You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2016/03/20 19:30:04 UTC
[1/8] incubator-ranger git commit: RANGER-794 - commit id
fbf4f3533d0c39d018d2ac92538f77761ca461d3
Repository: incubator-ranger
Updated Branches:
refs/heads/ranger-0.5 9578a683a -> 9e49cc688
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/src/main/assembly/ranger-tools.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/ranger-tools.xml b/src/main/assembly/ranger-tools.xml
new file mode 100644
index 0000000..283891a
--- /dev/null
+++ b/src/main/assembly/ranger-tools.xml
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<assembly>
+ <id>ranger-tools</id>
+ <formats>
+ <format>tar.gz</format>
+ <format>zip</format>
+ </formats>
+ <baseDirectory>${project.name}-${project.version}-ranger-tools</baseDirectory>
+ <includeBaseDirectory>true</includeBaseDirectory>
+ <moduleSets>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>true</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/lib</outputDirectory>
+ <includes>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-logging:commons-logging:jar:${commons.logging.version}</include>
+ <include>commons-lang:commons-lang</include>
+ <include>com.google.code.gson:gson</include>
+ <include>log4j:log4j</include>
+ <include>commons-configuration:commons-configuration:jar:${commons.configuration.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
+ <include>org.apache.hadoop:hadoop-common-plus:jar:${hadoop-common.version}</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version}</include>
+ <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
+ <include>org.eclipse.persistence:eclipselink</include>
+ <include>org.eclipse.persistence:javax.persistence</include>
+ <include>commons-collections:commons-collections</include>
+ <include>com.sun.jersey:jersey-bundle</include>
+ <include>commons-io:commons-io</include>
+ <include>com.google.guava:guava:jar:${google.guava.version}</include>
+ <include>org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version}</include>
+ <include>org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version}</include>
+ <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include>
+ <include>org.noggit:noggit:jar:${noggit.version}</include>
+ <include>org.codehaus.jackson:jackson-core-asl</include>
+ <include>org.codehaus.jackson:jackson-jaxrs</include>
+ <include>org.codehaus.jackson:jackson-mapper-asl</include>
+ <include>org.codehaus.jackson:jackson-xc</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
+ <include>org.apache.ranger:ranger-plugins-audit</include>
+
+ </includes>
+ <unpack>false</unpack>
+ </dependencySet>
+ </dependencySets>
+ <outputDirectory>/dist</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-tools</include>
+ </includes>
+ </moduleSet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/lib</outputDirectory>
+ <includes>
+ <include>org.apache.ranger:credentialbuilder</include>
+ <include>org.apache.ranger:ranger-util</include>
+ </includes>
+ <unpack>false</unpack>
+ </dependencySet>
+ </dependencySets>
+ <outputDirectory>/lib</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:credentialbuilder</include>
+ <include>org.apache.ranger:ranger-util</include>
+ </includes>
+ </moduleSet>
+ </moduleSets>
+ <fileSets>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/conf</outputDirectory>
+ <directory>ranger-tools/conf</directory>
+ </fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/testdata</outputDirectory>
+ <directory>ranger-tools/testdata</directory>
+ </fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <outputDirectory>/</outputDirectory>
+ <directory>${project.build.directory}</directory>
+ <includes>
+ <include>version</include>
+ </includes>
+ <fileMode>444</fileMode>
+ </fileSet>
+ </fileSets>
+ <files>
+ <file>
+ <source>ranger-tools/scripts/ranger-perftester.sh</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>ranger-perftester.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>ranger-tools/scripts/README.txt</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>README.txt</destName>
+ <fileMode>644</fileMode>
+ </file>
+ </files>
+</assembly>
[7/8] incubator-ranger git commit: RANGER-836: commit id
4e2e83eef660fae5287d4d1dc7bbea68015445ee
Posted by ma...@apache.org.
RANGER-836: commit id 4e2e83eef660fae5287d4d1dc7bbea68015445ee
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d3a2964f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d3a2964f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d3a2964f
Branch: refs/heads/ranger-0.5
Commit: d3a2964fb7001ddc526d2d3eff9445ebc736c4d2
Parents: 36fbb78
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Sun Mar 20 10:50:21 2016 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Sun Mar 20 11:16:49 2016 -0700
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineImpl.java | 25 ++
.../policyengine/RangerPolicyEngineOptions.java | 2 +-
.../policyengine/RangerPolicyRepository.java | 91 +++++-
.../policyevaluator/RangerPolicyEvaluator.java | 2 +-
.../ranger/plugin/service/RangerBasePlugin.java | 2 +-
.../ranger/plugin/store/ServiceStore.java | 5 +
.../plugin/store/file/ServiceFileStore.java | 17 +-
.../plugin/store/rest/ServiceRESTStore.java | 16 +
.../org/apache/ranger/biz/ServiceDBStore.java | 93 ++++--
.../common/RangerServicePoliciesCache.java | 298 +++++++++++++++++++
.../org/apache/ranger/rest/ServiceREST.java | 2 +-
11 files changed, 515 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index c276d5a..55ae785 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -20,8 +20,10 @@
package org.apache.ranger.plugin.policyengine;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -45,6 +47,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private static final Log PERF_POLICYENGINE_AUDIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.audit");
private static final Log PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request");
+ private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 500;
+
private final RangerPolicyRepository policyRepository;
@@ -67,6 +71,27 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
options = new RangerPolicyEngineOptions();
}
+ if(StringUtils.isBlank(options.evaluatorType) || StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
+
+ String serviceType = servicePolicies.getServiceDef().getName();
+ String propertyName = "ranger.plugin." + serviceType + ".policyengine.evaluator.auto.maximum.policycount.for.cache.type";
+
+ int thresholdForUsingOptimizedEvaluator = RangerConfiguration.getInstance().getInt(propertyName, MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR);
+
+ int servicePoliciesCount = servicePolicies.getPolicies().size();
+
+ if (servicePoliciesCount > thresholdForUsingOptimizedEvaluator) {
+ options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ } else {
+ options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
+ }
+ } else if (StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) {
+ options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
+ } else {
+ // All other cases
+ options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ }
+
policyRepository = new RangerPolicyRepository(servicePolicies, options);
RangerPerfTracer.log(perf);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index a5c1dfb..3289661 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -23,7 +23,7 @@ import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
public class RangerPolicyEngineOptions {
- public String evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED;
+ public String evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO;
public boolean cacheAuditResults = true;
public boolean disableContextEnrichers = false;
public boolean disableCustomConditions = false;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 1f422c5..595c324 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -49,8 +49,8 @@ public class RangerPolicyRepository {
private final RangerServiceDef serviceDef;
private final List<RangerPolicy> policies;
private final long policyVersion;
- private final List<RangerContextEnricher> contextEnrichers;
- private final List<RangerPolicyEvaluator> policyEvaluators;
+ private List<RangerContextEnricher> contextEnrichers;
+ private List<RangerPolicyEvaluator> policyEvaluators;
private final Map<String, Boolean> accessAuditCache;
private static int RANGER_POLICYENGINE_AUDITRESULT_CACHE_SIZE = 64*1024;
@@ -130,6 +130,85 @@ public class RangerPolicyRepository {
return policyEvaluators;
}
+ public static boolean isDelegateAdminPolicy(RangerPolicy policy) {
+ boolean ret = false;
+
+ ret = hasDelegateAdminItems(policy.getPolicyItems());
+
+ return ret;
+ }
+
+ private static boolean hasDelegateAdminItems(List<RangerPolicy.RangerPolicyItem> items) {
+ boolean ret = false;
+
+ if (CollectionUtils.isNotEmpty(items)) {
+ for (RangerPolicy.RangerPolicyItem item : items) {
+ if(item.getDelegateAdmin()) {
+ ret = true;
+
+ break;
+ }
+ }
+ }
+ return ret;
+ }
+
+ private static boolean skipBuildingPolicyEvaluator(RangerPolicy policy, RangerPolicyEngineOptions options) {
+ boolean ret = false;
+ if (!policy.getIsEnabled()) {
+ ret = true;
+ }
+ return ret;
+ }
+
+ private void init(RangerPolicyEngineOptions options) {
+
+ List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
+
+ for (RangerPolicy policy : policies) {
+ if (skipBuildingPolicyEvaluator(policy, options)) {
+ continue;
+ }
+
+ RangerPolicyEvaluator evaluator = buildPolicyEvaluator(policy, serviceDef, options);
+
+ if (evaluator != null) {
+ policyEvaluators.add(evaluator);
+ }
+ }
+ Collections.sort(policyEvaluators);
+ this.policyEvaluators = Collections.unmodifiableList(policyEvaluators);
+
+ List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
+ if (CollectionUtils.isNotEmpty(this.policyEvaluators)) {
+ if (!options.disableContextEnrichers && !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) {
+ for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) {
+ if (enricherDef == null) {
+ continue;
+ }
+
+ RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef);
+
+ if (contextEnricher != null) {
+ contextEnrichers.add(contextEnricher);
+ }
+ }
+ }
+ }
+ this.contextEnrichers = Collections.unmodifiableList(contextEnrichers);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("policy evaluation order: " + this.policyEvaluators.size() + " policies");
+
+ int order = 0;
+ for(RangerPolicyEvaluator policyEvaluator : this.policyEvaluators) {
+ RangerPolicy policy = policyEvaluator.getPolicy();
+
+ LOG.debug("policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder());
+ }
+ }
+ }
+
private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyRepository.buildContextEnricher(" + enricherDef + ")");
@@ -178,14 +257,10 @@ public class RangerPolicyRepository {
scrubPolicy(policy);
RangerPolicyEvaluator ret = null;
- if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT)) {
- ret = new RangerDefaultPolicyEvaluator();
- } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED)) {
- ret = new RangerOptimizedPolicyEvaluator();
- } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) {
+ if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED)) {
ret = new RangerCachedPolicyEvaluator();
} else {
- ret = new RangerDefaultPolicyEvaluator();
+ ret = new RangerOptimizedPolicyEvaluator();
}
ret.init(policy, serviceDef, options);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 624ff1c..e6ec2ad 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -32,7 +32,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
public interface RangerPolicyEvaluator extends Comparable<RangerPolicyEvaluator> {
- public static final String EVALUATOR_TYPE_DEFAULT = "default";
+ public static final String EVALUATOR_TYPE_AUTO = "auto";
public static final String EVALUATOR_TYPE_OPTIMIZED = "optimized";
public static final String EVALUATOR_TYPE_CACHED = "cached";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 2afe0e6..5f98b79 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -94,7 +94,7 @@ public class RangerBasePlugin {
serviceName = RangerConfiguration.getInstance().get(propertyPrefix + ".service.name");
- policyEngineOptions.evaluatorType = RangerConfiguration.getInstance().get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_CACHED);
+ policyEngineOptions.evaluatorType = RangerConfiguration.getInstance().get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO);
policyEngineOptions.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true);
policyEngineOptions.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false);
policyEngineOptions.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
index 7957dbf..37108b1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java
@@ -74,6 +74,11 @@ public interface ServiceStore {
ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long lastKnownVersion) throws Exception;
+
+ Long getServicePolicyVersion(String serviceName);
+
+ ServicePolicies getServicePolicies(String serviceName) throws Exception;
+
void setPopulateExistingBaseFields(Boolean populateExistingBaseFields);
Boolean getPopulateExistingBaseFields();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
index 751c3b3..f040bd1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
@@ -758,6 +758,10 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore {
return ret;
}
+ @Override
+ public ServicePolicies getServicePolicies(String serviceName) throws Exception {
+ return getServicePoliciesIfUpdated(serviceName, -1L);
+ }
private void handleServiceRename(RangerService service, String oldName) throws Exception {
List<RangerPolicy> policies = getAllPolicies();
@@ -766,7 +770,6 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore {
for(RangerPolicy policy : policies) {
if(StringUtils.equalsIgnoreCase(policy.getService(), oldName)) {
policy.setService(service.getName());
-
preUpdate(policy);
saveToFile(policy, service.getId(), true);
@@ -954,4 +957,16 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore {
public Boolean getPopulateExistingBaseFields() {
return populateExistingBaseFields;
}
+
+ @Override
+ public Long getServicePolicyVersion(String serviceName) {
+ RangerService service = null;
+ try {
+ service = getServiceByName(serviceName);
+ } catch (Exception exception) {
+ LOG.error("Failed to get service object for service:" + serviceName);
+ }
+ return service != null ? service.getPolicyVersion() : null;
+ }
+
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
index 6c4804d..05c0c76 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
@@ -596,6 +596,11 @@ public class ServiceRESTStore implements ServiceStore {
return ret;
}
+ @Override
+ public ServicePolicies getServicePolicies(String serviceName) throws Exception {
+ return getServicePoliciesIfUpdated(serviceName, -1L);
+ }
+
private WebResource createWebResource(String url) {
return createWebResource(url, null);
}
@@ -629,4 +634,15 @@ public class ServiceRESTStore implements ServiceStore {
public Boolean getPopulateExistingBaseFields() {
return populateExistingBaseFields;
}
+
+ @Override
+ public Long getServicePolicyVersion(String serviceName) {
+ RangerService service = null;
+ try {
+ service = getServiceByName(serviceName);
+ } catch (Exception exception) {
+ LOG.error("Failed to get service object for service:" + serviceName);
+ }
+ return service != null ? service.getPolicyVersion() : null;
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 199d041..6774170 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -19,12 +19,7 @@
package org.apache.ranger.biz;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
import java.util.Map.Entry;
import javax.annotation.PostConstruct;
@@ -39,7 +34,7 @@ import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.PasswordUtils;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerCommonEnums;
-import org.apache.ranger.common.RangerConstants;
+import org.apache.ranger.common.*;
import org.apache.ranger.common.RangerFactory;
import org.apache.ranger.common.StringUtil;
import org.apache.ranger.common.UserSessionBase;
@@ -190,7 +185,8 @@ public class ServiceDBStore implements ServiceStore {
public static final String CONFIG_KEY_PASSWORD = "password";
private ServicePredicateUtil predicateUtil = null;
-
+
+
@Override
public void init() throws Exception {
if (LOG.isDebugEnabled()) {
@@ -1493,7 +1489,7 @@ public class ServiceDBStore implements ServiceStore {
bizUtil.createTrxLog(trxLogList);
- LOG.info("Policy Deleted Successfully. PolicyName : " +policyName);
+ LOG.info("Policy Deleted Successfully. PolicyName : " + policyName);
}
@Override
@@ -1642,7 +1638,7 @@ public class ServiceDBStore implements ServiceStore {
@Override
public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long lastKnownVersion) throws Exception {
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
}
@@ -1650,31 +1646,78 @@ public class ServiceDBStore implements ServiceStore {
XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName);
+ if (serviceDbObj == null) {
+ throw new Exception("service does not exist. name=" + serviceName);
+ }
+
+ if (lastKnownVersion == null || serviceDbObj.getPolicyVersion() == null || !lastKnownVersion.equals(serviceDbObj.getPolicyVersion())) {
+ ret = RangerServicePoliciesCache.getInstance().getServicePolicies(serviceName, this);
+ }
+
+ if (ret != null && lastKnownVersion != null && lastKnownVersion.equals(ret.getPolicyVersion())) {
+ // ServicePolicies are not changed
+ ret = null;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ RangerServicePoliciesCache.getInstance().dump();
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceDBStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
+ }
+
+ return ret;
+ }
+
+ @Override
+ public Long getServicePolicyVersion(String serviceName) {
+
+ XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName);
+
+ return serviceDbObj != null ? serviceDbObj.getPolicyVersion() : null;
+ }
+
+ @Override
+ public ServicePolicies getServicePolicies(String serviceName) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceName + ")");
+ }
+
+ ServicePolicies ret = null;
+
+ XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName);
+
if(serviceDbObj == null) {
throw new Exception("service does not exist. name=" + serviceName);
}
- if(lastKnownVersion == null || serviceDbObj.getPolicyVersion() == null || !lastKnownVersion.equals(serviceDbObj.getPolicyVersion())) {
- RangerServiceDef serviceDef = getServiceDef(serviceDbObj.getType());
+ RangerServiceDef serviceDef = getServiceDef(serviceDbObj.getType());
- if(serviceDef == null) {
- throw new Exception("service-def does not exist. id=" + serviceDbObj.getType());
- }
+ if (serviceDef == null) {
+ throw new Exception("service-def does not exist. id=" + serviceDbObj.getType());
+ }
+ List<RangerPolicy> policies = null;
- List<RangerPolicy> policies = getServicePolicies(serviceDbObj);
+ if (serviceDbObj.getIsenabled()) {
- ret = new ServicePolicies();
+ policies = getServicePolicies(serviceDbObj);
- ret.setServiceId(serviceDbObj.getId());
- ret.setServiceName(serviceDbObj.getName());
- ret.setPolicyVersion(serviceDbObj.getPolicyVersion());
- ret.setPolicyUpdateTime(serviceDbObj.getPolicyUpdateTime());
- ret.setPolicies(policies);
- ret.setServiceDef(serviceDef);
+ } else {
+ policies = new ArrayList<RangerPolicy>();
}
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceDBStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
+ ret = new ServicePolicies();
+
+ ret.setServiceId(serviceDbObj.getId());
+ ret.setServiceName(serviceDbObj.getName());
+ ret.setPolicyVersion(serviceDbObj.getPolicyVersion());
+ ret.setPolicyUpdateTime(serviceDbObj.getPolicyUpdateTime());
+ ret.setPolicies(policies);
+ ret.setServiceDef(serviceDef);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
}
return ret;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
new file mode 100644
index 0000000..6c8cbff
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
@@ -0,0 +1,298 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.common;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.store.ServiceStore;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.util.ServicePolicies;
+
+import java.util.*;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.locks.ReentrantLock;
+
+public class RangerServicePoliciesCache {
+ private static final Log LOG = LogFactory.getLog(RangerServicePoliciesCache.class);
+
+ private static volatile RangerServicePoliciesCache sInstance = null;
+ private final boolean useServicePoliciesCache;
+ private final int waitTimeInSeconds;
+
+ private final Map<String, ServicePoliciesWrapper> servicePoliciesMap = new HashMap<String, ServicePoliciesWrapper>();
+
+ public static RangerServicePoliciesCache getInstance() {
+ if (sInstance == null) {
+ synchronized (RangerServicePoliciesCache.class) {
+ if (sInstance == null) {
+ sInstance = new RangerServicePoliciesCache();
+ }
+ }
+ }
+ return sInstance;
+ }
+
+ private RangerServicePoliciesCache() {
+ useServicePoliciesCache = RangerConfiguration.getInstance().getBoolean("ranger.admin.policy.download.usecache", true);
+ waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.policy.download.cache.max.waittime.for.update", 20);
+ }
+
+ public void dump() {
+
+ if (useServicePoliciesCache) {
+ Set<String> serviceNames = null;
+
+ synchronized (this) {
+ serviceNames = servicePoliciesMap.keySet();
+ }
+
+ if (CollectionUtils.isNotEmpty(serviceNames)) {
+ ServicePoliciesWrapper cachedServicePoliciesWrapper = null;
+
+ for (String serviceName : serviceNames) {
+ cachedServicePoliciesWrapper = servicePoliciesMap.get(serviceName);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("serviceName:" + serviceName + ", Cached-MetaData:" + cachedServicePoliciesWrapper);
+ }
+ }
+ }
+ }
+ }
+
+ public ServicePolicies getServicePolicies(String serviceName) {
+
+ ServicePolicies ret = null;
+
+ if (useServicePoliciesCache && StringUtils.isNotBlank(serviceName)) {
+ ServicePoliciesWrapper cachedServicePoliciesWrapper = null;
+ synchronized (this) {
+ cachedServicePoliciesWrapper = servicePoliciesMap.get(serviceName);
+ }
+ if (cachedServicePoliciesWrapper != null) {
+ ret = cachedServicePoliciesWrapper.getServicePolicies();
+ }
+ }
+
+ return ret;
+ }
+
+ public ServicePolicies getServicePolicies(String serviceName, ServiceStore serviceStore) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServicePoliciesCache.getServicePolicies(" + serviceName + ")");
+ }
+
+ ServicePolicies ret = null;
+
+ if (StringUtils.isNotBlank(serviceName)) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("useServicePoliciesCache=" + useServicePoliciesCache);
+ }
+
+ ServicePolicies servicePolicies = null;
+
+ if (!useServicePoliciesCache) {
+ if (serviceStore != null) {
+ try {
+ servicePolicies = serviceStore.getServicePolicies(serviceName);
+ } catch (Exception exception) {
+ LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies from service-store", exception);
+ }
+ } else {
+ LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies as service-store is null!");
+ }
+ } else {
+ ServicePoliciesWrapper servicePoliciesWrapper = null;
+
+ synchronized (this) {
+ servicePoliciesWrapper = servicePoliciesMap.get(serviceName);
+
+ if (servicePoliciesWrapper == null) {
+ servicePoliciesWrapper = new ServicePoliciesWrapper();
+ servicePoliciesMap.put(serviceName, servicePoliciesWrapper);
+ }
+ }
+
+ if (serviceStore != null) {
+ boolean refreshed = servicePoliciesWrapper.getLatestOrCached(serviceName, serviceStore);
+ LOG.info("tryRefreshFromStore returned " + refreshed);
+ } else {
+ LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies as service-store is null!");
+ }
+
+ servicePolicies = servicePoliciesWrapper.getServicePolicies();
+ }
+
+ ret = servicePolicies;
+
+ } else {
+ LOG.error("getServicePolicies() failed to get policies as serviceName is null or blank!");
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServicePoliciesCache.getServicePolicies(" + serviceName + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
+ }
+
+ return ret;
+ }
+
+ private class ServicePoliciesWrapper {
+ ServicePolicies servicePolicies;
+ Date updateTime = null;
+ long longestDbLoadTimeInMs = -1;
+
+ ReentrantLock lock = new ReentrantLock();
+
+ ServicePoliciesWrapper() {
+ servicePolicies = null;
+ }
+
+ ServicePolicies getServicePolicies() {
+ return servicePolicies;
+ }
+
+ Date getUpdateTime() {
+ return updateTime;
+ }
+
+ long getLongestDbLoadTimeInMs() {
+ return longestDbLoadTimeInMs;
+ }
+
+ boolean getLatestOrCached(String serviceName, ServiceStore serviceStore) {
+ boolean ret = false;
+
+ try {
+ ret = lock.tryLock(waitTimeInSeconds, TimeUnit.SECONDS);
+ if (ret) {
+ getLatest(serviceName, serviceStore);
+ }
+ } catch (InterruptedException exception) {
+ LOG.error("tryRefreshFromStore:lock got interrupted..", exception);
+ } finally {
+ if (ret) {
+ lock.unlock();
+ }
+ }
+
+ return ret;
+ }
+
+ void getLatest(String serviceName, ServiceStore serviceStore) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServicePoliciesWrapper.getLatest(" + serviceName + ")");
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Found ServicePolicies in-cache : " + (servicePolicies != null));
+ }
+
+ Long servicePolicyVersionInDb = serviceStore.getServicePolicyVersion(serviceName);
+
+
+ if (servicePolicies == null || servicePolicyVersionInDb == null || !servicePolicyVersionInDb.equals(servicePolicies.getPolicyVersion())) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("loading servicePolicies from db ... cachedServicePoliciesVersion=" + (servicePolicies != null ? servicePolicies.getPolicyVersion() : null) + ", servicePolicyVersionInDb=" + servicePolicyVersionInDb);
+ }
+
+ ServicePolicies servicePoliciesFromDb = null;
+
+ try {
+ long startTimeMs = System.currentTimeMillis();
+
+ servicePoliciesFromDb = serviceStore.getServicePolicies(serviceName);
+
+ long dbLoadTime = System.currentTimeMillis() - startTimeMs;
+
+ if (dbLoadTime > longestDbLoadTimeInMs) {
+ longestDbLoadTimeInMs = dbLoadTime;
+ }
+ updateTime = new Date();
+ } catch (Exception exception) {
+ LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies from service-store", exception);
+ }
+
+ if (servicePoliciesFromDb != null) {
+ if (servicePoliciesFromDb.getPolicyVersion() == null) {
+ servicePoliciesFromDb.setPolicyVersion(0L);
+ }
+ servicePolicies = servicePoliciesFromDb;
+ pruneUnusedAttributes();
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServicePoliciesWrapper.getLatest(" + serviceName + ")");
+ }
+ }
+
+ private void pruneUnusedAttributes() {
+ if (servicePolicies != null) {
+ pruneUnusedPolicyAttributes(servicePolicies.getPolicies());
+ }
+ }
+
+ private void pruneUnusedPolicyAttributes(List<RangerPolicy> policies) {
+
+ // Null out attributes not required by plug-ins
+ if (CollectionUtils.isNotEmpty(policies)) {
+ for (RangerPolicy policy : policies) {
+ policy.setCreatedBy(null);
+ policy.setCreateTime(null);
+ policy.setUpdatedBy(null);
+ policy.setUpdateTime(null);
+ policy.setGuid(null);
+ policy.setName(null);
+ policy.setDescription(null);
+ policy.setResourceSignature(null);
+ }
+ }
+ }
+
+ StringBuilder toString(StringBuilder sb) {
+ sb.append("RangerServicePoliciesWrapper={");
+
+ sb.append("updateTime=").append(updateTime)
+ .append(", longestDbLoadTimeInMs=").append(longestDbLoadTimeInMs)
+ .append(", Service-Version:").append(servicePolicies != null ? servicePolicies.getPolicyVersion() : "null")
+ .append(", Number-Of-Policies:").append(servicePolicies != null ? servicePolicies.getPolicies().size() : 0);
+
+ sb.append("} ");
+
+ return sb;
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+
+ toString(sb);
+
+ return sb.toString();
+ }
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d3a2964f/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index f744684..40628bb 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1906,7 +1906,7 @@ public class ServiceREST {
String propertyPrefix = "ranger.admin";
- options.evaluatorType = RangerConfiguration.getInstance().get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED);
+ options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
options.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
[4/8] incubator-ranger git commit: RANGER-794: ranger-perf tool: fix
README.txt and location of the logfile used in unit test - commit id
5f79eec5097b0d7688159ccc579ae1117273686f
Posted by ma...@apache.org.
RANGER-794: ranger-perf tool: fix README.txt and location of the logfile used in unit test - commit id 5f79eec5097b0d7688159ccc579ae1117273686f
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e72cb201
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e72cb201
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e72cb201
Branch: refs/heads/ranger-0.5
Commit: e72cb201db7d7f8cefb6cb30cfacc161c5629dd1
Parents: 927b0b5
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Dec 21 18:41:32 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Sun Mar 20 10:34:24 2016 -0700
----------------------------------------------------------------------
ranger-tools/scripts/README.txt | 8 ++++----
ranger-tools/src/test/resources/log4j.properties | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e72cb201/ranger-tools/scripts/README.txt
----------------------------------------------------------------------
diff --git a/ranger-tools/scripts/README.txt b/ranger-tools/scripts/README.txt
index 282a306..dda6fd1 100644
--- a/ranger-tools/scripts/README.txt
+++ b/ranger-tools/scripts/README.txt
@@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-This file describes how to build, unpackage and run the performance testing tool.
+This file describes how to build, setup, configure and run the performance testing tool.
1. Build Apache Ranger using the following command.
% mvn clean compile package assembly:assembly
@@ -42,7 +42,7 @@ This file describes how to build, unpackage and run the performance testing tool
4. % cd ranger-0.5.0-ranger-tools
-5. Setup configuration
+5. Configure the policies and requests to use in the test run
Following sample data files are packaged with the perf-tool:
service-policies - testdata/test_servicepolicies_hive.json
@@ -53,12 +53,12 @@ This file describes how to build, unpackage and run the performance testing tool
Update conf/log4j.properties to specify the filename where perf run results will be written to. Property to update is 'ranger.perf.logger'.
-5. Run the tool with the command,
+6. Run the tool with the following command
% ./ranger-perftester.sh -s <service-policies-file> -r <requests-file> -p <profiled-modules-file> -c <number-of-concurrent-clients> -n <number-of-times-requests-file-to-be-run>
Example:
% ./ranger-perftester.sh -s testdata/test_servicepolicies_hive.json -r testdata/test_requests_hive.json -p testdata/test_modules.txt -c 2 -n 1
-6. At the end of the run, the performance-statistics are printed in the log file in conf/log4j.properties file.
+7. At the end of the run, the performance-statistics are printed on the console and in the log specified file in conf/log4j.properties file.
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e72cb201/ranger-tools/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/resources/log4j.properties b/ranger-tools/src/test/resources/log4j.properties
index a9a8881..abf617e 100644
--- a/ranger-tools/src/test/resources/log4j.properties
+++ b/ranger-tools/src/test/resources/log4j.properties
@@ -38,7 +38,7 @@ log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %L
# ranger.perf log level
#
ranger.perf.logger=DEBUG,PERF
-ranger.perf.log.file=/tmp/ranger-perf-test.log
+ranger.perf.log.file=${java.io.tmpdir}/ranger-perf-test.log
log4j.logger.ranger.perf=${ranger.perf.logger}
log4j.additivity.ranger.perf=false
[3/8] incubator-ranger git commit: RANGER-794 - commit id
fbf4f3533d0c39d018d2ac92538f77761ca461d3
Posted by ma...@apache.org.
RANGER-794 - commit id fbf4f3533d0c39d018d2ac92538f77761ca461d3
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/927b0b5a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/927b0b5a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/927b0b5a
Branch: refs/heads/ranger-0.5
Commit: 927b0b5aeb868747c55f023a96daafb4f7923789
Parents: 9578a68
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Dec 21 17:53:51 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Sun Mar 20 10:34:09 2016 -0700
----------------------------------------------------------------------
.../ranger/plugin/util/PerfDataRecorder.java | 113 +
.../plugin/util/RangerPerfCollectorTracer.java | 36 +
.../ranger/plugin/util/RangerPerfTracer.java | 34 +-
.../plugin/util/RangerPerfTracerFactory.java | 39 +
pom.xml | 3 +
ranger-tools/.gitignore | 2 +
ranger-tools/conf/log4j.properties | 50 +
ranger-tools/pom.xml | 69 +
ranger-tools/scripts/README.txt | 64 +
ranger-tools/scripts/ranger-perftester.sh | 32 +
ranger-tools/scripts/summary.awk | 17 +
.../ranger/policyengine/CommandLineParser.java | 275 +
.../ranger/policyengine/PerfTestClient.java | 161 +
.../ranger/policyengine/PerfTestEngine.java | 124 +
.../ranger/policyengine/PerfTestOptions.java | 60 +
.../RangerPolicyenginePerfTester.java | 140 +
.../ranger/policyengine/PerfTesterTest.java | 112 +
ranger-tools/src/test/resources/commandline | 20 +
.../src/test/resources/log4j.properties | 50 +
.../test/resources/testdata/test_modules.txt | 23 +
.../resources/testdata/test_requests_hive.json | 10 +
.../testdata/test_servicepolicies_hive.json | 294 +
ranger-tools/testdata/test_modules.txt | 22 +
ranger-tools/testdata/test_requests_hive.json | 257 +
.../testdata/test_servicepolicies_hive.json | 252239 ++++++++++++++++
src/main/assembly/ranger-tools.xml | 135 +
26 files changed, 254372 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
new file mode 100644
index 0000000..72da8e8
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicLong;
+
+public class PerfDataRecorder {
+ private static final Log LOG = LogFactory.getLog(PerfDataRecorder.class);
+ private static final Log PERF = RangerPerfTracer.getPerfLogger(PerfDataRecorder.class);
+
+ static PerfDataRecorder instance = null;
+ private Map<String, PerfStatistic> perfStatistics = new HashMap<String, PerfStatistic>();
+
+ public static void initialize(List<String> names) {
+ if (getPerfDataRecorder() == null) {
+ instance = new PerfDataRecorder();
+ }
+ instance.init(names);
+ }
+
+ public static PerfDataRecorder getPerfDataRecorder() {
+ return instance;
+ }
+
+ public void dumpStatistics() {
+ for (Map.Entry<String, PerfStatistic> entry : perfStatistics.entrySet()) {
+
+ String tag = entry.getKey();
+ PerfStatistic perfStatistic = entry.getValue();
+
+ long averageTimeSpent = 0L;
+ long minTimeSpent = 0L;
+ long maxTimeSpent = 0L;
+ if (perfStatistic.numberOfInvocations.get() != 0L) {
+ averageTimeSpent = perfStatistic.millisecondsSpent.get()/perfStatistic.numberOfInvocations.get();
+ minTimeSpent = perfStatistic.minTimeSpent.get();
+ maxTimeSpent = perfStatistic.maxTimeSpent.get();
+ }
+
+ String logMsg = "[" + tag + "]" +
+ " execCount:" + perfStatistic.numberOfInvocations +
+ ", totalTimeTaken:" + perfStatistic.millisecondsSpent +
+ ", maxTimeTaken:" + maxTimeSpent +
+ ", minTimeTaken:" + minTimeSpent +
+ ", avgTimeTaken:" + averageTimeSpent;
+
+ LOG.info(logMsg);
+ PERF.debug(logMsg);
+ }
+ }
+
+ void record(String tag, long elapsedTime) {
+ PerfStatistic perfStatistic = perfStatistics.get(tag);
+ if (perfStatistic != null) {
+ perfStatistic.addPerfDataItem(elapsedTime);
+ }
+ }
+
+ private void init(List<String> names) {
+ if (CollectionUtils.isNotEmpty(names)) {
+ for (String name : names) {
+ // Create structure
+ perfStatistics.put(name, new PerfStatistic());
+ }
+ }
+ }
+
+ private class PerfStatistic {
+ private AtomicLong numberOfInvocations = new AtomicLong(0L);
+ private AtomicLong millisecondsSpent = new AtomicLong(0L);
+ private AtomicLong minTimeSpent = new AtomicLong(Long.MAX_VALUE);
+ private AtomicLong maxTimeSpent = new AtomicLong(Long.MIN_VALUE);
+
+ void addPerfDataItem(final long timeTaken) {
+ numberOfInvocations.getAndIncrement();
+ millisecondsSpent.getAndAdd(timeTaken);
+
+ long min = minTimeSpent.get();
+ if (timeTaken < min) {
+ minTimeSpent.compareAndSet(min, timeTaken);
+ }
+
+ long max = maxTimeSpent.get();
+ if (timeTaken > max) {
+ maxTimeSpent.compareAndSet(max, timeTaken);
+ }
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java
new file mode 100644
index 0000000..d092859
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+import org.apache.commons.logging.Log;
+
+public class RangerPerfCollectorTracer extends RangerPerfTracer {
+ private final PerfDataRecorder recorder;
+
+ public RangerPerfCollectorTracer(Log logger, String tag, String data, PerfDataRecorder recorder) {
+ super(logger, tag, data);
+ this.recorder = recorder;
+ }
+
+ @Override
+ public void log() {
+ recorder.record(tag, getElapsedTime());
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
index fc84bcd..175c4e4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
@@ -24,10 +24,13 @@ import org.apache.commons.logging.LogFactory;
import org.apache.commons.lang.StringUtils;
public class RangerPerfTracer {
- private final Log logger;
- private final String tag;
+ protected final Log logger;
+ protected final String tag;
+ protected final String data;
private final long startTimeMs;
+ private final static String tagEndMarker = "(";
+
public static Log getPerfLogger(String name) {
return LogFactory.getLog("ranger.perf." + name);
}
@@ -37,15 +40,27 @@ public class RangerPerfTracer {
}
public static boolean isPerfTraceEnabled(Log logger) {
- return logger.isInfoEnabled();
+ return logger.isDebugEnabled();
}
public static RangerPerfTracer getPerfTracer(Log logger, String tag) {
- return logger.isInfoEnabled() ? new RangerPerfTracer(logger, tag) : null;
+ String data = "";
+ String realTag = "";
+
+ if (tag != null) {
+ int indexOfTagEndMarker = StringUtils.indexOf(tag, tagEndMarker);
+ if (indexOfTagEndMarker != -1) {
+ realTag = StringUtils.substring(tag, 0, indexOfTagEndMarker);
+ data = StringUtils.substring(tag, indexOfTagEndMarker);
+ } else {
+ realTag = tag;
+ }
+ }
+ return RangerPerfTracerFactory.getPerfTracer(logger, realTag, data);
}
- public static RangerPerfTracer getPerfTracer(Log logger, Object... tagParts) {
- return logger.isInfoEnabled() ? new RangerPerfTracer(logger, StringUtils.join(tagParts)) : null;
+ public static RangerPerfTracer getPerfTracer(Log logger, String tag, String data) {
+ return RangerPerfTracerFactory.getPerfTracer(logger, tag, data);
}
public static void log(RangerPerfTracer tracer) {
@@ -54,9 +69,10 @@ public class RangerPerfTracer {
}
}
- public RangerPerfTracer(Log logger, String tag) {
+ public RangerPerfTracer(Log logger, String tag, String data) {
this.logger = logger;
this.tag = tag;
+ this.data = data;
startTimeMs = System.currentTimeMillis();
}
@@ -73,8 +89,8 @@ public class RangerPerfTracer {
}
public void log() {
- if(logger.isInfoEnabled()) {
- logger.info("[PERF] " + tag + ": " + getElapsedTime());
+ if(logger.isDebugEnabled()) {
+ logger.debug("[PERF] " + tag + data + ": " + getElapsedTime());
}
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java
new file mode 100644
index 0000000..8db2d45
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+import org.apache.commons.logging.Log;
+
+public class RangerPerfTracerFactory {
+
+ private static PerfDataRecorder perfDataRecorder = PerfDataRecorder.getPerfDataRecorder();
+
+ static RangerPerfTracer getPerfTracer(Log logger, String tag, String data) {
+
+ RangerPerfTracer ret = null;
+
+ if (perfDataRecorder != null) {
+ ret = new RangerPerfCollectorTracer(logger, tag, data, perfDataRecorder);
+ } else if (logger.isDebugEnabled()) {
+ ret = new RangerPerfTracer(logger, tag, data);
+ }
+ return ret;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index d360b2e..0f67672 100644
--- a/pom.xml
+++ b/pom.xml
@@ -106,6 +106,7 @@
<module>ranger-storm-plugin-shim</module>
<module>ranger-kafka-plugin-shim</module>
<module>ranger-examples</module>
+ <module>ranger-tools</module>
</modules>
<properties>
<javac.source.version>1.7</javac.source.version>
@@ -387,6 +388,7 @@
<descriptor>src/main/assembly/usersync.xml</descriptor>
<descriptor>src/main/assembly/migration-util.xml</descriptor>
<descriptor>src/main/assembly/kms.xml</descriptor>
+ <descriptor>src/main/assembly/ranger-tools.xml</descriptor>
<descriptor>src/main/assembly/ranger-src.xml</descriptor>
</descriptors>
</configuration>
@@ -491,6 +493,7 @@
<exclude>**/main/resources/**/*.json</exclude>
<exclude>**/.externalToolBuilders/*</exclude>
<exclude>*.patch</exclude>
+ <exclude>**/testdata/*.json</exclude>
<exclude>atlassian-ide-plugin.xml</exclude>
<exclude>**/.pydevproject</exclude>
</excludes>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/.gitignore
----------------------------------------------------------------------
diff --git a/ranger-tools/.gitignore b/ranger-tools/.gitignore
new file mode 100644
index 0000000..5ac84b1
--- /dev/null
+++ b/ranger-tools/.gitignore
@@ -0,0 +1,2 @@
+/target/
+ranger-perftester.iml
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/conf/log4j.properties
----------------------------------------------------------------------
diff --git a/ranger-tools/conf/log4j.properties b/ranger-tools/conf/log4j.properties
new file mode 100644
index 0000000..ccb9db4
--- /dev/null
+++ b/ranger-tools/conf/log4j.properties
@@ -0,0 +1,50 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##-- To prevent junits from cluttering the build run by default all test runs send output to null appender
+log4j.appender.devnull=org.apache.log4j.varia.NullAppender
+# ranger.root.logger=FATAL,devnull
+
+##-- uncomment the following line during during development/debugging so see debug messages during test run to be emitted to console
+ranger.root.logger=INFO,console
+
+log4j.rootLogger=${ranger.root.logger}
+
+# Logging Threshold
+log4j.threshold=ALL
+
+#
+# console
+# Add "console" to rootlogger above if you want to use this
+#
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %L %m%n
+
+#
+# ranger.perf log level
+#
+ranger.perf.logger=DEBUG,PERF
+ranger.perf.log.file=ranger-perf-test.log
+
+log4j.logger.ranger.perf=${ranger.perf.logger}
+log4j.additivity.ranger.perf=false
+
+log4j.appender.PERF=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.PERF.File=${ranger.perf.log.file}
+log4j.appender.PERF.layout=org.apache.log4j.PatternLayout
+log4j.appender.PERF.layout.ConversionPattern=%m%n
+log4j.appender.PERF.DatePattern=.yyyy-MM-dd
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-tools/pom.xml b/ranger-tools/pom.xml
new file mode 100644
index 0000000..1285b2c
--- /dev/null
+++ b/ranger-tools/pom.xml
@@ -0,0 +1,69 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <parent>
+ <artifactId>ranger</artifactId>
+ <groupId>org.apache.ranger</groupId>
+ <version>0.5.0</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+
+ <artifactId>ranger-tools</artifactId>
+ <packaging>jar</packaging>
+
+ <name>Ranger Tools</name>
+ <url>http://maven.apache.org</url>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>commons-cli</groupId>
+ <artifactId>commons-cli</artifactId>
+ <version>1.3.1</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>${commons.logging.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.google.code.gson</groupId>
+ <artifactId>gson</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+
+</project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/scripts/README.txt
----------------------------------------------------------------------
diff --git a/ranger-tools/scripts/README.txt b/ranger-tools/scripts/README.txt
new file mode 100644
index 0000000..282a306
--- /dev/null
+++ b/ranger-tools/scripts/README.txt
@@ -0,0 +1,64 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+This file describes how to build, unpackage and run the performance testing tool.
+
+1. Build Apache Ranger using the following command.
+ % mvn clean compile package assembly:assembly
+
+ The following artifact will be created under target directory.
+
+ target/ranger-0.5.0-ranger-tools.tar.gz
+
+2. Copy this artifact to the directory where you want to run the tool.
+
+ % cp target/ranger-0.5.0-ranger-tools.tar.gz <perf-tool-run-dir>
+ % cd <perf-tool-run-dir>
+
+3. Unzip the artifact.
+
+ % tar xvfz ranger-0.5.0-ranger-tools.tar.gz
+
+ This will create the following directory structure under <perf-tool-run-dir>
+
+ ranger-0.5.0-ranger-tools
+ ranger-0.5.0-ranger-tools/conf
+ ranger-0.5.0-ranger-tools/dist
+ ranger-0.5.0-ranger-tools/lib
+ ranger-0.5.0-ranger-tools/scripts
+ ranger-0.5.0-ranger-tools/testdata
+
+4. % cd ranger-0.5.0-ranger-tools
+
+5. Setup configuration
+
+ Following sample data files are packaged with the perf-tool:
+ service-policies - testdata/test_servicepolicies_hive.json
+ requests - testdata/test_requests_hive.json
+ modules-to-profile - testdata/test_modules.txt
+
+ Please review the contents of these files and modify (or copy/modify) to suite your policy and request needs.
+
+ Update conf/log4j.properties to specify the filename where perf run results will be written to. Property to update is 'ranger.perf.logger'.
+
+5. Run the tool with the command,
+
+ % ./ranger-perftester.sh -s <service-policies-file> -r <requests-file> -p <profiled-modules-file> -c <number-of-concurrent-clients> -n <number-of-times-requests-file-to-be-run>
+
+ Example:
+ % ./ranger-perftester.sh -s testdata/test_servicepolicies_hive.json -r testdata/test_requests_hive.json -p testdata/test_modules.txt -c 2 -n 1
+
+6. At the end of the run, the performance-statistics are printed in the log file in conf/log4j.properties file.
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/scripts/ranger-perftester.sh
----------------------------------------------------------------------
diff --git a/ranger-tools/scripts/ranger-perftester.sh b/ranger-tools/scripts/ranger-perftester.sh
new file mode 100755
index 0000000..46c8e0e
--- /dev/null
+++ b/ranger-tools/scripts/ranger-perftester.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cdir=$(cd "$(dirname "$0")"; pwd)
+cp="${cdir}/dist/*:${cdir}/lib/*:${cdir}/conf:."
+
+if [ "${JAVA_HOME}" != "" ]
+then
+ export JAVA_HOME
+ PATH="${JAVA_HOME}/bin:${PATH}"
+ export PATH
+fi
+
+JAVA_CMD="java -cp ${cp} org.apache.ranger.policyengine.RangerPolicyenginePerfTester"
+
+cd ${cdir}
+
+echo "JAVA command = $JAVA_CMD " "$@"
+$JAVA_CMD "$@"
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/scripts/summary.awk
----------------------------------------------------------------------
diff --git a/ranger-tools/scripts/summary.awk b/ranger-tools/scripts/summary.awk
new file mode 100755
index 0000000..16e49f3
--- /dev/null
+++ b/ranger-tools/scripts/summary.awk
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+awk '{ORS=" "; print $NF; for (i=6; i<NF; i++) print $i;print "\n" }' $1 | sort -n -r
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
new file mode 100644
index 0000000..a45d71a
--- /dev/null
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
@@ -0,0 +1,275 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.policyengine;
+
+import org.apache.commons.cli.*;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Arrays;
+
+public class CommandLineParser
+{
+ static final Log LOG = LogFactory.getLog(CommandLineParser.class);
+
+ private String servicePoliciesFileName;
+ private String[] requestFileNames;
+ private String statCollectionFileName;
+
+ private URL servicePoliciesFileURL;
+ private URL[] requestFileURLs;
+ private URL statCollectionFileURL;
+
+
+ private int concurrentClientCount = 1;
+ private int iterationsCount = 1;
+
+ private Options options = new Options();
+
+ CommandLineParser() {}
+
+ final PerfTestOptions parse(final String[] args) {
+ PerfTestOptions ret = null;
+ if (parseArguments(args) && validateInputFiles()) {
+ // Instantiate a data-object and return
+ ret = new PerfTestOptions(servicePoliciesFileURL, requestFileURLs, statCollectionFileURL, concurrentClientCount, iterationsCount);
+ } else {
+ showUsage(-1);
+ }
+ return ret;
+ }
+
+ // Parse the arguments
+
+ /* Arguments :
+ -s servicePolicies-file-name
+ -c concurrent-client-count
+ -r request-file-name-list
+ -n number-of-iterations
+ -p modules-to-collect-stats
+
+ If the concurrent-client-count is more than the number of files in the request-file-name-list,
+ then reuse the request-file-names in a round-robin way
+
+ */
+
+ final boolean parseArguments(final String[] args) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> parseArguments()");
+ }
+ boolean ret = false;
+
+ options.addOption("h", "help", false, "show help.");
+ options.addOption("s", "service-policies", true, "Policies File Name");
+ options.addOption("r", "requests", true, "Request Definition File Name");
+ options.addOption("p", "statistics", true, "Modules for stat collection File Name");
+ options.addOption("c", "clients", true, "Number of concurrent clients");
+ options.addOption("n", "cycles", true, "Number of iterations");
+
+ org.apache.commons.cli.CommandLineParser commandLineParser = new DefaultParser();
+
+ try {
+ CommandLine commandLine = commandLineParser.parse(options, args);
+
+ if (commandLine.hasOption("h")) {
+ showUsage(0);
+ }
+
+ servicePoliciesFileName = commandLine.getOptionValue("s");
+ requestFileNames = commandLine.getOptionValues("r");
+ statCollectionFileName = commandLine.getOptionValue("p");
+
+ concurrentClientCount = 1;
+ String clientOptionValue = commandLine.getOptionValue("c");
+ if (clientOptionValue != null) {
+ concurrentClientCount = Integer.parseInt(clientOptionValue);
+ }
+
+ iterationsCount = 1;
+ String iterationsOptionValue = commandLine.getOptionValue("n");
+ if (iterationsOptionValue != null) {
+ iterationsCount = Integer.parseInt(iterationsOptionValue);
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("servicePoliciesFileName=" + servicePoliciesFileName + ", requestFileName=" + Arrays.toString(requestFileNames));
+ LOG.debug("concurrentClientCount=" + concurrentClientCount + ", iterationsCount=" + iterationsCount);
+ }
+
+ ret = true;
+ } catch (Exception exception) {
+ LOG.error("Error processing command-line arguments: ", exception);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== parseArguments() : " + ret);
+ }
+
+ return ret;
+ }
+
+ final boolean validateInputFiles() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> validateInputFiles()");
+ }
+
+ boolean ret = false;
+
+ if (servicePoliciesFileName != null) {
+ this.servicePoliciesFileURL = getInputFileURL(servicePoliciesFileName);
+ if (servicePoliciesFileURL != null) {
+ if (requestFileNames != null) {
+ if (validateRequestFiles()) {
+ if (statCollectionFileName != null) {
+ statCollectionFileURL = getInputFileURL(statCollectionFileName);
+ ret = statCollectionFileURL != null;
+ } else {
+ LOG.error("Error processing stat-collection-module file");
+ }
+ }
+ } else {
+ LOG.error("Error processing requests file: No requests files provided.");
+ }
+ } else {
+ LOG.error("Error processing service-policies file: unreadable service-policies file: " + servicePoliciesFileName);
+ }
+ } else {
+ LOG.error("Error processing service-policies file: null service-policies file");
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== validateInputFiles(): " + ret);
+ }
+
+ return ret;
+ }
+
+ final boolean validateRequestFiles() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> validateRequestFiles()");
+ }
+ boolean ret = requestFileNames.length > 0;
+
+ if (ret) {
+ requestFileURLs = new URL[requestFileNames.length];
+
+ for (int i = 0; ret && i < requestFileNames.length; i++) {
+ if (requestFileNames[i] != null) {
+ if ((requestFileURLs[i] = getInputFileURL(requestFileNames[i])) == null) {
+ LOG.error("Cannot read file: " + requestFileNames[i]);
+ ret = false;
+ }
+ } else {
+ LOG.error("Error processing request-file: null input file-name for request-file");
+ ret = false;
+ }
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== validateRequestFiles(): " + ret);
+ }
+ return ret;
+ }
+
+ public static URL getInputFileURL(final String name) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> getResourceFileURL(" + name + ")");
+ }
+ URL ret = null;
+ InputStream in = null;
+
+
+ if (StringUtils.isNotBlank(name)) {
+
+ File f = new File(name);
+
+ if (f.exists() && f.isFile() && f.canRead()) {
+ try {
+
+ in = new FileInputStream(f);
+ ret = f.toURI().toURL();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("URL:" + ret);
+ }
+
+ } catch (FileNotFoundException exception) {
+ LOG.error("Error processing input file:" + name + " or no privilege for reading file " + name, exception);
+ } catch (MalformedURLException malformedException) {
+ LOG.error("Error processing input file:" + name + " cannot be converted to URL " + name, malformedException);
+ }
+ } else {
+
+ URL fileURL = CommandLineParser.class.getResource(name);
+ if (fileURL == null) {
+ if (!name.startsWith("/")) {
+ fileURL = CommandLineParser.class.getResource("/" + name);
+ }
+ }
+
+ if (fileURL == null) {
+ fileURL = ClassLoader.getSystemClassLoader().getResource(name);
+ if (fileURL == null) {
+ if (!name.startsWith("/")) {
+ fileURL = ClassLoader.getSystemClassLoader().getResource("/" + name);
+ }
+ }
+ }
+
+ if (fileURL != null) {
+ try {
+ in = fileURL.openStream();
+ ret = fileURL;
+ } catch (Exception exception) {
+ LOG.error(name + " cannot be opened:", exception);
+ }
+ } else {
+ LOG.warn("Error processing input file: URL not found for " + name + " or no privilege for reading file " + name);
+ }
+ }
+ }
+ if (in != null) {
+ try {
+ in.close();
+ } catch (Exception e) {
+ // Ignore
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== getResourceFileURL(" + name + ", URL=" + ret + ")");
+ }
+ return ret;
+ }
+
+ void showUsage(int exitCode) {
+ HelpFormatter formater = new HelpFormatter();
+ formater.printHelp("perfTester", options);
+
+ LOG.info("Exiting...");
+
+ System.exit(exitCode);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestClient.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestClient.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestClient.java
new file mode 100644
index 0000000..b88d670
--- /dev/null
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestClient.java
@@ -0,0 +1,161 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.policyengine;
+
+import com.google.gson.*;
+import com.google.gson.reflect.TypeToken;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.policyengine.*;
+
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.lang.reflect.Type;
+import java.net.URL;
+import java.util.List;
+
+public class PerfTestClient extends Thread {
+ static final Log LOG = LogFactory.getLog(PerfTestClient.class);
+
+ final PerfTestEngine perfTestEngine;
+ final int clientId;
+ final URL requestFileURL;
+ final int maxCycles;
+
+ List<RequestData> requests = null;
+ static Gson gsonBuilder = null;
+
+ static {
+
+ gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
+ .setPrettyPrinting()
+ .registerTypeAdapter(RangerAccessRequest.class, new RangerAccessRequestDeserializer())
+ .registerTypeAdapter(RangerAccessResource.class, new RangerResourceDeserializer())
+ .create();
+ }
+
+ public PerfTestClient(final PerfTestEngine perfTestEngine, final int clientId, final URL requestFileURL, final int maxCycles) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> PerfTestClient(clientId=" + clientId + ", maxCycles=" + maxCycles +")" );
+ }
+
+ this.perfTestEngine = perfTestEngine;
+ this.clientId = clientId;
+ this.requestFileURL = requestFileURL;
+ this.maxCycles = maxCycles;
+
+ setName("PerfTestClient-" + clientId);
+ setDaemon(true);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== PerfTestClient(clientId=" + clientId + ", maxCycles=" + maxCycles +")" );
+ }
+ }
+
+ public boolean init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> init()" );
+ }
+
+ boolean ret = false;
+
+ Reader reader = null;
+
+ try {
+
+ InputStream in = requestFileURL.openStream();
+
+ reader = new InputStreamReader(in);
+
+ Type listType = new TypeToken<List<RequestData>>() {
+ }.getType();
+
+ requests = gsonBuilder.fromJson(reader, listType);
+
+ ret = true;
+ }
+ catch (Exception excp) {
+ LOG.error("Error opening request data stream or loading load request data from file, URL=" + requestFileURL, excp);
+ }
+ finally {
+ if (reader != null) {
+ try {
+ reader.close();
+ } catch (Exception excp) {
+ LOG.error("Error closing file ", excp);
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== init() : " + ret );
+ }
+ return ret;
+ }
+
+ @Override
+ public void run() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> run()" );
+ }
+
+ try {
+ for (int i = 0; i < maxCycles; i++) {
+ for (RequestData data : requests) {
+ perfTestEngine.execute(data.request);
+ }
+ }
+ } catch (Exception excp) {
+ LOG.error("PerfTestClient.run() : interrupted! Exiting thread", excp);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== run()" );
+ }
+ }
+
+ private class RequestData {
+ public String name;
+ public RangerAccessRequest request;
+ public RangerAccessResult result;
+ }
+
+ static class RangerAccessRequestDeserializer implements JsonDeserializer<RangerAccessRequest> {
+ @Override
+ public RangerAccessRequest deserialize(JsonElement jsonObj, Type type,
+ JsonDeserializationContext context) throws JsonParseException {
+ RangerAccessRequestImpl ret = gsonBuilder.fromJson(jsonObj, RangerAccessRequestImpl.class);
+
+ ret.setAccessType(ret.getAccessType()); // to force computation of isAccessTypeAny and isAccessTypeDelegatedAdmin
+
+ return ret;
+ }
+ }
+
+ static class RangerResourceDeserializer implements JsonDeserializer<RangerAccessResource> {
+ @Override
+ public RangerAccessResource deserialize(JsonElement jsonObj, Type type,
+ JsonDeserializationContext context) throws JsonParseException {
+ return gsonBuilder.fromJson(jsonObj, RangerAccessResourceImpl.class);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
new file mode 100644
index 0000000..dfd8191
--- /dev/null
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.policyengine;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.*;
+import org.apache.ranger.plugin.util.ServicePolicies;
+
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.URL;
+
+public class PerfTestEngine {
+ static final Log LOG = LogFactory.getLog(PerfTestEngine.class);
+
+ private final URL servicePoliciesFileURL;
+ private RangerPolicyEngine policyEvaluationEngine;
+
+ public PerfTestEngine(final URL servicePoliciesFileURL) {
+ this.servicePoliciesFileURL = servicePoliciesFileURL;
+ }
+
+ public boolean init() {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> init()");
+ }
+
+ boolean ret = false;
+
+ Gson gsonBuilder = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z")
+ .setPrettyPrinting()
+ .create();
+
+ Reader reader = null;
+ ServicePolicies servicePolicies;
+
+ try {
+ InputStream in = servicePoliciesFileURL.openStream();
+
+ reader = new InputStreamReader(in);
+
+ servicePolicies = gsonBuilder.fromJson(reader, ServicePolicies.class);
+
+ RangerPolicyEngineOptions engineOptions = new RangerPolicyEngineOptions();
+
+ policyEvaluationEngine = new RangerPolicyEngineImpl(servicePolicies, engineOptions);
+
+ ret = true;
+
+ } catch (Exception excp) {
+ LOG.error("Error opening service-policies file or loading service-policies from file, URL=" + servicePoliciesFileURL, excp);
+ } finally {
+ if (reader != null) {
+ try {
+ reader.close();
+ } catch (Exception excp) {
+ LOG.error("Error closing file", excp);
+ }
+ }
+ }
+
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== init() : " + ret);
+ }
+
+ return ret;
+
+ }
+ public boolean execute(final RangerAccessRequest request) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> execute(" + request + ")");
+ }
+
+ boolean ret = true;
+
+ if (policyEvaluationEngine != null) {
+
+ RangerAccessResultProcessor auditHandler = null;
+
+ policyEvaluationEngine.preProcess(request);
+
+ RangerAccessResult result = policyEvaluationEngine.isAccessAllowed(request, auditHandler);
+ } else {
+ LOG.error("Error executing request: PolicyEngine is null!");
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== execute(" + request + ") : " + ret);
+ }
+
+ return ret;
+ }
+
+ public void cleanup() {
+ if (policyEvaluationEngine != null) {
+ policyEvaluationEngine = null;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java
new file mode 100644
index 0000000..f30cbd7
--- /dev/null
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestOptions.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.policyengine;
+
+
+import java.net.URL;
+
+public class PerfTestOptions {
+ private final URL servicePoliciesFileURL;
+ private final URL[] requestFileURLs;
+ private final URL statCollectionFileURL;
+
+
+ private final int concurrentClientCount;
+ private final int iterationsCount;
+
+ PerfTestOptions(URL servicePoliciesFileURL, URL[] requestFileURLs, URL statCollectionFileURL, int concurrentClientCount, int iterationsCount) {
+ this.servicePoliciesFileURL = servicePoliciesFileURL;
+ this.requestFileURLs = requestFileURLs;
+ this.statCollectionFileURL = statCollectionFileURL;
+ this.iterationsCount = iterationsCount;
+ this.concurrentClientCount = concurrentClientCount;
+ }
+
+ public URL getServicePoliciesFileURL() {
+ return this.servicePoliciesFileURL;
+ }
+
+ public URL[] getRequestFileURLs() {
+ return this.requestFileURLs;
+ }
+
+ public URL getStatCollectionFileURL() {
+ return this.statCollectionFileURL;
+ }
+
+ public int getConcurrentClientCount() {
+ return concurrentClientCount;
+ }
+
+ public int getIterationsCount() {
+ return iterationsCount;
+ }}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
new file mode 100644
index 0000000..28cc558
--- /dev/null
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
@@ -0,0 +1,140 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.policyengine;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.util.PerfDataRecorder;
+
+import java.io.BufferedReader;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.URL;
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.List;
+
+public class RangerPolicyenginePerfTester {
+ static final Log LOG = LogFactory.getLog(RangerPolicyenginePerfTester.class);
+
+ public static void main(String[] args) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerPolicyenginePerfTester.main()");
+ }
+
+ CommandLineParser commandLineParser = new CommandLineParser();
+
+ PerfTestOptions perfTestOptions = commandLineParser.parse(args);
+
+ URL statCollectionFileURL = perfTestOptions.getStatCollectionFileURL();
+
+ List<String> perfModuleNames = buildPerfModuleNames(statCollectionFileURL);
+
+ PerfDataRecorder.initialize(perfModuleNames);
+
+ URL servicePoliciesFileURL = perfTestOptions.getServicePoliciesFileURL();
+
+ PerfTestEngine perfTestEngine = new PerfTestEngine(servicePoliciesFileURL);
+ if (!perfTestEngine.init()) {
+ LOG.error("Error initializing test data. Existing...");
+ System.exit(1);
+ }
+
+ URL[] requestFileURLs = perfTestOptions.getRequestFileURLs();
+ int requestFilesCount = requestFileURLs.length;
+
+ int clientsCount = perfTestOptions.getConcurrentClientCount();
+ List<PerfTestClient> perfTestClients = new ArrayList<PerfTestClient>(clientsCount);
+
+ for (int i = 0; i < clientsCount; i++) {
+
+ URL requestFileURL = requestFileURLs[i % requestFilesCount];
+
+ PerfTestClient perfTestClient = new PerfTestClient(perfTestEngine, i, requestFileURL, perfTestOptions.getIterationsCount());
+
+ if (!perfTestClient.init()) {
+ LOG.error("Error initializing PerfTestClient: (id=" + i + ")");
+ } else {
+ perfTestClients.add(perfTestClient);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Number of perfTestClients=" + perfTestClients.size());
+ }
+
+ for (PerfTestClient client : perfTestClients) {
+ try {
+ client.start();
+ } catch (Throwable t) {
+ LOG.error("Error in starting client: " + client.getName(), t);
+ }
+ }
+
+ LOG.info("Waiting for " + perfTestClients.size() + " clients to finish up");
+
+ for (PerfTestClient client : perfTestClients) {
+ try {
+ if (client.isAlive()) {
+ LOG.info("Waiting for " + client.getName() + " to finish up.");
+ client.join();
+ }
+ } catch (InterruptedException interruptedException) {
+ LOG.error("PerfTestClient.join() was interrupted");
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerPolicyenginePerfTester.main()");
+ }
+
+ LOG.info("Completed performance-run");
+
+ perfTestEngine.cleanup();
+
+ PerfDataRecorder.getPerfDataRecorder().dumpStatistics();
+ }
+
+ private static List<String> buildPerfModuleNames(URL statCollectionFileURL) {
+ List<String> perfModuleNames = new ArrayList<String>();
+
+ try (
+ InputStream inStream = statCollectionFileURL.openStream();
+ InputStreamReader reader = new InputStreamReader(inStream, Charset.forName("UTF-8"));
+ BufferedReader br = new BufferedReader(reader);
+ ) {
+
+ String line;
+
+ while ((line = br.readLine()) != null) {
+ line = line.trim();
+ if (!line.isEmpty() && !line.startsWith("#")) {
+ String[] moduleNames = line.split(" ");
+ for (int i = 0; i < moduleNames.length; i++) {
+ perfModuleNames.add(moduleNames[i]);
+ }
+ }
+ }
+ } catch (Exception exception) {
+ System.out.println("Error reading arguments:" + exception);
+ }
+
+ return perfModuleNames;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/test/java/org/apache/ranger/policyengine/PerfTesterTest.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/java/org/apache/ranger/policyengine/PerfTesterTest.java b/ranger-tools/src/test/java/org/apache/ranger/policyengine/PerfTesterTest.java
new file mode 100644
index 0000000..2d7c52e
--- /dev/null
+++ b/ranger-tools/src/test/java/org/apache/ranger/policyengine/PerfTesterTest.java
@@ -0,0 +1,112 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.policyengine;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+import java.io.BufferedReader;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.URL;
+import java.nio.charset.Charset;
+
+/**
+ * Unit test for simple App.
+ */
+public class PerfTesterTest
+ extends TestCase
+
+{
+ /**
+ * Create the test case
+ *
+ * @param testName name of the test case
+ */
+ public PerfTesterTest( String testName )
+ {
+ super( testName );
+ }
+
+ /**
+ * @return the suite of tests being tested
+ */
+ public static Test suite()
+ {
+ return new TestSuite( PerfTesterTest.class );
+ }
+
+ /**
+ * Rigourous Test :-)
+ */
+
+ public void testMain() {
+
+ String[] args = readCommandLine();
+
+ if (args != null) {
+ RangerPolicyenginePerfTester.main(args);
+ }
+ }
+
+
+ public void testArgParsing() {
+ String[] args = readCommandLine();
+
+ if (args != null) {
+ CommandLineParser commandLineParser = new CommandLineParser();
+ PerfTestOptions parseResult = commandLineParser.parse(args);
+ assertNotNull(parseResult);
+ }
+ }
+
+ String[] readCommandLine() {
+ // Read arguments from a file - with hardcoded name 'commandline'
+
+ String[] ret = null;
+
+ URL commandLineFileURL = CommandLineParser.getInputFileURL("/commandline");
+ if (commandLineFileURL != null) {
+ try (
+ InputStream inStream = commandLineFileURL.openStream();
+ InputStreamReader reader = new InputStreamReader(inStream, Charset.forName("UTF-8"));
+ BufferedReader br = new BufferedReader(reader);
+ ) {
+
+
+ String line;
+
+ while ((line = br.readLine()) != null) {
+ line = line.trim();
+ if (!line.isEmpty() && !line.startsWith("#")) {
+ ret = line.split(" ");
+ break;
+ }
+ }
+
+ } catch (Exception exception) {
+ System.out.println("Error reading arguments:" + exception);
+ }
+ }
+ return ret;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/test/resources/commandline
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/resources/commandline b/ranger-tools/src/test/resources/commandline
new file mode 100644
index 0000000..9ea690e
--- /dev/null
+++ b/ranger-tools/src/test/resources/commandline
@@ -0,0 +1,20 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+-s /testdata/test_servicepolicies_hive.json -r /testdata/test_requests_hive.json -p /testdata/test_modules.txt -c 3 -n 1
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/resources/log4j.properties b/ranger-tools/src/test/resources/log4j.properties
new file mode 100644
index 0000000..a9a8881
--- /dev/null
+++ b/ranger-tools/src/test/resources/log4j.properties
@@ -0,0 +1,50 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##-- To prevent junits from cluttering the build run by default all test runs send output to null appender
+log4j.appender.devnull=org.apache.log4j.varia.NullAppender
+# ranger.root.logger=FATAL,devnull
+
+##-- uncomment the following line during during development/debugging so see debug messages during test run to be emitted to console
+ranger.root.logger=INFO,console
+
+log4j.rootLogger=${ranger.root.logger}
+
+# Logging Threshold
+log4j.threshold=ALL
+
+#
+# console
+# Add "console" to rootlogger above if you want to use this
+#
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %L %m%n
+
+#
+# ranger.perf log level
+#
+ranger.perf.logger=DEBUG,PERF
+ranger.perf.log.file=/tmp/ranger-perf-test.log
+
+log4j.logger.ranger.perf=${ranger.perf.logger}
+log4j.additivity.ranger.perf=false
+
+log4j.appender.PERF=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.PERF.File=${ranger.perf.log.file}
+log4j.appender.PERF.layout=org.apache.log4j.PatternLayout
+log4j.appender.PERF.layout.ConversionPattern=%m%n
+log4j.appender.PERF.DatePattern=.yyyy-MM-dd
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/test/resources/testdata/test_modules.txt
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/resources/testdata/test_modules.txt b/ranger-tools/src/test/resources/testdata/test_modules.txt
new file mode 100644
index 0000000..8637bf2
--- /dev/null
+++ b/ranger-tools/src/test/resources/testdata/test_modules.txt
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+RangerPolicyEngine.init
+RangerPolicyEngine.preProcess
+RangerPolicyEngine.isAccessAllowedNoAudit
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/test/resources/testdata/test_requests_hive.json
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/resources/testdata/test_requests_hive.json b/ranger-tools/src/test/resources/testdata/test_requests_hive.json
new file mode 100644
index 0000000..0db7207
--- /dev/null
+++ b/ranger-tools/src/test/resources/testdata/test_requests_hive.json
@@ -0,0 +1,10 @@
+ [
+ {"name":"'select default/tbl-0/col-2;' for hrt_1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-0","column":"col-2"}},
+ "accessType":"select","user":"hrt_1","userGroups":[],"requestData":"use default"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ]
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/src/test/resources/testdata/test_servicepolicies_hive.json
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/resources/testdata/test_servicepolicies_hive.json b/ranger-tools/src/test/resources/testdata/test_servicepolicies_hive.json
new file mode 100644
index 0000000..8fcd840
--- /dev/null
+++ b/ranger-tools/src/test/resources/testdata/test_servicepolicies_hive.json
@@ -0,0 +1,294 @@
+{
+ "serviceName": "cl1_hive",
+ "serviceId": 2,
+ "policies": [
+ {
+ "service": "cl1_hive",
+ "name": "cl1_hive-1-20151212014502",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ },
+ {
+ "type": "lock",
+ "isAllowed": true
+ },
+ {
+ "type": "all",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "ambari-qa"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": true,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "id": 2,
+ "isEnabled": true
+ }
+ ],
+ "serviceDef": {
+ "name": "hive",
+ "implClass": "org.apache.ranger.services.hive.RangerServiceHive",
+ "label": "Hive Server2",
+ "options": {},
+ "configs": [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Username"
+ },
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "mandatory": true,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Password"
+ },
+ {
+ "itemId": 3,
+ "name": "jdbc.driverClassName",
+ "type": "string",
+ "mandatory": true,
+ "defaultValue": "org.apache.hive.jdbc.HiveDriver",
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": ""
+ },
+ {
+ "itemId": 4,
+ "name": "jdbc.url",
+ "type": "string",
+ "mandatory": true,
+ "defaultValue": "",
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": ""
+ },
+ {
+ "itemId": 5,
+ "name": "commonNameForCertificate",
+ "type": "string",
+ "mandatory": false,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Common Name for Certificate"
+ }
+ ],
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "database",
+ "type": "string",
+ "level": 10,
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Hive Database"
+ },
+ {
+ "itemId": 2,
+ "name": "table",
+ "type": "string",
+ "level": 20,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Hive Table"
+ },
+ {
+ "itemId": 3,
+ "name": "udf",
+ "type": "string",
+ "level": 20,
+ "parent": "database",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Hive UDF"
+ },
+ {
+ "itemId": 4,
+ "name": "column",
+ "type": "string",
+ "level": 30,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "true"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Hive Column"
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "select",
+ "label": "select",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 2,
+ "name": "update",
+ "label": "update",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 3,
+ "name": "create",
+ "label": "Create",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 4,
+ "name": "drop",
+ "label": "Drop",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 5,
+ "name": "alter",
+ "label": "Alter",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 6,
+ "name": "index",
+ "label": "Index",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 7,
+ "name": "lock",
+ "label": "Lock",
+ "impliedGrants": []
+ },
+ {
+ "itemId": 8,
+ "name": "all",
+ "label": "All",
+ "impliedGrants": [
+ "select",
+ "update",
+ "create",
+ "drop",
+ "alter",
+ "index",
+ "lock"
+ ]
+ }
+ ],
+ "policyConditions": [
+ {
+ "itemId": 1,
+ "name": "resources-accessed-together",
+ "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesAccessedTogetherCondition",
+ "evaluatorOptions": {},
+ "label": "Hive Resources Accessed Together?"
+ }
+ ],
+ "contextEnrichers": [],
+ "enums": [],
+ "id": 3,
+ "isEnabled": true
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/testdata/test_modules.txt
----------------------------------------------------------------------
diff --git a/ranger-tools/testdata/test_modules.txt b/ranger-tools/testdata/test_modules.txt
new file mode 100644
index 0000000..33432ed
--- /dev/null
+++ b/ranger-tools/testdata/test_modules.txt
@@ -0,0 +1,22 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+RangerPolicyEngine.init
+RangerPolicyEngine.preProcess
+RangerPolicyEngine.isAccessAllowedNoAudit
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/testdata/test_requests_hive.json
----------------------------------------------------------------------
diff --git a/ranger-tools/testdata/test_requests_hive.json b/ranger-tools/testdata/test_requests_hive.json
new file mode 100644
index 0000000..6b07762
--- /dev/null
+++ b/ranger-tools/testdata/test_requests_hive.json
@@ -0,0 +1,257 @@
+ [
+ {"name":"'select default/tbl-0/col-2;' for hrt_1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-0","column":"col-2"}},
+ "accessType":"select","user":"hrt_1","userGroups":[],"requestData":"use default"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'select default/tbl-1/col-3;' for hrt_2",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-1","column":"col-3"}},
+ "accessType":"select","user":"hrt_2","userGroups":[],"requestData":"use default"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'select default/tbl-2/col-4;' to hrt_3",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-2","column":"col-4"}},
+ "accessType":"select","user":"hrt_3","userGroups":["users"],"requestData":"use default"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'select default/tbl-3/col-5;' to hrt_4",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-3","column":"col-5"}},
+ "accessType":"select","user":"hrt_4","userGroups":["users", "group1"],"requestData":"use default"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'select default/tbl-4/col-6;' to hrt_5",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-4","column":"col-6"}},
+ "accessType":"select","user":"hrt_5","userGroups":["users", "group2"],"requestData":"use default"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'select default/tbl-5/col-7;' to hrt_6",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-5","column":"col-7"}},
+ "accessType":"select","user":"hrt_6","userGroups":["users", "group3"],"requestData":"use default"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'select default/tbl-6/col-8;' to hrt_7",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-6","column":"col-8"}},
+ "accessType":"select","user":"hrt_7","userGroups":["users"],"requestData":"use finance"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'select default/tbl-7/col-9 ' to hrt_8",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-7","column":"col-9"}},
+ "accessType":"select","user":"hrt_8","userGroups":["users"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'select default/tbl-8/col-10' to hrt_9",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-8","column":"col-10"}},
+ "accessType":"select","user":"hrt_9","userGroups":["users"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'select default/tbl-9/col-1;' to hrt_10",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-9","column":"col-1"}},
+ "accessType":"select","user":"hrt_10","userGroups":["users"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'lock default/tbl-0/col-2;' to hrt_1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-0","column":"col-2"}},
+ "accessType":"lock","user":"hrt_1","userGroups":["users","group1"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'lock default/tbl-1/col-3;' to hrt_2",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-1","column":"col-3"}},
+ "accessType":"lock","user":"hrt_2","userGroups":["users","group2"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'lock default/tbl-2/col-4;' to hrt_3",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-2","column":"col-4"}},
+ "accessType":"lock","user":"hrt_3","userGroups":["users","group3"],"requestData":"select col1 from default.testtable"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'lock default/tbl-3/col-5;' to hrt_4",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-3","column":"col-5"}},
+ "accessType":"lock","user":"hrt_4","userGroups":["users"],"requestData":"select col1 from default.table1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'lock default/tbl-4/col-6;' to hrt_5",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-4","column":"col-6"}},
+ "accessType":"lock","user":"hrt_5","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'lock default/tbl-5/col-7;' to hrt_6",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-5","column":"col-7"}},
+ "accessType":"lock","user":"hrt_6","userGroups":["users","group1"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'lock default/tbl-6/col-8;' to hrt_7",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-6","column":"col-8"}},
+ "accessType":"lock","user":"hrt_7","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'lock default/tbl-7/col-9;' to hrt_8",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-7","column":"col-9"}},
+ "accessType":"lock","user":"hrt_8","userGroups":["users","admin"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'lock default/tbl-8/col-10;' to hrt_9",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-8","column":"col-10"}},
+ "accessType":"lock","user":"hrt_9","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'lock default/tbl-9/col-1;' to hrt_20",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-9","column":"col-1"}},
+ "accessType":"lock","user":"hrt_20","userGroups":["users","group1"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table default/tbl-0;' to hrt_1",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-0"}},
+ "accessType":"drop","user":"hrt_1","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'drop table default/tbl-1;' to hrt_2",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-1"}},
+ "accessType":"drop","user":"hrt_2","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"'drop table default/tbl-2;' to hrt_3",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-2"}},
+ "accessType":"drop","user":"hrt_3","userGroups":["users"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table default/tbl-3;' to hrt_4",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-3"}},
+ "accessType":"drop","user":"hrt_4","userGroups":["users","admin"],"requestData":"create table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table default/tbl-4;' to hrt_5",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-4"}},
+ "accessType":"drop","user":"hrt_5","userGroups":["users"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table default/tbl-5;' to hrt_6",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-5"}},
+ "accessType":"drop","user":"hrt_6","userGroups":["users","admin"],"requestData":"drop table default.testtable1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'drop tabl default/tbl-6;' to hrt_7",
+ "request":{
+ "resource":{"elements":{"database":"default","table":"tbl-6"}},
+ "accessType":"drop","user":"hrt_7","userGroups":["users"],"requestData":"select col1 from default.table1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'drop table to default/tbl-7' for hrt_8",
+ "request":{
+ "resource":{"elements":{"database":"default", "table":"tbl-7"}},
+ "accessType":"drop","user":"hrt_8","userGroups":["users"],"requestData":"show columns in table1 from db1;"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'_any access to default/tbl-0' for hrt_1",
+ "request":{
+ "resource":{"elements":{"database":"default", "table":"tbl-0"}},
+ "accessType":"","user":"hrt_1","userGroups":["users"],"requestData":"fictional use case when request specified a lower level resource by skipping intermediate resource"
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"'_any access to default' for hrt_2",
+ "request":{
+ "resource":{"elements":{"database":"default"}},
+ "accessType":"","user":"hrt_2","userGroups":["users"],"requestData":"use db1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+ }
+ ,
+ {"name":"'_any access to default/tbl-1' for hrt_20",
+ "request":{
+ "resource":{"elements":{"database":"default", "table":"tbl-1"}},
+ "accessType":"","user":"hrt_20","userGroups":["users"],"requestData":"describe db1.tbl1"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+ }
+ ,
+ {"name":"'_any access to default/tbl-2/col-4' for hrt_0",
+ "request":{
+ "resource":{"elements":{"database":"default", "table":"tbl-2", "column":"col-4"}},
+ "accessType":"","user":"hrt_0","userGroups":["users"],"requestData":"fictional case: request for any match today happens only at a higher levels"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+ }
+ ]
[2/8] incubator-ranger git commit: RANGER-794 - commit id
fbf4f3533d0c39d018d2ac92538f77761ca461d3
Posted by ma...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/927b0b5a/ranger-tools/testdata/test_servicepolicies_hive.json
----------------------------------------------------------------------
diff --git a/ranger-tools/testdata/test_servicepolicies_hive.json b/ranger-tools/testdata/test_servicepolicies_hive.json
new file mode 100644
index 0000000..83c0e9f
--- /dev/null
+++ b/ranger-tools/testdata/test_servicepolicies_hive.json
@@ -0,0 +1,252239 @@
+{
+ "serviceName": "cl1_hive",
+ "serviceId": 2,
+ "policies": [
+ {
+ "service": "cl1_hive",
+ "name": "cl1_hive-1-20151212014502",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ },
+ {
+ "type": "lock",
+ "isAllowed": true
+ },
+ {
+ "type": "all",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "ambari-qa"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": true,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "id": 2,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "cl1_hive-2-20151212014503",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "udf": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ },
+ {
+ "type": "lock",
+ "isAllowed": true
+ },
+ {
+ "type": "all",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "ambari-qa"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": true,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "id": 3,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-1",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?0",
+ "tbl-1-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 5,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-2",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-3"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?1",
+ "tbl-2-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 6,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-3",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-4"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?2",
+ "tbl-3-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3",
+ "hrt_4"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 7,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-4",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-5"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?3",
+ "tbl-4-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_2",
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 8,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-5",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-6"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?4",
+ "tbl-5-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 9,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-6",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-7"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?5",
+ "tbl-6-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 10,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-7",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-8"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?6",
+ "tbl-7-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3",
+ "hrt_4"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 11,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-8",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-9"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?7",
+ "tbl-8-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_2",
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 12,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-9",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-10"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?8",
+ "tbl-9-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 13,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-10",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-1"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?9",
+ "tbl-10-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 14,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-11",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?0",
+ "tbl-11-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3",
+ "hrt_4"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 15,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-12",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-3"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?1",
+ "tbl-12-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_2",
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 16,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-13",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-4"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?2",
+ "tbl-13-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 17,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-14",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-5"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?3",
+ "tbl-14-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 18,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-15",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-6"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?4",
+ "tbl-15-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3",
+ "hrt_4"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 19,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-16",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-7"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?5",
+ "tbl-16-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_2",
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 20,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-17",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-8"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?6",
+ "tbl-17-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 21,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-18",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-9"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?7",
+ "tbl-18-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 22,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-19",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-10"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?8",
+ "tbl-19-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3",
+ "hrt_4"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 23,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-20",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-1"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?9",
+ "tbl-20-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_2",
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 24,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-21",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?0",
+ "tbl-21-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 25,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-22",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-3"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?1",
+ "tbl-22-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 26,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-23",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-4"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?2",
+ "tbl-23-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3",
+ "hrt_4"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 27,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-24",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-5"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?3",
+ "tbl-24-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_2",
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 28,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-25",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-6"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?4",
+ "tbl-25-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 29,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-26",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-7"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?5",
+ "tbl-26-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 30,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-27",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-8"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?6",
+ "tbl-27-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3",
+ "hrt_4"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 31,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-28",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-9"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?7",
+ "tbl-28-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_2",
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 32,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-29",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-10"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?8",
+ "tbl-29-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_3",
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 33,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-30",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-1"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?9",
+ "tbl-30-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_4",
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_20"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "id": 34,
+ "isEnabled": true
+ },
+ {
+ "service": "cl1_hive",
+ "name": "test-policy-31",
+ "isAuditEnabled": false,
+ "resources": {
+ "database": {
+ "values": [
+ "default"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "col-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "tbl?0",
+ "tbl-31-2"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "update",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "index",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_1",
+ "hrt_2",
+ "hrt_3",
+ "hrt_4"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "denyPolicyItems": [
+ {
+ "accesses": [
+ {
+ "type": "lock",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "hrt_5",
+ "hrt_6",
+ "hrt_7",
+ "hrt_8",
+ "hrt_9"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": false,
+ "isEnabled": true
+ }
+ ],
+ "allowExceptions": [
+ {
+ "accesses": [
+ {
+ "type": "drop",
+ "isAllowe
<TRUNCATED>
[6/8] incubator-ranger git commit: RANGER-794: commit id
fc5314e8b79e9d754c12a63bb67a0f0190ddfe9f
Posted by ma...@apache.org.
RANGER-794: commit id fc5314e8b79e9d754c12a63bb67a0f0190ddfe9f
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/36fbb78f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/36fbb78f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/36fbb78f
Branch: refs/heads/ranger-0.5
Commit: 36fbb78f0bb41e4a1f3e25c050b079f09ed4f668
Parents: bec2fef
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Jan 18 15:31:34 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Sun Mar 20 10:34:46 2016 -0700
----------------------------------------------------------------------
.../ranger/plugin/util/PerfDataRecorder.java | 58 ++++++++++++++++----
.../plugin/util/RangerPerfCollectorTracer.java | 6 +-
.../plugin/util/RangerPerfTracerFactory.java | 6 +-
ranger-tools/conf/log4j.properties | 11 +---
ranger-tools/scripts/README.txt | 21 +++----
.../ranger/policyengine/CommandLineParser.java | 4 +-
.../RangerPolicyenginePerfTester.java | 29 +++++++---
ranger-tools/testdata/test_modules.txt | 25 +++++++++
8 files changed, 111 insertions(+), 49 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/36fbb78f/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
index 72da8e8..9b29075 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
@@ -23,6 +23,8 @@ import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -32,25 +34,43 @@ public class PerfDataRecorder {
private static final Log LOG = LogFactory.getLog(PerfDataRecorder.class);
private static final Log PERF = RangerPerfTracer.getPerfLogger(PerfDataRecorder.class);
- static PerfDataRecorder instance = null;
+ private static volatile PerfDataRecorder instance = null;
private Map<String, PerfStatistic> perfStatistics = new HashMap<String, PerfStatistic>();
+ private boolean initPerfStatisticsOnce = true;
public static void initialize(List<String> names) {
- if (getPerfDataRecorder() == null) {
- instance = new PerfDataRecorder();
+ if (instance == null) {
+ synchronized (PerfDataRecorder.class) {
+ if (instance == null) {
+ instance = new PerfDataRecorder(names);
+ }
+ }
}
- instance.init(names);
}
- public static PerfDataRecorder getPerfDataRecorder() {
- return instance;
+ public static boolean collectStatistics() {
+ return instance != null;
+ }
+
+ public static void printStatistics() {
+ if (instance != null) {
+ instance.dumpStatistics();
+ }
}
+ public static void recordStatistic(String tag, long elapsedTime) {
+ if (instance != null) {
+ instance.record(tag, elapsedTime);
+ }
+ }
+
+ private void dumpStatistics() {
+ List<String> tags = new ArrayList<String>(perfStatistics.keySet());
- public void dumpStatistics() {
- for (Map.Entry<String, PerfStatistic> entry : perfStatistics.entrySet()) {
+ Collections.sort(tags);
- String tag = entry.getKey();
- PerfStatistic perfStatistic = entry.getValue();
+ for (String tag : tags) {
+
+ PerfStatistic perfStatistic = perfStatistics.get(tag);
long averageTimeSpent = 0L;
long minTimeSpent = 0L;
@@ -73,19 +93,33 @@ public class PerfDataRecorder {
}
}
- void record(String tag, long elapsedTime) {
+ private void record(String tag, long elapsedTime) {
PerfStatistic perfStatistic = perfStatistics.get(tag);
+
+ if (perfStatistic == null && !initPerfStatisticsOnce) {
+ synchronized (PerfDataRecorder.class) {
+ perfStatistic = perfStatistics.get(tag);
+ if (perfStatistic == null) {
+ perfStatistic = new PerfStatistic();
+ perfStatistics.put(tag, perfStatistic);
+ }
+ }
+ }
+
if (perfStatistic != null) {
perfStatistic.addPerfDataItem(elapsedTime);
}
+
}
- private void init(List<String> names) {
+ private PerfDataRecorder(List<String> names) {
if (CollectionUtils.isNotEmpty(names)) {
for (String name : names) {
// Create structure
perfStatistics.put(name, new PerfStatistic());
}
+ } else {
+ initPerfStatisticsOnce = false;
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/36fbb78f/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java
index d092859..d899c6f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java
@@ -22,15 +22,13 @@ package org.apache.ranger.plugin.util;
import org.apache.commons.logging.Log;
public class RangerPerfCollectorTracer extends RangerPerfTracer {
- private final PerfDataRecorder recorder;
- public RangerPerfCollectorTracer(Log logger, String tag, String data, PerfDataRecorder recorder) {
+ public RangerPerfCollectorTracer(Log logger, String tag, String data) {
super(logger, tag, data);
- this.recorder = recorder;
}
@Override
public void log() {
- recorder.record(tag, getElapsedTime());
+ PerfDataRecorder.recordStatistic(tag, getElapsedTime());
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/36fbb78f/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java
index 8db2d45..1153091 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java
@@ -23,14 +23,12 @@ import org.apache.commons.logging.Log;
public class RangerPerfTracerFactory {
- private static PerfDataRecorder perfDataRecorder = PerfDataRecorder.getPerfDataRecorder();
-
static RangerPerfTracer getPerfTracer(Log logger, String tag, String data) {
RangerPerfTracer ret = null;
- if (perfDataRecorder != null) {
- ret = new RangerPerfCollectorTracer(logger, tag, data, perfDataRecorder);
+ if (PerfDataRecorder.collectStatistics()) {
+ ret = new RangerPerfCollectorTracer(logger, tag, data);
} else if (logger.isDebugEnabled()) {
ret = new RangerPerfTracer(logger, tag, data);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/36fbb78f/ranger-tools/conf/log4j.properties
----------------------------------------------------------------------
diff --git a/ranger-tools/conf/log4j.properties b/ranger-tools/conf/log4j.properties
index 86f5c18..21f7fad 100644
--- a/ranger-tools/conf/log4j.properties
+++ b/ranger-tools/conf/log4j.properties
@@ -13,11 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-##-- To prevent junits from cluttering the build run by default all test runs send output to null appender
-log4j.appender.devnull=org.apache.log4j.varia.NullAppender
-# ranger.root.logger=FATAL,devnull
-
-##-- uncomment the following line during during development/debugging so see debug messages during test run to be emitted to console
ranger.root.logger=INFO,console
log4j.rootLogger=${ranger.root.logger}
@@ -25,14 +20,10 @@ log4j.rootLogger=${ranger.root.logger}
# Logging Threshold
log4j.threshold=ALL
-#
-# console
-# Add "console" to rootlogger above if you want to use this
-#
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.target=System.err
log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %L %m%n
+log4j.appender.console.layout.ConversionPattern=%m%n
#
# ranger.perf log level
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/36fbb78f/ranger-tools/scripts/README.txt
----------------------------------------------------------------------
diff --git a/ranger-tools/scripts/README.txt b/ranger-tools/scripts/README.txt
index dda6fd1..53a3a8b 100644
--- a/ranger-tools/scripts/README.txt
+++ b/ranger-tools/scripts/README.txt
@@ -37,28 +37,29 @@ This file describes how to build, setup, configure and run the performance testi
ranger-0.5.0-ranger-tools/conf
ranger-0.5.0-ranger-tools/dist
ranger-0.5.0-ranger-tools/lib
- ranger-0.5.0-ranger-tools/scripts
- ranger-0.5.0-ranger-tools/testdata
4. % cd ranger-0.5.0-ranger-tools
5. Configure the policies and requests to use in the test run
Following sample data files are packaged with the perf-tool:
- service-policies - testdata/test_servicepolicies_hive.json
- requests - testdata/test_requests_hive.json
- modules-to-profile - testdata/test_modules.txt
- Please review the contents of these files and modify (or copy/modify) to suite your policy and request needs.
+ testdata/test_servicepolicies_hive.json - Contains service-policies used to initialize the policy-engine;
- Update conf/log4j.properties to specify the filename where perf run results will be written to. Property to update is 'ranger.perf.logger'.
+ testdata/test_requests_hive.json - Contains access requests to be made to the policy-engine;
+
+ Please review the contents of these files and modify to suit your profiling needs.
+
+ Update conf/log4j.properties to specify the filename where perf run results will be written to. Property to update is 'log4j.appender.PERF.File'.
6. Run the tool with the following command
- % ./ranger-perftester.sh -s <service-policies-file> -r <requests-file> -p <profiled-modules-file> -c <number-of-concurrent-clients> -n <number-of-times-requests-file-to-be-run>
+ % ./ranger-perftester.sh -s <service-policies-file> -r <requests-file> -c <number-of-concurrent-clients> -n <number-of-times-requests-file-to-be-run>
Example:
- % ./ranger-perftester.sh -s testdata/test_servicepolicies_hive.json -r testdata/test_requests_hive.json -p testdata/test_modules.txt -c 2 -n 1
+ % ./ranger-perftester.sh -s testdata/test_servicepolicies_hive.json -r testdata/test_requests_hive.json -c 2 -n 1
+
+7. At the end of the run, the performance-statistics are printed on the console and in the log specified file in conf/log4j.properties file as shown below. This is for time spent in evaluating access by Ranger Policy Engine during the course of a test run. The time values shown are in milliseconds.
-7. At the end of the run, the performance-statistics are printed on the console and in the log specified file in conf/log4j.properties file.
+[RangerPolicyEngine.isAccessAllowed] execCount:64, totalTimeTaken:1873, maxTimeTaken:276, minTimeTaken:4, avgTimeTaken:29
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/36fbb78f/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
index a45d71a..0dc79a0 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/CommandLineParser.java
@@ -147,8 +147,8 @@ public class CommandLineParser
if (statCollectionFileName != null) {
statCollectionFileURL = getInputFileURL(statCollectionFileName);
ret = statCollectionFileURL != null;
- } else {
- LOG.error("Error processing stat-collection-module file");
+ } else {
+ ret = true;
}
}
} else {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/36fbb78f/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
index 28cc558..bcd1c68 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/RangerPolicyenginePerfTester.java
@@ -45,7 +45,7 @@ public class RangerPolicyenginePerfTester {
URL statCollectionFileURL = perfTestOptions.getStatCollectionFileURL();
- List<String> perfModuleNames = buildPerfModuleNames(statCollectionFileURL);
+ List<String> perfModuleNames = statCollectionFileURL != null ? buildPerfModuleNames(statCollectionFileURL) : new ArrayList<String>();
PerfDataRecorder.initialize(perfModuleNames);
@@ -108,17 +108,19 @@ public class RangerPolicyenginePerfTester {
perfTestEngine.cleanup();
- PerfDataRecorder.getPerfDataRecorder().dumpStatistics();
+ PerfDataRecorder.printStatistics();
}
private static List<String> buildPerfModuleNames(URL statCollectionFileURL) {
List<String> perfModuleNames = new ArrayList<String>();
- try (
- InputStream inStream = statCollectionFileURL.openStream();
- InputStreamReader reader = new InputStreamReader(inStream, Charset.forName("UTF-8"));
- BufferedReader br = new BufferedReader(reader);
- ) {
+ InputStream inStream = null;
+ InputStreamReader reader = null;
+ BufferedReader br = null;
+ try {
+ inStream = statCollectionFileURL.openStream();
+ reader = new InputStreamReader(inStream, Charset.forName("UTF-8"));
+ br = new BufferedReader(reader);
String line;
@@ -132,6 +134,19 @@ public class RangerPolicyenginePerfTester {
}
}
} catch (Exception exception) {
+ try {
+ if (br != null) {
+ br.close();
+ }
+ if (reader != null) {
+ reader.close();
+ }
+ if (inStream != null) {
+ inStream.close();
+ }
+ } catch (Exception e) {
+ // Ignore
+ }
System.out.println("Error reading arguments:" + exception);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/36fbb78f/ranger-tools/testdata/test_modules.txt
----------------------------------------------------------------------
diff --git a/ranger-tools/testdata/test_modules.txt b/ranger-tools/testdata/test_modules.txt
index 9ffcbfc..f317aaf 100644
--- a/ranger-tools/testdata/test_modules.txt
+++ b/ranger-tools/testdata/test_modules.txt
@@ -19,6 +19,7 @@
PolicyRefresher.loadPolicy
RangerPolicyEngine.init
+RangerPolicyEngine.cleanUp
RangerContextEnricher.init
RangerPolicyEvaluator.init
RangerPolicyItemEvaluator.init
@@ -34,3 +35,27 @@ RangerTagRefresher.populateTags
RangerPolicyEvaluator.isAccessAllowed
RangerPolicyRetriever.getServicePolicies
RangerTagDBReceiver.getTags
+ServiceREST.createServiceDef
+ServiceREST.updateServiceDef
+ServiceREST.deleteServiceDef
+ServiceREST.getServiceDef
+ServiceREST.getServiceDefByName
+ServiceREST.getServiceDefs
+ServiceREST.createService
+ServiceREST.updateService
+ServiceREST.deleteService
+ServiceREST.getService
+ServiceREST.getServices
+ServiceREST.countService
+ServiceREST.validateConfig
+ServiceREST.lookupResource
+ServiceREST.grantAccess
+ServiceREST.revokeAccess
+ServiceREST.createPolicy
+ServiceREST.updatePolicy
+ServiceREST.deletePolicy
+ServiceREST.getPolicy
+ServiceREST.getPolicies
+ServiceREST.countPolicies
+ServiceREST.getServicePolicies
+ServiceREST.getServicePoliciesIfUpdated
\ No newline at end of file
[5/8] incubator-ranger git commit: RANGER-794: commit id
f79bc59a0b4756ca5195a2ffb30759b4a82175ef
Posted by ma...@apache.org.
RANGER-794: commit id f79bc59a0b4756ca5195a2ffb30759b4a82175ef
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/bec2fefe
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/bec2fefe
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/bec2fefe
Branch: refs/heads/ranger-0.5
Commit: bec2fefe1b0101a2be17e57ab3ecfeeb91837bde
Parents: e72cb20
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Jan 13 11:56:04 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Sun Mar 20 10:34:39 2016 -0700
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineImpl.java | 61 +++++++++++++++++-
.../policyengine/RangerPolicyRepository.java | 12 ++++
.../RangerCachedPolicyEvaluator.java | 2 +-
.../RangerDefaultPolicyEvaluator.java | 65 ++++++++++++++++----
.../RangerDefaultPolicyItemEvaluator.java | 50 ++++++++++++++-
.../ranger/plugin/util/PolicyRefresher.java | 12 +++-
.../ranger/plugin/util/RangerPerfTracer.java | 9 ++-
ranger-tools/conf/log4j.properties | 4 +-
.../src/test/resources/log4j.properties | 4 +-
ranger-tools/testdata/test_modules.txt | 18 +++++-
10 files changed, 210 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index d2b3a5c..c276d5a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -27,6 +27,7 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServicePolicies;
import java.util.ArrayList;
@@ -39,6 +40,11 @@ import java.util.Set;
public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
+ private static final Log PERF_POLICYENGINE_INIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.init");
+ private static final Log PERF_POLICYENGINE_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policyengine.request");
+ private static final Log PERF_POLICYENGINE_AUDIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.audit");
+ private static final Log PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request");
+
private final RangerPolicyRepository policyRepository;
@@ -51,12 +57,20 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
LOG.debug("==> RangerPolicyEngineImpl(" + servicePolicies + ", " + options + ")");
}
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "RangerPolicyEngine.init(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
+ }
+
if(options == null) {
options = new RangerPolicyEngineOptions();
}
policyRepository = new RangerPolicyRepository(servicePolicies, options);
+ RangerPerfTracer.log(perf);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl()");
}
@@ -93,9 +107,20 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
List<RangerContextEnricher> enrichers = policyRepository.getContextEnrichers();
if(!CollectionUtils.isEmpty(enrichers)) {
+
for(RangerContextEnricher enricher : enrichers) {
+
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_REQUEST_LOG, "RangerContextEnricher.enrich(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ")");
+ }
+
enricher.enrich(request);
+
+ RangerPerfTracer.log(perf);
}
+
}
if(LOG.isDebugEnabled()) {
@@ -136,12 +161,28 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
}
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ")");
+ }
+
RangerAccessResult ret = isAccessAllowedNoAudit(request);
- if(resultProcessor != null) {
+ if (resultProcessor != null) {
+
+ RangerPerfTracer perfAuditTracer = null;
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_AUDIT_LOG)) {
+ perfAuditTracer = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_AUDIT_LOG, "RangerPolicyEngine.processAudit(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ")");
+ }
+
resultProcessor.processResult(ret);
+
+ RangerPerfTracer.log(perfAuditTracer);
}
+ RangerPerfTracer.log(perf);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
}
@@ -182,6 +223,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + "resource=" + resource.getAsString() + ")");
+ }
boolean ret = false;
for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
@@ -192,6 +238,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
+ RangerPerfTracer.log(perf);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
@@ -206,6 +254,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + ")");
+ }
boolean ret = false;
for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
@@ -216,7 +269,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
- if(LOG.isDebugEnabled()) {
+ RangerPerfTracer.log(perf);
+
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
@@ -300,7 +355,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
- if(LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + "): " + ret);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 45bc792..1f422c5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -31,6 +31,7 @@ import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServicePolicies;
import java.util.ArrayList;
@@ -42,6 +43,8 @@ import java.util.Map;
public class RangerPolicyRepository {
private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class);
+ private static final Log PERF_CONTEXTENRICHER_INIT_LOG = RangerPerfTracer.getPerfLogger("contextenricher.init");
+
private final String serviceName;
private final RangerServiceDef serviceDef;
private final List<RangerPolicy> policies;
@@ -84,6 +87,7 @@ public class RangerPolicyRepository {
RangerPolicyEvaluator evaluator = buildPolicyEvaluator(policy, serviceDef, options);
+
if (evaluator != null) {
policyEvaluators.add(evaluator);
}
@@ -133,6 +137,12 @@ public class RangerPolicyRepository {
RangerContextEnricher ret = null;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_CONTEXTENRICHER_INIT_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_CONTEXTENRICHER_INIT_LOG, "RangerContextEnricher.init(name=" + enricherDef.getName() + ")");
+ }
+
String name = enricherDef != null ? enricherDef.getName() : null;
String clsName = enricherDef != null ? enricherDef.getEnricher() : null;
@@ -152,6 +162,8 @@ public class RangerPolicyRepository {
ret.init();
}
+ RangerPerfTracer.log(perf);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerPolicyRepository.buildContextEnricher(" + enricherDef + "): " + ret);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
index d67777c..91a53d8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
@@ -40,7 +40,7 @@ public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator
super.init(policy, serviceDef, options);
cache = RangerResourceAccessCacheImpl.getInstance(serviceDef, policy);
-
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerCachedPolicyEvaluator.init()");
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 9f60b7b..d570c6c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -44,14 +44,19 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class);
+ private static final Log PERF_POLICY_INIT_LOG = RangerPerfTracer.getPerfLogger("policy.init");
+ private static final Log PERF_POLICY_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policy.request");
+
private RangerPolicyResourceMatcher resourceMatcher = null;
private List<RangerPolicyItemEvaluator> policyItemEvaluators = null;
private int customConditionsCount = 0;
+ private String perfTag;
@Override
public int getCustomConditionsCount() {
@@ -65,6 +70,18 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
preprocessPolicy(policy, serviceDef);
+ StringBuffer perfTagBuffer = new StringBuffer();
+ if (policy != null) {
+ perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
+ }
+
+ perfTag = perfTagBuffer.toString();
+
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_INIT_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_INIT_LOG, "RangerPolicyEvaluator.init(" + perfTag + ")");
+ }
super.init(policy, serviceDef, options);
@@ -92,6 +109,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
policyItemEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
}
+ RangerPerfTracer.log(perf);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
}
@@ -103,6 +122,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
}
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ","
+ + perfTag + ")");
+ }
+
if (request != null && result != null) {
boolean isMatchAttempted = false;
boolean matchResult = false;
@@ -147,18 +173,21 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
headMatchResult = matchResourceHead(request.getResource());
isHeadMatchAttempted = true;
}
- }
- // Go further to evaluate access only if match or head match was found at this point
- if (matchResult || headMatchResult) {
- evaluatePolicyItemsForAccess(request, result);
- }
- }
- }
+ }
+ // Go further to evaluate access only if match or head match was found at this point
+ if (matchResult || headMatchResult) {
+ evaluatePolicyItemsForAccess(request, result);
+ }
+ }
+ }
- if(LOG.isDebugEnabled()) {
+ RangerPerfTracer.log(perf);
+
+ if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
}
- }
+
+ }
protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) {
if(LOG.isDebugEnabled()) {
@@ -188,10 +217,18 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
boolean ret = false;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isMatch(resource=" + resource.getAsString() + "," + perfTag + ")");
+ }
+
if(resourceMatcher != null) {
ret = resourceMatcher.isMatch(resource);
}
+ RangerPerfTracer.log(perf);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + resource + "): " + ret);
}
@@ -292,6 +329,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
boolean ret = false;
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isAccessAllowed(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + "," + perfTag + ")");
+ }
if(CollectionUtils.isNotEmpty(policyItemEvaluators)) {
for (RangerPolicyItemEvaluator policyItemEvaluator : policyItemEvaluators) {
ret = policyItemEvaluator.matchUserGroup(user, userGroups) &&
@@ -303,6 +345,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
}
+ RangerPerfTracer.log(perf);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
}
@@ -415,6 +459,3 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
}
-
-
-
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index bf9b243..e8d90fa 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -37,11 +37,16 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEvaluator {
private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyItemEvaluator.class);
+ private static final Log PERF_POLICYITEM_INIT_LOG = RangerPerfTracer.getPerfLogger("policyitem.init");
+ private static final Log PERF_POLICYITEM_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policyitem.request");
+ private static final Log PERF_POLICYCONDITION_INIT_LOG = RangerPerfTracer.getPerfLogger("policycondition.init");
+ private static final Log PERF_POLICYCONDITION_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policycondition.request");
public RangerDefaultPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerPolicyItem policyItem, RangerPolicyEngineOptions options) {
super(serviceDef, policy, policyItem, options);
@@ -55,6 +60,12 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
if (!getConditionsDisabledOption() && policyItem != null && CollectionUtils.isNotEmpty(policyItem.getConditions())) {
conditionEvaluators = new ArrayList<RangerConditionEvaluator>();
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_INIT_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_INIT_LOG, "RangerPolicyItemEvaluator.init(policyId=" + policyId + ")");
+ }
+
for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
RangerPolicyConditionDef conditionDef = getConditionDef(condition.getType());
@@ -69,13 +80,23 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
if (conditionEvaluator != null) {
conditionEvaluator.setConditionDef(conditionDef);
conditionEvaluator.setPolicyItemCondition(condition);
+
+ RangerPerfTracer perfConditionInit = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_INIT_LOG)) {
+ perfConditionInit = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_INIT_LOG, "RangerConditionEvaluator.init(policyId=" + policyId + ",policyConditionType=" + condition.getType() + ")");
+ }
+
conditionEvaluator.init();
+ RangerPerfTracer.log(perfConditionInit);
+
conditionEvaluators.add(conditionEvaluator);
} else {
LOG.error("RangerDefaultPolicyItemEvaluator(policyId=" + policyId + "): failed to instantiate condition evaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'");
}
}
+ RangerPerfTracer.log(perf);
}
if(LOG.isDebugEnabled()) {
@@ -89,6 +110,14 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
LOG.debug("==> RangerDefaultPolicyItemEvaluator.evaluate(" + request + ", " + result + ")");
}
+ boolean ret = false;
+
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYITEM_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYITEM_REQUEST_LOG, "RangerPolicyItemEvaluator.isMatch(resource=" + request.getResource().getAsString() + ")");
+ }
+
if(policyItem != null) {
if(matchUserGroup(request.getUser(), request.getUserGroups())) {
if (request.isAccessTypeDelegatedAdmin()) { // used only in grant/revoke scenario
@@ -125,6 +154,8 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
}
}
+ RangerPerfTracer.log(perf);
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyItemEvaluator.evaluate(" + request + ", " + result + ")");
}
@@ -209,7 +240,24 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
if (CollectionUtils.isNotEmpty(conditionEvaluators)) {
for(RangerConditionEvaluator conditionEvaluator : conditionEvaluators) {
- if(!conditionEvaluator.isMatched(request)) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("evaluating condition: " + conditionEvaluator);
+ }
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYCONDITION_REQUEST_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYCONDITION_REQUEST_LOG, "RangerConditionEvaluator.matchCondition(policyId=" + policyId + ")");
+ }
+
+ boolean conditionEvalResult = conditionEvaluator.isMatched(request);
+
+ RangerPerfTracer.log(perf);
+
+ if (!conditionEvalResult) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug(conditionEvaluator + " returned false");
+ }
+
ret = false;
break;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index 0729339..27968eb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -38,6 +38,8 @@ import com.google.gson.GsonBuilder;
public class PolicyRefresher extends Thread {
private static final Log LOG = LogFactory.getLog(PolicyRefresher.class);
+ private static final Log PERF_POLICYENGINE_INIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.init");
+
private final RangerBasePlugin plugIn;
private final String serviceType;
private final String serviceName;
@@ -171,7 +173,13 @@ public class PolicyRefresher extends Thread {
LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").loadPolicy()");
}
- //load policy from PolicyAmdin
+ RangerPerfTracer perf = null;
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "PolicyRefresher.loadPolicy(serviceName=" + serviceName + ")");
+ }
+
+ //load policy from PolicyAdmin
ServicePolicies svcPolicies = loadPolicyfromPolicyAdmin();
if ( svcPolicies == null) {
@@ -183,6 +191,8 @@ public class PolicyRefresher extends Thread {
saveToCache(svcPolicies);
}
+ RangerPerfTracer.log(perf);
+
if (svcPolicies != null) {
plugIn.setPolicies(svcPolicies);
policiesSetInPlugin = true;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
index 175c4e4..e130cc7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
@@ -29,10 +29,12 @@ public class RangerPerfTracer {
protected final String data;
private final long startTimeMs;
+ private static long reportingThresholdMs = 0L;
+
private final static String tagEndMarker = "(";
public static Log getPerfLogger(String name) {
- return LogFactory.getLog("ranger.perf." + name);
+ return LogFactory.getLog("org.apache.ranger.perf." + name);
}
public static Log getPerfLogger(Class<?> cls) {
@@ -89,8 +91,9 @@ public class RangerPerfTracer {
}
public void log() {
- if(logger.isDebugEnabled()) {
- logger.debug("[PERF] " + tag + data + ": " + getElapsedTime());
+ long elapsedTime = getElapsedTime();
+ if (elapsedTime > reportingThresholdMs) {
+ logger.debug("[PERF] " + tag + data + ": " + elapsedTime);
}
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/ranger-tools/conf/log4j.properties
----------------------------------------------------------------------
diff --git a/ranger-tools/conf/log4j.properties b/ranger-tools/conf/log4j.properties
index ccb9db4..86f5c18 100644
--- a/ranger-tools/conf/log4j.properties
+++ b/ranger-tools/conf/log4j.properties
@@ -40,8 +40,8 @@ log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %L
ranger.perf.logger=DEBUG,PERF
ranger.perf.log.file=ranger-perf-test.log
-log4j.logger.ranger.perf=${ranger.perf.logger}
-log4j.additivity.ranger.perf=false
+log4j.logger.org.apache.ranger.perf=${ranger.perf.logger}
+log4j.additivity.org.apache.ranger.perf=false
log4j.appender.PERF=org.apache.log4j.DailyRollingFileAppender
log4j.appender.PERF.File=${ranger.perf.log.file}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/ranger-tools/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/resources/log4j.properties b/ranger-tools/src/test/resources/log4j.properties
index abf617e..4ea9d85 100644
--- a/ranger-tools/src/test/resources/log4j.properties
+++ b/ranger-tools/src/test/resources/log4j.properties
@@ -40,8 +40,8 @@ log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %L
ranger.perf.logger=DEBUG,PERF
ranger.perf.log.file=${java.io.tmpdir}/ranger-perf-test.log
-log4j.logger.ranger.perf=${ranger.perf.logger}
-log4j.additivity.ranger.perf=false
+log4j.logger.org.apache.ranger.perf=${ranger.perf.logger}
+log4j.additivity.org.apache.ranger.perf=false
log4j.appender.PERF=org.apache.log4j.DailyRollingFileAppender
log4j.appender.PERF.File=${ranger.perf.log.file}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bec2fefe/ranger-tools/testdata/test_modules.txt
----------------------------------------------------------------------
diff --git a/ranger-tools/testdata/test_modules.txt b/ranger-tools/testdata/test_modules.txt
index 33432ed..9ffcbfc 100644
--- a/ranger-tools/testdata/test_modules.txt
+++ b/ranger-tools/testdata/test_modules.txt
@@ -17,6 +17,20 @@
# under the License.
#
+PolicyRefresher.loadPolicy
RangerPolicyEngine.init
-RangerPolicyEngine.preProcess
-RangerPolicyEngine.isAccessAllowedNoAudit
+RangerContextEnricher.init
+RangerPolicyEvaluator.init
+RangerPolicyItemEvaluator.init
+RangerConditionEvaluator.init
+RangerContextEnricher.enrich
+RangerPolicyEngine.isAccessAllowed
+RangerPolicyEvaluator.evaluate
+RangerPolicyEvaluator.isMatch
+RangerPolicyItemEvaluator.isMatch
+RangerConditionEvaluator.matchCondition
+RangerPolicyEngine.processAudit
+RangerTagRefresher.populateTags
+RangerPolicyEvaluator.isAccessAllowed
+RangerPolicyRetriever.getServicePolicies
+RangerTagDBReceiver.getTags
[8/8] incubator-ranger git commit: RANGER-844: commit id
c20a0d1ad1995c404c0d32e85f820397226ea882
Posted by ma...@apache.org.
RANGER-844: commit id c20a0d1ad1995c404c0d32e85f820397226ea882
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9e49cc68
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9e49cc68
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9e49cc68
Branch: refs/heads/ranger-0.5
Commit: 9e49cc688ac4a9bf23d40ff3c8abf29adba322e6
Parents: d3a2964
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Feb 1 12:07:41 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Sun Mar 20 11:18:22 2016 -0700
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineImpl.java | 7 +-
.../policyengine/RangerPolicyEngineOptions.java | 1 +
.../policyengine/RangerPolicyRepository.java | 63 ++-------
.../org/apache/ranger/biz/ServiceDBStore.java | 78 +++++++----
.../common/RangerServicePoliciesCache.java | 37 +++---
.../apache/ranger/common/UserSessionBase.java | 1 +
.../org/apache/ranger/db/XXGroupUserDao.java | 22 ++++
.../org/apache/ranger/rest/ServiceREST.java | 129 ++++++++++++-------
.../resources/META-INF/jpa_named_queries.xml | 10 +-
.../src/main/webapp/WEB-INF/log4j.xml | 4 +-
10 files changed, 203 insertions(+), 149 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 55ae785..1cfdc4f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -47,7 +47,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
private static final Log PERF_POLICYENGINE_AUDIT_LOG = RangerPerfTracer.getPerfLogger("policyengine.audit");
private static final Log PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request");
- private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 500;
+ private static final int MAX_POLICIES_FOR_CACHE_TYPE_EVALUATOR = 100;
private final RangerPolicyRepository policyRepository;
@@ -279,12 +279,13 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
+ boolean ret = false;
+
RangerPerfTracer perf = null;
if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_REQUEST_LOG)) {
- perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + ")");
+ perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_REQUEST_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + "," + userGroups + ",accessType=" + accessType + ")");
}
- boolean ret = false;
for(RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
ret = evaluator.isAccessAllowed(resources, user, userGroups, accessType);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index 3289661..7cacfa8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -27,4 +27,5 @@ public class RangerPolicyEngineOptions {
public boolean cacheAuditResults = true;
public boolean disableContextEnrichers = false;
public boolean disableCustomConditions = false;
+ public boolean evaluateDelegateAdminOnly = false;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 595c324..f522cfb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -81,7 +81,7 @@ public class RangerPolicyRepository {
List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
for (RangerPolicy policy : servicePolicies.getPolicies()) {
- if (!policy.getIsEnabled()) {
+ if (skipBuildingPolicyEvaluator(policy, options)) {
continue;
}
@@ -95,6 +95,17 @@ public class RangerPolicyRepository {
Collections.sort(policyEvaluators);
this.policyEvaluators = Collections.unmodifiableList(policyEvaluators);
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("policy evaluation order: " + this.policyEvaluators.size() + " policies");
+
+ int order = 0;
+ for(RangerPolicyEvaluator policyEvaluator : this.policyEvaluators) {
+ RangerPolicy policy = policyEvaluator.getPolicy();
+
+ LOG.debug("policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder());
+ }
+ }
+
String propertyName = "ranger.plugin." + serviceName + ".policyengine.auditcachesize";
if(options.cacheAuditResults) {
@@ -157,58 +168,12 @@ public class RangerPolicyRepository {
boolean ret = false;
if (!policy.getIsEnabled()) {
ret = true;
+ } else if (options.evaluateDelegateAdminOnly && !isDelegateAdminPolicy(policy)) {
+ ret = true;
}
return ret;
}
- private void init(RangerPolicyEngineOptions options) {
-
- List<RangerPolicyEvaluator> policyEvaluators = new ArrayList<RangerPolicyEvaluator>();
-
- for (RangerPolicy policy : policies) {
- if (skipBuildingPolicyEvaluator(policy, options)) {
- continue;
- }
-
- RangerPolicyEvaluator evaluator = buildPolicyEvaluator(policy, serviceDef, options);
-
- if (evaluator != null) {
- policyEvaluators.add(evaluator);
- }
- }
- Collections.sort(policyEvaluators);
- this.policyEvaluators = Collections.unmodifiableList(policyEvaluators);
-
- List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
- if (CollectionUtils.isNotEmpty(this.policyEvaluators)) {
- if (!options.disableContextEnrichers && !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) {
- for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) {
- if (enricherDef == null) {
- continue;
- }
-
- RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef);
-
- if (contextEnricher != null) {
- contextEnrichers.add(contextEnricher);
- }
- }
- }
- }
- this.contextEnrichers = Collections.unmodifiableList(contextEnrichers);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("policy evaluation order: " + this.policyEvaluators.size() + " policies");
-
- int order = 0;
- for(RangerPolicyEvaluator policyEvaluator : this.policyEvaluators) {
- RangerPolicy policy = policyEvaluator.getPolicy();
-
- LOG.debug("policy evaluation order: #" + (++order) + " - policy id=" + policy.getId() + "; name=" + policy.getName() + "; evalOrder=" + policyEvaluator.getEvalOrder());
- }
- }
- }
-
private RangerContextEnricher buildContextEnricher(RangerServiceDef.RangerContextEnricherDef enricherDef) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyRepository.buildContextEnricher(" + enricherDef + ")");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 6774170..1720063 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1549,31 +1549,15 @@ public class ServiceDBStore implements ServiceStore {
if (service == null) {
throw new Exception("service does not exist - id='" + serviceId);
}
- RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr);
- List<RangerPolicy> ret = policyRetriever.getServicePolicies(service);
- if(filter != null) {
- predicateUtil.applyFilter(ret, filter);
- }
- return ret;
- }
- private List<RangerPolicy> getServicePolicies(XXService service) throws Exception {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> ServiceDBStore.getServicePolicies(" + service.getName() + ")");
- }
-
- RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr);
-
- List<RangerPolicy> ret = policyRetriever.getServicePolicies(service);
+ List<RangerPolicy> ret = getServicePolicies(service, filter);
if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceDBStore.getServicePolicies(" + service.getName() + "): count=" + ((ret == null) ? 0 : ret.size()));
+ LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceId + ") : policy-count=" + (ret == null ? 0 : ret.size()));
}
-
return ret;
}
-
public RangerPolicyList getPaginatedServicePolicies(Long serviceId, SearchFilter filter) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getPaginatedServicePolicies(" + serviceId + ")");
@@ -1598,18 +1582,62 @@ public class ServiceDBStore implements ServiceStore {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceName + ")");
}
+
+ List<RangerPolicy> ret = null;
+
XXService service = daoMgr.getXXService().findByName(serviceName);
if (service == null) {
throw new Exception("service does not exist - name='" + serviceName);
}
- RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr);
- List<RangerPolicy> ret = policyRetriever.getServicePolicies(service);
- if(filter != null) {
+
+ ret = getServicePolicies(service, filter);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null) ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
+ private List<RangerPolicy> getServicePolicies(XXService service, SearchFilter filter) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceDBStore.getServicePolicies()");
+ }
+
+ if (service == null) {
+ throw new Exception("service does not exist");
+ }
+
+ List<RangerPolicy> ret = null;
+
+ ServicePolicies servicePolicies = RangerServicePoliciesCache.getInstance().getServicePolicies(service.getName(), this);
+ List<RangerPolicy> policies = servicePolicies != null ? servicePolicies.getPolicies() : null;
+
+ if(policies != null && filter != null) {
+ ret = new ArrayList<RangerPolicy>(policies);
predicateUtil.applyFilter(ret, filter);
+ } else {
+ ret = policies;
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== ServiceDBStore.getServicePolicies(" + serviceName + "): count=" + ((ret == null) ? 0 : ret.size()));
+ LOG.debug("<== ServiceDBStore.getServicePolicies(): count=" + ((ret == null) ? 0 : ret.size()));
+ }
+
+ return ret;
+ }
+
+ private List<RangerPolicy> getServicePoliciesFromDb(XXService service) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceDBStore.getServicePoliciesFromDb(" + service.getName() + ")");
+ }
+
+ RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr);
+
+ List<RangerPolicy> ret = policyRetriever.getServicePolicies(service);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceDBStore.getServicePoliciesFromDb(" + service.getName() + "): count=" + ((ret == null) ? 0 : ret.size()));
}
return ret;
@@ -1688,7 +1716,7 @@ public class ServiceDBStore implements ServiceStore {
XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName);
- if(serviceDbObj == null) {
+ if (serviceDbObj == null) {
throw new Exception("service does not exist. name=" + serviceName);
}
@@ -1701,7 +1729,7 @@ public class ServiceDBStore implements ServiceStore {
if (serviceDbObj.getIsenabled()) {
- policies = getServicePolicies(serviceDbObj);
+ policies = getServicePoliciesFromDb(serviceDbObj);
} else {
policies = new ArrayList<RangerPolicy>();
@@ -1773,7 +1801,7 @@ public class ServiceDBStore implements ServiceStore {
}
Map<String, RangerPolicyResource> createDefaultPolicyResource(List<RangerResourceDef> resourceHierarchy) throws Exception {
- Map<String, RangerPolicyResource> resourceMap = new HashMap<>();
+ Map<String, RangerPolicyResource> resourceMap = new HashMap<String, RangerPolicyResource>();
for (RangerResourceDef resourceDef : resourceHierarchy) {
RangerPolicyResource polRes = new RangerPolicyResource();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
index 6c8cbff..f6c599e 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
@@ -36,6 +36,8 @@ import java.util.concurrent.locks.ReentrantLock;
public class RangerServicePoliciesCache {
private static final Log LOG = LogFactory.getLog(RangerServicePoliciesCache.class);
+ private static final int MAX_WAIT_TIME_FOR_UPDATE = 10;
+
private static volatile RangerServicePoliciesCache sInstance = null;
private final boolean useServicePoliciesCache;
private final int waitTimeInSeconds;
@@ -55,7 +57,7 @@ public class RangerServicePoliciesCache {
private RangerServicePoliciesCache() {
useServicePoliciesCache = RangerConfiguration.getInstance().getBoolean("ranger.admin.policy.download.usecache", true);
- waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.policy.download.cache.max.waittime.for.update", 20);
+ waitTimeInSeconds = RangerConfiguration.getInstance().getInt("ranger.admin.policy.download.cache.max.waittime.for.update", MAX_WAIT_TIME_FOR_UPDATE);
}
public void dump() {
@@ -97,7 +99,7 @@ public class RangerServicePoliciesCache {
return ret;
}
- public ServicePolicies getServicePolicies(String serviceName, ServiceStore serviceStore) {
+ public ServicePolicies getServicePolicies(String serviceName, ServiceStore serviceStore) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerServicePoliciesCache.getServicePolicies(" + serviceName + ")");
@@ -137,7 +139,10 @@ public class RangerServicePoliciesCache {
if (serviceStore != null) {
boolean refreshed = servicePoliciesWrapper.getLatestOrCached(serviceName, serviceStore);
- LOG.info("tryRefreshFromStore returned " + refreshed);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("getLatestOrCached returned " + refreshed);
+ }
} else {
LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies as service-store is null!");
}
@@ -181,7 +186,7 @@ public class RangerServicePoliciesCache {
return longestDbLoadTimeInMs;
}
- boolean getLatestOrCached(String serviceName, ServiceStore serviceStore) {
+ boolean getLatestOrCached(String serviceName, ServiceStore serviceStore) throws Exception {
boolean ret = false;
try {
@@ -190,7 +195,7 @@ public class RangerServicePoliciesCache {
getLatest(serviceName, serviceStore);
}
} catch (InterruptedException exception) {
- LOG.error("tryRefreshFromStore:lock got interrupted..", exception);
+ LOG.error("getLatestOrCached:lock got interrupted..", exception);
} finally {
if (ret) {
lock.unlock();
@@ -200,7 +205,7 @@ public class RangerServicePoliciesCache {
return ret;
}
- void getLatest(String serviceName, ServiceStore serviceStore) {
+ void getLatest(String serviceName, ServiceStore serviceStore) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServicePoliciesWrapper.getLatest(" + serviceName + ")");
@@ -218,22 +223,16 @@ public class RangerServicePoliciesCache {
LOG.debug("loading servicePolicies from db ... cachedServicePoliciesVersion=" + (servicePolicies != null ? servicePolicies.getPolicyVersion() : null) + ", servicePolicyVersionInDb=" + servicePolicyVersionInDb);
}
- ServicePolicies servicePoliciesFromDb = null;
+ long startTimeMs = System.currentTimeMillis();
- try {
- long startTimeMs = System.currentTimeMillis();
+ ServicePolicies servicePoliciesFromDb = serviceStore.getServicePolicies(serviceName);
- servicePoliciesFromDb = serviceStore.getServicePolicies(serviceName);
+ long dbLoadTime = System.currentTimeMillis() - startTimeMs;
- long dbLoadTime = System.currentTimeMillis() - startTimeMs;
-
- if (dbLoadTime > longestDbLoadTimeInMs) {
- longestDbLoadTimeInMs = dbLoadTime;
- }
- updateTime = new Date();
- } catch (Exception exception) {
- LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies from service-store", exception);
+ if (dbLoadTime > longestDbLoadTimeInMs) {
+ longestDbLoadTimeInMs = dbLoadTime;
}
+ updateTime = new Date();
if (servicePoliciesFromDb != null) {
if (servicePoliciesFromDb.getPolicyVersion() == null) {
@@ -265,7 +264,7 @@ public class RangerServicePoliciesCache {
policy.setUpdatedBy(null);
policy.setUpdateTime(null);
policy.setGuid(null);
- policy.setName(null);
+ // policy.setName(null); /* this is used by GUI in policy list page */
policy.setDescription(null);
policy.setResourceSignature(null);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
index 175459c..ce865cf 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
@@ -22,6 +22,7 @@
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
+import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import org.apache.ranger.entity.XXAuthSession;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
index ffc3c32..b437656 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
@@ -21,7 +21,9 @@
import java.util.ArrayList;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
import javax.persistence.NoResultException;
@@ -81,6 +83,26 @@ public class XXGroupUserDao extends BaseDao<XXGroupUser> {
return null;
}
+ public Set<String> findGroupNamesByUserName(String userName) {
+ List<String> groupList = null;
+
+ if (userName != null) {
+ try {
+ groupList = getEntityManager().createNamedQuery("XXGroupUser.findGroupNamesByUserName", String.class).setParameter("userName", userName).getResultList();
+ } catch (NoResultException e) {
+ logger.debug(e.getMessage());
+ }
+ } else {
+ logger.debug("UserId not provided.");
+ }
+
+ if(groupList != null) {
+ return new HashSet<String>(groupList);
+ }
+
+ return new HashSet<String>();
+ }
+
public List<XXGroupUser> findByGroupId(Long groupId) {
if (groupId == null) {
return new ArrayList<XXGroupUser>();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 40628bb..a6187ba 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -405,6 +405,8 @@ public class ServiceREST {
throw restErrorUtil.createRESTException(excp.getMessage());
}
+ RangerPerfTracer.log(perf);
+
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getServiceDefs(): count=" + (ret == null ? 0 : ret.getListSize()));
}
@@ -782,7 +784,11 @@ public class ServiceREST {
}
try {
- ret = serviceMgr.lookupResource(serviceName,context, svcStore);
+
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.lookupResource(serviceName=" + serviceName + ")");
+ }
+ ret = serviceMgr.lookupResource(serviceName, context, svcStore);
} catch(WebApplicationException excp) {
throw excp;
} catch(Throwable excp) {
@@ -974,7 +980,7 @@ public class ServiceREST {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")");
}
- if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) {
+ if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
try {
String userName = revokeRequest.getGrantor();
@@ -1274,7 +1280,7 @@ public class ServiceREST {
filter.setMaxRows(savedMaxRows);
}
- applyAdminAccessFilter(policies);
+ policies = applyAdminAccessFilter(policies);
ret = toRangerPolicyList(policies, filter);
}
@@ -1310,7 +1316,7 @@ public class ServiceREST {
try {
ret = svcStore.getPolicies(filter);
- applyAdminAccessFilter(ret);
+ ret = applyAdminAccessFilter(ret);
} catch(WebApplicationException excp) {
throw excp;
} catch(Throwable excp) {
@@ -1346,7 +1352,7 @@ public class ServiceREST {
try {
List<RangerPolicy> policies = getPolicies(request).getPolicies();
- applyAdminAccessFilter(policies);
+ policies = applyAdminAccessFilter(policies);
ret = new Long(policies == null ? 0 : policies.size());
} catch(WebApplicationException excp) {
@@ -1402,7 +1408,7 @@ public class ServiceREST {
filter.setMaxRows(savedMaxRows);
}
- applyAdminAccessFilter(servicePolicies);
+ servicePolicies = applyAdminAccessFilter(servicePolicies);
ret = toRangerPolicyList(servicePolicies, filter);
}
@@ -1433,7 +1439,7 @@ public class ServiceREST {
LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")");
}
- RangerPolicyList ret = new RangerPolicyList();;
+ RangerPolicyList ret = new RangerPolicyList();
RangerPerfTracer perf = null;
SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
@@ -1449,25 +1455,26 @@ public class ServiceREST {
} else {
// get all policies from the store; pick the page to return after applying filter
int savedStartIndex = filter == null ? 0 : filter.getStartIndex();
- int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows();
+ int savedMaxRows = filter == null ? Integer.MAX_VALUE : filter.getMaxRows();
- if(filter != null) {
+ if (filter != null) {
filter.setStartIndex(0);
filter.setMaxRows(Integer.MAX_VALUE);
}
List<RangerPolicy> servicePolicies = svcStore.getServicePolicies(serviceName, filter);
- if(filter != null) {
+ if (filter != null) {
filter.setStartIndex(savedStartIndex);
filter.setMaxRows(savedMaxRows);
}
- applyAdminAccessFilter(servicePolicies);
+ servicePolicies = applyAdminAccessFilter(servicePolicies);
ret = toRangerPolicyList(servicePolicies, filter);
}
+
} catch(WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
@@ -1484,7 +1491,7 @@ public class ServiceREST {
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getServicePolicies(" + serviceName + "): count="
- + ret.getListSize());
+ + ret != null ? ret.getListSize() : ret);
}
return ret;
@@ -1792,59 +1799,80 @@ public class ServiceREST {
return svcStore.getPolicyForVersionNumber(policyId, versionNo);
}
+ private List<RangerPolicy> applyAdminAccessFilter(List<RangerPolicy> policies) {
+ List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
+ RangerPerfTracer perf = null;
- private void applyAdminAccessFilter(List<RangerPolicy> policies) {
- boolean isAdmin = bizUtil.isAdmin();
- boolean isKeyAdmin = bizUtil.isKeyAdmin();
-
- if(!isAdmin && !isKeyAdmin && !CollectionUtils.isEmpty(policies)) {
- String userName = bizUtil.getCurrentUserLoginId();
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
- Map<String, RangerPolicyEngine> policyEngines = new HashMap<String, RangerPolicyEngine>();
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + (policies == null ? 0 : policies.size()) + ")");
+ }
- for(int i = 0; i < policies.size(); i++) {
- RangerPolicy policy = policies.get(i);
- String serviceName = policy.getService();
- RangerPolicyEngine policyEngine = policyEngines.get(serviceName);
+ if (CollectionUtils.isNotEmpty(policies)) {
+ boolean isAdmin = bizUtil.isAdmin();
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+ String userName = bizUtil.getCurrentUserLoginId();
+ Set<String> userGroups = null;
- if(policyEngine == null) {
- policyEngine = getPolicyEngine(policy.getService());
+ Map<String, List<RangerPolicy>> servicePoliciesMap = new HashMap<String, List<RangerPolicy>>();
- if(policyEngine != null) {
- policyEngines.put(serviceName, policyEngine);
- }
- }
+ for (int i = 0; i < policies.size(); i++) {
+ RangerPolicy policy = policies.get(i);
+ String serviceName = policy.getService();
+ List<RangerPolicy> policyList = servicePoliciesMap.get(serviceName);
- boolean hasAdminAccess = hasAdminAccess(policyEngine, userName, userGroups, policy.getResources());
+ if (policyList == null) {
+ policyList = new ArrayList<RangerPolicy>();
- if(!hasAdminAccess) {
- policies.remove(i);
- i--;
+ servicePoliciesMap.put(serviceName, policyList);
}
+
+ policyList.add(policy);
}
- } else if (isAdmin && !CollectionUtils.isEmpty(policies)) {
- for (int i = 0; i < policies.size(); i++) {
- XXService xService = daoManager.getXXService().findByName(policies.get(i).getService());
- XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ for (Map.Entry<String, List<RangerPolicy>> entry : servicePoliciesMap.entrySet()) {
+ String serviceName = entry.getKey();
+ List<RangerPolicy> listToFilter = entry.getValue();
- if (xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
- policies.remove(i);
- i--;
- }
- }
- } else if (isKeyAdmin && !CollectionUtils.isEmpty(policies)) {
- for (int i = 0; i < policies.size(); i++) {
+ if (CollectionUtils.isNotEmpty(listToFilter)) {
+ if (isAdmin || isKeyAdmin) {
+ XXService xService = daoManager.getXXService().findByName(serviceName);
+ Long serviceDefId = xService.getType();
+ boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
+
+ if (isAdmin) {
+ if (!isKmsService) {
+ ret.addAll(listToFilter);
+ }
+ } else { // isKeyAdmin
+ if (isKmsService) {
+ ret.addAll(listToFilter);
+ }
+ }
- XXService xService = daoManager.getXXService().findByName(policies.get(i).getService());
- XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ continue;
+ }
+
+ RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
+
+ if (policyEngine != null) {
+ if(userGroups == null) {
+ userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
+ }
+
+ for (RangerPolicy policy : listToFilter) {
+ if (policyEngine.isAccessAllowed(policy.getResources(), userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) {
+ ret.add(policy);
+ }
+ }
+ }
- if (!xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
- policies.remove(i);
- i--;
}
}
}
+
+ RangerPerfTracer.log(perf);
+
+ return ret;
}
void ensureAdminAccess(String serviceName, Map<String, RangerPolicyResource> resources) {
@@ -1910,6 +1938,7 @@ public class ServiceREST {
options.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
+ options.evaluateDelegateAdminOnly = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.evaluate.delegateadmin.only", true);
RangerPolicyEngineCache.getInstance().setPolicyEngineOptions(options);;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 6af938e..3826a37 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. The ASF licenses this file to
You under the Apache License, Version 2.0 (the "License"); you may not use
@@ -177,6 +177,13 @@
</query>
</named-query>
+ <named-query name="XXGroupUser.findGroupNamesByUserName">
+ <query>SELECT obj.name FROM XXGroup obj
+ WHERE obj.id IN (SELECT gu.parentGroupId FROM XXGroupUser gu, XXUser u
+ WHERE gu.userId = u.id AND u.name=:userName)
+ </query>
+ </named-query>
+
<named-query name="XXGroupUser.findByGroupId">
<query>SELECT obj FROM XXGroupUser obj WHERE obj.parentGroupId=:groupId
</query>
@@ -656,6 +663,7 @@
xpu.id=:userId and gmp.isAllowed=:isAllowed
</query>
</named-query>
+
<named-query name="XXTrxLog.getMaxIdOfXXTrxLog">
<query>select max(obj.id) from XXTrxLog obj</query>
</named-query>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e49cc68/security-admin/src/main/webapp/WEB-INF/log4j.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/WEB-INF/log4j.xml b/security-admin/src/main/webapp/WEB-INF/log4j.xml
index 3510d02..f7d40bb 100644
--- a/security-admin/src/main/webapp/WEB-INF/log4j.xml
+++ b/security-admin/src/main/webapp/WEB-INF/log4j.xml
@@ -84,8 +84,8 @@
</category>
<!--
- <category name="ranger.perf" additivity="false">
- <priority value="info" />
+ <category name="org.apache.ranger.perf" additivity="false">
+ <priority value="debug" />
<appender-ref ref="perf_appender" />
</category>
-->