Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2022/12/06 17:58:02 UTC
Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74232/
-----------------------------------------------------------
(Updated Dec. 6, 2022, 5:58 p.m.)
Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Updated with the JIRA details
Summary (updated)
-----------------
RANGER-3999: Implement more efficient way to handle _any access authorization
Bugs: RANGER-3999
https://issues.apache.org/jira/browse/RANGER-3999
Repository: ranger
Description (updated)
-------
If a user-initiated operation requires checking if more than one permission is granted, then currently, each permission requires a call to internal Policy Engine API for the same accessed resource. This leads to many repetitive computations which may be avoided if the policy engine API supports multiple permissions. In that case, optimization may be achieved by pushing authorization for multiple permissions down to the lowest possible level.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 23db18f3a
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 520ddf865
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java d3fc27d7d
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java df03ed1c4
Diff: https://reviews.apache.org/r/74232/diff/2/
Testing
-------
Passed all existing unit tests.
Thanks,
Abhay Kulkarni
Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74232/#review224966
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Dec. 6, 2022, 10:28 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74232/
> -----------------------------------------------------------
>
> (Updated Dec. 6, 2022, 10:28 p.m.)
>
>
> Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3999
> https://issues.apache.org/jira/browse/RANGER-3999
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If a user-initiated operation requires checking if more than one permission is granted, then currently, each permission requires a call to internal Policy Engine API for the same accessed resource. This leads to many repetitive computations which may be avoided if the policy engine API supports multiple permissions. In that case, optimization may be achieved by pushing authorization for multiple permissions down to the lowest possible level.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 23db18f3a
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 520ddf865
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java d3fc27d7d
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java df03ed1c4
>
>
> Diff: https://reviews.apache.org/r/74232/diff/3/
>
>
> Testing
> -------
>
> Passed all existing unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74232/
-----------------------------------------------------------
(Updated Dec. 6, 2022, 10:28 p.m.)
Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Addressed review comments
Bugs: RANGER-3999
https://issues.apache.org/jira/browse/RANGER-3999
Repository: ranger
Description
-------
If a user-initiated operation requires checking if more than one permission is granted, then currently, each permission requires a call to internal Policy Engine API for the same accessed resource. This leads to many repetitive computations which may be avoided if the policy engine API supports multiple permissions. In that case, optimization may be achieved by pushing authorization for multiple permissions down to the lowest possible level.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 23db18f3a
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 520ddf865
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java d3fc27d7d
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java df03ed1c4
Diff: https://reviews.apache.org/r/74232/diff/3/
Changes: https://reviews.apache.org/r/74232/diff/2-3/
Testing
-------
Passed all existing unit tests.
Thanks,
Abhay Kulkarni
Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74232/#review224965
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Line 704 (original), 700 (patched)
<https://reviews.apache.org/r/74232/#comment313802>
"all" seems to be an accessType in Hive. Is this special handling necessary in policy engine?
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Lines 838 (patched)
<https://reviews.apache.org/r/74232/#comment313801>
If request is not RangerAccessRequestImpl, #838 would result in cast error. Please consider handling this case - perhaps by a request-wrapper class like:

    public class RangerAccessRequestWrapper implements RangerAccessRequest {
        private final RangerAccessRequest request;
        private final String              accessType;
        private final boolean             isAccessTypeAny;
        private final boolean             isAccessTypeDelegatedAdmin;

        public RangerAccessRequestWrapper(RangerAccessRequest request, String accessType) {
            this.request                    = request;
            this.accessType                 = accessType;
            this.isAccessTypeAny            = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
            this.isAccessTypeDelegatedAdmin = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
        }

        // access-type methods answer from the wrapper's own fields
        @Override
        public String getAccessType() { return accessType; }

        @Override
        public boolean isAccessTypeAny() { return isAccessTypeAny; }

        @Override
        public boolean isAccessTypeDelegatedAdmin() { return isAccessTypeDelegatedAdmin; }

        // other methods simply call corresponding method on request, like:
        @Override
        public RangerAccessResource getResource() { return request.getResource(); }
        ...
    }
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
Lines 262 (patched)
<https://reviews.apache.org/r/74232/#comment313803>
Consider adding the following method to have all type casting in one place:

    class RangerAccessRequestUtil {
        ...
        public static Set<String> getAllRequestedAccessTypes(Map<String, Object> context) {
            return (Set<String>) context.get(KEY_CONTEXT_ACCESSTYPES);
        }
    }
- Madhan Neethiraj
On Dec. 6, 2022, 5:58 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74232/
> -----------------------------------------------------------
>
> (Updated Dec. 6, 2022, 5:58 p.m.)
>
>
> Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3999
> https://issues.apache.org/jira/browse/RANGER-3999
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If a user-initiated operation requires checking if more than one permission is granted, then currently, each permission requires a call to internal Policy Engine API for the same accessed resource. This leads to many repetitive computations which may be avoided if the policy engine API supports multiple permissions. In that case, optimization may be achieved by pushing authorization for multiple permissions down to the lowest possible level.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 23db18f3a
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 520ddf865
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java d3fc27d7d
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java df03ed1c4
>
>
> Diff: https://reviews.apache.org/r/74232/diff/2/
>
>
> Testing
> -------
>
> Passed all existing unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
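The optimization described in the review request, as an added example that is not code from the patch or from Ranger: a toy evaluator that answers an "_any" check once by calling the engine per access type and once by pushing the whole set of access types down to policy evaluation. The Policy record, method names and sample policies are hypothetical, and the example assumes "_any" means that at least one of the listed access types is granted. Both paths must return the same decision; only the number of resource matches differs.

```java
import java.util.*;

// Hypothetical toy model for illustration; these are not Ranger's classes or API.
public class AnyAccessDemo {
    // One grant: user may perform accessTypes on resources under resourcePrefix.
    record Policy(String user, String resourcePrefix, Set<String> accessTypes) {}

    static int resourceMatches = 0; // counts the repeated step: matching a policy to the request

    static boolean matches(Policy p, String user, String resource) {
        resourceMatches++;
        return p.user().equals(user) && resource.startsWith(p.resourcePrefix());
    }

    // Single-permission engine call: every policy is matched again for each access type.
    static boolean isAllowed(List<Policy> policies, String user, String resource, String accessType) {
        for (Policy p : policies)
            if (matches(p, user, resource) && p.accessTypes().contains(accessType)) return true;
        return false;
    }

    // Before: "_any" built on top of the single-permission call.
    static boolean anyAccessPerType(List<Policy> policies, String user, String resource, Set<String> types) {
        for (String t : types)
            if (isAllowed(policies, user, resource, t)) return true;
        return false;
    }

    // After: the set of access types is pushed down, so each policy is matched once.
    static boolean anyAccessSinglePass(List<Policy> policies, String user, String resource, Set<String> types) {
        for (Policy p : policies)
            if (matches(p, user, resource) && !Collections.disjoint(p.accessTypes(), types)) return true;
        return false;
    }

    public static void main(String[] args) {
        List<Policy> policies = List.of( // constructed sample policies
            new Policy("alice", "/db/sales", Set.of("select")),
            new Policy("bob", "/db/hr", Set.of("select", "update")));
        Set<String> types = new LinkedHashSet<>(List.of("create", "drop", "alter", "update"));

        boolean perTypeDecision = anyAccessPerType(policies, "bob", "/db/hr/emp", types);
        int perTypeMatches = resourceMatches;
        resourceMatches = 0;
        boolean singlePassDecision = anyAccessSinglePass(policies, "bob", "/db/hr/emp", types);

        System.out.println("per-type:    " + perTypeDecision + " after " + perTypeMatches + " matches");
        System.out.println("single-pass: " + singlePassDecision + " after " + resourceMatches + " matches");
    }
}
```

Requires Java 16 or later for the record syntax.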