
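Review bot: `servicePoliciesMap.keySet()` returns a live view, so taking it inside `synchronized (this)` does not protect the `for` loop that iterates it after the lock is released. If the map is a plain `HashMap` (its declaration is outside the hunk), a concurrent insert during `dump()` can throw `ConcurrentModificationException`. Snapshot the keys under the lock instead with `serviceNames = new HashSet<>(servicePoliciesMap.keySet());`, adding the `java.util.HashSet` import if the file lacks it. With the `LOG.isDebugEnabled()` guard removed, `dump()` also takes the lock once per service even when debug logging is off, so its Javadoc should say that callers are expected to check the log level first.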