Posted to commits@ranger.apache.org by ma...@apache.org on 2021/05/05 23:42:06 UTC
[ranger] branch master updated: RANGER-3270: updated
RangerBasePlugin with configurations to optionally disable dynamic
refreshing of policies/tags/roles
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new e44d547 RANGER-3270: updated RangerBasePlugin with configurations to optionally disable dynamic refreshing of policies/tags/roles
e44d547 is described below
commit e44d5472a2da7b67a73e32d0bcb44362b197005e
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Fri Apr 30 14:25:14 2021 -0700
RANGER-3270: updated RangerBasePlugin with configurations to optionally disable dynamic refreshing of policies/tags/roles
---
.../plugin/contextenricher/RangerTagEnricher.java | 4 +-
.../apache/ranger/plugin/model/RangerPolicy.java | 3 +-
.../apache/ranger/plugin/model/RangerService.java | 6 ++-
.../ranger/plugin/model/RangerServiceDef.java | 5 +-
.../policyengine/RangerPolicyEngineOptions.java | 20 ++++++++
.../policyengine/RangerPolicyRepository.java | 15 +++++-
.../ranger/plugin/service/RangerBasePlugin.java | 56 +++++++++++++++++++---
7 files changed, 97 insertions(+), 12 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index f457460..a78b484 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -77,7 +77,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = "tagRefresherPollingInterval";
- private static final String TAG_RETRIEVER_CLASSNAME_OPTION = "tagRetrieverClassName";
+ public static final String TAG_RETRIEVER_CLASSNAME_OPTION = "tagRetrieverClassName";
private static final String TAG_DISABLE_TRIE_PREFILTER_OPTION = "disableTrieLookupPrefilter";
private RangerTagRefresher tagRefresher;
@@ -349,7 +349,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
}
- protected Long getServiceTagsVersion() {
+ public Long getServiceTagsVersion() {
EnrichedServiceTags localEnrichedServiceTags = enrichedServiceTags;
return localEnrichedServiceTags != null ? localEnrichedServiceTags.getServiceTags().getTagVersion() : -1L;
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index 6444fe9..3a6f416 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -155,17 +155,18 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
setResourceSignature(other.getResourceSignature());
setIsAuditEnabled(other.getIsAuditEnabled());
setResources(other.getResources());
+ setConditions(other.getConditions());
setPolicyItems(other.getPolicyItems());
setDenyPolicyItems(other.getDenyPolicyItems());
setAllowExceptions(other.getAllowExceptions());
setDenyExceptions(other.getDenyExceptions());
setDataMaskPolicyItems(other.getDataMaskPolicyItems());
setRowFilterPolicyItems(other.getRowFilterPolicyItems());
+ setServiceType(other.getServiceType());
setOptions(other.getOptions());
setValiditySchedules(other.getValiditySchedules());
setPolicyLabels(other.getPolicyLabels());
setZoneName(other.getZoneName());
- setConditions(other.getConditions());
setIsDenyAllElse(other.getIsDenyAllElse());
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
index 8bd4586..c185962 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java
@@ -87,8 +87,12 @@ public class RangerService extends RangerBaseModelObject implements java.io.Seri
setName(other.getName());
setDisplayName(other.getDisplayName());
setDescription(other.getDescription());
+ setTagService(other.getTagService());
setConfigs(other.getConfigs());
- setTagService(other.tagService);
+ setPolicyVersion(other.getPolicyVersion());
+ setPolicyUpdateTime(other.getPolicyUpdateTime());
+ setTagVersion(other.getTagVersion());
+ setTagUpdateTime(other.getTagUpdateTime());
}
/**
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
index 1ac45f1..db13b7b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
@@ -124,11 +124,14 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
setImplClass(other.getImplClass());
setLabel(other.getLabel());
setDescription(other.getDescription());
- setConfigs(other.getConfigs());
+ setRbKeyLabel(other.getRbKeyLabel());
+ setRbKeyDescription(other.getRbKeyDescription());
setOptions(other.getOptions());
+ setConfigs(other.getConfigs());
setResources(other.getResources());
setAccessTypes(other.getAccessTypes());
setPolicyConditions(other.getPolicyConditions());
+ setContextEnrichers(other.getContextEnrichers());
setEnums(other.getEnums());
setDataMaskDef(other.getDataMaskDef());
setRowFilterDef(other.getRowFilterDef());
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index 1f6aed9..0816ec1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -29,6 +29,8 @@ public class RangerPolicyEngineOptions {
public boolean disableCustomConditions = false;
public boolean disableTagPolicyEvaluation = false;
public boolean disableTrieLookupPrefilter = false;
+ public boolean disablePolicyRefresher = false;
+ public boolean disableTagRetriever = false;
public boolean cacheAuditResults = true;
public boolean evaluateDelegateAdminOnly = false;
public boolean enableTagEnricherWithLocalRefresher = false;
@@ -44,6 +46,8 @@ public class RangerPolicyEngineOptions {
this.disableCustomConditions = other.disableCustomConditions;
this.disableTagPolicyEvaluation = other.disableTagPolicyEvaluation;
this.disableTrieLookupPrefilter = other.disableTrieLookupPrefilter;
+ this.disablePolicyRefresher = other.disablePolicyRefresher;
+ this.disableTagRetriever = other.disableTagRetriever;
this.cacheAuditResults = other.cacheAuditResults;
this.evaluateDelegateAdminOnly = other.evaluateDelegateAdminOnly;
this.enableTagEnricherWithLocalRefresher = other.enableTagEnricherWithLocalRefresher;
@@ -57,6 +61,8 @@ public class RangerPolicyEngineOptions {
disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false);
disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false);
disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+ disablePolicyRefresher = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.policy.refresher", false);
+ disableTagRetriever = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tag.retriever", false);
cacheAuditResults = conf.getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true);
@@ -75,6 +81,8 @@ public class RangerPolicyEngineOptions {
disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", true);
disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+ disablePolicyRefresher = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.policy.refresher", true);
+ disableTagRetriever = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tag.retriever", true);
cacheAuditResults = false;
evaluateDelegateAdminOnly = false;
@@ -89,6 +97,8 @@ public class RangerPolicyEngineOptions {
disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", true);
disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+ disablePolicyRefresher = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.policy.refresher", true);
+ disableTagRetriever = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tag.retriever", true);
optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.retrieval", false);
@@ -103,6 +113,8 @@ public class RangerPolicyEngineOptions {
disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false);
disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+ disablePolicyRefresher = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.policy.refresher", true);
+ disableTagRetriever = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tag.retriever", false);
optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.retrieval", false);
@@ -133,6 +145,8 @@ public class RangerPolicyEngineOptions {
&& this.disableCustomConditions == that.disableCustomConditions
&& this.disableTagPolicyEvaluation == that.disableTagPolicyEvaluation
&& this.disableTrieLookupPrefilter == that.disableTrieLookupPrefilter
+ && this.disablePolicyRefresher == that.disablePolicyRefresher
+ && this.disableTagRetriever == that.disableTagRetriever
&& this.cacheAuditResults == that.cacheAuditResults
&& this.evaluateDelegateAdminOnly == that.evaluateDelegateAdminOnly
&& this.enableTagEnricherWithLocalRefresher == that.enableTagEnricherWithLocalRefresher
@@ -152,6 +166,10 @@ public class RangerPolicyEngineOptions {
ret *= 2;
ret += disableTrieLookupPrefilter ? 1 : 0;
ret *= 2;
+ ret += disablePolicyRefresher ? 1 : 0;
+ ret *= 2;
+ ret += disableTagRetriever ? 1 : 0;
+ ret *= 2;
ret += cacheAuditResults ? 1 : 0;
ret *= 2;
ret += evaluateDelegateAdminOnly ? 1 : 0;
@@ -171,6 +189,8 @@ public class RangerPolicyEngineOptions {
", disableContextEnrichers: " + disableContextEnrichers +
", disableCustomConditions: " + disableContextEnrichers +
", disableTagPolicyEvaluation: " + disableTagPolicyEvaluation +
+ ", disablePolicyRefresher: " + disablePolicyRefresher +
+ ", disableTagRetriever: " + disableTagRetriever +
", enableTagEnricherWithLocalRefresher: " + enableTagEnricherWithLocalRefresher +
", disableTrieLookupPrefilter: " + disableTrieLookupPrefilter +
", optimizeTrieForRetrieval: " + optimizeTrieForRetrieval +
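Review bot: The context line directly above the two additions prints `disableContextEnrichers` under the label `disableCustomConditions`, so the logged options can misreport whether custom conditions are being evaluated. Since this commit extends the same string, it is a good place to correct it to `", disableCustomConditions: " + disableCustomConditions +`. The two new entries themselves pair label and field correctly. The toString body starts and ends outside the hunk.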
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 3a06497..008ee77 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.policyengine;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -55,6 +56,7 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import static org.apache.ranger.plugin.contextenricher.RangerTagEnricher.TAG_RETRIEVER_CLASSNAME_OPTION;
import static org.apache.ranger.plugin.policyengine.RangerPolicyEngine.PLUGIN_AUDIT_FILTER;
public class RangerPolicyRepository {
@@ -174,7 +176,7 @@ public class RangerPolicyRepository {
this.policyVersion = policyVersion;
}
- RangerPolicyRepository(ServicePolicies servicePolicies, RangerPluginContext pluginContext) {
+ public RangerPolicyRepository(ServicePolicies servicePolicies, RangerPluginContext pluginContext) {
this(servicePolicies, pluginContext, null);
}
@@ -1006,6 +1008,17 @@ public class RangerPolicyRepository {
if (enricherDef == null) {
continue;
}
+
+ if (options.disableTagRetriever && StringUtils.equals(enricherDef.getEnricher(), RangerTagEnricher.class.getName())) {
+ if (MapUtils.isNotEmpty(enricherDef.getEnricherOptions())) {
+ Map<String, String> enricherOptions = new HashMap<>(enricherDef.getEnricherOptions());
+
+ enricherOptions.remove(TAG_RETRIEVER_CLASSNAME_OPTION);
+
+ enricherDef = new RangerServiceDef.RangerContextEnricherDef(enricherDef.getItemId(), enricherDef.getName(), enricherDef.getEnricher(), enricherOptions);
+ }
+ }
+
if (!options.disableContextEnrichers || options.enableTagEnricherWithLocalRefresher && StringUtils.equals(enricherDef.getEnricher(), RangerTagEnricher.class.getName())) {
// This will be true only if the engine is initialized within ranger-admin
RangerServiceDef.RangerContextEnricherDef contextEnricherDef = enricherDef;
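Review bot: The new `disableTagRetriever` block has no comment explaining why the enricher definition is rebuilt, and the reason is not obvious from the code alone. A comment above the `if` would help, for example `// tag retriever disabled: use a copy of the options without tagRetrieverClassName, leaving the service-def's own map untouched`. When the option map is empty the block does nothing, which looks intentional but is worth stating in the same comment. The enclosing loop starts and ends outside the hunk.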
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index a1247bc..0aab809 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -95,6 +95,25 @@ public class RangerBasePlugin {
this.chainedPlugins = initChainedPlugins();
}
+ public RangerBasePlugin(RangerPluginConfig pluginConfig, ServicePolicies policies, ServiceTags tags, RangerRoles roles) {
+ this(pluginConfig);
+
+ init();
+
+ setPolicies(policies);
+ setRoles(roles);
+
+ if (tags != null) {
+ RangerTagEnricher tagEnricher = getTagEnricher();
+
+ if (tagEnricher != null) {
+ tagEnricher.setServiceTags(tags);
+ } else {
+ LOG.warn("RangerBasePlugin(tagsVersion=" + tags.getTagVersion() + "): no tag enricher found. Plugin will not enforce tag-based policies");
+ }
+ }
+ }
+
public static AuditHandler getAuditProvider(String serviceName) {
AuditProviderFactory providerFactory = RangerBasePlugin.getAuditProviderFactory(serviceName);
AuditHandler ret = providerFactory.getAuditProvider();
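Review bot: The new four-argument constructor has no Javadoc, and nothing in it ties the supplied policies, tags and roles to the disable options this commit introduces. It calls `init()`, which still starts a `PolicyRefresher` unless `disablePolicyRefresher` is set, so with the plugin defaults (both new options false) the supplied `policies` could presumably be replaced by whatever the refresher downloads. A Javadoc block should state that callers who want a fixed policy set must enable `<propertyPrefix>.policyengine.option.disable.policy.refresher` and `<propertyPrefix>.policyengine.option.disable.tag.retriever`. It should also say whether `policies` and `roles` may be null, since only `tags` is null-checked here.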
@@ -179,16 +198,39 @@ public class RangerBasePlugin {
}
}
- refresher = new PolicyRefresher(this);
- LOG.info("Created PolicyRefresher Thread(" + refresher.getName() + ")");
- refresher.setDaemon(true);
- refresher.startRefresher();
+ if (!pluginConfig.getPolicyEngineOptions().disablePolicyRefresher) {
+ refresher = new PolicyRefresher(this);
+ LOG.info("Created PolicyRefresher Thread(" + refresher.getName() + ")");
+ refresher.setDaemon(true);
+ refresher.startRefresher();
+ }
for (RangerChainedPlugin chainedPlugin : chainedPlugins) {
chainedPlugin.init();
}
}
+ public long getPoliciesVersion() {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+ Long ret = policyEngine != null ? policyEngine.getPolicyVersion() : null;
+
+ return ret != null ? ret : -1L;
+ }
+
+ public long getTagsVersion() {
+ RangerTagEnricher tagEnricher = getTagEnricher();
+ Long ret = tagEnricher != null ? tagEnricher.getServiceTagsVersion() : null;
+
+ return ret != null ? ret : -1L;
+ }
+
+ public long getRolesVersion() {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+ Long ret = policyEngine != null ? policyEngine.getRoleVersion() : null;
+
+ return ret != null ? ret : -1L;
+ }
+
public void setPolicies(ServicePolicies policies) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> setPolicies(" + policies + ")");
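Review bot: When `disablePolicyRefresher` is true, the new `if` in `init()` skips refresher creation without logging anything, so a plugin that will not pick up policy changes or revocations from Ranger Admin looks the same in the logs as one that refreshes. Add an else branch such as `else { LOG.warn("PolicyRefresher is disabled by configuration; dynamic policy refresh is off"); }`. The `if (refresher != null)` guard in the later RangerBasePlugin hunk skips `syncPoliciesWithAdmin()` just as silently and would benefit from a debug message. Any other use of `refresher` outside these hunks should be checked for the null case. The body of `init()` starts outside the hunk.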
@@ -680,7 +722,9 @@ public class RangerBasePlugin {
// Synch-up policies
long oldPolicyVersion = policyEngine.getPolicyVersion();
- refresher.syncPoliciesWithAdmin(accessTrigger);
+ if (refresher != null) {
+ refresher.syncPoliciesWithAdmin(accessTrigger);
+ }
policyEngine = this.policyEngine; // might be updated in syncPoliciesWithAdmin()
@@ -795,7 +839,7 @@ public class RangerBasePlugin {
int counter;
}
- private RangerTagEnricher getTagEnricher() {
+ public RangerTagEnricher getTagEnricher() {
RangerTagEnricher ret = null;
RangerAuthContext authContext = getCurrentRangerAuthContext();