This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new d8a670ce8 RANGER-4824: Remove ACL-based policy engine unit test code
d8a670ce8 is described below
commit d8a670ce8ecee1d6db66979ce65b5690a5950a4c
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Tue Jun 18 11:01:15 2024 -0700
RANGER-4824: Remove ACL-based policy engine unit test code
---
.../policyengine/RangerPolicyEngineOptions.java | 4 +-
.../RangerDefaultPolicyEvaluator.java | 412 ++++-----------------
.../RangerOptimizedPolicyEvaluator.java | 8 +-
.../plugin/policyengine/TestPolicyEngine.java | 44 +--
.../policyengine/TestPolicyEngineForDeltas.java | 49 +--
5 files changed, 88 insertions(+), 429 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index f5f412797..f881eaa14 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -37,6 +37,7 @@ public class RangerPolicyEngineOptions {
public boolean evaluateDelegateAdminOnly = false;
public boolean enableTagEnricherWithLocalRefresher = false;
public boolean enableUserStoreEnricherWithLocalRefresher = false;
+ @Deprecated
public boolean disableAccessEvaluationWithPolicyACLSummary = true;
public boolean optimizeTrieForRetrieval = false;
public boolean disableRoleResolution = true;
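Review bot: The `@Deprecated` added on line 30 carries no Javadoc `@deprecated` tag, so a caller that still sets `disableAccessEvaluationWithPolicyACLSummary` gets no hint that the value is now ignored: the copy constructor no longer propagates it (hunk at line 34) and both config-loading paths no longer read `.policyengine.option.disable.access.evaluation.with.policy.acl.summary` (hunks at lines 46 and 59), while the public field keeps its `true` default. Propose placing `/** @deprecated No longer consulted: access is always evaluated with policy-item evaluators. Kept only for source compatibility. */` above the annotation. If the project compiles for Java 9 or later, `@Deprecated(since = "<release>", forRemoval = true)` would additionally signal the intent to remove it; and because the configuration key is now silently ignored, a one-time log warning when that key is still present in the loaded configuration would help operators spot stale settings.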
@@ -62,7 +63,6 @@ public class RangerPolicyEngineOptions {
this.evaluateDelegateAdminOnly =
other.evaluateDelegateAdminOnly;
this.enableTagEnricherWithLocalRefresher =
other.enableTagEnricherWithLocalRefresher;
this.enableUserStoreEnricherWithLocalRefresher =
other.enableUserStoreEnricherWithLocalRefresher;
- this.disableAccessEvaluationWithPolicyACLSummary =
other.disableAccessEvaluationWithPolicyACLSummary;
this.optimizeTrieForRetrieval = other.optimizeTrieForRetrieval;
this.disableRoleResolution = other.disableRoleResolution;
this.serviceDefHelper = null;
@@ -95,7 +95,6 @@ public class RangerPolicyEngineOptions {
evaluateDelegateAdminOnly = false;
enableTagEnricherWithLocalRefresher = false;
enableUserStoreEnricherWithLocalRefresher = false;
- disableAccessEvaluationWithPolicyACLSummary =
conf.getBoolean(propertyPrefix +
".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true);
optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix +
".policyengine.option.optimize.trie.for.retrieval", false);
disableRoleResolution = conf.getBoolean(propertyPrefix +
".policyengine.option.disable.role.resolution", true);
optimizeTrieForSpace = conf.getBoolean(propertyPrefix +
".policyengine.option.optimize.trie.for.space", false);
@@ -118,7 +117,6 @@ public class RangerPolicyEngineOptions {
evaluateDelegateAdminOnly = false;
enableTagEnricherWithLocalRefresher = false;
enableUserStoreEnricherWithLocalRefresher = false;
- disableAccessEvaluationWithPolicyACLSummary =
conf.getBoolean(propertyPrefix +
".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true);
optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix +
".policyengine.option.optimize.trie.for.retrieval", false);
disableRoleResolution = conf.getBoolean(propertyPrefix +
".policyengine.option.disable.role.resolution", true);
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 33d56ec57..be6cd5584 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -78,7 +78,6 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
private List<RangerConditionEvaluator> conditionEvaluators;
private String perfTag;
private PolicyACLSummary aclSummary = null;
- private boolean useAclSummaryForEvaluation = false;
private boolean disableRoleResolution = true;
List<RangerPolicyItemEvaluator> getAllowEvaluators() { return
allowEvaluators; }
@@ -88,8 +87,6 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
List<RangerDataMaskPolicyItemEvaluator> getDataMaskEvaluators() {
return dataMaskEvaluators; }
List<RangerRowFilterPolicyItemEvaluator> getRowFilterEvaluators() {
return rowFilterEvaluators; }
- boolean isUseAclSummaryForEvaluation() { return
useAclSummaryForEvaluation; }
-
@Override
public int getPolicyConditionsCount() {
return conditionEvaluators.size();
@@ -135,29 +132,16 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
this.disableRoleResolution =
options.disableRoleResolution;
- if
(!options.disableAccessEvaluationWithPolicyACLSummary) {
- aclSummary =
createPolicyACLSummary(options.getServiceDefHelper().getImpliedAccessGrants());
- }
-
- useAclSummaryForEvaluation = aclSummary != null;
+ allowEvaluators = createPolicyItemEvaluators(policy,
serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
- if (useAclSummaryForEvaluation) {
- allowEvaluators =
Collections.<RangerPolicyItemEvaluator>emptyList();
+ if
(ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(serviceDef,
getPluginContext())) {
+ denyEvaluators =
createPolicyItemEvaluators(policy, serviceDef, options,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
+ allowExceptionEvaluators =
createPolicyItemEvaluators(policy, serviceDef, options,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
+ denyExceptionEvaluators =
createPolicyItemEvaluators(policy, serviceDef, options,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
+ } else {
denyEvaluators =
Collections.<RangerPolicyItemEvaluator>emptyList();
allowExceptionEvaluators =
Collections.<RangerPolicyItemEvaluator>emptyList();
denyExceptionEvaluators =
Collections.<RangerPolicyItemEvaluator>emptyList();
- } else {
- allowEvaluators =
createPolicyItemEvaluators(policy, serviceDef, options,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
-
- if
(ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(serviceDef,
getPluginContext())) {
- denyEvaluators =
createPolicyItemEvaluators(policy, serviceDef, options,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
- allowExceptionEvaluators =
createPolicyItemEvaluators(policy, serviceDef, options,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
- denyExceptionEvaluators =
createPolicyItemEvaluators(policy, serviceDef, options,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
- } else {
- denyEvaluators =
Collections.<RangerPolicyItemEvaluator>emptyList();
- allowExceptionEvaluators =
Collections.<RangerPolicyItemEvaluator>emptyList();
- denyExceptionEvaluators =
Collections.<RangerPolicyItemEvaluator>emptyList();
- }
}
dataMaskEvaluators =
createDataMaskPolicyItemEvaluators(policy, serviceDef, options,
policy.getDataMaskPolicyItems());
@@ -187,10 +171,6 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
RangerPerfTracer.log(perf);
- if (useAclSummaryForEvaluation && (policy.getPolicyType() ==
null || policy.getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- LOG.info("PolicyEvaluator for policy:[" +
policy.getId() + "] is set up to use ACL Summary to evaluate access");
- }
-
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
}
@@ -548,10 +528,8 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
@Override
public PolicyACLSummary getPolicyACLSummary() {
if (aclSummary == null) {
- boolean forceCreation = true;
- aclSummary =
createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()),
forceCreation);
+ aclSummary =
createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()),
true);
}
-
return aclSummary;
}
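Review bot: Replacing the named `forceCreation` local with a bare `true` argument on line 185 makes the call less self-describing than the code it replaces; a trailing comment, `createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()), true /* isCreationForced */)`, keeps the intent visible without the extra local. As far as the hunks show, `aclSummary` (line 83) is no longer assigned in `init()`, so this accessor is now its only writer; a one-line comment on the field saying it is built lazily by `getPolicyACLSummary()` would save the next reader a search. The unsynchronized `if (aclSummary == null)` lazy initialisation predates this commit; whether evaluator instances are shared across request threads is not visible here, so I only flag it for confirmation.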
@@ -590,10 +568,6 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
is set to false). It may return null object if all accesses for
all user/groups cannot be determined statically.
*/
- private PolicyACLSummary createPolicyACLSummary(Map<String,
Collection<String>> impliedAccessGrants) {
- boolean forceCreation = false;
- return createPolicyACLSummary(impliedAccessGrants,
forceCreation);
- }
private PolicyACLSummary createPolicyACLSummary(Map<String,
Collection<String>> impliedAccessGrants, boolean isCreationForced) {
PolicyACLSummary ret = null;
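Review bot: With the one-argument overload removed, the only caller of `createPolicyACLSummary(Map, boolean)` visible in this diff is `getPolicyACLSummary()`, which always passes `true`; if no other caller remains in the file, the `isCreationForced == false` branch and the "may return null" contract described by the comment ending on line 196 are dead and could be simplified in a follow-up. The comment's lead-in is outside the hunk, so only its tail is visible here; please check that it no longer describes the option-driven creation this commit removes. The method body continues past the hunk.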
@@ -830,229 +804,99 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
return ret;
}
- private Integer getAccessACLForOneGroup(RangerAccessRequest request,
Set<String> accessesInGroup) {
- Integer ret = null;
- Map<String, Integer> accessTypeResults =
RangerAccessRequestUtil.getAccessTypeACLResults(request);
-
- boolean isAccessDetermined = true;
- boolean isAccessDenied = false;
- Integer deniedAccessResult = null;
-
- for (String accessType : accessesInGroup) {
- Integer accessResult =
accessTypeResults.get(accessType);
- if (accessResult != null) {
- if (accessResult.equals(ACCESS_ALLOWED)) {
- // Allow
- isAccessDenied = false;
- ret = accessResult;
- break;
- } else {
- isAccessDenied = true;
- if (deniedAccessResult == null) {
- deniedAccessResult =
accessResult;
- }
- }
- } else {
- isAccessDetermined = false;
- }
- }
- if (isAccessDetermined && isAccessDenied) {
- ret = deniedAccessResult;
- }
- return ret;
- }
-
- private Integer getCompositeACLResult(RangerAccessRequest request) {
- Integer ret
= null;
- Set<Set<String>> allAccessTypeGroups =
RangerAccessRequestUtil.getAllRequestedAccessTypeGroups(request);
-
- if (CollectionUtils.isEmpty(allAccessTypeGroups)) {
- Set<String> allAccessTypes
= RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
- ret = getAccessACLForOneGroup(request, allAccessTypes);
- } else {
- boolean isAccessDetermined
= true;
- boolean isAccessAllowed
= false;
- Integer allowResult
= null;
-
- for (Set<String> accessesInGroup : allAccessTypeGroups)
{
- Integer groupResult =
getAccessACLForOneGroup(request, accessesInGroup);
- if (groupResult != null) {
- if
(!groupResult.equals(ACCESS_ALLOWED)) {
- // Deny
- isAccessAllowed = false;
- ret
= groupResult;
- break;
- } else {
- isAccessAllowed = true;
- if (allowResult == null) {
- allowResult =
groupResult;
- }
- }
- } else {
- // Some group is not completely
authorized yet
- isAccessDetermined = false;
- }
- }
- if (isAccessDetermined && isAccessAllowed) {
- ret = allowResult;
- }
- }
- return ret;
- }
-
protected void evaluatePolicyItems(RangerAccessRequest request,
RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
if(LOG.isDebugEnabled()) {
LOG.debug("==>
RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result +
", " + matchType + ")");
}
- if (useAclSummaryForEvaluation && (getPolicy().getPolicyType()
== null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Using ACL Summary for access
evaluation. PolicyId=[" + getPolicyId() + "]");
- }
- Integer accessResult = null;
- if (request.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
- accessResult =
lookupPolicyACLSummary(request.getUser(), request.getUserGroups(),
request.getUserRoles(), RangerPolicyEngine.ANY_ACCESS);
- } else {
- Map<String, Integer> accessTypeACLResults =
RangerAccessRequestUtil.getAccessTypeACLResults(request);
- Set<String> allRequestedAccesses =
RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
+ Set<String> allRequestedAccesses =
RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
- if (allRequestedAccesses.size() > 1) {
- for (String accessType :
allRequestedAccesses) {
+ if (CollectionUtils.isNotEmpty(allRequestedAccesses)) {
+ Map<String, RangerAccessResult> accessTypeResults =
RangerAccessRequestUtil.getAccessTypeResults(request);
- Integer denyResult = null;
- Integer allowResult = null;
+ for (String accessType : allRequestedAccesses) {
- Integer oneAccessResult =
lookupPolicyACLSummary(request.getUser(), request.getUserGroups(),
request.getUserRoles(), accessType);
- if (oneAccessResult != null) {
- if
(oneAccessResult.equals(ACCESS_DENIED)) {
- denyResult =
oneAccessResult;
- }
- if
(oneAccessResult.equals(ACCESS_ALLOWED)) {
- allowResult =
oneAccessResult;
- }
- Integer oldResult =
accessTypeACLResults.get(accessType);
- if (oldResult == null) {
-
accessTypeACLResults.put(accessType, allowResult != null ? allowResult :
denyResult);
- } else {
- if
(oldResult.equals(ACCESS_ALLOWED)) {
- if
(denyResult != null) {
-
accessTypeACLResults.put(accessType, denyResult);
- } else {
-
accessTypeACLResults.put(accessType, allowResult);
- }
- } else {
-
accessTypeACLResults.put(accessType, denyResult);
- }
- }
- }
- }
- Integer compositeACLResult =
getCompositeACLResult(request);
- if (compositeACLResult != null) {
- accessResult =
compositeACLResult;
- }
- } else {
- accessResult =
lookupPolicyACLSummary(request.getUser(), request.getUserGroups(),
request.getUserRoles(), request.getAccessType());
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking for accessType:[" +
accessType + "]");
}
- }
+ RangerAccessResult denyResult = null;
+ RangerAccessResult allowResult = null;
+ boolean noResult = false;
- if (accessResult != null) {
- updateAccessResult(result, matchType,
accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
- } else if (getPolicy().getIsDenyAllElse()) {
- updateAccessResult(result, matchType, false,
"matched deny-all-else policy");
- }
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Using policyItemEvaluators for
access evaluation. PolicyId=[" + getPolicyId() + "]");
- }
- Set<String> allRequestedAccesses =
RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
-
- if (CollectionUtils.isNotEmpty(allRequestedAccesses) ) {
- Map<String, RangerAccessResult>
accessTypeResults = RangerAccessRequestUtil.getAccessTypeResults(request);
-
- for (String accessType : allRequestedAccesses) {
+ RangerAccessRequestWrapper oneRequest = new
RangerAccessRequestWrapper(request, accessType);
+ RangerAccessResult oneResult = new
RangerAccessResult(result.getPolicyType(), result.getServiceName(),
result.getServiceDef(), oneRequest);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking for
accessType:[" + accessType + "]");
- }
- RangerAccessResult denyResult = null;
- RangerAccessResult allowResult = null;
- boolean noResult = false;
-
- RangerAccessRequestWrapper oneRequest =
new RangerAccessRequestWrapper(request, accessType);
- RangerAccessResult oneResult =
new RangerAccessResult(result.getPolicyType(), result.getServiceName(),
result.getServiceDef(), oneRequest);
+ oneResult.setAuditResultFrom(result);
- oneResult.setAuditResultFrom(result);
+ RangerPolicyItemEvaluator matchedPolicyItem =
getMatchingPolicyItem(oneRequest, oneResult);
- RangerPolicyItemEvaluator
matchedPolicyItem = getMatchingPolicyItem(oneRequest, oneResult);
+ if (matchedPolicyItem != null) {
+
matchedPolicyItem.updateAccessResult(this, oneResult, matchType);
+ } else if (getPolicy().getIsDenyAllElse() &&
(getPolicy().getPolicyType() == null || getPolicy().getPolicyType() ==
RangerPolicy.POLICY_TYPE_ACCESS)) {
+ updateAccessResult(oneResult,
matchType, false, "matched deny-all-else policy");
+ }
- if (matchedPolicyItem != null) {
-
matchedPolicyItem.updateAccessResult(this, oneResult, matchType);
- } else if
(getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null ||
getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- updateAccessResult(oneResult,
matchType, false, "matched deny-all-else policy");
- }
+ if (oneResult.getIsAllowed()) {
+ allowResult = oneResult;
+ } else if (oneResult.getIsAccessDetermined()) {
+ denyResult = oneResult;
+ } else {
+ noResult = true;
+ }
- if (oneResult.getIsAllowed()) {
- allowResult = oneResult;
- } else if
(oneResult.getIsAccessDetermined()) {
- denyResult = oneResult;
+ if (!noResult) {
+ RangerAccessResult oldResult =
accessTypeResults.get(accessType);
+ if (oldResult == null) {
+
accessTypeResults.put(accessType, allowResult != null ? allowResult :
denyResult);
} else {
- noResult = true;
- }
-
- if (!noResult) {
- RangerAccessResult oldResult =
accessTypeResults.get(accessType);
- if (oldResult == null) {
-
accessTypeResults.put(accessType, allowResult != null ? allowResult :
denyResult);
- } else {
- int oldPriority =
oldResult.getPolicyPriority();
- if
(oldResult.getIsAllowed()) {
- if (denyResult
!= null) {
- if
(getPolicyPriority() >= oldPriority) {
-
accessTypeResults.put(accessType, denyResult);
+ int oldPriority =
oldResult.getPolicyPriority();
+ if (oldResult.getIsAllowed()) {
+ if (denyResult != null)
{
+ if
(getPolicyPriority() >= oldPriority) {
+
accessTypeResults.put(accessType, denyResult);
+ }
+ } else {
+ if
(getPolicy().getPolicyType() == null || getPolicy().getPolicyType() ==
RangerPolicy.POLICY_TYPE_ACCESS) {
+ if
(getPolicyPriority() > oldPriority) {
+
accessTypeResults.put(accessType, allowResult);
}
} else {
- if
(getPolicy().getPolicyType() == null || getPolicy().getPolicyType() ==
RangerPolicy.POLICY_TYPE_ACCESS) {
-
if (getPolicyPriority() > oldPriority) {
-
accessTypeResults.put(accessType, allowResult);
-
}
- } else {
-
if (getPolicyPriority() >= oldPriority) {
-
accessTypeResults.put(accessType, allowResult);
-
}
+ if
(getPolicyPriority() >= oldPriority) {
+
accessTypeResults.put(accessType, allowResult);
}
}
- } else { // Earlier
evaluator denied this access
- if
(getPolicyPriority() >= oldPriority && allowResult != null &&
(oneRequest.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext()))) {
-
accessTypeResults.put(accessType, allowResult);
- } else {
- if
(getPolicyPriority() > oldPriority && denyResult != null) {
-
accessTypeResults.put(accessType, denyResult);
- }
+ }
+ } else { // Earlier evaluator
denied this access
+ if (getPolicyPriority()
>= oldPriority && allowResult != null && (oneRequest.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext()))) {
+
accessTypeResults.put(accessType, allowResult);
+ } else {
+ if
(getPolicyPriority() > oldPriority && denyResult != null) {
+
accessTypeResults.put(accessType, denyResult);
}
}
}
- /* At least one access is
allowed - this evaluator need not be checked for other accesses as the test
below
- * implies that there is only
one access group in the request
- */
- if
(oneRequest.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext())) {
- if (allowResult !=
null) {
- break;
- }
+ }
+ /* At least one access is allowed -
this evaluator need not be checked for other accesses as the test below
+ * implies that there is only one
access group in the request
+ */
+ if (oneRequest.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext())) {
+ if (allowResult != null) {
+ break;
}
}
}
+ }
- RangerAccessResult compositeAccessResult =
getCompositeAccessResult(request);
- if (compositeAccessResult != null) {
-
result.setAccessResultFrom(compositeAccessResult);
- }
- } else {
- RangerPolicyItemEvaluator matchedPolicyItem =
getMatchingPolicyItem(request, result);
- if (matchedPolicyItem != null) {
-
matchedPolicyItem.updateAccessResult(this, result, matchType);
- } else if (getPolicy().getIsDenyAllElse() &&
(getPolicy().getPolicyType() == null || getPolicy().getPolicyType() ==
RangerPolicy.POLICY_TYPE_ACCESS)) {
- updateAccessResult(result, matchType,
false, "matched deny-all-else policy");
- }
+ RangerAccessResult compositeAccessResult =
getCompositeAccessResult(request);
+ if (compositeAccessResult != null) {
+
result.setAccessResultFrom(compositeAccessResult);
+ }
+ } else {
+ RangerPolicyItemEvaluator matchedPolicyItem =
getMatchingPolicyItem(request, result);
+ if (matchedPolicyItem != null) {
+ matchedPolicyItem.updateAccessResult(this,
result, matchType);
+ } else if (getPolicy().getIsDenyAllElse() &&
(getPolicy().getPolicyType() == null || getPolicy().getPolicyType() ==
RangerPolicy.POLICY_TYPE_ACCESS)) {
+ updateAccessResult(result, matchType, false,
"matched deny-all-else policy");
}
}
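Review bot: The new `evaluatePolicyItems` body drops the old `"Using policyItemEvaluators for access evaluation. PolicyId=[…]"` debug line, but the sibling `isAccessAllowed` hunk at line 744 keeps `"Using policyItemEvaluators for checking if access is allowed. PolicyId=[…]"` (lines 766–768); with the ACL-summary path gone there is no alternative to distinguish, so that message is now noise — either drop it for consistency or reword it, e.g. `LOG.debug("Evaluating policy items for policyId=[" + getPolicyId() + "]");`. The deletions in this hunk and in the hunks at lines 626 and 744 remove every use visible here of `RangerAccessRequestUtil.getAccessTypeACLResults`, `HashSet` and `StringUtils` in this file; if no other references remain (not visible in the diff), the helper and the imports are dead and should go with this change. `evaluatePolicyItems` starts at line 296 and its body continues past the hunk.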
@@ -1131,95 +975,6 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
return ret;
}
- private Integer lookupPolicyACLSummary(String user, Set<String>
userGroups, Set<String> userRoles, String accessType) {
- Integer accessResult = null;
-
- Map<String, PolicyACLSummary.AccessResult> accesses =
aclSummary.getUsersAccessInfo().get(user);
-
- accessResult = lookupAccess(user, accessType, accesses);
-
- if (accessResult == null) {
-
- Set<String> groups = new HashSet<>();
- groups.add(RangerPolicyEngine.GROUP_PUBLIC);
- groups.addAll(userGroups);
-
- for (String userGroup : groups) {
- accesses =
aclSummary.getGroupsAccessInfo().get(userGroup);
- accessResult = lookupAccess(userGroup,
accessType, accesses);
- if (accessResult != null) {
- break;
- }
- }
-
- if (accessResult == null) {
- if (userRoles != null) {
- for (String userRole : userRoles) {
- accesses =
aclSummary.getRolesAccessInfo().get(userRole);
- accessResult =
lookupAccess(userRole, accessType, accesses);
- if (accessResult != null) {
- break;
- }
- }
- }
- }
- }
-
- return accessResult;
- }
-
- private Integer lookupAccess(String userOrGroup, String accessType,
Map<String, PolicyACLSummary.AccessResult> accesses) {
- Integer ret = null;
- if (accesses != null) {
- if (accessType.equals(RangerPolicyEngine.ANY_ACCESS)) {
- ret = getAccessResultForAnyAccess(accesses);
- } else {
- PolicyACLSummary.AccessResult accessResult =
accesses.get(accessType);
- if (accessResult != null) {
- if (accessResult.getResult() ==
RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
- LOG.error("Access should not be
conditional at this point! user=[" + userOrGroup + "], " + "accessType=[" +
accessType + "]");
- } else {
- ret = accessResult.getResult();
- }
- }
- }
- }
- return ret;
- }
-
- private Integer getAccessResultForAnyAccess(Map<String,
PolicyACLSummary.AccessResult> accesses) {
- final Integer ret;
-
- int allowedAccessCount = 0;
- int deniedAccessCount = 0;
-
- for (Map.Entry<String, PolicyACLSummary.AccessResult> entry :
accesses.entrySet()) {
- if (StringUtils.equals(entry.getKey(),
RangerPolicyEngine.ADMIN_ACCESS)) {
- // Don't count admin access if present
- continue;
- }
- PolicyACLSummary.AccessResult accessResult =
entry.getValue();
- if (accessResult.getResult() ==
RangerPolicyEvaluator.ACCESS_ALLOWED) {
- allowedAccessCount++;
- break;
- } else if (accessResult.getResult() ==
RangerPolicyEvaluator.ACCESS_DENIED) {
- deniedAccessCount++;
- }
- }
-
- if (allowedAccessCount > 0) {
- // At least one access allowed
- ret = RangerPolicyEvaluator.ACCESS_ALLOWED;
- } else if (deniedAccessCount ==
getServiceDef().getAccessTypes().size()) {
- // All accesses explicitly denied
- ret = RangerPolicyEvaluator.ACCESS_DENIED;
- } else {
- ret = null;
- }
-
- return ret;
- }
-
protected RangerPolicyItemEvaluator getDeterminingPolicyItem(String
user, Set<String> userGroups, Set<String> roles, String owner, String
accessType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==>
RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + user + ", " +
userGroups + ", " + roles + ", " + owner + ", " + accessType + ")");
@@ -1319,25 +1074,14 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
perf =
RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG,
"RangerPolicyEvaluator.isAccessAllowed(hashCode=" +
Integer.toHexString(System.identityHashCode(this)) + "," + perfTag + ")");
}
- if (useAclSummaryForEvaluation && (getPolicy().getPolicyType()
== null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Using ACL Summary for checking if
access is allowed. PolicyId=[" + getPolicyId() +"]");
- }
-
- Integer accessResult = StringUtils.isEmpty(accessType)
? null : lookupPolicyACLSummary(user, userGroups, roles, accessType);
- if (accessResult != null &&
accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) {
- ret = true;
- }
- } else {
- if (LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("Using policyItemEvaluators for
checking if access is allowed. PolicyId=[" + getPolicyId() +"]");
- }
+ }
- RangerPolicyItemEvaluator item =
this.getDeterminingPolicyItem(user, userGroups, roles, owner, accessType);
+ RangerPolicyItemEvaluator item =
this.getDeterminingPolicyItem(user, userGroups, roles, owner, accessType);
- if (item != null && item.getPolicyItemType() ==
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
- ret = true;
- }
+ if (item != null && item.getPolicyItemType() ==
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
+ ret = true;
}
RangerPerfTracer.log(perf);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index b62fdfbb6..665ee3cbe 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -254,9 +254,7 @@ public class RangerOptimizedPolicyEvaluator extends
RangerDefaultPolicyEvaluator
protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
boolean ret = false;
- if (isUseAclSummaryForEvaluation()) {
- ret = true;
- } else if (checkIfAllEvaluatorsInitialized()) {
+ if (checkIfAllEvaluatorsInitialized()) {
if (hasPublicGroup || hasCurrentUser || isOwnerMatch(request) ||
users.contains(request.getUser()) || CollectionUtils.containsAny(groups,
request.getUserGroups()) || (CollectionUtils.isNotEmpty(roles) &&
CollectionUtils.containsAny(roles,
RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext()))))
{
if (hasAllPerms || request.isAccessTypeAny()) {
ret = true;
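Review bot: `hasMatchablePolicyItem(RangerAccessRequest)` (line 794) now answers purely from the evaluator's own state, yet it has no Javadoc stating what a `false` return means to the caller; presumably it lets the caller skip this policy, which makes the contract security-relevant and worth writing down. As the visible code stands, `false` is returned both when `checkIfAllEvaluatorsInitialized()` is false and when the evaluators are initialised but no item can match; propose `/** Returns {@code true} if some policy item of this policy could match {@code request}. Returns {@code false} when no item can match, and also when the evaluators are not yet initialised — confirm the latter is intended. */`, and the same for the private overload at line 810. The method body continues past the hunk.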
@@ -301,9 +299,7 @@ public class RangerOptimizedPolicyEvaluator extends
RangerDefaultPolicyEvaluator
private boolean hasMatchablePolicyItem(String user, Set<String>
userGroups, Set<String> rolesFromContext, String owner, String accessType) {
boolean ret = false;
- if (isUseAclSummaryForEvaluation()) {
- ret = true;
- } else if (checkIfAllEvaluatorsInitialized()) {
+ if (checkIfAllEvaluatorsInitialized()) {
boolean hasRole = false;
if (CollectionUtils.isNotEmpty(roles)) {
if (CollectionUtils.isNotEmpty(rolesFromContext)) {
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index d78084589..34f1f07f4 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -606,8 +606,6 @@ public class TestPolicyEngine {
RangerPolicyEngineOptions policyEngineOptions =
config.getPolicyEngineOptions();
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
-
setPluginConfig(config, ".super.users", testCase.superUsers);
setPluginConfig(config, ".super.groups", testCase.superGroups);
setPluginConfig(config, ".audit.exclude.users",
testCase.auditExcludedUsers);
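Review bot: After removing the assignment on line 831 and the one in the next hunk (line 840), the local `policyEngineOptions` obtained on lines 829–830 has no remaining use visible in this diff; if the rest of the method (outside the hunks) does not read it either, it is now an unused local and the `RangerPolicyEngineOptions policyEngineOptions = config.getPolicyEngineOptions();` line should be dropped, unless the getter has a side effect the test relies on, in which case a comment should say so. The same pattern appears in `TestPolicyEngineForDeltas` (hunks at lines 956 and 965, local on lines 957–958). The enclosing test method starts before this hunk.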
@@ -622,25 +620,17 @@ public class TestPolicyEngine {
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary =
false;
-
- RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
-
-
policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
-
policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
-
- runTestCaseTests(policyEngine,
policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName,
testCase.tests);
+ runTestCaseTests(policyEngine, testCase.serviceDef, testName,
testCase.tests);
if (testCase.updatedPolicies != null) {
servicePolicies.setPolicyDeltas(testCase.updatedPolicies.policyDeltas);
servicePolicies.setSecurityZones(testCase.updatedPolicies.securityZones);
RangerPolicyEngine updatedPolicyEngine =
RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
- RangerPolicyEngine updatedPolicyEngineForEvaluatingWithACLs =
RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs,
servicePolicies);
- runTestCaseTests(updatedPolicyEngine,
updatedPolicyEngineForEvaluatingWithACLs, testCase.serviceDef, testName,
testCase.updatedTests);
+ runTestCaseTests(updatedPolicyEngine,
testCase.serviceDef, testName, testCase.updatedTests);
}
}
- private void runTestCaseTests(RangerPolicyEngine policyEngine,
RangerPolicyEngine policyEngineForEvaluatingWithACLs, RangerServiceDef
serviceDef, String testName, List<TestData> tests) {
+ private void runTestCaseTests(RangerPolicyEngine policyEngine,
RangerServiceDef serviceDef, String testName, List<TestData> tests) {
RangerAccessRequest request = null;
for(TestData test : tests) {
@@ -734,14 +724,6 @@ public class TestPolicyEngine {
assertNotNull("result was null! - " +
test.name, result);
assertEquals("isAllowed mismatched! - " +
test.name, expected.getIsAllowed(), result.getIsAllowed());
assertEquals("isAudited mismatched! - " +
test.name, expected.getIsAudited(), result.getIsAudited());
-
- result =
policyEngineForEvaluatingWithACLs.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " + test.name, result);
- assertEquals("isAllowed mismatched! - " + test.name,
expected.getIsAllowed(), result.getIsAllowed());
- assertEquals("isAudited mismatched! - " + test.name,
expected.getIsAudited(), result.getIsAudited());
}
if(test.dataMaskResult != null) {
@@ -757,17 +739,6 @@ public class TestPolicyEngine {
assertEquals("maskCondition mismatched! - " + test.name,
expected.getMaskCondition(), result.getMaskCondition());
assertEquals("maskedValue mismatched! - " + test.name,
expected.getMaskedValue(), result.getMaskedValue());
assertEquals("policyId mismatched! - " + test.name,
expected.getPolicyId(), result.getPolicyId());
-
- result =
policyEngineForEvaluatingWithACLs.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " +
test.name, result);
- assertEquals("maskType mismatched! - " +
test.name, expected.getMaskType(), result.getMaskType());
- assertEquals("maskCondition mismatched! - " +
test.name, expected.getMaskCondition(), result.getMaskCondition());
- assertEquals("maskedValue mismatched! - " +
test.name, expected.getMaskedValue(), result.getMaskedValue());
- assertEquals("policyId mismatched! - " +
test.name, expected.getPolicyId(), result.getPolicyId());
-
}
if(test.rowFilterResult != null) {
@@ -781,15 +752,6 @@ public class TestPolicyEngine {
assertNotNull("result was null! - " + test.name, result);
assertEquals("filterExpr mismatched! - " + test.name,
expected.getFilterExpr(), result.getFilterExpr());
assertEquals("policyId mismatched! - " + test.name,
expected.getPolicyId(), result.getPolicyId());
-
- result =
policyEngineForEvaluatingWithACLs.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " +
test.name, result);
- assertEquals("filterExpr mismatched! - " +
test.name, expected.getFilterExpr(), result.getFilterExpr());
- assertEquals("policyId mismatched! - " +
test.name, expected.getPolicyId(), result.getPolicyId());
-
}
if(test.resourceAccessInfo != null) {
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
index 3e5086cdf..961fde2eb 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
@@ -275,8 +275,6 @@ public class TestPolicyEngineForDeltas {
RangerPolicyEngineOptions policyEngineOptions =
config.getPolicyEngineOptions();
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
-
setPluginConfig(config, ".super.users", testCase.superUsers);
setPluginConfig(config, ".super.groups", testCase.superGroups);
setPluginConfig(config, ".audit.exclude.users",
testCase.auditExcludedUsers);
@@ -291,16 +289,9 @@ public class TestPolicyEngineForDeltas {
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary =
false;
-
- RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new
RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
-
-
policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
-
policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
-
PolicyEngineTestCase.TestsInfo testsInfo = testCase.testsInfo;
do {
- runTestCaseTests(policyEngine,
policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName,
testsInfo.tests);
+ runTestCaseTests(policyEngine, testCase.serviceDef,
testName, testsInfo.tests);
if (testsInfo.updatedPolicies != null &&
CollectionUtils.isNotEmpty(testsInfo.updatedPolicies.policyDeltas)) {
servicePolicies.setPolicyDeltas(testsInfo.updatedPolicies.policyDeltas);
servicePolicies.setPolicies(null);
@@ -308,12 +299,8 @@ public class TestPolicyEngineForDeltas {
servicePolicies.setSecurityZones(testsInfo.updatedPolicies.securityZones);
}
policyEngine = (RangerPolicyEngineImpl)
RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
- policyEngineForEvaluatingWithACLs =
(RangerPolicyEngineImpl)
RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs,
servicePolicies);
- if (policyEngine != null &&
policyEngineForEvaluatingWithACLs != null) {
- testsInfo = testsInfo.updatedTestsInfo;
- } else {
- testsInfo = null;
- }
+
+ testsInfo = null;
} else {
testsInfo = null;
}
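Review bot: The replacement `testsInfo = null;` in the updated-policies branch ends the do-while after the first iteration, so `testsInfo.updatedTestsInfo` is never reached and the engine produced by `RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies)` is never evaluated against its tests. The removed code only set `testsInfo` to null when an engine came back null; dropping the second engine should leave the first condition intact, e.g. `testsInfo = (policyEngine != null) ? testsInfo.updatedTestsInfo : null;`. As written, the delta test cases still apply the policy deltas but no longer assert access, mask or row-filter results after them, which is the coverage this class exists to provide for authorization after policy updates. The loop condition and the enclosing method start and end outside this hunk, so I am inferring the loop shape from the `do {` at the start of the previous hunk.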
@@ -322,7 +309,7 @@ public class TestPolicyEngineForDeltas {
}
- private void runTestCaseTests(RangerPolicyEngine policyEngine,
RangerPolicyEngine policyEngineForEvaluatingWithACLs, RangerServiceDef
serviceDef, String testName, List<TestData> tests) {
+ private void runTestCaseTests(RangerPolicyEngine policyEngine,
RangerServiceDef serviceDef, String testName, List<TestData> tests) {
RangerAccessRequest request;
for(TestData test : tests) {
@@ -408,14 +395,6 @@ public class TestPolicyEngineForDeltas {
assertEquals("isAllowed mismatched! - " +
test.name, expected.getIsAllowed(), result.getIsAllowed());
assertEquals("policy-id mismatched! - " +
test.name, expected.getPolicyId(), result.getPolicyId());
assertEquals("isAudited mismatched! - " +
test.name, expected.getIsAudited(), result.getIsAudited() &&
result.getIsAuditedDetermined());
-
- result =
policyEngineForEvaluatingWithACLs.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " + test.name, result);
- assertEquals("isAllowed mismatched! - " + test.name,
expected.getIsAllowed(), result.getIsAllowed());
- assertEquals("isAudited mismatched! - " + test.name,
expected.getIsAudited(), result.getIsAudited());
}
if(test.dataMaskResult != null) {
@@ -431,17 +410,6 @@ public class TestPolicyEngineForDeltas {
assertEquals("maskCondition mismatched! - " + test.name,
expected.getMaskCondition(), result.getMaskCondition());
assertEquals("maskedValue mismatched! - " + test.name,
expected.getMaskedValue(), result.getMaskedValue());
assertEquals("policyId mismatched! - " + test.name,
expected.getPolicyId(), result.getPolicyId());
-
- result =
policyEngineForEvaluatingWithACLs.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " +
test.name, result);
- assertEquals("maskType mismatched! - " +
test.name, expected.getMaskType(), result.getMaskType());
- assertEquals("maskCondition mismatched! - " +
test.name, expected.getMaskCondition(), result.getMaskCondition());
- assertEquals("maskedValue mismatched! - " +
test.name, expected.getMaskedValue(), result.getMaskedValue());
- assertEquals("policyId mismatched! - " +
test.name, expected.getPolicyId(), result.getPolicyId());
-
}
if(test.rowFilterResult != null) {
@@ -455,15 +423,6 @@ public class TestPolicyEngineForDeltas {
assertNotNull("result was null! - " + test.name, result);
assertEquals("filterExpr mismatched! - " + test.name,
expected.getFilterExpr(), result.getFilterExpr());
assertEquals("policyId mismatched! - " + test.name,
expected.getPolicyId(), result.getPolicyId());
-
- result =
policyEngineForEvaluatingWithACLs.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " +
test.name, result);
- assertEquals("filterExpr mismatched! - " +
test.name, expected.getFilterExpr(), result.getFilterExpr());
- assertEquals("policyId mismatched! - " +
test.name, expected.getPolicyId(), result.getPolicyId());
-
}
if(test.resourceAccessInfo != null) {