Posted to commits@ranger.apache.org by ma...@apache.org on 2016/08/29 23:57:55 UTC
incubator-ranger git commit: RANGER-1161: Policy evaluation
optimization: updating ranger-0.5 branch with relevant changes in master
branch for RANGER-1162
Repository: incubator-ranger
Updated Branches:
refs/heads/ranger-0.5 410e04701 -> 987d959c3
RANGER-1161: Policy evaluation optimization: updating ranger-0.5 branch with relevant changes in master branch for RANGER-1162
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/987d959c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/987d959c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/987d959c
Branch: refs/heads/ranger-0.5
Commit: 987d959c3a790ef7c7c9884599e8eef028b39fb1
Parents: 410e047
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Mon Aug 29 16:43:11 2016 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Aug 29 16:56:53 2016 -0700
----------------------------------------------------------------------
.../RangerAbstractPolicyEvaluator.java | 19 +++--
.../RangerDefaultPolicyResourceMatcher.java | 5 ++
.../RangerPolicyResourceEvaluator.java | 2 +
.../RangerPolicyResourceMatcher.java | 2 +
.../ranger/plugin/util/RangerResourceTrie.java | 6 +-
.../ranger/plugin/util/ServiceDefUtil.java | 73 ++++++++++++++++++++
6 files changed, 101 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index f3c2de6..dfde51d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -29,6 +29,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.util.ServiceDefUtil;
import java.util.Map;
@@ -37,9 +38,10 @@ import java.util.Map;
public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
- private RangerPolicy policy = null;
- private RangerServiceDef serviceDef = null;
- private int evalOrder = 0;
+ private RangerPolicy policy = null;
+ private RangerServiceDef serviceDef = null;
+ private Integer leafResourceLevel = null;
+ private int evalOrder = 0;
@Override
@@ -48,8 +50,9 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
}
- this.policy = policy;
- this.serviceDef = serviceDef;
+ this.policy = policy;
+ this.serviceDef = serviceDef;
+ this.leafResourceLevel = ServiceDefUtil.getLeafResourceLevel(serviceDef, getPolicyResource());
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
@@ -77,6 +80,12 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
}
@Override
+ public Integer getLeafResourceLevel() {
+ return leafResourceLevel;
+ }
+
+
+ @Override
public int getEvalOrder() {
return evalOrder;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 5e0b54c..f6b15f6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -87,6 +87,11 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
@Override
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
+ }
+
+ @Override
public RangerResourceMatcher getResourceMatcher(String resourceName) {
return matchers != null ? matchers.get(resourceName) : null;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
index 799e8b3..eed58e1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
@@ -33,4 +33,6 @@ public interface RangerPolicyResourceEvaluator extends Comparable<RangerPolicyRe
Map<String, RangerPolicy.RangerPolicyResource> getPolicyResource();
RangerResourceMatcher getResourceMatcher(String resourceName);
+
+ Integer getLeafResourceLevel();
}
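Review bot: `Integer getLeafResourceLevel();` is added to the interface without a Javadoc, so nothing tells implementers and callers that the boxed result can be null. Per `ServiceDefUtil.getLeafResourceLevel` in this commit, null comes back when the service-def or policy resources are null, or when no matching resource-def carries a level. A caller that auto-unboxes the value in a comparison would throw a NullPointerException in that case. I would add a comment such as `/** @return highest level among the policy's resources, or null if it cannot be determined */`. The new `RangerServiceDef getServiceDef();` in RangerPolicyResourceMatcher is likewise undocumented. Both additions also require every existing implementer of these interfaces to be updated.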
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index bcfc017..49d5364 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -33,6 +33,8 @@ public interface RangerPolicyResourceMatcher {
void init();
+ RangerServiceDef getServiceDef();
+
RangerResourceMatcher getResourceMatcher(String resourceName);
boolean isMatch(RangerAccessResource resource);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
index 982d249..2079487 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
@@ -58,7 +58,7 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
this.resourceName = resourceDef.getName();
this.optIgnoreCase = strIgnoreCase != null ? Boolean.parseBoolean(strIgnoreCase) : false;
- this.optWildcard = strWildcard != null ? Boolean.parseBoolean(strWildcard) : false;;
+ this.optWildcard = strWildcard != null ? Boolean.parseBoolean(strWildcard) : false;
this.wildcardChars = optWildcard ? DEFAULT_WILDCARD_CHARS : "";
this.root = new TrieNode(Character.valueOf((char)0));
@@ -67,6 +67,10 @@ public class RangerResourceTrie<T extends RangerPolicyResourceEvaluator> {
RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null;
if(policyResource == null) {
+ if(evaluator.getLeafResourceLevel() != null && resourceDef.getLevel() != null && evaluator.getLeafResourceLevel() < resourceDef.getLevel()) {
+ root.addWildcardEvaluator(evaluator);
+ }
+
continue;
}
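Review bot: When `evaluator.getLeafResourceLevel()` or `resourceDef.getLevel()` is null, the new wildcard fallback is skipped and the evaluator is left out of this resource's trie with no trace. If the trie is used to pre-select which policy evaluators are consulted for a request (not visible in this hunk), a service-def without level values would silently lose the behaviour this change introduces. That is hard to diagnose in an authorization path. Consider reading the value once, `Integer leafLevel = evaluator.getLeafResourceLevel();`, and emitting a debug log when either level is missing, or add a comment stating that a null level means "do not index as wildcard". The enclosing loop starts and ends outside the hunk.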
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/987d959c/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
new file mode 100644
index 0000000..f26ac44
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.HashMap;
+import java.util.Map;
+
+public class ServiceDefUtil {
+
+ public static RangerResourceDef getResourceDef(RangerServiceDef serviceDef, String resource) {
+ RangerResourceDef ret = null;
+
+ if(serviceDef != null && resource != null && CollectionUtils.isNotEmpty(serviceDef.getResources())) {
+ for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+ if(StringUtils.equalsIgnoreCase(resourceDef.getName(), resource)) {
+ ret = resourceDef;
+ break;
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public static Integer getLeafResourceLevel(RangerServiceDef serviceDef, Map<String, RangerPolicy.RangerPolicyResource> policyResource) {
+ Integer ret = null;
+
+ if(serviceDef != null && policyResource != null) {
+ for(Map.Entry<String, RangerPolicy.RangerPolicyResource> entry : policyResource.entrySet()) {
+ String resource = entry.getKey();
+ RangerResourceDef resourceDef = ServiceDefUtil.getResourceDef(serviceDef, resource);
+
+ if(resourceDef != null && resourceDef.getLevel() != null) {
+ if(ret == null) {
+ ret = resourceDef.getLevel();
+ } else if(ret < resourceDef.getLevel()) {
+ ret = resourceDef.getLevel();
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+}
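Review bot: `getResourceDef` matches resource names with `StringUtils.equalsIgnoreCase`, while the RangerResourceTrie hunk in this same commit looks the policy resource up with an exact-case `policyResources.get(resourceName)`. A policy whose resource key differs from the service-def name only in case would contribute to the leaf level here but be treated as absent by the trie, so the two views of one policy can disagree. Either compare with `StringUtils.equals(resourceDef.getName(), resource)` or add a comment explaining why case-insensitive matching is intended. Separately, the imports of `MapUtils`, `RangerAccessTypeDef`, `EmbeddedServiceDefsUtil`, `ArrayList`, `List` and `HashMap` are unused in this file. A private constructor would also make clear that the class is a static-only utility.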