Posted to commits@ranger.apache.org by ma...@apache.org on 2016/08/11 22:31:03 UTC
incubator-ranger git commit: RANGER-1144: Policy engine optimization:
quick skip of policy based on user/groups, accessTypes
Repository: incubator-ranger
Updated Branches:
refs/heads/ranger-0.5 5f778cf82 -> 087a7c859
RANGER-1144: Policy engine optimization: quick skip of policy based on user/groups, accessTypes
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/087a7c85
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/087a7c85
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/087a7c85
Branch: refs/heads/ranger-0.5
Commit: 087a7c859f04de4188f75172370fdb9bc28b6abb
Parents: 5f778cf
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Aug 10 12:00:46 2016 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Aug 11 15:17:41 2016 -0700
----------------------------------------------------------------------
.../RangerAbstractPolicyEvaluator.java | 10 +++
.../RangerDefaultPolicyEvaluator.java | 7 ++-
.../RangerOptimizedPolicyEvaluator.java | 65 ++++++++++++++------
3 files changed, 60 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/087a7c85/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 178b9d8..14a003b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -21,11 +21,13 @@ package org.apache.ranger.plugin.policyevaluator;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
@@ -93,6 +95,14 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
this.evalOrder = evalOrder;
}
+ public boolean hasAllow() {
+ return policy != null && CollectionUtils.isNotEmpty(policy.getPolicyItems());
+ }
+
+ protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
+ return hasAllow();
+ }
+
@Override
public String toString( ) {
StringBuilder sb = new StringBuilder();
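Review bot: Neither new method on `RangerAbstractPolicyEvaluator` has Javadoc, yet `hasMatchablePolicyItem` now decides whether the default evaluator attempts resource matching at all, so its contract should be written down. I would add above it `/** Cheap pre-check; must return true whenever any policyItem could apply to the request, because false makes the evaluator skip this policy. */`. `hasAllow()` looks only at `policy.getPolicyItems()`; if the policy model ever carries other item kinds (none are visible here), a policy holding only those would be skipped too, and the comment on `hasAllow()` should say so. The base implementation ignores `request`, which deserves a brief mention in the same Javadoc.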
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/087a7c85/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index efc9f92..67ea9b2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -152,8 +152,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (!result.getIsAccessDetermined()) {
// Try Match only if it was not attempted as part of evaluating Audit requirement
if (!isMatchAttempted) {
- matchResult = isResourceMatch(request);
- isMatchAttempted = true;
+ // Attempt matching only if there may be a matchable policyItem
+ if (hasMatchablePolicyItem(request)) {
+ matchResult = isResourceMatch(request);
+ isMatchAttempted = true;
+ }
}
// Go further to evaluate access only if match or head match was found at this point
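Review bot: When `hasMatchablePolicyItem(request)` returns false, `isMatchAttempted` stays false and `matchResult` keeps the value it was given before this block; that value is declared outside the hunk, so the skip is only correct if it means "no match" (presumably it does). A comment on the new `if` would make the dependency explicit, e.g. `// no matchable policyItem: matchResult keeps its initial value, so access evaluation below is skipped`. Because this branch decides whether a policy takes part in an authorization decision, a debug-level log line on the skip path would also help when someone has to explain why a policy was not applied. The enclosing method starts and ends outside the hunk.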
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/087a7c85/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index 4abc1bf..6953a7d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -202,33 +202,58 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
return priorityLevel;
}
- @Override
- protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
- }
+ @Override
+ protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
+ }
- boolean ret = false;
+ boolean ret = hasMatchablePolicyItem(user, userGroups, accessType) && super.isAccessAllowed(user, userGroups, accessType);
- if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
- if (StringUtils.isEmpty(accessType)) {
- accessType = RangerPolicyEngine.ANY_ACCESS;
- }
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
+ }
- boolean isAnyAccess = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
- boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
+ return ret;
+ }
- if (isAnyAccess || (isAdminAccess && delegateAdmin) || hasAllPerms || accessPerms.contains(accessType)) {
- ret = super.isAccessAllowed(user, userGroups, accessType);
- }
- }
+ @Override
+ protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
+ boolean ret = false;
+
+ if (hasPublicGroup || users.contains(request.getUser()) || CollectionUtils.containsAny(groups, request.getUserGroups())) {
+ if(request.isAccessTypeDelegatedAdmin()) {
+ ret = delegateAdmin;
+ } else if(hasAllPerms) {
+ ret = true;
+ } else {
+ ret = request.isAccessTypeAny() || accessPerms.contains(request.getAccessType());
+ }
+ }
+
+ return ret;
+ }
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
+
+ private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, String accessType) {
+ boolean ret = false;
+
+ if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
+ boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
+
+ if(isAdminAccess) {
+ ret = delegateAdmin;
+ } else if(hasAllPerms) {
+ ret = true;
+ } else {
+ boolean isAccessTypeAny = StringUtils.isEmpty(accessType) || StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
+
+ ret = isAccessTypeAny || accessPerms.contains(accessType);
+ }
}
- return ret;
- }
+ return ret;
+ }
@Override
protected void evaluatePolicyItemsForAccess(RangerAccessRequest request, RangerAccessResult result) {
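Review bot: The two `hasMatchablePolicyItem` overloads in `RangerOptimizedPolicyEvaluator` repeat the same user/group and permission pre-check, with only the admin and any-access tests phrased differently (`request.isAccessTypeDelegatedAdmin()` and `request.isAccessTypeAny()` in one, `StringUtils` comparisons against `RangerPolicyEngine.ADMIN_ACCESS` and `ANY_ACCESS` in the other). In an authorization fast path the two copies have to stay equivalent, otherwise the same request can be skipped on one entry point and evaluated on the other. I would route both through one private helper that takes the two booleans already resolved, as sketched below, and give it a comment stating that a false result causes the policy to be skipped. The sketch evaluates `request.isAccessTypeAny()` eagerly, which should be harmless if it is a plain getter, but that is not visible from this hunk.

```java
// … unchanged: isAccessAllowed(user, userGroups, accessType) …

@Override
protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
    return hasMatchablePolicyItem(request.getUser(), request.getUserGroups(),
            request.isAccessTypeDelegatedAdmin(), request.isAccessTypeAny(), request.getAccessType());
}

private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, String accessType) {
    boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
    boolean isAnyAccess   = StringUtils.isEmpty(accessType) || StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);

    return hasMatchablePolicyItem(user, userGroups, isAdminAccess, isAnyAccess, accessType);
}

// Single copy of the pre-check shared by both entry points; false means the policy is skipped.
private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, boolean isAdminAccess, boolean isAnyAccess, String accessType) {
    if (!hasPublicGroup && !users.contains(user) && !CollectionUtils.containsAny(groups, userGroups)) {
        return false;
    }
    if (isAdminAccess) {
        return delegateAdmin;
    }
    return hasAllPerms || isAnyAccess || accessPerms.contains(accessType);
}
```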