This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 2e224cf9d RANGER-4136: Incorrect processing of tag-deltas by
RangerTagEnricher
2e224cf9d is described below
commit 2e224cf9d4d28f3e23b5f8462a92024993a104bc
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Wed Mar 22 11:28:51 2023 -0700
RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher
---
.../plugin/contextenricher/RangerTagEnricher.java | 19 ++++++++++++++-----
.../plugin/policyengine/RangerAccessRequestImpl.java | 10 +++++++++-
.../plugin/service/RangerDefaultRequestProcessor.java | 19 ++++++++++++++++++-
.../util/RangerResourceEvaluatorsRetriever.java | 2 +-
4 files changed, 42 insertions(+), 8 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index efb885a74..198d24d97 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -78,9 +78,8 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
private static final Logger PERF_SET_SERVICETAGS_LOG =
RangerPerfTracer.getPerfLogger("tagenricher.setservicetags");
private static final Logger PERF_SERVICETAGS_RETRIEVAL_LOG =
RangerPerfTracer.getPerfLogger("tagenricher.tags.retrieval");
-
private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION =
"tagRefresherPollingInterval";
- public static final String TAG_RETRIEVER_CLASSNAME_OPTION =
"tagRetrieverClassName";
+ public static final String TAG_RETRIEVER_CLASSNAME_OPTION =
"tagRetrieverClassName";
private static final String TAG_DISABLE_TRIE_PREFILTER_OPTION =
"disableTrieLookupPrefilter";
private RangerTagRefresher tagRefresher;
@@ -485,12 +484,19 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
if (resourceMatcher != null) {
for
(RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
+
RangerPolicy.RangerPolicyResource policyResource =
serviceResource.getResourceElements().get(resourceDef.getName());
+
RangerResourceTrie<RangerServiceResourceMatcher> trie =
serviceResourceTrie.get(resourceDef.getName());
+ if
(LOG.isDebugEnabled()) {
+
LOG.debug("Trying to add resource-matcher to " + (trie == null ? "new" :
"existing") + " trie for " + resourceDef.getName());
+ }
+
if (trie != null) {
-
trie.add(serviceResource.getResourceElements().get(resourceDef.getName()),
resourceMatcher);
+
trie.add(policyResource, resourceMatcher);
+
trie.wrapUpUpdate();
if
(LOG.isDebugEnabled()) {
-
LOG.debug("Added resource-matcher for service-resource:[" + serviceResource +
"]");
+
LOG.debug("Added resource-matcher for policy-resource:[" + policyResource +
"]");
}
} else {
trie = new
RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher),
getPolicyEngineOptions().optimizeTagTrieForRetrieval,
getPolicyEngineOptions().optimizeTagTrieForSpace, null);
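Review bot: `trie.wrapUpUpdate()` now runs right after every `trie.add(policyResource, resourceMatcher)` inside the `for` over `serviceDef.getResources()`, so an existing trie is finalized once per added matcher rather than once per batch of changes. If the surrounding code, which starts outside this hunk, handles many service-resources in one tag-delta, it is worth checking whether the wrap-up can run once per trie after all additions. Either way the call deserves a short comment saying why an add must be followed by a wrap-up, because that is the substance of the fix and the reason is not evident from the hunk.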
@@ -541,7 +547,7 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
RangerAccessResourceImpl accessResource = new
RangerAccessResourceImpl();
for (Map.Entry<String,
RangerPolicy.RangerPolicyResource> entry :
serviceResource.getResourceElements().entrySet()) {
- accessResource.setValue(entry.getKey(),
entry.getValue());
+ accessResource.setValue(entry.getKey(),
entry.getValue().getValues());
}
if (LOG.isDebugEnabled()) {
LOG.debug("RangerAccessResource:[" +
accessResource + "] created to represent service-resource[" + serviceResource +
"] to find evaluators from trie-map");
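Review bot: The new `entry.getValue().getValues()` dereferences each map value without a null check, where the old line passed the value through untouched, so a resource element stored with a null value would now throw a NullPointerException here. An exception in this path could leave the enricher without the updated tag mappings that tag-based policies rely on, so a guard is cheap insurance: `RangerPolicy.RangerPolicyResource value = entry.getValue();` followed by `accessResource.setValue(entry.getKey(), value != null ? value.getValues() : null);`. Whether null values can occur in `getResourceElements()` is not visible in this hunk and should be confirmed.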
@@ -748,6 +754,9 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
RangerPerfTracer.logAlways(perf);
}
+ if (ret == null) {
+ ret = new ArrayList<>();
+ }
if(LOG.isDebugEnabled()) {
LOG.debug("<==
RangerTagEnricher.getEvaluators(request=" + request + "): evaluatorCount=" +
ret.size());
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
index fb7bcaada..e561c4c7c 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
@@ -183,6 +183,9 @@ public class RangerAccessRequestImpl implements
RangerAccessRequest {
public void setResource(RangerAccessResource resource) {
this.resource = resource;
+ if (context != null) {
+
RangerAccessRequestUtil.setIsRequestPreprocessed(context, Boolean.FALSE);
+ }
}
public void setAccessType(String accessType) {
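Review bot: The preprocessed flag is cleared only in `setResource` and, in the next hunk, `setResourceMatchingScope`, so a resource object that is modified in place after preprocessing keeps the flag set along with the enrichment computed for its old value. `RangerDefaultRequestProcessor` imports `RangerMutableResource`, which suggests in-place changes are possible; because the access decision is made from the enriched context, that case should be checked or documented on the setter. The two setters also repeat the same three lines, which a private helper such as `private void resetPreprocessed() { if (context != null) { RangerAccessRequestUtil.setIsRequestPreprocessed(context, Boolean.FALSE); } }` would keep in one place.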
@@ -255,7 +258,12 @@ public class RangerAccessRequestImpl implements
RangerAccessRequest {
this.clusterType = clusterType;
}
- public void setResourceMatchingScope(ResourceMatchingScope scope) {
this.resourceMatchingScope = scope; }
+ public void setResourceMatchingScope(ResourceMatchingScope scope) {
+ this.resourceMatchingScope = scope;
+ if (context != null) {
+
RangerAccessRequestUtil.setIsRequestPreprocessed(context, Boolean.FALSE);
+ }
+ }
public void setContext(Map<String, Object> context) {
if (context == null) {
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
index 80d27e8e8..c78dbbce3 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
@@ -31,6 +31,7 @@ import
org.apache.ranger.plugin.policyengine.RangerMutableResource;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.util.List;
import java.util.Set;
@@ -38,6 +39,7 @@ import java.util.Set;
public class RangerDefaultRequestProcessor implements
RangerAccessRequestProcessor {
private static final Logger PERF_CONTEXTENRICHER_REQUEST_LOG =
RangerPerfTracer.getPerfLogger("contextenricher.request");
+ private static final Logger LOG =
LoggerFactory.getLogger(RangerDefaultRequestProcessor.class);
protected final PolicyEngine policyEngine;
@@ -48,10 +50,16 @@ public class RangerDefaultRequestProcessor implements
RangerAccessRequestProcess
@Override
public void preProcess(RangerAccessRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> preProcess(" + request + ")");
+ }
+
if
(RangerAccessRequestUtil.getIsRequestPreprocessed(request.getContext())) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== preProcess(" + request + ")");
+ }
return;
}
- RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(),
Boolean.TRUE);
setResourceServiceDef(request);
@@ -97,6 +105,13 @@ public class RangerDefaultRequestProcessor implements
RangerAccessRequestProcess
}
enrich(request);
+
+ RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(),
Boolean.TRUE);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== preProcess(" + request + ")");
+ }
+
}
@Override
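Review bot: Setting `setIsRequestPreprocessed(request.getContext(), Boolean.TRUE)` only after `enrich(request)` means the flag is set solely on the path that falls through to the end of `preProcess`. The middle of the method is outside this hunk, so any early `return` there would skip both the flag and the `<==` log, and preprocessing would run again on every call. The earlier placement at the top also stopped a nested `preProcess` call for the same request from repeating the work, so it should be confirmed that no enricher calls back into it. A comment above the new line, for example `// mark only after enrichment completes, so a failed or partial run is retried`, would record the intent.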
@@ -115,6 +130,8 @@ public class RangerDefaultRequestProcessor implements
RangerAccessRequestProcess
RangerPerfTracer.log(perf);
}
+ } else {
+ LOG.info("No context-enrichers!!!");
}
}
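Review bot: `LOG.info("No context-enrichers!!!")` sits in the `else` branch of the enrichment path, which appears to run for each request being preprocessed. A service with no enrichers configured would therefore write one INFO line per authorization call and bury the useful entries in the plugin log. Logging it at debug level, as the rest of this commit does, avoids that: `if (LOG.isDebugEnabled()) { LOG.debug("No context-enrichers configured"); }`. Alternatively it could be reported once when the enricher list is loaded. The enclosing method begins outside this hunk.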
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
index dfe591c59..e60fe055b 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
@@ -112,7 +112,7 @@ public class RangerResourceEvaluatorsRetriever {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerResourceEvaluatorsRetriever.getEvaluators(" +
resource + ") : evaluator:[" + ret + "]");
+ LOG.debug("<== RangerResourceEvaluatorsRetriever.getEvaluators(" +
resource + ") : evaluator:[" + ret + "]");
}
return ret;
}