You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2016/09/15 19:52:10 UTC
[6/9] incubator-ranger git commit: RANGER-1161: Policy evaluation
optimization by using trie lookup to reduce number policies evaluated
RANGER-1161: Policy evaluation optimization by using trie lookup to reduce number policies evaluated
(cherry picked from commit 480776a9eb2004e3684b1d8f92f29fbeb2815233)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b265605f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b265605f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b265605f
Branch: refs/heads/ranger-0.6
Commit: b265605f5ea532e6f46ad9eafc616509834e9d43
Parents: d79f127
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Aug 24 12:25:39 2016 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Sep 15 12:20:45 2016 -0700
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineImpl.java | 21 +-
.../policyengine/RangerPolicyEngineOptions.java | 1 +
.../policyengine/RangerPolicyRepository.java | 151 ++++++-
.../RangerDefaultPolicyEvaluator.java | 9 +
.../policyevaluator/RangerPolicyEvaluator.java | 6 +
.../RangerDefaultPolicyResourceMatcher.java | 5 +
.../RangerPolicyResourceMatcher.java | 3 +
.../RangerAbstractResourceMatcher.java | 3 +
.../resourcematcher/RangerResourceMatcher.java | 2 +
.../ranger/plugin/service/RangerBasePlugin.java | 1 +
.../ranger/plugin/util/RangerResourceTrie.java | 391 +++++++++++++++++++
.../ranger/policyengine/CommandLineParser.java | 14 +-
.../ranger/policyengine/PerfTestEngine.java | 17 +-
.../ranger/policyengine/PerfTestOptions.java | 12 +-
.../RangerPolicyenginePerfTester.java | 9 +-
.../org/apache/ranger/rest/ServiceREST.java | 1 +
16 files changed, 614 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 661d54f..161e1be 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -313,7 +313,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
RangerDataMaskResult ret = new RangerDataMaskResult(getServiceName(), getServiceDef(), request);
if(request != null) {
- List<RangerPolicyEvaluator> evaluators = policyRepository.getDataMaskPolicyEvaluators();
+ List<RangerPolicyEvaluator> evaluators = policyRepository.getDataMaskPolicyEvaluators(request.getResource());
for (RangerPolicyEvaluator evaluator : evaluators) {
evaluator.evaluate(request, ret);
@@ -355,7 +355,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
RangerRowFilterResult ret = new RangerRowFilterResult(getServiceName(), getServiceDef(), request);
if(request != null) {
- List<RangerPolicyEvaluator> evaluators = policyRepository.getRowFilterPolicyEvaluators();
+ List<RangerPolicyEvaluator> evaluators = policyRepository.getRowFilterPolicyEvaluators(request.getResource());
for (RangerPolicyEvaluator evaluator : evaluators) {
evaluator.evaluate(request, ret);
@@ -400,7 +400,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
boolean ret = false;
- for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
+ for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators(resource)) {
ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType);
if (ret) {
@@ -534,7 +534,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
RangerResourceAccessInfo ret = new RangerResourceAccessInfo(request);
List<RangerPolicyEvaluator> tagPolicyEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators();
- List<RangerPolicyEvaluator> resPolicyEvaluators = policyRepository.getPolicyEvaluators();
if (CollectionUtils.isNotEmpty(tagPolicyEvaluators)) {
List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
@@ -543,13 +542,17 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
for (RangerTag tag : tags) {
RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
- for (RangerPolicyEvaluator evaluator : tagPolicyEvaluators) {
+ List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(tagEvalRequest.getResource());
+
+ for (RangerPolicyEvaluator evaluator : evaluators) {
evaluator.getResourceAccessInfo(tagEvalRequest, ret);
}
}
}
}
+ List<RangerPolicyEvaluator> resPolicyEvaluators = policyRepository.getPolicyEvaluators(request.getResource());
+
if(CollectionUtils.isNotEmpty(resPolicyEvaluators)) {
for (RangerPolicyEvaluator evaluator : resPolicyEvaluators) {
evaluator.getResourceAccessInfo(request, ret);
@@ -596,7 +599,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
ret.setIsAccessDetermined(false); // discard allowed result by tag-policies, to evaluate resource policies for possible deny
}
- List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators();
+ List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(request.getResource());
for (RangerPolicyEvaluator evaluator : evaluators) {
ret.incrementEvaluatedPoliciesCount();
evaluator.evaluate(request, ret);
@@ -632,9 +635,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + result + ")");
}
- List<RangerPolicyEvaluator> evaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators();
+ List<RangerPolicyEvaluator> tagEvaluators = tagPolicyRepository == null ? null : tagPolicyRepository.getPolicyEvaluators();
- if (CollectionUtils.isNotEmpty(evaluators)) {
+ if (CollectionUtils.isNotEmpty(tagEvaluators)) {
List<RangerTag> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
if(CollectionUtils.isNotEmpty(tags)) {
@@ -654,6 +657,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
tagEvalResult.setAuditResultFrom(result);
+ List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(tagEvalRequest.getResource());
+
for (RangerPolicyEvaluator evaluator : evaluators) {
tagEvalResult.incrementEvaluatedPoliciesCount();
if(! evaluator.isMatch(tagEvalRequest.getResource()))
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index 805f5a5..2b2cf9b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -29,4 +29,5 @@ public class RangerPolicyEngineOptions {
public boolean disableCustomConditions = false;
public boolean disableTagPolicyEvaluation = true;
public boolean evaluateDelegateAdminOnly = false;
+ public boolean disableTrieLookupPrefilter = false;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 40fe8b6..d06aecd 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -32,15 +32,18 @@ import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.store.AbstractServiceStore;
import org.apache.ranger.plugin.util.RangerPerfTracer;
+import org.apache.ranger.plugin.util.RangerResourceTrie;
import org.apache.ranger.plugin.util.ServiceDefUtil;
import org.apache.ranger.plugin.util.ServicePolicies;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
+import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Set;
class RangerPolicyRepository {
private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class);
@@ -84,6 +87,10 @@ class RangerPolicyRepository {
private final String componentServiceName;
private final RangerServiceDef componentServiceDef;
+ private final boolean disableTrieLookupPrefilter;
+ private final Map<String, RangerResourceTrie> policyResourceTrie;
+ private final Map<String, RangerResourceTrie> dataMaskResourceTrie;
+ private final Map<String, RangerResourceTrie> rowFilterResourceTrie;
RangerPolicyRepository(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options) {
super();
@@ -125,12 +132,24 @@ class RangerPolicyRepository {
this.accessAuditCache = null;
}
+ this.disableTrieLookupPrefilter = options.disableTrieLookupPrefilter;
+
+ if(this.disableTrieLookupPrefilter) {
+ policyResourceTrie = null;
+ dataMaskResourceTrie = null;
+ rowFilterResourceTrie = null;
+ } else {
+ policyResourceTrie = new HashMap<String, RangerResourceTrie>();
+ dataMaskResourceTrie = new HashMap<String, RangerResourceTrie>();
+ rowFilterResourceTrie = new HashMap<String, RangerResourceTrie>();
+ }
+
if(LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyRepository : building policy-repository for service[" + serviceName
+ "] with auditMode[" + auditModeEnum + "]");
}
- init(options);
+ init(options);
}
RangerPolicyRepository(String appId, ServicePolicies.TagPolicies tagPolicies, RangerPolicyEngineOptions options,
@@ -160,13 +179,24 @@ class RangerPolicyRepository {
this.accessAuditCache = null;
+ this.disableTrieLookupPrefilter = options.disableTrieLookupPrefilter;
+
+ if(this.disableTrieLookupPrefilter) {
+ policyResourceTrie = null;
+ dataMaskResourceTrie = null;
+ rowFilterResourceTrie = null;
+ } else {
+ policyResourceTrie = new HashMap<String, RangerResourceTrie>();
+ dataMaskResourceTrie = new HashMap<String, RangerResourceTrie>();
+ rowFilterResourceTrie = new HashMap<String, RangerResourceTrie>();
+ }
+
if(LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyRepository : building tag-policy-repository for tag service[" + serviceName
+ "] with auditMode[" + auditModeEnum +"]");
}
init(options);
-
}
public String getServiceName() { return serviceName; }
@@ -189,14 +219,85 @@ class RangerPolicyRepository {
return policyEvaluators;
}
+ List<RangerPolicyEvaluator> getPolicyEvaluators(RangerAccessResource resource) {
+ return disableTrieLookupPrefilter ? getPolicyEvaluators() : getPolicyEvaluators(policyResourceTrie, resource);
+ }
+
List<RangerPolicyEvaluator> getDataMaskPolicyEvaluators() {
return dataMaskPolicyEvaluators;
}
+ List<RangerPolicyEvaluator> getDataMaskPolicyEvaluators(RangerAccessResource resource) {
+ return disableTrieLookupPrefilter ? getDataMaskPolicyEvaluators() : getPolicyEvaluators(dataMaskResourceTrie, resource);
+ }
+
List<RangerPolicyEvaluator> getRowFilterPolicyEvaluators() {
return rowFilterPolicyEvaluators;
}
+ List<RangerPolicyEvaluator> getRowFilterPolicyEvaluators(RangerAccessResource resource) {
+ return disableTrieLookupPrefilter ? getRowFilterPolicyEvaluators() : getPolicyEvaluators(rowFilterResourceTrie, resource);
+ }
+
+ private List<RangerPolicyEvaluator> getPolicyEvaluators(Map<String, RangerResourceTrie> resourceTrie, RangerAccessResource resource) {
+ List<RangerPolicyEvaluator> ret = null;
+ Set<String> resourceKeys = resource == null ? null : resource.getKeys();
+
+ if(CollectionUtils.isNotEmpty(resourceKeys)) {
+ boolean isRetModifiable = false;
+
+ for(String resourceName : resourceKeys) {
+ RangerResourceTrie trie = resourceTrie.get(resourceName);
+
+ if(trie == null) { // if no trie exists for this resource level, ignore and continue to next level
+ continue;
+ }
+
+ List<RangerPolicyEvaluator> resourceEvaluators = trie.getPoliciesForResource(resource.getValue(resourceName));
+
+ if(CollectionUtils.isEmpty(resourceEvaluators)) { // no policies for this resource, bail out
+ ret = null;
+ } else if(ret == null) { // initialize ret with policies found for this resource
+ ret = resourceEvaluators;
+ } else { // remove policies from ret that are not in resourceEvaluators
+ if(isRetModifiable) {
+ ret.retainAll(resourceEvaluators);
+ } else {
+ final List<RangerPolicyEvaluator> shorterList;
+ final List<RangerPolicyEvaluator> longerList;
+
+ if (ret.size() < resourceEvaluators.size()) {
+ shorterList = ret;
+ longerList = resourceEvaluators;
+ } else {
+ shorterList = resourceEvaluators;
+ longerList = ret;
+ }
+
+ ret = new ArrayList<>(shorterList);
+ ret.retainAll(longerList);
+ isRetModifiable = true;
+ }
+ }
+
+ if(CollectionUtils.isEmpty(ret)) { // if no policy exists, bail out and return empty list
+ ret = null;
+ break;
+ }
+ }
+ }
+
+ if(ret == null) {
+ ret = Collections.emptyList();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyRepository.getPolicyEvaluators(" + resource.getAsString() + "): evaluatorCount=" + ret.size());
+ }
+
+ return ret;
+ }
+
private RangerServiceDef normalizeAccessTypeDefs(RangerServiceDef serviceDef, final String componentType) {
if (serviceDef != null && StringUtils.isNotBlank(componentType)) {
@@ -428,6 +529,8 @@ class RangerPolicyRepository {
}
this.contextEnrichers = Collections.unmodifiableList(contextEnrichers);
+ initResourceTries();
+
if(LOG.isDebugEnabled()) {
LOG.debug("policy evaluation order: " + this.policyEvaluators.size() + " policies");
@@ -453,6 +556,26 @@ class RangerPolicyRepository {
LOG.debug("rowFilter policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder());
}
+
+ LOG.debug("policyResourceTrie: " + this.policyResourceTrie);
+ LOG.debug("dataMaskResourceTrie: " + this.dataMaskResourceTrie);
+ LOG.debug("rowFilterResourceTrie: " + this.rowFilterResourceTrie);
+ }
+ }
+
+ private void initResourceTries() {
+ if(! this.disableTrieLookupPrefilter) {
+ policyResourceTrie.clear();
+ dataMaskResourceTrie.clear();
+ rowFilterResourceTrie.clear();
+
+ if (serviceDef != null && serviceDef.getResources() != null) {
+ for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) {
+ policyResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, policyEvaluators));
+ dataMaskResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, dataMaskPolicyEvaluators));
+ rowFilterResourceTrie.put(resourceDef.getName(), new RangerResourceTrie(resourceDef, rowFilterPolicyEvaluators));
+ }
+ }
}
}
@@ -609,15 +732,33 @@ class RangerPolicyRepository {
LOG.debug("==> reorderPolicyEvaluators()");
}
- this.policyEvaluators = getReorderedPolicyEvaluators(this.policyEvaluators);
- this.dataMaskPolicyEvaluators = getReorderedPolicyEvaluators(this.dataMaskPolicyEvaluators);
- this.rowFilterPolicyEvaluators = getReorderedPolicyEvaluators(this.rowFilterPolicyEvaluators);
+ if(disableTrieLookupPrefilter) {
+ policyEvaluators = getReorderedPolicyEvaluators(policyEvaluators);
+ dataMaskPolicyEvaluators = getReorderedPolicyEvaluators(dataMaskPolicyEvaluators);
+ rowFilterPolicyEvaluators = getReorderedPolicyEvaluators(rowFilterPolicyEvaluators);
+ } else {
+ reorderPolicyEvaluators(policyResourceTrie);
+ reorderPolicyEvaluators(dataMaskResourceTrie);
+ reorderPolicyEvaluators(rowFilterResourceTrie);
+ }
if (LOG.isDebugEnabled()) {
LOG.debug("<== reorderPolicyEvaluators()");
}
}
+ private void reorderPolicyEvaluators(Map<String, RangerResourceTrie> trieMap) {
+ if(trieMap != null) {
+ for(Map.Entry<String, RangerResourceTrie> entry : trieMap.entrySet()) {
+ RangerResourceTrie trie = entry.getValue();
+
+ if(trie != null) {
+ trie.reorderPolicyEvaluators();
+ }
+ }
+ }
+ }
+
private List<RangerPolicyEvaluator> getReorderedPolicyEvaluators(List<RangerPolicyEvaluator> evaluators) {
List<RangerPolicyEvaluator> ret = evaluators;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index f954ccf..eb46353 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -51,6 +51,7 @@ import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServiceDefUtil;
@@ -77,6 +78,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
@Override
+ public RangerPolicyResourceMatcher getPolicyResourceMatcher() { return resourceMatcher; }
+
+ @Override
+ public RangerResourceMatcher getResourceMatcher(String resourceName) {
+ return resourceMatcher != null ? resourceMatcher.getResourceMatcher(resourceName) : null;
+ }
+
+ @Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index a7dc833..23069cf 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -33,6 +33,8 @@ import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> {
@@ -64,6 +66,10 @@ public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator>
boolean isAuditEnabled();
+ RangerPolicyResourceMatcher getPolicyResourceMatcher();
+
+ RangerResourceMatcher getResourceMatcher(String resourceName);
+
void evaluate(RangerAccessRequest request, RangerAccessResult result);
void evaluate(RangerAccessRequest request, RangerDataMaskResult result);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 733049f..78589cd 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -180,6 +180,11 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
@Override
+ public RangerResourceMatcher getResourceMatcher(String resourceName) {
+ return matchers != null ? matchers.get(resourceName) : null;
+ }
+
+ @Override
public boolean isMatch(RangerAccessResource resource) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyResourceMatcher.isMatch(" + resource + ")");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index 54b9586..80da868 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -25,6 +25,7 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
public interface RangerPolicyResourceMatcher {
void setServiceDef(RangerServiceDef serviceDef);
@@ -35,6 +36,8 @@ public interface RangerPolicyResourceMatcher {
void init();
+ RangerResourceMatcher getResourceMatcher(String resourceName);
+
boolean isMatch(RangerAccessResource resource);
boolean isMatch(Map<String, RangerPolicyResource> resources);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index 329b8e8..574f2eb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -94,6 +94,9 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
}
}
+ @Override
+ public boolean isMatchAny() { return isMatchAny; }
+
protected List<ResourceMatcher> buildResourceMatchers() {
List<ResourceMatcher> ret = new ArrayList<ResourceMatcher> ();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
index c1b3404..8f1cebe 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
@@ -29,6 +29,8 @@ public interface RangerResourceMatcher {
void init();
+ boolean isMatchAny();
+
boolean isMatch(String resource);
boolean isCompleteMatch(String resource);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 760fab7..8e984df 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -133,6 +133,7 @@ public class RangerBasePlugin {
policyEngineOptions.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false);
policyEngineOptions.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false);
policyEngineOptions.disableTagPolicyEvaluation = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false);
+ policyEngineOptions.disableTrieLookupPrefilter = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
RangerAdminClient admin = createAdminClient(serviceName, appId, propertyPrefix);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
new file mode 100644
index 0000000..809c07e
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
@@ -0,0 +1,391 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
+import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+
+public class RangerResourceTrie {
+ private static final Log LOG = LogFactory.getLog(RangerResourceTrie.class);
+
+ private static final String DEFAULT_WILDCARD_CHARS = "*?";
+
+ private final String resourceName;
+ private final boolean optIgnoreCase;
+ private final boolean optWildcard;
+ private final String wildcardChars;
+ private final TrieNode root;
+
+ public RangerResourceTrie(RangerServiceDef.RangerResourceDef resourceDef, List<RangerPolicyEvaluator> evaluators) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerResourceTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + ")");
+ }
+
+ Map<String, String> matcherOptions = resourceDef.getMatcherOptions();
+ String strIgnoreCase = matcherOptions != null ? matcherOptions.get(RangerAbstractResourceMatcher.OPTION_IGNORE_CASE) : null;
+ String strWildcard = matcherOptions != null ? matcherOptions.get(RangerAbstractResourceMatcher.OPTION_WILD_CARD) : null;
+
+ this.resourceName = resourceDef.getName();
+ this.optIgnoreCase = strIgnoreCase != null ? Boolean.parseBoolean(strIgnoreCase) : false;
+ this.optWildcard = strWildcard != null ? Boolean.parseBoolean(strWildcard) : false;;
+ this.wildcardChars = optWildcard ? DEFAULT_WILDCARD_CHARS : "";
+ this.root = new TrieNode(Character.valueOf((char)0));
+
+ for(RangerPolicyEvaluator evaluator : evaluators) {
+ RangerPolicy policy = evaluator.getPolicy();
+ Map<String, RangerPolicyResource> policyResources = policy != null ? policy.getResources() : null;
+ RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null;
+
+ if(policyResource == null) {
+ continue;
+ }
+
+ if(policyResource.getIsExcludes()) {
+ root.addWildcardPolicy(evaluator);
+ } else {
+ RangerResourceMatcher resourceMatcher = evaluator.getResourceMatcher(resourceName);
+
+ if(resourceMatcher != null && resourceMatcher.isMatchAny()) {
+ root.addWildcardPolicy(evaluator);
+ } else {
+ for (String resource : policyResource.getValues()) {
+ insert(resource, policyResource.getIsRecursive(), evaluator);
+ }
+ }
+ }
+ }
+
+ root.postSetup();
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerResourceTrie(" + resourceDef.getName() + ", evaluatorCount=" + evaluators.size() + "): " + toString());
+ }
+ }
+
+ public String getResourceName() {
+ return resourceName;
+ }
+
+ public List<RangerPolicyEvaluator> getPoliciesForResource(String resource) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerResourceTrie.getPoliciesForResource(" + resource + ")");
+ }
+
+ List<RangerPolicyEvaluator> ret = null;
+
+ TrieNode curr = root;
+
+ final int len = resource.length();
+ for(int i = 0; i < len; i++) {
+ Character ch = getLookupChar(resource.charAt(i));
+ TrieNode child = curr.getChild(ch);
+
+ if(child == null) {
+ ret = curr.getWildcardPolicies();
+ curr = null; // so that curr.getPolicies() will not be called below
+ break;
+ }
+
+ curr = child;
+ }
+
+ if(ret == null) {
+ if(curr != null) {
+ ret = curr.getPolicies();
+ }
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerResourceTrie.getPoliciesForResource(" + resource + "): evaluatorCount=" + (ret == null ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
+ public int getNodeCount() {
+ return root.getNodeCount();
+ }
+
+ public int getMaxDepth() {
+ return root.getMaxDepth();
+ }
+
+ public void reorderPolicyEvaluators() {
+ root.reorderPolicyEvaluators();
+ }
+
+ private Character getLookupChar(char ch) {
+ return optIgnoreCase ? Character.valueOf(Character.toLowerCase(ch)) : Character.valueOf(ch);
+ }
+
+ private void insert(String resource, boolean isRecursive, RangerPolicyEvaluator evaluator) {
+ TrieNode curr = root;
+ boolean isWildcard = false;
+
+ if(optIgnoreCase) {
+ resource = resource.toLowerCase();
+ }
+
+ final int len = resource.length();
+ for(int i = 0; i < len; i++) {
+ Character ch = getLookupChar(resource.charAt(i));
+
+ if(optWildcard) {
+ if (wildcardChars.indexOf(ch) != -1) {
+ isWildcard = true;
+ break;
+ }
+ }
+
+ curr = curr.getOrCreateChild(ch);
+ }
+
+ if(isWildcard || isRecursive) {
+ curr.addWildcardPolicy(evaluator);
+ } else {
+ curr.addPolicy(evaluator);
+ }
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+
+ sb.append("nodeCount=").append(getNodeCount());
+ sb.append("; maxDepth=").append(getMaxDepth());
+ sb.append(Character.LINE_SEPARATOR);
+ root.toString("", sb);
+
+ return sb.toString();
+ }
+}
+
+class TrieNode {
+ private final Character c;
+ private Map<Character, TrieNode> children = null;
+ private List<RangerPolicyEvaluator> policies = null;
+ private List<RangerPolicyEvaluator> wildcardPolicies = null;
+
+ TrieNode(Character c) {
+ this.c = c;
+ }
+
+ Character getChar() {
+ return c;
+ }
+
+ Map<Character, TrieNode> getChildren() {
+ return children;
+ }
+
+ List<RangerPolicyEvaluator> getPolicies() {
+ return policies;
+ }
+
+ List<RangerPolicyEvaluator> getWildcardPolicies() {
+ return wildcardPolicies;
+ }
+
+ TrieNode getChild(Character c) {
+ TrieNode ret = children == null ? null : children.get(c);
+
+ return ret;
+ }
+
+ int getNodeCount() {
+ int ret = 1;
+
+ if(children != null) {
+ for(Map.Entry<Character, TrieNode> entry : children.entrySet()) {
+ TrieNode child = entry.getValue();
+
+ ret += child.getNodeCount();
+ }
+ }
+
+ return ret;
+ }
+
+ int getMaxDepth() {
+ int ret = 0;
+
+ if(children != null) {
+ for(Map.Entry<Character, TrieNode> entry : children.entrySet()) {
+ TrieNode child = entry.getValue();
+
+ int maxChildDepth = child.getMaxDepth();
+
+ if(maxChildDepth > ret) {
+ ret = maxChildDepth;
+ }
+ }
+ }
+
+ return ret + 1;
+ }
+
+ TrieNode getOrCreateChild(Character c) {
+ if(children == null) {
+ children = new HashMap<Character, TrieNode>();
+ }
+
+ TrieNode child = children.get(c);
+
+ if(child == null) {
+ child = new TrieNode(c);
+ children.put(c, child);
+ }
+
+ return child;
+ }
+
+ void addPolicy(RangerPolicyEvaluator evaluator) {
+ if(policies == null) {
+ policies = new ArrayList<RangerPolicyEvaluator>();
+ }
+
+ if(!policies.contains(evaluator)) {
+ policies.add(evaluator);
+ }
+ }
+
+ void addPolicies(List<RangerPolicyEvaluator> evaluators) {
+ if(CollectionUtils.isNotEmpty(evaluators)) {
+ for(RangerPolicyEvaluator evaluator : evaluators) {
+ addPolicy(evaluator);
+ }
+ }
+ }
+
+ void addWildcardPolicy(RangerPolicyEvaluator evaluator) {
+ if(wildcardPolicies == null) {
+ wildcardPolicies = new ArrayList<RangerPolicyEvaluator>();
+ }
+
+ if(!wildcardPolicies.contains(evaluator)) {
+ wildcardPolicies.add(evaluator);
+ }
+ }
+
+ void addWildcardPolicies(List<RangerPolicyEvaluator> evaluators) {
+ if(CollectionUtils.isNotEmpty(evaluators)) {
+ for(RangerPolicyEvaluator evaluator : evaluators) {
+ addWildcardPolicy(evaluator);
+ }
+ }
+ }
+
+ void postSetup() {
+ addPolicies(wildcardPolicies);
+
+ if(wildcardPolicies != null) {
+ Collections.sort(wildcardPolicies);
+ }
+
+ if(policies != null) {
+ Collections.sort(policies);
+ }
+
+ if(children != null) {
+ for(Map.Entry<Character, TrieNode> entry : children.entrySet()) {
+ TrieNode child = entry.getValue();
+
+ child.addWildcardPolicies(wildcardPolicies);
+
+ child.postSetup();
+ }
+ }
+ }
+
+ void reorderPolicyEvaluators() {
+ wildcardPolicies = getSortedCopy(wildcardPolicies);
+ policies = getSortedCopy(policies);
+ }
+
+ public void toString(String prefix, StringBuilder sb) {
+ String nodeValue = prefix;
+
+ if(c != 0) {
+ nodeValue += c;
+ }
+
+ sb.append("nodeValue=").append(nodeValue);
+ sb.append("; childCount=").append(children == null ? 0 : children.size());
+ sb.append("; policies=[ ");
+ if(policies != null) {
+ for(RangerPolicyEvaluator evaluator : policies) {
+ sb.append(evaluator.getPolicy().getId()).append(" ");
+ }
+ }
+ sb.append("]");
+
+ sb.append("; wildcardPolicies=[ ");
+ if(wildcardPolicies != null) {
+ for(RangerPolicyEvaluator evaluator : wildcardPolicies) {
+ sb.append(evaluator.getPolicy().getId()).append(" ");
+ }
+ }
+ sb.append("]");
+ sb.append(Character.LINE_SEPARATOR);
+
+ if(children != null) {
+ for(Map.Entry<Character, TrieNode> entry : children.entrySet()) {
+ TrieNode child = entry.getValue();
+
+ child.toString(nodeValue, sb);
+ }
+ }
+ }
+
+ public void clear() {
+ children = null;
+ policies = null;
+ wildcardPolicies = null;
+ }
+
+ private List<RangerPolicyEvaluator> getSortedCopy(List<RangerPolicyEvaluator> evaluators) {
+ final List<RangerPolicyEvaluator> ret;
+
+ if(CollectionUtils.isNotEmpty(evaluators)) {
+ ret = new ArrayList<RangerPolicyEvaluator>(wildcardPolicies);
+
+ Collections.sort(ret);
+ } else {
+ ret = evaluators;
+ }
+
+ return ret;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
index d6c028f..e8edd9e 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
@@ -52,7 +52,8 @@ public class CommandLineParser
private int concurrentClientCount = 1;
private int iterationsCount = 1;
- private boolean isDynamicReorderingEnabled = false;
+ private boolean isDynamicReorderingDisabled = true;
+ private boolean isTrieLookupPrefixDisabled = true;
private Options options = new Options();
@@ -62,7 +63,7 @@ public class CommandLineParser
PerfTestOptions ret = null;
if (parseArguments(args) && validateInputFiles()) {
// Instantiate a data-object and return
- ret = new PerfTestOptions(servicePoliciesFileURL, requestFileURLs, statCollectionFileURL, concurrentClientCount, iterationsCount, isDynamicReorderingEnabled);
+ ret = new PerfTestOptions(servicePoliciesFileURL, requestFileURLs, statCollectionFileURL, concurrentClientCount, iterationsCount, isDynamicReorderingDisabled, isTrieLookupPrefixDisabled);
} else {
showUsage();
}
@@ -98,6 +99,7 @@ public class CommandLineParser
options.addOption("c", "clients", true, "Number of concurrent clients");
options.addOption("n", "cycles", true, "Number of iterations");
options.addOption("o", "optimize", false, "Enable usage-based policy reordering");
+ options.addOption("t", "trie-prefilter", false, "Enable trie-prefilter");
org.apache.commons.cli.CommandLineParser commandLineParser = new DefaultParser();
@@ -125,13 +127,17 @@ public class CommandLineParser
iterationsCount = Integer.parseInt(iterationsOptionValue);
}
if (commandLine.hasOption("o")) {
- isDynamicReorderingEnabled = true;
+ isDynamicReorderingDisabled = false;
+ }
+ if (commandLine.hasOption("t")) {
+ isTrieLookupPrefixDisabled = false;
}
if (LOG.isDebugEnabled()) {
LOG.debug("servicePoliciesFileName=" + servicePoliciesFileName + ", requestFileName=" + Arrays.toString(requestFileNames));
LOG.debug("concurrentClientCount=" + concurrentClientCount + ", iterationsCount=" + iterationsCount);
- LOG.debug("isDynamicReorderingEnabled=" + isDynamicReorderingEnabled);
+ LOG.debug("isDynamicReorderingDisabled=" + isDynamicReorderingDisabled);
+ LOG.debug("isTrieLookupPrefixDisabled=" + isTrieLookupPrefixDisabled);
}
ret = true;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
index cf83260..8d89794 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
@@ -24,7 +24,6 @@ import com.google.gson.GsonBuilder;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.policyengine.*;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.ServicePolicies;
import java.io.InputStream;
@@ -39,13 +38,15 @@ public class PerfTestEngine {
static private final long POLICY_ENGINE_REORDER_AFTER_PROCESSING_REQUESTS_COUNT = 100;
private final URL servicePoliciesFileURL;
- private final boolean isDynamicReorderingEnabled;
+ private final RangerPolicyEngineOptions policyEngineOptions;
private RangerPolicyEngine policyEvaluationEngine;
+ private final boolean disableDynamicPolicyEvalReordering;
private AtomicLong requestCount = new AtomicLong();
- public PerfTestEngine(final URL servicePoliciesFileURL, boolean isDynamicReorderingEnabled) {
+ public PerfTestEngine(final URL servicePoliciesFileURL, RangerPolicyEngineOptions policyEngineOptions, boolean disableDynamicPolicyEvalReordering) {
this.servicePoliciesFileURL = servicePoliciesFileURL;
- this.isDynamicReorderingEnabled = isDynamicReorderingEnabled;
+ this.policyEngineOptions = policyEngineOptions;
+ this.disableDynamicPolicyEvalReordering = disableDynamicPolicyEvalReordering;
}
public boolean init() {
@@ -70,11 +71,7 @@ public class PerfTestEngine {
servicePolicies = gsonBuilder.fromJson(reader, ServicePolicies.class);
- RangerPolicyEngineOptions engineOptions = new RangerPolicyEngineOptions();
- engineOptions.disableTagPolicyEvaluation = false;
- engineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
-
- policyEvaluationEngine = new RangerPolicyEngineImpl("perf-test", servicePolicies, engineOptions);
+ policyEvaluationEngine = new RangerPolicyEngineImpl("perf-test", servicePolicies, policyEngineOptions);
requestCount.set(0L);
@@ -112,7 +109,7 @@ public class PerfTestEngine {
long processedRequestCount = requestCount.getAndIncrement();
- if (isDynamicReorderingEnabled && (processedRequestCount % POLICY_ENGINE_REORDER_AFTER_PROCESSING_REQUESTS_COUNT) == 0) {
+ if (!disableDynamicPolicyEvalReordering && (processedRequestCount % POLICY_ENGINE_REORDER_AFTER_PROCESSING_REQUESTS_COUNT) == 0) {
policyEvaluationEngine.reorderPolicyEvaluators();
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java
index 321ee69..d6e04ea 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java
@@ -26,19 +26,21 @@ public class PerfTestOptions {
private final URL servicePoliciesFileURL;
private final URL[] requestFileURLs;
private final URL statCollectionFileURL;
- private final boolean isDynamicReorderingEnabled;
+ private final boolean isDynamicReorderingDisabled;
+ private final boolean isTrieLookupPrefixDisabled;
private final int concurrentClientCount;
private final int iterationsCount;
- PerfTestOptions(URL servicePoliciesFileURL, URL[] requestFileURLs, URL statCollectionFileURL, int concurrentClientCount, int iterationsCount, boolean isDynamicReorderingEnabled) {
+ PerfTestOptions(URL servicePoliciesFileURL, URL[] requestFileURLs, URL statCollectionFileURL, int concurrentClientCount, int iterationsCount, boolean isDynamicReorderingDisabled, boolean isTrieLookupPrefixDisabled) {
this.servicePoliciesFileURL = servicePoliciesFileURL;
this.requestFileURLs = requestFileURLs;
this.statCollectionFileURL = statCollectionFileURL;
this.iterationsCount = iterationsCount;
this.concurrentClientCount = concurrentClientCount;
- this.isDynamicReorderingEnabled = isDynamicReorderingEnabled;
+ this.isDynamicReorderingDisabled = isDynamicReorderingDisabled;
+ this.isTrieLookupPrefixDisabled = isTrieLookupPrefixDisabled;
}
public URL getServicePoliciesFileURL() {
@@ -61,5 +63,7 @@ public class PerfTestOptions {
return iterationsCount;
}
- public boolean getIsDynamicReorderingEnabled() { return isDynamicReorderingEnabled; }
+ public boolean getIsDynamicReorderingDisabled() { return isDynamicReorderingDisabled; }
+
+ public boolean getIsTrieLookupPrefixDisabled() { return isTrieLookupPrefixDisabled; }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
index 03ea6d0..056c548 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
@@ -21,6 +21,8 @@ package org.apache.ranger.policyengine;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.PerfDataRecorder;
import java.io.BufferedReader;
@@ -54,7 +56,12 @@ public class RangerPolicyenginePerfTester {
URL servicePoliciesFileURL = perfTestOptions.getServicePoliciesFileURL();
- PerfTestEngine perfTestEngine = new PerfTestEngine(servicePoliciesFileURL, perfTestOptions.getIsDynamicReorderingEnabled());
+ RangerPolicyEngineOptions policyEngineOptions = new RangerPolicyEngineOptions();
+ policyEngineOptions.disableTagPolicyEvaluation = false;
+ policyEngineOptions.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ policyEngineOptions.disableTrieLookupPrefilter = perfTestOptions.getIsTrieLookupPrefixDisabled();
+
+ PerfTestEngine perfTestEngine = new PerfTestEngine(servicePoliciesFileURL, policyEngineOptions, perfTestOptions.getIsDynamicReorderingDisabled());
if (!perfTestEngine.init()) {
LOG.error("Error initializing test data. Existing...");
System.exit(1);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b265605f/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index c491021..eea2ad3 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -2263,6 +2263,7 @@ public class ServiceREST {
options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
options.evaluateDelegateAdminOnly = false;
+ options.disableTrieLookupPrefilter = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);