----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/73301/#review222884 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java Lines 93 (patched) <https://reviews.apache.org/r/73301/#comment312062> iter.next() is already called in previous line. Please review and update. agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java Lines 101 (patched) <https://reviews.apache.org/r/73301/#comment312063> LOG.warn("Unexpected: found existing policy for CHANGE_TYPE_POLICY_CREATE: " + Arrays.toString(deletedPolicies.toArray())); agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java Lines 106 (patched) <https://reviews.apache.org/r/73301/#comment312064> LOG.warn("Unexpected: found no policy or multiple policies for CHANGE_TYPE_POLICY_UPDATE: " + Arrays.toString(deletedPolicies.toArray())); agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java Lines 113 (patched) <https://reviews.apache.org/r/73301/#comment312065> LOG.warn("Unexpected: found no policy or multiple policies for CHANGE_TYPE_POLICY_DELETE: " + Arrays.toString(deletedPolicies.toArray())); security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java Lines 3144 (patched) <https://reviews.apache.org/r/73301/#comment312066> retrievedPolicyVersion is the version of the last policy in the list of deltas. Using this to populate ServicePolicies.policyVesion, #3184, doesn't seem appropriate. Same for retrievedTagPolicyVersion and #3192. security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java Line 369 (original), 363 (patched) <https://reviews.apache.org/r/73301/#comment312068> Consider replacing #363 - #369 with: result = Objects.equals(dbPolicyVersion, cachedPolicyVersion); security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java Line 401 (original), 371 (patched) <https://reviews.apache.org/r/73301/#comment312067> LOG.warn("checkCacheSanity(serviceName=" + serviceName + "): policy cache has incorrect version. policyVersionInDB=" + dbPolicyVersion + ", policyVersionInCache=" + cachedPolicyVersion); security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java Line 167 (original), 169 (patched) <https://reviews.apache.org/r/73301/#comment312061> Would policyId be null for changes that require delta-reset (i.e. full-download) - like changes in service-def (eg. context enrichers), service (eg. tag-service association), service-config (eg. plugin config for superusers/serviceadmins)? If this is an expected case, warn log doesn't seem appropriate. Consider an info level log, like: LOG.info("delta-reset-event: log-record-id=" + logRecordId + "; service-type=" + serviceType + "; policy-change-type=" + policyChangeType + ". Discarding " + ret.size() + " deltas"); - Madhan Neethiraj On April 26, 2021, 5:52 p.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/73301/ > ----------------------------------------------------------- > > (Updated April 26, 2021, 5:52 p.m.) > > > Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan > Periasamy. > > > Bugs: RANGER-3253 > https://issues.apache.org/jira/browse/RANGER-3253 > > > Repository: ranger > > > Description > ------- > > Ranger admin, when incremental policies are enabled, retrieves changes to > policies from database since last provided policy-version and applies these > changes on the cached policies to compute new set of policies. This > computation needs to be more resilient - for example - if a change suggests > that a policy is created, but it already exists in the policy-cache, then it > should not be added again. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java > f92cd3f7b > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java > 4661f79b9 > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java > 4fb71f0b7 > > security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java > 1176e0b9e > security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java > 0a1d1c142 > > > Diff: https://reviews.apache.org/r/73301/diff/1/ > > > Testing > ------- > > Passes all unit tests. > > > Thanks, > > Abhay Kulkarni > >
