Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.5 410e04701 -> 987d959c3
RANGER-1161: Policy evaluation optimization: updating ranger-0.5 branch with relevant changes in master branch for RANGER-1162 Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/987d959c Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/987d959c Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/987d959c Branch: refs/heads/ranger-0.5 Commit: 987d959c3a790ef7c7c9884599e8eef028b39fb1 Parents: 410e047 Author: Madhan Neethiraj <[email protected]> Authored: Mon Aug 29 16:43:11 2016 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Aug 29 16:56:53 2016 -0700 ---------------------------------------------------------------------- .../RangerAbstractPolicyEvaluator.java | 19 +++-- .../RangerDefaultPolicyResourceMatcher.java | 5 ++ .../RangerPolicyResourceEvaluator.java | 2 + .../RangerPolicyResourceMatcher.java | 2 + .../ranger/plugin/util/RangerResourceTrie.java | 6 +- .../ranger/plugin/util/ServiceDefUtil.java | 73 ++++++++++++++++++++ 6 files changed, 101 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java index f3c2de6..dfde51d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java @@ -29,6 +29,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.policyengine.RangerAccessRequest; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator; +import org.apache.ranger.plugin.util.ServiceDefUtil; import java.util.Map; @@ -37,9 +38,10 @@ import java.util.Map; public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator { private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class); - private RangerPolicy policy = null; - private RangerServiceDef serviceDef = null; - private int evalOrder = 0; + private RangerPolicy policy = null; + private RangerServiceDef serviceDef = null; + private Integer leafResourceLevel = null; + private int evalOrder = 0; @Override @@ -48,8 +50,9 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")"); } - this.policy = policy; - this.serviceDef = serviceDef; + this.policy = policy; + this.serviceDef = serviceDef; + this.leafResourceLevel = ServiceDefUtil.getLeafResourceLevel(serviceDef, getPolicyResource()); if(LOG.isDebugEnabled()) { LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")"); @@ -77,6 +80,12 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu } @Override + public Integer getLeafResourceLevel() { + return leafResourceLevel; + } + + + @Override public int getEvalOrder() { return evalOrder; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java index 5e0b54c..f6b15f6 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java @@ -87,6 +87,11 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } @Override + public RangerServiceDef getServiceDef() { + return serviceDef; + } + + @Override public RangerResourceMatcher getResourceMatcher(String resourceName) { return matchers != null ? matchers.get(resourceName) : null; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java index 799e8b3..eed58e1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java @@ -33,4 +33,6 @@ public interface RangerPolicyResourceEvaluator extends Comparable<RangerPolicyRe Map<String, RangerPolicy.RangerPolicyResource> getPolicyResource(); RangerResourceMatcher getResourceMatcher(String resourceName); + + Integer getLeafResourceLevel(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java index bcfc017..49d5364 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java @@ -33,6 +33,8 @@ public interface RangerPolicyResourceMatcher { void init(); + RangerServiceDef getServiceDef(); + RangerResourceMatcher getResourceMatcher(String resourceName); boolean isMatch(RangerAccessResource resource); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java index 982d249..2079487 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java @@ -58,7 +58,7 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> { this.resourceName = resourceDef.getName(); this.optIgnoreCase = strIgnoreCase != null ? Boolean.parseBoolean(strIgnoreCase) : false; - this.optWildcard = strWildcard != null ? Boolean.parseBoolean(strWildcard) : false;; + this.optWildcard = strWildcard != null ? Boolean.parseBoolean(strWildcard) : false; this.wildcardChars = optWildcard ? DEFAULT_WILDCARD_CHARS : ""; this.root = new TrieNode(Character.valueOf((char)0)); @@ -67,6 +67,10 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> { RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null; if(policyResource == null) { + if(evaluator.getLeafResourceLevel() != null && resourceDef.getLevel() != null && evaluator.getLeafResourceLevel() < resourceDef.getLevel()) { + root.addWildcardEvaluator(evaluator); + } + continue; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java new file mode 100644 index 0000000..f26ac44 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java @@ -0,0 +1,73 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.util; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; + +import java.util.ArrayList; +import java.util.List; +import java.util.HashMap; +import java.util.Map; + +public class ServiceDefUtil { + + public static RangerResourceDef getResourceDef(RangerServiceDef serviceDef, String resource) { + RangerResourceDef ret = null; + + if(serviceDef != null && resource != null && CollectionUtils.isNotEmpty(serviceDef.getResources())) { + for(RangerResourceDef resourceDef : serviceDef.getResources()) { + if(StringUtils.equalsIgnoreCase(resourceDef.getName(), resource)) { + ret = resourceDef; + break; + } + } + } + + return ret; + } + + public static Integer getLeafResourceLevel(RangerServiceDef serviceDef, Map<String, RangerPolicy.RangerPolicyResource> policyResource) { + Integer ret = null; + + if(serviceDef != null && policyResource != null) { + for(Map.Entry<String, RangerPolicy.RangerPolicyResource> entry : policyResource.entrySet()) { + String resource = entry.getKey(); + RangerResourceDef resourceDef = ServiceDefUtil.getResourceDef(serviceDef, resource); + + if(resourceDef != null && resourceDef.getLevel() != null) { + if(ret == null) { + ret = resourceDef.getLevel(); + } else if(ret < resourceDef.getLevel()) { + ret = resourceDef.getLevel(); + } + } + } + } + + return ret; + } +}
