This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 7ec7ae557 RANGER-4378: removed static PolicyEngine.impliedAccessGrants - #3 7ec7ae557 is described below commit 7ec7ae557125c6e83ff13824dbd2d6780a5e01aa Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Thu Nov 2 20:11:25 2023 -0700 RANGER-4378: removed static PolicyEngine.impliedAccessGrants - #3 --- .../ranger/plugin/policyengine/PolicyEngine.java | 28 ++++------------------ .../RangerAbstractPolicyItemEvaluator.java | 3 +-- .../RangerAuditPolicyEvaluator.java | 6 ++--- .../RangerDefaultPolicyEvaluator.java | 19 +++++++-------- 4 files changed, 16 insertions(+), 40 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index 858c3f542..704434b8e 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java @@ -21,7 +21,6 @@ package org.apache.ranger.plugin.policyengine; import java.util.ArrayList; import java.util.Arrays; -import java.util.Collection; import java.util.Collections; import java.util.HashMap; import java.util.List; @@ -66,15 +65,8 @@ public class PolicyEngine { private boolean useForwardedIPAddress; private String[] trustedProxyAddresses; private final Map<String, StringTokenReplacer> tokenReplacers = new HashMap<>(); - private final RangerReadWriteLock lock; - static private Map<String, Map<String, Collection<String>>> impliedAccessGrants = null; - - static public Map<String, Collection<String>> getImpliedAccessGrants(RangerServiceDef serviceDef) { - return impliedAccessGrants == null ? null : impliedAccessGrants.get(serviceDef.getName()); - } - public RangerReadWriteLock.RangerLock getReadLock() { return lock.getReadLock(); 
@@ -204,7 +196,7 @@ public class PolicyEngine { PERF_POLICYENGINE_INIT_LOG.debug("In-Use memory: " + (totalMemory - freeMemory) + ", Free memory:" + freeMemory); } - buildImpliedAccessGrants(servicePolicies); + normalizeServiceDefs(servicePolicies); this.pluginContext = pluginContext; this.lock = new RangerReadWriteLock(isUseReadWriteLock); @@ -482,32 +474,20 @@ public class PolicyEngine { } } - synchronized static private void buildImpliedAccessGrants(ServicePolicies servicePolicies) { + private void normalizeServiceDefs(ServicePolicies servicePolicies) { RangerServiceDef serviceDef = servicePolicies.getServiceDef(); if (serviceDef != null) { - buildImpliedAccessGrants(ServiceDefUtil.normalize(serviceDef)); + ServiceDefUtil.normalize(serviceDef); RangerServiceDef tagServiceDef = servicePolicies.getTagPolicies() != null ? servicePolicies.getTagPolicies().getServiceDef() : null; if (tagServiceDef != null) { - buildImpliedAccessGrants(ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagServiceDef), serviceDef.getName())); + ServiceDefUtil.normalizeAccessTypeDefs(ServiceDefUtil.normalize(tagServiceDef), serviceDef.getName()); } } } - static private void buildImpliedAccessGrants(RangerServiceDef serviceDef) { - if (serviceDef != null) { - RangerServiceDefHelper helper = new RangerServiceDefHelper(serviceDef, false); - - if (impliedAccessGrants == null) { - impliedAccessGrants = Collections.synchronizedMap(new HashMap<>()); - } - - impliedAccessGrants.put(serviceDef.getName(), helper.getImpliedAccessGrants()); - } - } - private PolicyEngine(final PolicyEngine other, ServicePolicies servicePolicies) { this.useForwardedIPAddress = other.useForwardedIPAddress; this.trustedProxyAddresses = other.trustedProxyAddresses; 
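Review bot: `normalizeServiceDefs` discards the return values of `ServiceDefUtil.normalize(serviceDef)` and `ServiceDefUtil.normalizeAccessTypeDefs(...)`, so it is correct only if both helpers change the service-def held by `servicePolicies` in place, which this diff does not show. The replaced `buildImpliedAccessGrants` was `synchronized static`, and the new instance method has no guard, so if one `ServicePolicies` object can reach two engine constructors at the same time the in-place normalization would race. Because these definitions feed authorization decisions, I would state both assumptions in a Javadoc, e.g. `/** Normalizes the service-def and tag service-def in place; servicePolicies must not be shared across threads while an engine is being constructed. */`.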
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java index a3e3806ec..2190ad281 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java @@ -29,7 +29,6 @@ import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.policyengine.PolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; @@ -118,7 +117,7 @@ public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyI ret = policyItem; } else { // Compute implied-accesses - Map<String, Collection<String>> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(serviceDef); + Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants(); if (impliedAccessGrants != null && !impliedAccessGrants.isEmpty()) { ret = new RangerPolicyItem(policyItem); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java index 9051a8ce4..96610e2eb 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java 
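Review bot: The new lookup `options.getServiceDefHelper().getImpliedAccessGrants()` dereferences `options` and the helper unchecked, whereas the removed `PolicyEngine.getImpliedAccessGrants(serviceDef)` returned null for a missing entry and fell through to the existing `impliedAccessGrants != null` test. If `getServiceDefHelper()` can return null for options built by tests or embedders (not visible here), evaluator construction now throws instead of skipping implied-access expansion; a null-safe read such as `Map<String, Collection<String>> impliedAccessGrants = helper != null ? helper.getImpliedAccessGrants() : null;` keeps the old behaviour. The old call was also keyed by `serviceDef.getName()`, so it is worth confirming that the helper carried by `options` belongs to this evaluator's `serviceDef` when tag policies are evaluated, since otherwise implied grants would come from the wrong service-def. The same chained call is added in `RangerAuditPolicyEvaluator.preprocessPolicy` and in the `RangerDefaultPolicyEvaluator` init hunk. The enclosing method starts and ends outside this hunk.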
@@ -100,10 +100,10 @@ public class RangerAuditPolicyEvaluator extends RangerDefaultPolicyEvaluator { } @Override - protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) { - super.preprocessPolicy(policy, serviceDef); + protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { + super.preprocessPolicy(policy, serviceDef, options); - Map<String, Collection<String>> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(serviceDef); + Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants(); if (impliedAccessGrants == null || impliedAccessGrants.isEmpty()) { return; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index bc627adf5..7fe2a2eb3 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -42,7 +42,6 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef; import org.apache.ranger.plugin.model.RangerValiditySchedule; -import org.apache.ranger.plugin.policyengine.PolicyEngine; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyengine.RangerAccessRequestWrapper; import org.apache.ranger.plugin.policyengine.RangerAccessResource; 
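Review bot: Changing the protected hook to `preprocessPolicy(RangerPolicy, RangerServiceDef, RangerPolicyEngineOptions)` means a subclass outside this commit that still declares the two-argument form without `@Override` will compile but never be called, so its policy preprocessing would be skipped without any error. If out-of-tree evaluators are supported, consider keeping a deprecated two-argument overload in the base class that delegates, or call out the break in the release notes. Separately, this hunk removes the only visible use of `PolicyEngine` in `RangerAuditPolicyEvaluator`, yet no hunk drops its import as the other two evaluators do; if the class is not used elsewhere in the file, the import is now unused. The method body continues outside the hunk.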
@@ -128,7 +127,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator policy = getPolicy(); - preprocessPolicy(policy, serviceDef); + preprocessPolicy(policy, serviceDef, options); if(policy != null) { validityScheduleEvaluators = createValidityScheduleEvaluators(policy); @@ -136,7 +135,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator this.disableRoleResolution = options.disableRoleResolution; if (!options.disableAccessEvaluationWithPolicyACLSummary) { - aclSummary = createPolicyACLSummary(); + aclSummary = createPolicyACLSummary(options.getServiceDefHelper().getImpliedAccessGrants()); } useAclSummaryForEvaluation = aclSummary != null; @@ -549,7 +548,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator public PolicyACLSummary getPolicyACLSummary() { if (aclSummary == null) { boolean forceCreation = true; - aclSummary = createPolicyACLSummary(forceCreation); + aclSummary = createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()), forceCreation); } return aclSummary; @@ -590,12 +589,12 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator is set to false). It may return null object if all accesses for all user/groups cannot be determined statically. */ - private PolicyACLSummary createPolicyACLSummary() { + private PolicyACLSummary createPolicyACLSummary(Map<String, Collection<String>> impliedAccessGrants) { boolean forceCreation = false; - return createPolicyACLSummary(forceCreation); + return createPolicyACLSummary(impliedAccessGrants, forceCreation); } - private PolicyACLSummary createPolicyACLSummary(boolean isCreationForced) { + private PolicyACLSummary createPolicyACLSummary(Map<String, Collection<String>> impliedAccessGrants, boolean isCreationForced) { PolicyACLSummary ret = null; RangerPerfTracer perf = null; 
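Review bot: `getPolicyACLSummary()` now computes implied grants with `ServiceDefUtil.getExpandedImpliedGrants(getServiceDef())`, while the init path in this same file passes `options.getServiceDefHelper().getImpliedAccessGrants()` to `createPolicyACLSummary`. If those two sources can ever return different maps, the ACL summary for a policy depends on which path built it first, which is hard to reason about for an authorization cache. Retaining the map obtained at init and reusing it in the lazy path would give a single source. At minimum the lazy path deserves a why-comment, for example `// options is not retained after init, so implied grants are recomputed from the service-def` (assuming that is the reason, which the diff does not show).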
@@ -625,8 +624,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (isUsableForEvaluation || isCreationForced) { ret = new PolicyACLSummary(); - Map<String, Collection<String>> impliedAccessGrants = PolicyEngine.getImpliedAccessGrants(getServiceDef()); - for (RangerPolicyItem policyItem : policy.getDenyPolicyItems()) { ret.processPolicyItem(policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY, hasNonPublicGroupOrConditionsInDenyExceptions || hasPublicGroupInDenyAndUsersInDenyExceptions, impliedAccessGrants); @@ -1166,13 +1163,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator return sb; } - protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef) { + protected void preprocessPolicy(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { if(policy == null || (!hasAllow() && !hasDeny()) || serviceDef == null) { return; } /* - Map<String, Collection<String>> impliedAccessGrants = getImpliedAccessGrants(serviceDef); + Map<String, Collection<String>> impliedAccessGrants = options.getServiceDefHelper().getImpliedAccessGrants(); if(impliedAccessGrants == null || impliedAccessGrants.isEmpty()) { return;
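Review bot: In the base `preprocessPolicy` the only use of the new `options` parameter is on a line inside the `/* ... */` block, so in the visible part of this method the parameter is unused and the edit only keeps commented-out code in step with the refactor. I would delete the dead block rather than maintain it, and document the parameter in a Javadoc, e.g. `@param options engine options; subclasses read implied access grants from its service-def helper`. The comment block and the method continue outside the hunk, so there may be further uses this view does not show.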