RANGER-1161: Policy evaluation optimization by using trie lookup to reduce number policies evaluated
(cherry picked from commit 480776a9eb2004e3684b1d8f92f29fbeb2815233) Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b265605f Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b265605f Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b265605f Branch: refs/heads/ranger-0.6 Commit: b265605f5ea532e6f46ad9eafc616509834e9d43 Parents: d79f127 Author: Madhan Neethiraj <[email protected]> Authored: Wed Aug 24 12:25:39 2016 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Sep 15 12:20:45 2016 -0700 ---------------------------------------------------------------------- .../policyengine/RangerPolicyEngineImpl.java | 21 +- .../policyengine/RangerPolicyEngineOptions.java | 1 + .../policyengine/RangerPolicyRepository.java | 151 ++++++- .../RangerDefaultPolicyEvaluator.java | 9 + .../policyevaluator/RangerPolicyEvaluator.java | 6 + .../RangerDefaultPolicyResourceMatcher.java | 5 + .../RangerPolicyResourceMatcher.java | 3 + .../RangerAbstractResourceMatcher.java | 3 + .../resourcematcher/RangerResourceMatcher.java | 2 + .../ranger/plugin/service/RangerBasePlugin.java | 1 + .../ranger/plugin/util/RangerResourceTrie.java | 391 +++++++++++++++++++ .../ranger/policyengine/CommandLineParser.java | 14 +- .../ranger/policyengine/PerfTestEngine.java | 17 +- .../ranger/policyengine/PerfTestOptions.java | 12 +- .../RangerPolicyenginePerfTester.java | 9 +- .../org/apache/ranger/rest/ServiceREST.java | 1 + 16 files changed, 614 insertions(+), 32 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java index 661d54f..161e1be 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java @@ -313,7 +313,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerDataMaskResult ret = new RangerDataMaskResult(getServiceName(), getServiceDef(), request); if(request != null) { - List<RangerPolicyEvaluator> evaluators = policyRepository.getDataMaskPolicyEvaluators(); + List<RangerPolicyEvaluator> evaluators = policyRepository.getDataMaskPolicyEvaluators(request.getResource()); for (RangerPolicyEvaluator evaluator : evaluators) { evaluator.evaluate(request, ret); @@ -355,7 +355,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerRowFilterResult ret = new RangerRowFilterResult(getServiceName(), getServiceDef(), request); if(request != null) { - List<RangerPolicyEvaluator> evaluators = policyRepository.getRowFilterPolicyEvaluators(); + List<RangerPolicyEvaluator> evaluators = policyRepository.getRowFilterPolicyEvaluators(request.getResource()); for (RangerPolicyEvaluator evaluator : evaluators) { evaluator.evaluate(request, ret); @@ -400,7 +400,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } boolean ret = false; - for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) { + for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators(resource)) { ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType); if (ret) { @@ -534,7 +534,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request); List<RangerPolicyEvaluator> tagPolicyEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators(); - List<RangerPolicyEvaluator> resPolicyEvaluators = policyRepository.getPolicyEvaluators(); if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) { List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); @@ -543,13 +542,17 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { for (RangerTag tag : tags) { RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request); - for (RangerPolicyEvaluator evaluator : tagPolicyEvaluators) { + List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(tagEvalRequest.getResource()); + + for (RangerPolicyEvaluator evaluator : evaluators) { evaluator.getResourceAccessInfo(tagEvalRequest, ret); } } } } + List<RangerPolicyEvaluator> resPolicyEvaluators = policyRepository.getPolicyEvaluators(request.getResource()); + if(CollectionUtils.isNotEmpty(resPolicyEvaluators)) { for (RangerPolicyEvaluator evaluator : resPolicyEvaluators) { evaluator.getResourceAccessInfo(request, ret); @@ -596,7 +599,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { ret.setIsAccessDetermined(false); // discard allowed result by tag-policies, to evaluate resource policies for possible deny } - List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(); + List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(request.getResource()); for (RangerPolicyEvaluator evaluator : evaluators) { ret.incrementEvaluatedPoliciesCount(); evaluator.evaluate(request, ret); @@ -632,9 +635,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + result + ")"); } - List<RangerPolicyEvaluator> evaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators(); + List<RangerPolicyEvaluator> tagEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators(); - if (CollectionUtils.isNotEmpty(evaluators)) { + if (CollectionUtils.isNotEmpty(tagEvaluators)) { List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext()); if(CollectionUtils.isNotEmpty(tags)) { @@ -654,6 +657,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine { } tagEvalResult.setAuditResultFrom(result); + List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(tagEvalRequest.getResource()); + for (RangerPolicyEvaluator evaluator : evaluators) { tagEvalResult.incrementEvaluatedPoliciesCount(); if(! evaluator.isMatch(tagEvalRequest.getResource())) http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java index 805f5a5..2b2cf9b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java @@ -29,4 +29,5 @@ public class RangerPolicyEngineOptions { public boolean disableCustomConditions = false; public boolean disableTagPolicyEvaluation = true; public boolean evaluateDelegateAdminOnly = false; + public boolean disableTrieLookupPrefilter = false; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java index 40fe8b6..d06aecd 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java @@ -32,15 +32,18 @@ import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator; import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.store.AbstractServiceStore; import org.apache.ranger.plugin.util.RangerPerfTracer; +import org.apache.ranger.plugin.util.RangerResourceTrie; import org.apache.ranger.plugin.util.ServiceDefUtil; import org.apache.ranger.plugin.util.ServicePolicies; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; +import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; +import java.util.Set; class RangerPolicyRepository { private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class); @@ -84,6 +87,10 @@ class RangerPolicyRepository { private final String componentServiceName; private final RangerServiceDef componentServiceDef; + private final boolean disableTrieLookupPrefilter; + private final Map<String, RangerResourceTrie> policyResourceTrie; + private final Map<String, RangerResourceTrie> dataMaskResourceTrie; + private final Map<String, RangerResourceTrie> rowFilterResourceTrie; RangerPolicyRepository(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options) { super(); @@ -125,12 +132,24 @@ class RangerPolicyRepository { this.accessAuditCache = null; } + this.disableTrieLookupPrefilter = options.disableTrieLookupPrefilter; + + if(this.disableTrieLookupPrefilter) { + policyResourceTrie = null; + dataMaskResourceTrie = null; + rowFilterResourceTrie = null; + } else { + policyResourceTrie = new HashMap<String, RangerResourceTrie>(); + dataMaskResourceTrie = new HashMap<String, RangerResourceTrie>(); + rowFilterResourceTrie = new HashMap<String, RangerResourceTrie>(); + } + if(LOG.isDebugEnabled()) { LOG.debug("RangerPolicyRepository : building policy-repository for service[" + serviceName + "] with auditMode[" + auditModeEnum + "]"); } - init(options); + init(options); } RangerPolicyRepository(String appId, ServicePolicies.TagPolicies tagPolicies, RangerPolicyEngineOptions options, @@ -160,13 +179,24 @@ class RangerPolicyRepository { this.accessAuditCache = null; + this.disableTrieLookupPrefilter = options.disableTrieLookupPrefilter; + + if(this.disableTrieLookupPrefilter) { + policyResourceTrie = null; + dataMaskResourceTrie = null; + rowFilterResourceTrie = null; + } else { + policyResourceTrie = new HashMap<String, RangerResourceTrie>(); + dataMaskResourceTrie = new HashMap<String, RangerResourceTrie>(); + rowFilterResourceTrie = new HashMap<String, RangerResourceTrie>(); + } + if(LOG.isDebugEnabled()) { LOG.debug("RangerPolicyRepository : building tag-policy-repository for tag service[" + serviceName + "] with auditMode[" + auditModeEnum +"]"); } init(options); - } public String getServiceName() { return serviceName; } @@ -189,14 +219,85 @@ class RangerPolicyRepository { return policyEvaluators; } + List<RangerPolicyEvaluator> getPolicyEvaluators(RangerAccessResource resource) { + return disableTrieLookupPrefilter ? getPolicyEvaluators() : getPolicyEvaluators(policyResourceTrie, resource); + } + List<RangerPolicyEvaluator> getDataMaskPolicyEvaluators() { return dataMaskPolicyEvaluators; } + List<RangerPolicyEvaluator> getDataMaskPolicyEvaluators(RangerAccessResource resource) { + return disableTrieLookupPrefilter ? getDataMaskPolicyEvaluators() : getPolicyEvaluators(dataMaskResourceTrie, resource); + } + List<RangerPolicyEvaluator> getRowFilterPolicyEvaluators() { return rowFilterPolicyEvaluators; } + List<RangerPolicyEvaluator> getRowFilterPolicyEvaluators(RangerAccessResource resource) { + return disableTrieLookupPrefilter ? getRowFilterPolicyEvaluators() : getPolicyEvaluators(rowFilterResourceTrie, resource); + } + + private List<RangerPolicyEvaluator> getPolicyEvaluators(Map<String, RangerResourceTrie> resourceTrie, RangerAccessResource resource) { + List<RangerPolicyEvaluator> ret = null; + Set<String> resourceKeys = resource == null ? null : resource.getKeys(); + + if(CollectionUtils.isNotEmpty(resourceKeys)) { + boolean isRetModifiable = false; + + for(String resourceName : resourceKeys) { + RangerResourceTrie trie = resourceTrie.get(resourceName); + + if(trie == null) { // if no trie exists for this resource level, ignore and continue to next level + continue; + } + + List<RangerPolicyEvaluator> resourceEvaluators = trie.getPoliciesForResource(resource.getValue(resourceName)); + + if(CollectionUtils.isEmpty(resourceEvaluators)) { // no policies for this resource, bail out + ret = null; + } else if(ret == null) { // initialize ret with policies found for this resource + ret = resourceEvaluators; + } else { // remove policies from ret that are not in resourceEvaluators + if(isRetModifiable) { + ret.retainAll(resourceEvaluators); + } else { + final List<RangerPolicyEvaluator> shorterList; + final List<RangerPolicyEvaluator> longerList; + + if (ret.size() < resourceEvaluators.size()) { + shorterList = ret; + longerList = resourceEvaluators; + } else { + shorterList = resourceEvaluators; + longerList = ret; + } + + ret = new ArrayList<>(shorterList); + ret.retainAll(longerList); + isRetModifiable = true; + } + } + + if(CollectionUtils.isEmpty(ret)) { // if no policy exists, bail out and return empty list + ret = null; + break; + } + } + } + + if(ret == null) { + ret = Collections.emptyList(); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerPolicyRepository.getPolicyEvaluators(" + resource.getAsString() + "): evaluatorCount=" + ret.size()); + } + + return ret; + } + private RangerServiceDef normalizeAccessTypeDefs(RangerServiceDef serviceDef, final String componentType) { if (serviceDef != null && StringUtils.isNotBlank(componentType)) { @@ -428,6 +529,8 @@ class RangerPolicyRepository { } this.contextEnrichers = Collections.unmodifiableList(contextEnrichers); + initResourceTries(); + if(LOG.isDebugEnabled()) { LOG.debug("policy evaluation order: " + this.policyEvaluators.size() + " policies"); @@ -453,6 +556,26 @@ class RangerPolicyRepository { LOG.debug("rowFilter policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder()); } + + LOG.debug("policyResourceTrie: " + this.policyResourceTrie); + LOG.debug("dataMaskResourceTrie: " + this.dataMaskResourceTrie); + LOG.debug("rowFilterResourceTrie: " + this.rowFilterResourceTrie); + } + } + + private void initResourceTries() { + if(! this.disableTrieLookupPrefilter) { + policyResourceTrie.clear(); + dataMaskResourceTrie.clear(); + rowFilterResourceTrie.clear(); + + if (serviceDef != null && serviceDef.getResources() != null) { + for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { + policyResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, policyEvaluators)); + dataMaskResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, dataMaskPolicyEvaluators)); + rowFilterResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, rowFilterPolicyEvaluators)); + } + } } } @@ -609,15 +732,33 @@ class RangerPolicyRepository { LOG.debug("==> reorderPolicyEvaluators()"); } - this.policyEvaluators = getReorderedPolicyEvaluators(this.policyEvaluators); - this.dataMaskPolicyEvaluators = getReorderedPolicyEvaluators(this.dataMaskPolicyEvaluators); - this.rowFilterPolicyEvaluators = getReorderedPolicyEvaluators(this.rowFilterPolicyEvaluators); + if(disableTrieLookupPrefilter) { + policyEvaluators = getReorderedPolicyEvaluators(policyEvaluators); + dataMaskPolicyEvaluators = getReorderedPolicyEvaluators(dataMaskPolicyEvaluators); + rowFilterPolicyEvaluators = getReorderedPolicyEvaluators(rowFilterPolicyEvaluators); + } else { + reorderPolicyEvaluators(policyResourceTrie); + reorderPolicyEvaluators(dataMaskResourceTrie); + reorderPolicyEvaluators(rowFilterResourceTrie); + } if (LOG.isDebugEnabled()) { LOG.debug("<== reorderPolicyEvaluators()"); } } + private void reorderPolicyEvaluators(Map<String, RangerResourceTrie> trieMap) { + if(trieMap != null) { + for(Map.Entry<String, RangerResourceTrie> entry : trieMap.entrySet()) { + RangerResourceTrie trie = entry.getValue(); + + if(trie != null) { + trie.reorderPolicyEvaluators(); + } + } + } + } + private List<RangerPolicyEvaluator> getReorderedPolicyEvaluators(List<RangerPolicyEvaluator> evaluators) { List<RangerPolicyEvaluator> ret = evaluators; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index f954ccf..eb46353 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -51,6 +51,7 @@ import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; import org.apache.ranger.plugin.policyengine.RangerRowFilterResult; import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher; import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; import org.apache.ranger.plugin.util.RangerPerfTracer; import org.apache.ranger.plugin.util.ServiceDefUtil; @@ -77,6 +78,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator } @Override + public RangerPolicyResourceMatcher getPolicyResourceMatcher() { return resourceMatcher; } + + @Override + public RangerResourceMatcher getResourceMatcher(String resourceName) { + return resourceMatcher != null ? resourceMatcher.getResourceMatcher(resourceName) : null; + } + + @Override public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyEvaluator.init()"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java index a7dc833..23069cf 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java @@ -33,6 +33,8 @@ import org.apache.ranger.plugin.policyengine.RangerDataMaskResult; import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo; import org.apache.ranger.plugin.policyengine.RangerRowFilterResult; +import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher; +import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> { @@ -64,6 +66,10 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> boolean isAuditEnabled(); + RangerPolicyResourceMatcher getPolicyResourceMatcher(); + + RangerResourceMatcher getResourceMatcher(String resourceName); + void evaluate(RangerAccessRequest request, RangerAccessResult result); void evaluate(RangerAccessRequest request, RangerDataMaskResult result); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java index 733049f..78589cd 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java @@ -180,6 +180,11 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM } @Override + public RangerResourceMatcher getResourceMatcher(String resourceName) { + return matchers != null ? matchers.get(resourceName) : null; + } + + @Override public boolean isMatch(RangerAccessResource resource) { if(LOG.isDebugEnabled()) { LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resource + ")"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java index 54b9586..80da868 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java @@ -25,6 +25,7 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; import org.apache.ranger.plugin.model.RangerServiceDef; import org.apache.ranger.plugin.policyengine.RangerAccessResource; +import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; public interface RangerPolicyResourceMatcher { void setServiceDef(RangerServiceDef serviceDef); @@ -35,6 +36,8 @@ public interface RangerPolicyResourceMatcher { void init(); + RangerResourceMatcher getResourceMatcher(String resourceName); + boolean isMatch(RangerAccessResource resource); boolean isMatch(Map<String, RangerPolicyResource> resources); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java index 329b8e8..574f2eb 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java @@ -94,6 +94,9 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat } } + @Override + public boolean isMatchAny() { return isMatchAny; } + protected List<ResourceMatcher> buildResourceMatchers() { List<ResourceMatcher> ret = new ArrayList<ResourceMatcher> (); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java index c1b3404..8f1cebe 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java @@ -29,6 +29,8 @@ public interface RangerResourceMatcher { void init(); + boolean isMatchAny(); + boolean isMatch(String resource); boolean isCompleteMatch(String resource); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 760fab7..8e984df 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -133,6 +133,7 @@ public class RangerBasePlugin { policyEngineOptions.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false); policyEngineOptions.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false); policyEngineOptions.disableTagPolicyEvaluation = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false); + policyEngineOptions.disableTrieLookupPrefilter = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false); RangerAdminClient admin = createAdminClient(serviceName, appId, propertyPrefix); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java new file mode 100644 index 0000000..809c07e --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java @@ -0,0 +1,391 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.util; + + +import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; +import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher; +import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + + +public class RangerResourceTrie { + private static final Log LOG = LogFactory.getLog(RangerResourceTrie.class); + + private static final String DEFAULT_WILDCARD_CHARS = "*?"; + + private final String resourceName; + private final boolean optIgnoreCase; + private final boolean optWildcard; + private final String wildcardChars; + private final TrieNode root; + + public RangerResourceTrie(RangerServiceDef.RangerResourceDef resourceDef, List<RangerPolicyEvaluator> evaluators) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerResourceTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ")"); + } + + Map<String, String> matcherOptions = resourceDef.getMatcherOptions(); + String strIgnoreCase = matcherOptions != null ? matcherOptions.get(RangerAbstractResourceMatcher.OPTION_IGNORE_CASE) : null; + String strWildcard = matcherOptions != null ? matcherOptions.get(RangerAbstractResourceMatcher.OPTION_WILD_CARD) : null; + + this.resourceName = resourceDef.getName(); + this.optIgnoreCase = strIgnoreCase != null ? Boolean.parseBoolean(strIgnoreCase) : false; + this.optWildcard = strWildcard != null ? Boolean.parseBoolean(strWildcard) : false;; + this.wildcardChars = optWildcard ? DEFAULT_WILDCARD_CHARS : ""; + this.root = new TrieNode(Character.valueOf((char)0)); + + for(RangerPolicyEvaluator evaluator : evaluators) { + RangerPolicy policy = evaluator.getPolicy(); + Map<String, RangerPolicyResource> policyResources = policy != null ? policy.getResources() : null; + RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null; + + if(policyResource == null) { + continue; + } + + if(policyResource.getIsExcludes()) { + root.addWildcardPolicy(evaluator); + } else { + RangerResourceMatcher resourceMatcher = evaluator.getResourceMatcher(resourceName); + + if(resourceMatcher != null && resourceMatcher.isMatchAny()) { + root.addWildcardPolicy(evaluator); + } else { + for (String resource : policyResource.getValues()) { + insert(resource, policyResource.getIsRecursive(), evaluator); + } + } + } + } + + root.postSetup(); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerResourceTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + "): " + toString()); + } + } + + public String getResourceName() { + return resourceName; + } + + public List<RangerPolicyEvaluator> getPoliciesForResource(String resource) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerResourceTrie.getPoliciesForResource(" + resource + ")"); + } + + List<RangerPolicyEvaluator> ret = null; + + TrieNode curr = root; + + final int len = resource.length(); + for(int i = 0; i < len; i++) { + Character ch = getLookupChar(resource.charAt(i)); + TrieNode child = curr.getChild(ch); + + if(child == null) { + ret = curr.getWildcardPolicies(); + curr = null; // so that curr.getPolicies() will not be called below + break; + } + + curr = child; + } + + if(ret == null) { + if(curr != null) { + ret = curr.getPolicies(); + } + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerResourceTrie.getPoliciesForResource(" + resource + "): evaluatorCount=" + (ret == null ? 0 : ret.size())); + } + + return ret; + } + + public int getNodeCount() { + return root.getNodeCount(); + } + + public int getMaxDepth() { + return root.getMaxDepth(); + } + + public void reorderPolicyEvaluators() { + root.reorderPolicyEvaluators(); + } + + private Character getLookupChar(char ch) { + return optIgnoreCase ? Character.valueOf(Character.toLowerCase(ch)) : Character.valueOf(ch); + } + + private void insert(String resource, boolean isRecursive, RangerPolicyEvaluator evaluator) { + TrieNode curr = root; + boolean isWildcard = false; + + if(optIgnoreCase) { + resource = resource.toLowerCase(); + } + + final int len = resource.length(); + for(int i = 0; i < len; i++) { + Character ch = getLookupChar(resource.charAt(i)); + + if(optWildcard) { + if (wildcardChars.indexOf(ch) != -1) { + isWildcard = true; + break; + } + } + + curr = curr.getOrCreateChild(ch); + } + + if(isWildcard || isRecursive) { + curr.addWildcardPolicy(evaluator); + } else { + curr.addPolicy(evaluator); + } + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + + sb.append("nodeCount=").append(getNodeCount()); + sb.append("; maxDepth=").append(getMaxDepth()); + sb.append(Character.LINE_SEPARATOR); + root.toString("", sb); + + return sb.toString(); + } +} + +class TrieNode { + private final Character c; + private Map<Character, TrieNode> children = null; + private List<RangerPolicyEvaluator> policies = null; + private List<RangerPolicyEvaluator> wildcardPolicies = null; + + TrieNode(Character c) { + this.c = c; + } + + Character getChar() { + return c; + } + + Map<Character, TrieNode> getChildren() { + return children; + } + + List<RangerPolicyEvaluator> getPolicies() { + return policies; + } + + List<RangerPolicyEvaluator> getWildcardPolicies() { + return wildcardPolicies; + } + + TrieNode getChild(Character c) { + TrieNode ret = children == null ? null : children.get(c); + + return ret; + } + + int getNodeCount() { + int ret = 1; + + if(children != null) { + for(Map.Entry<Character, TrieNode> entry : children.entrySet()) { + TrieNode child = entry.getValue(); + + ret += child.getNodeCount(); + } + } + + return ret; + } + + int getMaxDepth() { + int ret = 0; + + if(children != null) { + for(Map.Entry<Character, TrieNode> entry : children.entrySet()) { + TrieNode child = entry.getValue(); + + int maxChildDepth = child.getMaxDepth(); + + if(maxChildDepth > ret) { + ret = maxChildDepth; + } + } + } + + return ret + 1; + } + + TrieNode getOrCreateChild(Character c) { + if(children == null) { + children = new HashMap<Character, TrieNode>(); + } + + TrieNode child = children.get(c); + + if(child == null) { + child = new TrieNode(c); + children.put(c, child); + } + + return child; + } + + void addPolicy(RangerPolicyEvaluator evaluator) { + if(policies == null) { + policies = new ArrayList<RangerPolicyEvaluator>(); + } + + if(!policies.contains(evaluator)) { + policies.add(evaluator); + } + } + + void addPolicies(List<RangerPolicyEvaluator> evaluators) { + if(CollectionUtils.isNotEmpty(evaluators)) { + for(RangerPolicyEvaluator evaluator : evaluators) { + addPolicy(evaluator); + } + } + } + + void addWildcardPolicy(RangerPolicyEvaluator evaluator) { + if(wildcardPolicies == null) { + wildcardPolicies = new ArrayList<RangerPolicyEvaluator>(); + } + + if(!wildcardPolicies.contains(evaluator)) { + wildcardPolicies.add(evaluator); + } + } + + void addWildcardPolicies(List<RangerPolicyEvaluator> evaluators) { + if(CollectionUtils.isNotEmpty(evaluators)) { + for(RangerPolicyEvaluator evaluator : evaluators) { + addWildcardPolicy(evaluator); + } + } + } + + void postSetup() { + addPolicies(wildcardPolicies); + + if(wildcardPolicies != null) { + Collections.sort(wildcardPolicies); + } + + if(policies != null) { + Collections.sort(policies); + } + + if(children != null) { + for(Map.Entry<Character, TrieNode> entry : children.entrySet()) { + TrieNode child = entry.getValue(); + + child.addWildcardPolicies(wildcardPolicies); + + child.postSetup(); + } + } + } + + void reorderPolicyEvaluators() { + wildcardPolicies = getSortedCopy(wildcardPolicies); + policies = getSortedCopy(policies); + } + + public void toString(String prefix, StringBuilder sb) { + String nodeValue = prefix; + + if(c != 0) { + nodeValue += c; + } + + sb.append("nodeValue=").append(nodeValue); + sb.append("; childCount=").append(children == null ? 0 : children.size()); + sb.append("; policies=[ "); + if(policies != null) { + for(RangerPolicyEvaluator evaluator : policies) { + sb.append(evaluator.getPolicy().getId()).append(" "); + } + } + sb.append("]"); + + sb.append("; wildcardPolicies=[ "); + if(wildcardPolicies != null) { + for(RangerPolicyEvaluator evaluator : wildcardPolicies) { + sb.append(evaluator.getPolicy().getId()).append(" "); + } + } + sb.append("]"); + sb.append(Character.LINE_SEPARATOR); + + if(children != null) { + for(Map.Entry<Character, TrieNode> entry : children.entrySet()) { + TrieNode child = entry.getValue(); + + child.toString(nodeValue, sb); + } + } + } + + public void clear() { + children = null; + policies = null; + wildcardPolicies = null; + } + + private List<RangerPolicyEvaluator> getSortedCopy(List<RangerPolicyEvaluator> evaluators) { + final List<RangerPolicyEvaluator> ret; + + if(CollectionUtils.isNotEmpty(evaluators)) { + ret = new ArrayList<RangerPolicyEvaluator>(wildcardPolicies); + + Collections.sort(ret); + } else { + ret = evaluators; + } + + return ret; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java ---------------------------------------------------------------------- diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java index d6c028f..e8edd9e 100644 --- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java +++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java @@ -52,7 +52,8 @@ public class CommandLineParser private int concurrentClientCount = 1; private int iterationsCount = 1; - private boolean isDynamicReorderingEnabled = false; + private boolean isDynamicReorderingDisabled = true; + private boolean isTrieLookupPrefixDisabled = true; private Options options = new Options(); @@ -62,7 +63,7 @@ public class CommandLineParser PerfTestOptions ret = null; if (parseArguments(args) && validateInputFiles()) { // Instantiate a data-object and return - ret = new PerfTestOptions(servicePoliciesFileURL, requestFileURLs, statCollectionFileURL, concurrentClientCount, iterationsCount, isDynamicReorderingEnabled); + ret = new PerfTestOptions(servicePoliciesFileURL, requestFileURLs, statCollectionFileURL, concurrentClientCount, iterationsCount, isDynamicReorderingDisabled, isTrieLookupPrefixDisabled); } else { showUsage(); } @@ -98,6 +99,7 @@ public class CommandLineParser options.addOption("c", "clients", true, "Number of concurrent clients"); options.addOption("n", "cycles", true, "Number of iterations"); options.addOption("o", "optimize", false, "Enable usage-based policy reordering"); + options.addOption("t", "trie-prefilter", false, "Enable trie-prefilter"); org.apache.commons.cli.CommandLineParser commandLineParser = new DefaultParser(); @@ -125,13 +127,17 @@ public class CommandLineParser iterationsCount = Integer.parseInt(iterationsOptionValue); } if (commandLine.hasOption("o")) { - isDynamicReorderingEnabled = true; + isDynamicReorderingDisabled = false; + } + if (commandLine.hasOption("t")) { + isTrieLookupPrefixDisabled = false; } if (LOG.isDebugEnabled()) { LOG.debug("servicePoliciesFileName=" + servicePoliciesFileName + ", requestFileName=" + Arrays.toString(requestFileNames)); LOG.debug("concurrentClientCount=" + concurrentClientCount + ", iterationsCount=" + iterationsCount); - LOG.debug("isDynamicReorderingEnabled=" + isDynamicReorderingEnabled); + LOG.debug("isDynamicReorderingDisabled=" + isDynamicReorderingDisabled); + LOG.debug("isTrieLookupPrefixDisabled=" + isTrieLookupPrefixDisabled); } ret = true; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java ---------------------------------------------------------------------- diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java index cf83260..8d89794 100644 --- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java +++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java @@ -24,7 +24,6 @@ import com.google.gson.GsonBuilder; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.policyengine.*; -import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.util.ServicePolicies; import java.io.InputStream; @@ -39,13 +38,15 @@ public class PerfTestEngine { static private final long POLICY_ENGINE_REORDER_AFTER_PROCESSING_REQUESTS_COUNT = 100; private final URL servicePoliciesFileURL; - private final boolean isDynamicReorderingEnabled; + private final RangerPolicyEngineOptions policyEngineOptions; private RangerPolicyEngine policyEvaluationEngine; + private final boolean disableDynamicPolicyEvalReordering; private AtomicLong requestCount = new AtomicLong(); - public PerfTestEngine(final URL servicePoliciesFileURL, boolean isDynamicReorderingEnabled) { + public PerfTestEngine(final URL servicePoliciesFileURL, RangerPolicyEngineOptions policyEngineOptions, boolean disableDynamicPolicyEvalReordering) { this.servicePoliciesFileURL = servicePoliciesFileURL; - this.isDynamicReorderingEnabled = isDynamicReorderingEnabled; + this.policyEngineOptions = policyEngineOptions; + this.disableDynamicPolicyEvalReordering = disableDynamicPolicyEvalReordering; } public boolean init() { @@ -70,11 +71,7 @@ public class PerfTestEngine { servicePolicies = gsonBuilder.fromJson(reader, ServicePolicies.class); - RangerPolicyEngineOptions engineOptions = new RangerPolicyEngineOptions(); - engineOptions.disableTagPolicyEvaluation = false; - engineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED; - - policyEvaluationEngine = new RangerPolicyEngineImpl("perf-test", servicePolicies, engineOptions); + policyEvaluationEngine = new RangerPolicyEngineImpl("perf-test", servicePolicies, policyEngineOptions); requestCount.set(0L); @@ -112,7 +109,7 @@ public class PerfTestEngine { long processedRequestCount = requestCount.getAndIncrement(); - if (isDynamicReorderingEnabled && (processedRequestCount % POLICY_ENGINE_REORDER_AFTER_PROCESSING_REQUESTS_COUNT) == 0) { + if (!disableDynamicPolicyEvalReordering && (processedRequestCount % POLICY_ENGINE_REORDER_AFTER_PROCESSING_REQUESTS_COUNT) == 0) { policyEvaluationEngine.reorderPolicyEvaluators(); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java ---------------------------------------------------------------------- diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java index 321ee69..d6e04ea 100644 --- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java +++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java @@ -26,19 +26,21 @@ public class PerfTestOptions { private final URL servicePoliciesFileURL; private final URL[] requestFileURLs; private final URL statCollectionFileURL; - private final boolean isDynamicReorderingEnabled; + private final boolean isDynamicReorderingDisabled; + private final boolean isTrieLookupPrefixDisabled; private final int concurrentClientCount; private final int iterationsCount; - PerfTestOptions(URL servicePoliciesFileURL, URL[] requestFileURLs, URL statCollectionFileURL, int concurrentClientCount, int iterationsCount, boolean isDynamicReorderingEnabled) { + PerfTestOptions(URL servicePoliciesFileURL, URL[] requestFileURLs, URL statCollectionFileURL, int concurrentClientCount, int iterationsCount, boolean isDynamicReorderingDisabled, boolean isTrieLookupPrefixDisabled) { this.servicePoliciesFileURL = servicePoliciesFileURL; this.requestFileURLs = requestFileURLs; this.statCollectionFileURL = statCollectionFileURL; this.iterationsCount = iterationsCount; this.concurrentClientCount = concurrentClientCount; - this.isDynamicReorderingEnabled = isDynamicReorderingEnabled; + this.isDynamicReorderingDisabled = isDynamicReorderingDisabled; + this.isTrieLookupPrefixDisabled = isTrieLookupPrefixDisabled; } public URL getServicePoliciesFileURL() { @@ -61,5 +63,7 @@ public class PerfTestOptions { return iterationsCount; } - public boolean getIsDynamicReorderingEnabled() { return isDynamicReorderingEnabled; } + public boolean getIsDynamicReorderingDisabled() { return isDynamicReorderingDisabled; } + + public boolean getIsTrieLookupPrefixDisabled() { return isTrieLookupPrefixDisabled; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java ---------------------------------------------------------------------- diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java index 03ea6d0..056c548 100644 --- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java +++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java @@ -21,6 +21,8 @@ package org.apache.ranger.policyengine; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions; +import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; import org.apache.ranger.plugin.util.PerfDataRecorder; import java.io.BufferedReader; @@ -54,7 +56,12 @@ public class RangerPolicyenginePerfTester { URL servicePoliciesFileURL = perfTestOptions.getServicePoliciesFileURL(); - PerfTestEngine perfTestEngine = new PerfTestEngine(servicePoliciesFileURL, perfTestOptions.getIsDynamicReorderingEnabled()); + RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions(); + policyEngineOptions.disableTagPolicyEvaluation = false; + policyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED; + policyEngineOptions.disableTrieLookupPrefilter = perfTestOptions.getIsTrieLookupPrefixDisabled(); + + PerfTestEngine perfTestEngine = new PerfTestEngine(servicePoliciesFileURL, policyEngineOptions, perfTestOptions.getIsDynamicReorderingDisabled()); if (!perfTestEngine.init()) { LOG.error("Error initializing test data. Existing..."); System.exit(1); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index c491021..eea2ad3 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -2263,6 +2263,7 @@ public class ServiceREST { options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true); options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true); options.evaluateDelegateAdminOnly = false; + options.disableTrieLookupPrefilter = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false); ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);
