Repository: incubator-ranger Updated Branches: refs/heads/master 63c547296 -> c20a0d1ad
RANGER-844: optimize policy retrieval for non-admin users Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c20a0d1a Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c20a0d1a Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c20a0d1a Branch: refs/heads/master Commit: c20a0d1ad1995c404c0d32e85f820397226ea882 Parents: 63c5472 Author: Abhay Kulkarni <[email protected]> Authored: Mon Feb 1 12:07:41 2016 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Fri Feb 12 02:18:02 2016 -0800 ---------------------------------------------------------------------- .../policyengine/RangerPolicyEngineImpl.java | 7 +- .../org/apache/ranger/biz/ServiceDBStore.java | 59 ++++++---- .../common/RangerServicePoliciesCache.java | 37 ++++--- .../ranger/common/RangerServiceTagsCache.java | 35 +++--- .../apache/ranger/common/UserSessionBase.java | 2 + .../org/apache/ranger/db/XXGroupUserDao.java | 22 ++++ .../org/apache/ranger/rest/ServiceREST.java | 108 +++++++++++-------- .../resources/META-INF/jpa_named_queries.xml | 17 ++- .../src/main/webapp/WEB-INF/log4j.xml | 4 +- 9 files changed, 185 insertions(+), 106 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 022f5a7..1dd1e7b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -44,7 +44,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { private static final Log PERF_POLICYENGINE_AUDIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.audit"); private static final Log PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request"); - private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 500; + private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 100; private final RangerPolicyRepository policyRepository; private final RangerPolicyRepository tagPolicyRepository; @@ -312,12 +312,13 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")"); } + boolean ret = false; + RangerPerfTracer perf = null; if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + ")"); + perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")"); } - boolean ret = false; for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 68e64c3..8fefc9e 100644 
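Review bot: The first hunk lowers MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR from 500 to 100 with nothing on the declaration recording why, and the commit message only talks about policy retrieval for non-admin users. A one-line comment would keep the next tuning pass from guessing, e.g. `// policy count above which the cache-type evaluator is not used; lowered from 500 in RANGER-844` (state the actual reason — it is not visible here). In the isAccessAllowed hunk the perf-trace key now embeds the whole userGroups collection; for users in many groups that yields a long key whose element order is not stable if the set is a HashSet, so `userGroups.size()` or a sorted rendering would make the perf log easier to aggregate. isAccessAllowed continues past the end of the hunk.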
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -1627,17 +1627,14 @@ public class ServiceDBStore extends AbstractServiceStore { throw new Exception("service does not exist - id='" + serviceId); } - RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); - - List<RangerPolicy> ret = policyRetriever.getServicePolicies(service); + List<RangerPolicy> ret = getServicePolicies(service, filter); - if(filter != null) { - predicateUtil.applyFilter(ret, filter); + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceId + ") : policy-count=" + (ret == null ? 0 : ret.size())); } - return ret; - } + } public PList<RangerPolicy> getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception { if (LOG.isDebugEnabled()) { @@ -1652,6 +1649,9 @@ public class ServiceDBStore extends AbstractServiceStore { PList<RangerPolicy> ret = getPaginatedServicePolicies(service.getName(), filter); + if (LOG.isDebugEnabled()) { + LOG.debug("<== ServiceDBStore.getPaginatedServicePolicies(" + serviceId + ")"); + } return ret; } 
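Review bot: As rendered here the @@ -1627 hunk removes `return ret;` from getServicePolicies(Long, SearchFilter) and adds back only a closing brace, which would not compile for a method declared to return List<RangerPolicy>; if the statement survived and this is a rendering artifact, ignore this, otherwise restore `return ret;` after the new debug block. The exit log in this hunk prints `policy-count=` while the serviceName overload in the following hunk prints `count=`; one spelling keeps the debug output greppable. Both methods are only partially visible in these hunks.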
@@ -1661,31 +1661,54 @@ public class ServiceDBStore extends AbstractServiceStore { LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceName + ")"); } + List<RangerPolicy> ret = null; + XXService service = daoMgr.getXXService().findByName(serviceName); if (service == null) { throw new Exception("service does not exist - name='" + serviceName); } - RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); + ret = getServicePolicies(service, filter); - List<RangerPolicy> ret = policyRetriever.getServicePolicies(service); + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null) ? 0 : ret.size())); + } - if(filter != null) { + return ret; + } + + private List<RangerPolicy> getServicePolicies(XXService service, SearchFilter filter) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> ServiceDBStore.getServicePolicies()"); + } + + if (service == null) { + throw new Exception("service does not exist"); + } + + List<RangerPolicy> ret = null; + + ServicePolicies servicePolicies = RangerServicePoliciesCache.getInstance().getServicePolicies(service.getName(), this); + List<RangerPolicy> policies = servicePolicies != null ? servicePolicies.getPolicies() : null; + + if(policies != null && filter != null) { + ret = new ArrayList<RangerPolicy>(policies); predicateUtil.applyFilter(ret, filter); + } else { + ret = policies; } if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null) ? 0 : ret.size())); + LOG.debug("<== ServiceDBStore.getServicePolicies(): count=" + ((ret == null) ? 
0 : ret.size())); } return ret; } - - private List<RangerPolicy> getServicePolicies(XXService service) throws Exception { + private List<RangerPolicy> getServicePoliciesFromDb(XXService service) throws Exception { if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceDBStore.getServicePolicies(" + service.getName() + ")"); + LOG.debug("==> ServiceDBStore.getServicePoliciesFromDb(" + service.getName() + ")"); } RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr); @@ -1693,7 +1716,7 @@ public class ServiceDBStore extends AbstractServiceStore { List<RangerPolicy> ret = policyRetriever.getServicePolicies(service); if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceDBStore.getServicePolicies(" + service.getName() + "): count=" + ((ret == null) ? 0 : ret.size())); + LOG.debug("<== ServiceDBStore.getServicePoliciesFromDb(" + service.getName() + "): count=" + ((ret == null) ? 0 : ret.size())); } return ret; @@ -1772,7 +1795,7 @@ public class ServiceDBStore extends AbstractServiceStore { XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName); - if(serviceDbObj == null) { + if (serviceDbObj == null) { throw new Exception("service does not exist. name=" + serviceName); } 
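Review bot: In the new private getServicePolicies(XXService, SearchFilter), the `else { ret = policies; }` branch hands the caller the list object held inside RangerServicePoliciesCache, so any caller that mutates its result (the pre-commit applyAdminAccessFilter removed elements in place, and other callers are not visible here) would silently change what every plugin downloads. Copy unconditionally: `ret = (policies != null) ? new ArrayList<RangerPolicy>(policies) : null;` followed by `if (ret != null && filter != null) { predicateUtil.applyFilter(ret, filter); }`. The copy is shallow either way — the RangerPolicy objects stay shared with the cache — so the method's javadoc should say that callers must clone a policy before editing it, and that this path reads the cache rather than the database and may lag a just-saved policy until the cache refreshes. The renamed getServicePoliciesFromDb in the next hunk would be the place to point readers who need the uncached view.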
@@ -1801,12 +1824,12 @@ public class ServiceDBStore extends AbstractServiceStore { tagPolicies.setServiceName(tagServiceDbObj.getName()); tagPolicies.setPolicyVersion(tagServiceDbObj.getPolicyVersion()); tagPolicies.setPolicyUpdateTime(tagServiceDbObj.getPolicyUpdateTime()); - tagPolicies.setPolicies(getServicePolicies(tagServiceDbObj)); + tagPolicies.setPolicies(getServicePoliciesFromDb(tagServiceDbObj)); tagPolicies.setServiceDef(tagServiceDef); } } - policies = getServicePolicies(serviceDbObj); + policies = getServicePoliciesFromDb(serviceDbObj); } else { policies = new ArrayList<RangerPolicy>(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java index f4afa3e..b712f09 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java @@ -36,6 +36,8 @@ import java.util.concurrent.locks.ReentrantLock; public class RangerServicePoliciesCache { private static final Log LOG = LogFactory.getLog(RangerServicePoliciesCache.class); + private static final int MAX_WAIT_TIME_FOR_UPDATE = 10; + private static volatile RangerServicePoliciesCache sInstance = null; private final boolean useServicePoliciesCache; private final int waitTimeInSeconds; 
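Review bot: `MAX_WAIT_TIME_FOR_UPDATE = 10` in the RangerServicePoliciesCache hunk carries no unit although it is assigned to `waitTimeInSeconds`, and it silently halves the previous default of 20. Name the unit, `private static final int MAX_WAIT_TIME_FOR_UPDATE_IN_SECONDS = 10;`, and add a one-line comment on why 10 is now sufficient, since the same default also changes in RangerServiceTagsCache and `ranger.admin.policy.download.cache.max.waittime.for.update` is the property operators will search for. How the wait is applied (presumably a timed tryLock) is outside this hunk.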
@@ -55,7 +57,7 @@ public class RangerServicePoliciesCache { private RangerServicePoliciesCache() { useServicePoliciesCache = RangerConfiguration.getInstance().getBoolean("ranger.admin.policy.download.usecache", true); - waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.policy.download.cache.max.waittime.for.update", 20); + waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.policy.download.cache.max.waittime.for.update", MAX_WAIT_TIME_FOR_UPDATE); } public void dump() { @@ -97,7 +99,7 @@ public class RangerServicePoliciesCache { return ret; } - public ServicePolicies getServicePolicies(String serviceName, ServiceStore serviceStore) { + public ServicePolicies getServicePolicies(String serviceName, ServiceStore serviceStore) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerServicePoliciesCache.getServicePolicies(" + serviceName + ")"); @@ -137,7 +139,10 @@ public class RangerServicePoliciesCache { if (serviceStore != null) { boolean refreshed = servicePoliciesWrapper.getLatestOrCached(serviceName, serviceStore); - LOG.info("tryRefreshFromStore returned " + refreshed); + + if(LOG.isDebugEnabled()) { + LOG.debug("getLatestOrCached returned " + refreshed); + } } else { LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies as service-store is null!"); } @@ -181,7 +186,7 @@ public class RangerServicePoliciesCache { return longestDbLoadTimeInMs; } - boolean getLatestOrCached(String serviceName, ServiceStore serviceStore) { + boolean getLatestOrCached(String serviceName, ServiceStore serviceStore) throws Exception { boolean ret = false; try { @@ -190,7 +195,7 @@ public class RangerServicePoliciesCache { getLatest(serviceName, serviceStore); } } catch (InterruptedException exception) { - LOG.error("tryRefreshFromStore:lock got interrupted..", exception); + LOG.error("getLatestOrCached:lock got interrupted..", exception); } finally { if (ret) { lock.unlock(); 
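Review bot: The catch block whose message the @@ -190 hunk renames still only logs the InterruptedException, so a request thread interrupted while waiting for the cache lock carries on and returns whatever is cached with its interrupt status cleared. Re-assert the flag right after the `LOG.error(...)`: `Thread.currentThread().interrupt();`. getLatestOrCached and getServicePolicies now also declare `throws Exception`; a narrower type would let ServiceREST tell a store failure apart from a programming error instead of funnelling both into the generic error path. The method bodies continue outside these hunks.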
@@ -200,7 +205,7 @@ public class RangerServicePoliciesCache { return ret; } - void getLatest(String serviceName, ServiceStore serviceStore) { + void getLatest(String serviceName, ServiceStore serviceStore) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> ServicePoliciesWrapper.getLatest(" + serviceName + ")"); @@ -218,22 +223,16 @@ public class RangerServicePoliciesCache { LOG.debug("loading servicePolicies from db ... cachedServicePoliciesVersion=" + (servicePolicies != null ? servicePolicies.getPolicyVersion() : null) + ", servicePolicyVersionInDb=" + servicePolicyVersionInDb); } - ServicePolicies servicePoliciesFromDb = null; + long startTimeMs = System.currentTimeMillis(); - try { - long startTimeMs = System.currentTimeMillis(); + ServicePolicies servicePoliciesFromDb = serviceStore.getServicePolicies(serviceName); - servicePoliciesFromDb = serviceStore.getServicePolicies(serviceName); + long dbLoadTime = System.currentTimeMillis() - startTimeMs; - long dbLoadTime = System.currentTimeMillis() - startTimeMs; - - if (dbLoadTime > longestDbLoadTimeInMs) { - longestDbLoadTimeInMs = dbLoadTime; - } - updateTime = new Date(); - } catch (Exception exception) { - LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies from service-store", exception); + if (dbLoadTime > longestDbLoadTimeInMs) { + longestDbLoadTimeInMs = dbLoadTime; } + updateTime = new Date(); if (servicePoliciesFromDb != null) { if (servicePoliciesFromDb.getPolicyVersion() == null) { 
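Review bot: With the try/catch removed in the @@ -218 hunk, a failure in serviceStore.getServicePolicies now propagates out of getLatest instead of being logged while the previously cached copy stays in place, so a transient database error during a refresh becomes an error for the plugin download or REST listing that triggered it. Failing closed is a defensible choice for policy distribution, but it is a behaviour change the commit message does not mention; a comment above the call would make it deliberate, e.g. `// a load failure is propagated rather than serving the stale cached copy; the caller decides whether to retry`. The lock is still released by the finally in getLatestOrCached, which is outside this hunk.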
@@ -268,7 +267,7 @@ public class RangerServicePoliciesCache { policy.setUpdatedBy(null); policy.setUpdateTime(null); policy.setGuid(null); - policy.setName(null); + // policy.setName(null); /* this is used by GUI in policy list page */ policy.setDescription(null); policy.setResourceSignature(null); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java b/security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java index e20cba8..cdc44e0 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java @@ -37,6 +37,8 @@ import java.util.concurrent.locks.ReentrantLock; public class RangerServiceTagsCache { private static final Log LOG = LogFactory.getLog(RangerServiceTagsCache.class); + private static final int MAX_WAIT_TIME_FOR_UPDATE = 10; + private static volatile RangerServiceTagsCache sInstance = null; private final boolean useServiceTagsCache; private final int waitTimeInSeconds; @@ -56,7 +58,7 @@ public class RangerServiceTagsCache { private RangerServiceTagsCache() { useServiceTagsCache = RangerConfiguration.getInstance().getBoolean("ranger.admin.tag.download.usecache", true); - waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.tag.download.cache.max.waittime.for.update", 20); + waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.tag.download.cache.max.waittime.for.update", MAX_WAIT_TIME_FOR_UPDATE); } public void dump() { 
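Review bot: The @@ -268 hunk keeps the policy name only by commenting the line out, while the neighbouring `setDescription(null)`, `setGuid(null)`, `setUpdatedBy(null)`, `setUpdateTime(null)` and `setResourceSignature(null)` still run; if, as the location suggests, this executes on the objects stored in the cache, those fields now also disappear from what ServiceDBStore.getServicePolicies serves to the admin REST API, because that path reads the same cache after this commit. Unless the listings are meant to lose those attributes, either strip them on a per-request copy for the plugin download or leave the cached objects intact. In any case delete the commented-out line and state the contract in a comment, e.g. `// name is kept: the policy list page renders it`. The enclosing method is only partially visible here.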
@@ -98,7 +100,7 @@ public class RangerServiceTagsCache { return ret; } - public ServiceTags getServiceTags(String serviceName, TagStore tagStore) { + public ServiceTags getServiceTags(String serviceName, TagStore tagStore) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerServiceTagsCache.getServiceTags(" + serviceName + ")"); @@ -138,7 +140,10 @@ public class RangerServiceTagsCache { if (tagStore != null) { boolean refreshed = serviceTagsWrapper.getLatestOrCached(serviceName, tagStore); - LOG.info("tryRefreshFromStore returned " + refreshed); + + if(LOG.isDebugEnabled()) { + LOG.debug("getLatestOrCached returned " + refreshed); + } } else { LOG.error("getServiceTags(" + serviceName + "): failed to get latest tags as tag-store is null!"); } @@ -182,7 +187,7 @@ public class RangerServiceTagsCache { return longestDbLoadTimeInMs; } - boolean getLatestOrCached(String serviceName, TagStore tagStore) { + boolean getLatestOrCached(String serviceName, TagStore tagStore) throws Exception { boolean ret = false; try { @@ -191,7 +196,7 @@ public class RangerServiceTagsCache { getLatest(serviceName, tagStore); } } catch (InterruptedException exception) { - LOG.error("tryRefreshFromStore:lock got interrupted..", exception); + LOG.error("getLatestOrCached:lock got interrupted..", exception); } finally { if (ret) { lock.unlock(); @@ -201,7 +206,7 @@ public class RangerServiceTagsCache { return ret; } - void getLatest(String serviceName, TagStore tagStore) { + void getLatest(String serviceName, TagStore tagStore) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceTagsWrapper.getLatest(" + serviceName + ")"); 
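Review bot: As in the policies cache, the catch block renamed in the @@ -191 hunk of RangerServiceTagsCache swallows the InterruptedException and leaves the thread's interrupt status cleared. Add `Thread.currentThread().interrupt();` after the `LOG.error(...)` so the interruption is visible to whoever owns the thread. The two cache classes are near-duplicates; a shared base would keep fixes like this from having to be applied twice, but that is beyond this commit.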
@@ -219,22 +224,16 @@ public class RangerServiceTagsCache { LOG.debug("loading serviceTags from db ... cachedServiceTagsVersion=" + (serviceTags != null ? serviceTags.getTagVersion() : null) + ", tagVersionInDb=" + tagVersionInDb); } - ServiceTags serviceTagsFromDb = null; + long startTimeMs = System.currentTimeMillis(); - try { - long startTimeMs = System.currentTimeMillis(); + ServiceTags serviceTagsFromDb = tagStore.getServiceTags(serviceName); - serviceTagsFromDb = tagStore.getServiceTags(serviceName); + long dbLoadTime = System.currentTimeMillis() - startTimeMs; - long dbLoadTime = System.currentTimeMillis() - startTimeMs; - - if (dbLoadTime > longestDbLoadTimeInMs) { - longestDbLoadTimeInMs = dbLoadTime; - } - updateTime = new Date(); - } catch (Exception exception) { - LOG.error("getServiceTags(" + serviceName + "): failed to get latest tags from tag-store", exception); + if (dbLoadTime > longestDbLoadTimeInMs) { + longestDbLoadTimeInMs = dbLoadTime; } + updateTime = new Date(); if (serviceTagsFromDb != null) { if (serviceTagsFromDb.getTagVersion() == null) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java index 4473d74..ff2a2d3 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java +++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java @@ -22,6 +22,7 @@ import java.io.Serializable; import java.util.ArrayList; import java.util.List; +import java.util.Set; import java.util.concurrent.CopyOnWriteArraySet; import org.apache.ranger.entity.XXAuthSession; 
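Review bot: The UserSessionBase hunks add `import java.util.Set;` and a blank line, and nothing else in this diff uses Set in that class; if no other part of the file does either, the import is unused and will be flagged by the build's style checks. Drop it, or move it together with the code that needs it. The rest of UserSessionBase is not visible here, so this may be harmless leftover from an earlier revision of the patch.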
@@ -40,6 +41,7 @@ public class UserSessionBase implements Serializable { private RangerUserPermission rangerUserPermission; int clientTimeOffsetInMinute = 0; private Boolean isSSOEnabled; + public Long getUserId() { if (xXPortalUser != null) { return xXPortalUser.getId(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java index ffc3c32..b437656 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java @@ -21,7 +21,9 @@ import java.util.ArrayList; +import java.util.HashSet; import java.util.List; +import java.util.Set; import javax.persistence.NoResultException; @@ -81,6 +83,26 @@ public class XXGroupUserDao extends BaseDao<XXGroupUser> { return null; } + public Set<String> findGroupNamesByUserName(String userName) { + List<String> groupList = null; + + if (userName != null) { + try { + groupList = getEntityManager().createNamedQuery("XXGroupUser.findGroupNamesByUserName", String.class).setParameter("userName", userName).getResultList(); + } catch (NoResultException e) { + logger.debug(e.getMessage()); + } + } else { + logger.debug("UserId not provided."); + } + + if(groupList != null) { + return new HashSet<String>(groupList); + } + + return new HashSet<String>(); + } + public List<XXGroupUser> findByGroupId(Long groupId) { if (groupId == null) { return new ArrayList<XXGroupUser>(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- 
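Review bot: In findGroupNamesByUserName the `catch (NoResultException e)` around `getResultList()` is dead — JPA's getResultList returns an empty list instead of throwing, NoResultException belongs to getSingleResult — and the else-branch message `"UserId not provided."` names the wrong parameter. Remove the catch and log `"userName not provided."`; if a real query failure should be tolerated here, catch it explicitly and log it at warn level with the exception, because this method's result now decides which policies a non-admin user is allowed to see in ServiceREST, and an empty set on error silently hides every group-granted policy (fail-closed, which is the right default, but it should show up in the logs). A javadoc line would complete it: `Returns the names of all groups the named user belongs to, or an empty set when userName is null or unknown.`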
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 174a5ee..4d84532 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -797,7 +797,7 @@ public class ServiceREST { if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.lookupResource(serviceName=" + serviceName + ")"); } - ret = serviceMgr.lookupResource(serviceName,context, svcStore); + ret = serviceMgr.lookupResource(serviceName, context, svcStore); } catch(WebApplicationException excp) { throw excp; } catch(Throwable excp) { @@ -1288,7 +1288,7 @@ public class ServiceREST { filter.setMaxRows(savedMaxRows); } - applyAdminAccessFilter(policies); + policies = applyAdminAccessFilter(policies); ret = toRangerPolicyList(policies, filter); } @@ -1323,7 +1323,7 @@ public class ServiceREST { } ret = svcStore.getPolicies(filter); - applyAdminAccessFilter(ret); + ret = applyAdminAccessFilter(ret); } catch(WebApplicationException excp) { throw excp; } catch(Throwable excp) { @@ -1358,7 +1358,7 @@ public class ServiceREST { } List<RangerPolicy> policies = getPolicies(request).getPolicies(); - applyAdminAccessFilter(policies); + policies = applyAdminAccessFilter(policies); ret = new Long(policies == null ? 0 : policies.size()); } catch(WebApplicationException excp) { @@ -1418,7 +1418,7 @@ public class ServiceREST { filter.setMaxRows(savedMaxRows); } - applyAdminAccessFilter(servicePolicies); + servicePolicies = applyAdminAccessFilter(servicePolicies); ret = toRangerPolicyList(servicePolicies, filter); } @@ -1479,7 +1479,7 @@ public class ServiceREST { filter.setMaxRows(savedMaxRows); } - applyAdminAccessFilter(servicePolicies); + servicePolicies = applyAdminAccessFilter(servicePolicies); ret = toRangerPolicyList(servicePolicies, filter); } 
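Review bot: applyAdminAccessFilter used to prune the list in place and now returns a new list, so every call site must become `x = applyAdminAccessFilter(x);` — the five hunks here do that, but any call site outside this diff that still invokes it as a statement now keeps the unfiltered list, which fails open. Renaming the method (for example `filterPoliciesByAdminAccess`) would turn a missed caller into a compile error rather than a silent authorization gap. Separately, the count path in the @@ -1358 hunk filters `getPolicies(request).getPolicies()` again although the @@ -1323 hunk already filters inside what appears to be the same getPolicies; harmless, but double work on large lists. The surrounding methods are only partially visible.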
@@ -1814,58 +1814,80 @@ public class ServiceREST { return svcStore.getPolicyForVersionNumber(policyId, versionNo); } - private void applyAdminAccessFilter(List<RangerPolicy> policies) { - boolean isAdmin = bizUtil.isAdmin(); - boolean isKeyAdmin = bizUtil.isKeyAdmin(); + private List<RangerPolicy> applyAdminAccessFilter(List<RangerPolicy> policies) { + List<RangerPolicy> ret = new ArrayList<RangerPolicy>(); + RangerPerfTracer perf = null; - if(!isAdmin && !isKeyAdmin && !CollectionUtils.isEmpty(policies)) { - String userName = bizUtil.getCurrentUserLoginId(); - Set<String> userGroups = userMgr.getGroupsForUser(userName); - Map<String, RangerPolicyEngine> policyEngines = new HashMap<String, RangerPolicyEngine>(); + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + (policies == null ? 0 : policies.size()) + ")"); + } - for(int i = 0; i < policies.size(); i++) { - RangerPolicy policy = policies.get(i); - String serviceName = policy.getService(); - RangerPolicyEngine policyEngine = policyEngines.get(serviceName); + if (CollectionUtils.isNotEmpty(policies)) { + boolean isAdmin = bizUtil.isAdmin(); + boolean isKeyAdmin = bizUtil.isKeyAdmin(); + String userName = bizUtil.getCurrentUserLoginId(); + Set<String> userGroups = null; - if(policyEngine == null) { - policyEngine = getPolicyEngine(policy.getService()); + Map<String, List<RangerPolicy>> servicePoliciesMap = new HashMap<String, List<RangerPolicy>>(); - if(policyEngine != null) { - policyEngines.put(serviceName, policyEngine); - } - } + for (int i = 0; i < policies.size(); i++) { + RangerPolicy policy = policies.get(i); + String serviceName = policy.getService(); + List<RangerPolicy> policyList = servicePoliciesMap.get(serviceName); - boolean hasAdminAccess = hasAdminAccess(policyEngine, userName, userGroups, policy.getResources()); + if (policyList == null) { + policyList = new ArrayList<RangerPolicy>(); - 
if(!hasAdminAccess) { - policies.remove(i); - i--; + servicePoliciesMap.put(serviceName, policyList); } + + policyList.add(policy); } - } else if (isAdmin && !CollectionUtils.isEmpty(policies)) { - for (int i = 0; i < policies.size(); i++) { - XXService xService = daoManager.getXXService().findByName(policies.get(i).getService()); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + for (Map.Entry<String, List<RangerPolicy>> entry : servicePoliciesMap.entrySet()) { + String serviceName = entry.getKey(); + List<RangerPolicy> listToFilter = entry.getValue(); - if (xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - policies.remove(i); - i--; - } - } - } else if (isKeyAdmin && !CollectionUtils.isEmpty(policies)) { - for (int i = 0; i < policies.size(); i++) { + if (CollectionUtils.isNotEmpty(listToFilter)) { + if (isAdmin || isKeyAdmin) { + XXService xService = daoManager.getXXService().findByName(serviceName); + Long serviceDefId = xService.getType(); + boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId()); + + if (isAdmin) { + if (!isKmsService) { + ret.addAll(listToFilter); + } + } else { // isKeyAdmin + if (isKmsService) { + ret.addAll(listToFilter); + } + } + + continue; + } - XXService xService = daoManager.getXXService().findByName(policies.get(i).getService()); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + RangerPolicyEngine policyEngine = getPolicyEngine(serviceName); + + if (policyEngine != null) { + if(userGroups == null) { + userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName); + } + + for (RangerPolicy policy : listToFilter) { + if (policyEngine.isAccessAllowed(policy.getResources(), userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) { + ret.add(policy); + } + } + } - if (!xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - 
policies.remove(i); - i--; } } } + + RangerPerfTracer.log(perf); + + return ret; } void ensureAdminAccess(String serviceName, Map<String, RangerPolicyResource> resources) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml ---------------------------------------------------------------------- diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index 3de6d19..89764f5 100644 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor +<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use @@ -177,6 +177,13 @@ </query> </named-query> + <named-query name="XXGroupUser.findGroupNamesByUserName"> + <query>SELECT obj.name FROM XXGroup obj + WHERE obj.id IN (SELECT gu.parentGroupId FROM XXGroupUser gu, XXUser u + WHERE gu.userId = u.id AND u.name=:userName) + </query> + </named-query> + <named-query name="XXGroupUser.findByGroupId"> <query>SELECT obj FROM XXGroupUser obj WHERE obj.parentGroupId=:groupId </query> 
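Review bot: In the admin/keyAdmin branch of the rewritten applyAdminAccessFilter, `serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId())` is false whenever that id is null (for instance if the KMS service-def was not loaded), which makes `isKmsService` false for every service: a plain admin would then be shown KMS policies while a keyAdmin sees none — the first of those fails open, unlike the removed comparison on the service-def implementation class name. Hoist `Long kmsServiceDefId = EmbeddedServiceDefsUtil.instance().getKmsServiceDefId();` above the loop, compute `boolean isKmsService = kmsServiceDefId != null && kmsServiceDefId.equals(xService.getType());`, and skip a service that findByName does not return instead of dereferencing null. The non-admin branch now resolves groups through `daoManager.getXXGroupUser().findGroupNamesByUserName` instead of `userMgr.getGroupsForUser`; if those two sources can disagree, the set of policies visible to such users changes with this commit, which is worth confirming. Dropping the policies of a service whose engine is null is the right fail-closed default and deserves a comment, `// no engine for this service: show nothing rather than everything`.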
@@ -846,12 +853,16 @@ </named-query> <named-query name="XXServiceResource.findByServiceId"> - <query>select obj from XXServiceResource obj where obj.serviceId = :serviceId</query> + <query>select obj from XXServiceResource obj where obj.serviceId = :serviceId + order by obj.id + </query> </named-query> <named-query name="XXServiceResource.findTaggedResourcesInServiceId"> <query>select obj from XXServiceResource obj where obj.serviceId = :serviceId and obj.id in - (select tagResMap.resourceId from XXTagResourceMap tagResMap)</query> + (select tagResMap.resourceId from XXTagResourceMap tagResMap) + order by obj.id + </query> </named-query> <named-query name="XXServiceResource.findByResourceSignature"> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c20a0d1a/security-admin/src/main/webapp/WEB-INF/log4j.xml ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/WEB-INF/log4j.xml b/security-admin/src/main/webapp/WEB-INF/log4j.xml index 3510d02..f7d40bb 100644 --- a/security-admin/src/main/webapp/WEB-INF/log4j.xml +++ b/security-admin/src/main/webapp/WEB-INF/log4j.xml @@ -84,8 +84,8 @@ </category> <!-- - <category name="ranger.perf" additivity="false"> - <priority value="info" /> + <category name="org.apache.ranger.perf" additivity="false"> + <priority value="debug" /> <appender-ref ref="perf_appender" /> </category> -->
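Review bot: The new XXGroupUser.findGroupNamesByUserName query binds `:userName` as a named parameter, so there is no injection concern, but it resolves the user inside the IN-subquery by `u.name=:userName`; if XXUser.name is not unique in the schema (not visible here), the result is the union of the groups of every user sharing that name, which in ServiceREST widens the policies a non-admin can see. If the login name is unique, a comment on the query saying so settles it; otherwise key the lookup on the user id the session already holds. The same result reads more plainly as a three-way join, `SELECT g.name FROM XXGroupUser gu, XXGroup g, XXUser u WHERE gu.parentGroupId = g.id AND gu.userId = u.id AND u.name = :userName`. The `order by obj.id` added to the two XXServiceResource queries in the next hunk looks intended to make tag download ordering deterministic; a short comment on each query would record that.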
