Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.5 5f778cf82 -> 087a7c859
RANGER-1144: Policy engine optimization: quick skip of policy based on user/groups, accessTypes Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/087a7c85 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/087a7c85 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/087a7c85 Branch: refs/heads/ranger-0.5 Commit: 087a7c859f04de4188f75172370fdb9bc28b6abb Parents: 5f778cf Author: Abhay Kulkarni <[email protected]> Authored: Wed Aug 10 12:00:46 2016 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Aug 11 15:17:41 2016 -0700 ---------------------------------------------------------------------- .../RangerAbstractPolicyEvaluator.java | 10 +++ .../RangerDefaultPolicyEvaluator.java | 7 ++- .../RangerOptimizedPolicyEvaluator.java | 65 ++++++++++++++------ 3 files changed, 60 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/087a7c85/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java index 178b9d8..14a003b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java 
@@ -21,11 +21,13 @@ package org.apache.ranger.plugin.policyevaluator;
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
@@ -93,6 +95,14 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
 this.evalOrder = evalOrder;
 }
+ public boolean hasAllow() {
+ return policy != null && CollectionUtils.isNotEmpty(policy.getPolicyItems());
+ }
+
+ protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
+ return hasAllow();
+ }
+
 @Override
 public String toString( ) {
 StringBuilder sb = new StringBuilder();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/087a7c85/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index efc9f92..67ea9b2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
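Review bot: `hasAllow()` consults only `policy.getPolicyItems()`, yet it is the entire default implementation of `hasMatchablePolicyItem(request)`, the hook the default evaluator now uses to skip resource matching for a policy altogether; if RangerPolicy on this branch also carries deny or exception item lists, a policy holding only those would report "nothing to match" and never be evaluated, which is the unsafe direction for a deny. Either document the hook as allow-only or fold the other lists in, e.g. `return hasAllow() || CollectionUtils.isNotEmpty(policy.getDenyPolicyItems());` if that accessor exists here. Both new methods also lack Javadoc; I would put `/** True when the policy has at least one allow policy item; used to short-circuit evaluation. */` on `hasAllow()` and, on `hasMatchablePolicyItem`, a sentence stating that subclasses may narrow it per request but must return false only when no policy item can possibly apply to the request. The `request` parameter is unused in the base version, which is fine but worth saying in that Javadoc.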
@@ -152,8 +152,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 if (!result.getIsAccessDetermined()) {
 // Try Match only if it was not attempted as part of evaluating Audit requirement
 if (!isMatchAttempted) {
- matchResult = isResourceMatch(request);
- isMatchAttempted = true;
+ // Attempt matching only if there may be a matchable policyItem
+ if (hasMatchablePolicyItem(request)) {
+ matchResult = isResourceMatch(request);
+ isMatchAttempted = true;
+ }
 }
 // Go further to evaluate access only if match or head match was found at this point
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/087a7c85/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index 4abc1bf..6953a7d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
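Review bot: When `hasMatchablePolicyItem(request)` returns false the new guard leaves `isMatchAttempted` false and `matchResult` at whatever value it held before this block, so the correctness of the skip rests entirely on the hook being conservative, and nothing in the hunk states that contract. The added comment should carry it: `// Skip resource matching only when no policy item can apply to this request; hasMatchablePolicyItem must return false solely in that case, because a skipped policy contributes nothing to this result`. Both `matchResult` and `isMatchAttempted` are declared outside the hunk, so whether `matchResult` is guaranteed false on entry cannot be confirmed from here; if it is not, an explicit `else { matchResult = false; }` would make the skip self-contained. The enclosing method starts and ends outside the hunk.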
@@ -202,33 +202,58 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
 return priorityLevel;
 }
- @Override
- protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
- }
+ @Override
+ protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
+ }
- boolean ret = false;
+ boolean ret = hasMatchablePolicyItem(user, userGroups, accessType) && super.isAccessAllowed(user, userGroups, accessType);
- if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
- if (StringUtils.isEmpty(accessType)) {
- accessType = RangerPolicyEngine.ANY_ACCESS;
- }
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ }
- boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
- boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
+ return ret;
+ }
- if (isAnyAccess || (isAdminAccess && delegateAdmin) || hasAllPerms || accessPerms.contains(accessType)) {
- ret = super.isAccessAllowed(user, userGroups, accessType);
- }
- }
+ @Override
+ protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
+ boolean ret = false;
+
+ if (hasPublicGroup || users.contains(request.getUser()) || CollectionUtils.containsAny(groups, request.getUserGroups())) {
+ if(request.isAccessTypeDelegatedAdmin()) {
+ ret = delegateAdmin;
+ } else if(hasAllPerms) {
+ ret = true;
+ } else {
+ ret = request.isAccessTypeAny() || accessPerms.contains(request.getAccessType());
+ }
+ }
+
+ return ret;
+ }
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
+
+ private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, String accessType) {
+ boolean ret = false;
+
+ if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
+ boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
+
+ if(isAdminAccess) {
+ ret = delegateAdmin;
+ } else if(hasAllPerms) {
+ ret = true;
+ } else {
+ boolean isAccessTypeAny = StringUtils.isEmpty(accessType) || StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
+
+ ret = isAccessTypeAny || accessPerms.contains(accessType);
+ }
 }
- return ret;
- }
+ return ret;
+ }
 @Override
 protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) {
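Review bot: The rewritten `isAccessAllowed` drops the normalization the removed lines performed — an empty `accessType` was rewritten to `RangerPolicyEngine.ANY_ACCESS` before `super.isAccessAllowed(...)` ran — while the new code passes the original value straight through and only the private `hasMatchablePolicyItem(String, Set, String)` treats empty as "any"; unless the superclass normalizes too (not visible here), an empty access type now reaches the superclass in a form it did not before. Restoring it is two lines: `String effectiveAccessType = StringUtils.isEmpty(accessType) ? RangerPolicyEngine.ANY_ACCESS : accessType;` followed by `boolean ret = hasMatchablePolicyItem(user, userGroups, effectiveAccessType) && super.isAccessAllowed(user, userGroups, effectiveAccessType);`. The two `hasMatchablePolicyItem` overloads also duplicate the user/group and access-type decision, which is exactly the logic that decides whether a policy is skipped, so they will drift; if `request.isAccessTypeAny()` and `request.isAccessTypeDelegatedAdmin()` are equivalent to the string comparisons, the override could simply be `return hasMatchablePolicyItem(request.getUser(), request.getUserGroups(), request.getAccessType());`. The class continues past the hunk and `evaluatePolicyItemsForAccess` on the last line is only its signature.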
