Posted to commits@ranger.apache.org by co...@apache.org on 2017/04/25 09:46:38 UTC
ranger git commit: RANGER-1478 : Small refactor in
RangerPolicyEngineCache and RangerPolicyEngineOptions,
to avoid looking up RangerConfiguration everytime,
and try to write the RPEO fields only from that class (OOP)
Repository: ranger
Updated Branches:
refs/heads/master 3bc1229ff -> 9a1d5b49b
RANGER-1478 : Small refactor in RangerPolicyEngineCache and RangerPolicyEngineOptions, to avoid looking up RangerConfiguration every time, and try to write the RPEO fields only from that class (OOP)
Change-Id: Ic84c01ca80dc08eb2876dcb235eacabb88616fd1
Signed-off-by: Colm O hEigeartaigh <co...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9a1d5b49
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9a1d5b49
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9a1d5b49
Branch: refs/heads/master
Commit: 9a1d5b49bf4c22b8a7847b4637e86bdbe9de9a0c
Parents: 3bc1229
Author: Zsombor Gegesy <gz...@gmail.com>
Authored: Sat Mar 11 19:38:00 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Apr 25 10:38:59 2017 +0100
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineCache.java | 17 ++-------
.../policyengine/RangerPolicyEngineOptions.java | 27 +++++++++++++
.../ranger/plugin/service/RangerBasePlugin.java | 25 +++++-------
.../org/apache/ranger/rest/ServiceREST.java | 40 ++++++++------------
4 files changed, 57 insertions(+), 52 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a1d5b49/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
index 5376b52..56dfcdf 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
@@ -35,13 +35,11 @@ public class RangerPolicyEngineCache {
private final Map<String, RangerPolicyEngine> policyEngineCache = Collections.synchronizedMap(new HashMap<String, RangerPolicyEngine>());
- private RangerPolicyEngineOptions options;
-
public static RangerPolicyEngineCache getInstance() {
return sInstance;
}
- public RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore) {
+ public synchronized RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore, RangerPolicyEngineOptions options) {
RangerPolicyEngine ret = null;
if(serviceName != null) {
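Review bot: Making `getPolicyEngine` `synchronized` puts every lookup, for every service, behind one lock on the singleton, although `policyEngineCache` is already a `Collections.synchronizedMap`. The code between this hunk and the next is not shown, but if the `svcStore` policy fetch runs inside the method, one slow store call would stall admin-access checks for all services. If the lock is there to make the version check and the cache update atomic, say so in a comment such as `// synchronized: keeps the version check and the cache put atomic`, or narrow it to a per-service lock. The method body continues outside the hunk.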
@@ -55,9 +53,9 @@ public class RangerPolicyEngineCache {
if(policies != null) {
if(ret == null) {
- ret = addPolicyEngine(policies);
+ ret = addPolicyEngine(policies, options);
} else if(policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) {
- ret = addPolicyEngine(policies);
+ ret = addPolicyEngine(policies, options);
}
}
} catch(Exception excp) {
@@ -69,15 +67,8 @@ public class RangerPolicyEngineCache {
return ret;
}
- public RangerPolicyEngineOptions getPolicyEngineOptions() {
- return options;
- }
-
- public void setPolicyEngineOptions(RangerPolicyEngineOptions options) {
- this.options = options;
- }
- private RangerPolicyEngine addPolicyEngine(ServicePolicies policies) {
+ private RangerPolicyEngine addPolicyEngine(ServicePolicies policies, RangerPolicyEngineOptions options) {
RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, options);
policyEngineCache.put(policies.getServiceName(), ret);
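Review bot: `addPolicyEngine` stores the engine under `policies.getServiceName()` only, so the `options` argument that `getPolicyEngine` now accepts (first hunk of this file) takes effect only when an engine is first built or the policy version changes. On a cache hit the caller gets an engine built with whatever options an earlier caller passed. Going by their names, fields such as `evaluateDelegateAdminOnly` and `disableCustomConditions` steer how access is evaluated, so a second caller with different options would silently get the wrong evaluation mode. Only one caller is visible in this commit, so either document the limitation on the public method, e.g. `@param options used only when a new engine is created; ignored on a cache hit`, or include the options in the cache key. The body of `addPolicyEngine` continues outside the hunk.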
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a1d5b49/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index a9027bc..7ca4bd6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -18,6 +18,7 @@
*/
package org.apache.ranger.plugin.policyengine;
+import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
public class RangerPolicyEngineOptions {
@@ -28,4 +29,30 @@ public class RangerPolicyEngineOptions {
public boolean disableTagPolicyEvaluation = true;
public boolean evaluateDelegateAdminOnly;
public boolean disableTrieLookupPrefilter;
+
+ public void configureForPlugin(Configuration conf, String propertyPrefix) {
+ evaluatorType = conf.get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO);
+ cacheAuditResults = conf.getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true);
+ disableContextEnrichers = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false);
+ disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false);
+ disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false);
+ disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+ }
+
+ public void configureDefaultRangerAdmin(Configuration conf, String propertyPrefix) {
+ evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ cacheAuditResults = conf.getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
+ disableContextEnrichers = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
+ disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
+ evaluateDelegateAdminOnly = false;
+ disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+ }
+
+ public void configureDelegateAdmin(Configuration conf, String propertyPrefix) {
+ evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
+ cacheAuditResults = conf.getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
+ disableContextEnrichers = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
+ disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
+ evaluateDelegateAdminOnly = conf.getBoolean(propertyPrefix + ".policyengine.option.evaluate.delegateadmin.only", true);
+ }
}
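Review bot: Each of the three `configure*` methods assigns only some of the fields, so the result depends on what the instance held before the call: `configureForPlugin` never touches `evaluateDelegateAdminOnly`, `configureDelegateAdmin` leaves `disableTrieLookupPrefilter` and `disableTagPolicyEvaluation` alone, and `configureDefaultRangerAdmin` leaves `disableTagPolicyEvaluation` alone. On a freshly constructed object this matches the inline code being removed, but a reused instance would carry settings over from its previous role. The fields also stay `public` and non-final, so "write the RPEO fields only from that class" is a convention the compiler does not enforce. Add Javadoc to each method listing the property keys it reads, their defaults and the fields it leaves untouched, and state that it is meant to be called on a new instance.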
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a1d5b49/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 7010b43..272e133 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -43,7 +43,6 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.PolicyRefresher;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -101,16 +100,17 @@ public class RangerBasePlugin {
public void init() {
cleanup();
- RangerConfiguration.getInstance().addResourcesForServiceType(serviceType);
- RangerConfiguration.getInstance().initAudit(appId);
+ RangerConfiguration configuration = RangerConfiguration.getInstance();
+ configuration.addResourcesForServiceType(serviceType);
+ configuration.initAudit(appId);
String propertyPrefix = "ranger.plugin." + serviceType;
- long pollingIntervalMs = RangerConfiguration.getInstance().getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
- String cacheDir = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.cache.dir");
- serviceName = RangerConfiguration.getInstance().get(propertyPrefix + ".service.name");
+ long pollingIntervalMs = configuration.getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
+ String cacheDir = configuration.get(propertyPrefix + ".policy.cache.dir");
+ serviceName = configuration.get(propertyPrefix + ".service.name");
- useForwardedIPAddress = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".use.x-forwarded-for.ipaddress", false);
- String trustedProxyAddressString = RangerConfiguration.getInstance().get(propertyPrefix + ".trusted.proxy.ipaddresses");
+ useForwardedIPAddress = configuration.getBoolean(propertyPrefix + ".use.x-forwarded-for.ipaddress", false);
+ String trustedProxyAddressString = configuration.get(propertyPrefix + ".trusted.proxy.ipaddresses");
trustedProxyAddresses = StringUtils.split(trustedProxyAddressString, RANGER_TRUSTED_PROXY_IPADDRESSES_SEPARATOR_CHAR);
if (trustedProxyAddresses != null) {
for (int i = 0; i < trustedProxyAddresses.length; i++) {
@@ -128,12 +128,7 @@ public class RangerBasePlugin {
LOG.warn("Ranger plugin will trust RemoteIPAddress and treat first X-Forwarded-Address in the access-request as the clientIPAddress");
}
- policyEngineOptions.evaluatorType = RangerConfiguration.getInstance().get(propertyPrefix + ".policyengine.option.evaluator.type", RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO);
- policyEngineOptions.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true);
- policyEngineOptions.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false);
- policyEngineOptions.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false);
- policyEngineOptions.disableTagPolicyEvaluation = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false);
- policyEngineOptions.disableTrieLookupPrefilter = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+ policyEngineOptions.configureForPlugin(configuration, propertyPrefix);
RangerAdminClient admin = createAdminClient(serviceName, appId, propertyPrefix);
@@ -141,7 +136,7 @@ public class RangerBasePlugin {
refresher.setDaemon(true);
refresher.startRefresher();
- long policyReorderIntervalMs = RangerConfiguration.getInstance().getLong(propertyPrefix + ".policy.policyReorderInterval", 60 * 1000);
+ long policyReorderIntervalMs = configuration.getLong(propertyPrefix + ".policy.policyReorderInterval", 60 * 1000);
if (policyReorderIntervalMs >= 0 && policyReorderIntervalMs < 15 * 1000) {
policyReorderIntervalMs = 15 * 1000;
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/9a1d5b49/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index b9f1832..8e539e7 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -95,7 +95,6 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.service.ResourceLookupContext;
import org.apache.ranger.plugin.store.PList;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
@@ -201,6 +200,8 @@ public class ServiceREST {
@Autowired
JSONUtil jsonUtil;
+ private RangerPolicyEngineOptions delegateAdminOptions;
+
public ServiceREST() {
}
@@ -2805,6 +2806,18 @@ public class ServiceREST {
}
}
+ private synchronized RangerPolicyEngineOptions getDelegatedAdminPolicyEngineOptions() {
+ if (delegateAdminOptions == null) {
+ RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
+
+ final String propertyPrefix = "ranger.admin";
+
+ opts.configureDelegateAdmin(RangerConfiguration.getInstance(), propertyPrefix);
+ this.delegateAdminOptions = opts;
+ }
+ return delegateAdminOptions;
+ }
+
private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, Map<String, RangerPolicyResource> resources) {
boolean isAllowed = false;
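Review bot: `getDelegatedAdminPolicyEngineOptions()` hands the same `RangerPolicyEngineOptions` object to every caller, and that class keeps its fields public and mutable, so any code that later writes to the returned object changes the options used for every delegated-admin engine built afterwards. Nothing visible in this commit does that, but the field deserves a comment such as `// built once from ranger.admin.* and shared; treat as read-only after initialisation`. The method also takes the instance lock on every call although the value never changes after the first one; an eagerly initialised `final` field would avoid that, assuming `RangerConfiguration` is ready when the bean is constructed.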
@@ -2830,23 +2843,7 @@ public class ServiceREST {
}
private RangerPolicyEngine getDelegatedAdminPolicyEngine(String serviceName) {
- if(RangerPolicyEngineCache.getInstance().getPolicyEngineOptions() == null) {
- RangerPolicyEngineOptions options = new RangerPolicyEngineOptions();
-
- String propertyPrefix = "ranger.admin";
-
- options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
- options.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
- options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
- options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
- options.evaluateDelegateAdminOnly = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.evaluate.delegateadmin.only", true);
-
- RangerPolicyEngineCache.getInstance().setPolicyEngineOptions(options);
- }
-
- RangerPolicyEngine ret = RangerPolicyEngineCache.getInstance().getPolicyEngine(serviceName, svcStore);
-
- return ret;
+ return RangerPolicyEngineCache.getInstance().getPolicyEngine(serviceName, svcStore, getDelegatedAdminPolicyEngineOptions());
}
private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception {
@@ -2854,12 +2851,7 @@ public class ServiceREST {
String propertyPrefix = "ranger.admin";
- options.evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
- options.cacheAuditResults = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
- options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
- options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
- options.evaluateDelegateAdminOnly = false;
- options.disableTrieLookupPrefilter = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+ options.configureDefaultRangerAdmin(RangerConfiguration.getInstance(), propertyPrefix);
ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);