Posted to commits@ranger.apache.org by ab...@apache.org on 2021/05/05 01:25:26 UTC
[ranger] branch master updated: RANGER-3253: Make incremental
policy change computation more resilient - Part 2
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 8df4825 RANGER-3253: Make incremental policy change computation more resilient - Part 2
8df4825 is described below
commit 8df4825aef02364bdda05b3355a7da96e7840706
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Tue May 4 17:44:58 2021 -0700
RANGER-3253: Make incremental policy change computation more resilient - Part 2
---
.../plugin/policyengine/RangerPolicyRepository.java | 5 +----
.../apache/ranger/plugin/service/RangerBasePlugin.java | 4 +++-
.../ranger/plugin/util/RangerPolicyDeltaUtil.java | 4 ++--
.../org/apache/ranger/biz/RangerPolicyAdminCache.java | 2 +-
.../org/apache/ranger/db/XXPolicyChangeLogDao.java | 18 ++++++++----------
5 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 15b8fc7..3a06497 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -1473,10 +1473,7 @@ public class RangerPolicyRepository {
switch (changeType) {
case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE:
if (delta.getPolicy() == null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Could not find policy for policy-id:[" + policyId + "]");
- }
-
+ LOG.warn("Could not find policy for policy-id:[" + policyId + "]");
continue;
}
evaluator = getPolicyEvaluator(policyId);
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index a7c4c97..a1247bc 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -305,7 +305,9 @@ public class RangerBasePlugin {
}
} else {
- LOG.warn("Returning without saving policies to cache. Leaving current policy engine as-is");
+ LOG.warn("Leaving current policy engine as-is");
+ LOG.warn("Policies are not saved to cache. policyVersion in the policy-cache may be different than in Ranger-admin, even though the policies are the same!");
+ LOG.warn("Ranger-PolicyVersion:[" + (policies != null ? policies.getPolicyVersion() : -1L) + "], Cached-PolicyVersion:[" + (this.policyEngine != null ? this.policyEngine.getPolicyVersion() : -1L) + "]");
}
} catch (Exception e) {
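Review bot: The version line added to this else branch can itself throw: in `policies != null ? policies.getPolicyVersion() : -1L`, if `getPolicyVersion()` returns a boxed `Long` (its declaration is not visible here), the conditional has type `long` and a null version is unboxed into a NullPointerException, which the `catch (Exception e)` just below would then treat as a refresh failure. `this.policyEngine` is also read twice in the same expression, so if the field can be swapped by another thread the null check and the call may see different values. Reading each value once into a local, e.g. `Long rangerVersion = policies != null ? policies.getPolicyVersion() : null;`, and emitting the three messages as a single `LOG.warn` would avoid both and keep the lines from interleaving with other threads' output. The enclosing method starts and ends outside the hunk.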
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
index 7088e83..f040a66 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
@@ -228,9 +228,9 @@ public class RangerPolicyDeltaUtil {
LOG.warn("Downloaded ServicePolicies are [" + servicePolicies + "]");
ret = null;
} else if (!isPoliciesExist && !isPolicyDeltasExist) {
- LOG.warn("ServicePolicies do not contain any policies or policy-deltas!! There are no material changes in the policies. There may be service changes!");
+ LOG.warn("ServicePolicies do not contain any policies or policy-deltas!! There are no material changes in the policies.");
LOG.warn("Downloaded ServicePolicies are [" + servicePolicies + "]");
- ret = false;
+ ret = null;
} else {
ret = isPolicyDeltasExist;
}
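Review bot: Setting `ret = null` for the no-policies/no-deltas case makes it indistinguishable from the branch just above, which also returns null after warning about the downloaded ServicePolicies (presumably the inconsistent-input case). Callers can no longer tell "nothing to apply" from "input rejected", and the RangerPolicyAdminCache hunk in this commit rewords its null-path warning to "do not require policy change", so a genuinely inconsistent delta set would now appear to be logged with the benign message. Because an inconsistent policy download is the event an operator would want to alert on, consider keeping the two outcomes distinguishable, or at least state the tri-state contract in the method's Javadoc, along the lines of `null` = keep the current engine, `true` = apply deltas, `false` = replace policies. Any caller that auto-unboxes the result should be checked as well; the method signature and its callers are outside this hunk.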
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index 120a329..a6f0a1a 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -125,7 +125,7 @@ public class RangerPolicyAdminCache {
ret = addPolicyAdmin(policies, roles, options);
}
} else {
- LOG.warn("Provided policies are internally inconsistent!! [" + policies + "]. Please check code that computes policy-deltas! Keeping old policy-engine!");
+ LOG.warn("Provided policies do not require policy change !! [" + policies + "]. Keeping old policy-engine!");
ret = null;
}
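Review bot: The reworded warning still concatenates the whole `policies` object into the message. If this branch is now reached on ordinary no-change refreshes (inferred from the new wording; the condition is outside the hunk), every occurrence writes the full policy set's `toString()` to the admin log at WARN, which inflates the log and copies access-policy content into files that are usually less tightly controlled than the policy store. Logging an identifier would be enough, assuming `policies` is non-null at this point: `LOG.warn("Provided policies do not require policy change, policyVersion:[" + policies.getPolicyVersion() + "]. Keeping old policy-engine!");`.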
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java
index 477129d..047228b 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java
@@ -150,18 +150,16 @@ public class XXPolicyChangeLogDao extends BaseDao<XXPolicyChangeLog> {
break;
}
} else {
- LOG.warn("Policy:[" + policyId + "] not found - log-record - id:[" + logRecordId + "], PolicyChangeType:[" + policyChangeType + "]");
if (policyChangeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE || policyChangeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) {
- LOG.warn("Ignoring POLICY_CREATE or POLICY_UPDATE type change for policy-id:[" + policyId + "] as it was not found.. probably already deleted");
- continue;
- } else {
- // policyChangeType is DELETE
- policy = new RangerPolicy();
- policy.setId(policyId);
- policy.setServiceType(serviceType);
- policy.setPolicyType((Integer) log[POLICY_CHANGE_LOG_RECORD_POLICY_TYPE_COLUMN_NUMBER]);
- policy.setZoneName((String) log[POLICY_CHANGE_LOG_RECORD_ZONE_NAME_COLUMN_NUMBER]);
+ LOG.warn((policyChangeType == RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE ? "POLICY_CREATE" : "POLICY_UPDATE") + " type change for policy-id:[" + policyId + "], log-id:[" + logRecordId + "] was not found.. probably already deleted");
+ // Create a placeholder delta with a dummy policy as the created/updated policy cannot be found - If there is a subsequent POLICY_DELETE, this delta will be cleaned-up in ServiceDBStore.compressDeltas()
}
+ // Create a placeholder delta with a dummy policy
+ policy = new RangerPolicy();
+ policy.setId(policyId);
+ policy.setServiceType(serviceType);
+ policy.setPolicyType((Integer) log[POLICY_CHANGE_LOG_RECORD_POLICY_TYPE_COLUMN_NUMBER]);
+ policy.setZoneName((String) log[POLICY_CHANGE_LOG_RECORD_ZONE_NAME_COLUMN_NUMBER]);
}
ret.add(new RangerPolicyDelta(logRecordId, policyChangeType, policiesVersion, policy));
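Review bot: The placeholder `RangerPolicy` is now built for POLICY_CREATE and POLICY_UPDATE records as well as deletes, and it carries only id, service type, policy type and zone name. The added comment relies on a later POLICY_DELETE so that ServiceDBStore.compressDeltas() removes it; if the lookup failed for another reason, or the matching delete falls outside the range of log records being read, a create/update delta with no resources or policy items could be shipped to plugins, and for an update that might replace the real policy's allow/deny items with nothing. It is worth confirming (compressDeltas is not part of this commit) that an unmatched placeholder is dropped or forces a full policy download rather than being applied. The second added comment, `// Create a placeholder delta with a dummy policy`, repeats the first; a single comment above `new RangerPolicy()` stating when the placeholder is safe would read better. The enclosing loop starts outside the hunk.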