This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 27c36c1 RANGER-2547: Good coding practices: minimize use of
static/unnecessary class members
27c36c1 is described below
commit 27c36c1daedd28ef20872cb786afca177c0a6e23
Author: Abhay Kulkarni <akulka...@cloudera.com>
AuthorDate: Mon Sep 9 11:22:01 2019 -0700
RANGER-2547: Good coding practices: minimize use of static/unnecessary
class members
---
.../RangerAbstractContextEnricher.java | 28 ++-
.../plugin/contextenricher/RangerTagEnricher.java | 12 +-
.../plugin/policyengine/RangerPluginContext.java | 6 +
.../policyengine/RangerPolicyEngineImpl.java | 47 +++--
.../policyengine/RangerPolicyRepository.java | 17 +-
.../ranger/plugin/service/RangerAuthContext.java | 217 +++++++++++++--------
.../ranger/plugin/service/RangerBasePlugin.java | 22 ++-
.../plugin/policyengine/TestRangerAuthContext.java | 2 +
.../hive/authorizer/RangerHiveAuthorizer.java | 5 +-
9 files changed, 211 insertions(+), 145 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
index 0712bfc..737ce04 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
@@ -35,7 +35,6 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import
org.apache.ranger.plugin.model.RangerServiceDef.RangerContextEnricherDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.service.RangerAuthContext;
-import org.apache.ranger.plugin.service.RangerBasePlugin;
public abstract class RangerAbstractContextEnricher implements
RangerContextEnricher {
@@ -45,6 +44,7 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
protected String serviceName;
protected String appId;
protected RangerServiceDef serviceDef;
+ protected RangerAuthContext authContext;
@Override
public void setEnricherDef(RangerContextEnricherDef enricherDef) {
@@ -71,13 +71,8 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAbstractContextEnricher.init(" +
enricherDef + ")");
}
- Map<String, RangerBasePlugin> servicePluginMap =
RangerBasePlugin.getServicePluginMap();
- RangerBasePlugin plugin = servicePluginMap != null ?
servicePluginMap.get(getServiceName()) : null;
- if (plugin != null) {
- RangerAuthContext currentAuthContext =
plugin.getCurrentRangerAuthContext();
- if (currentAuthContext != null) {
-
currentAuthContext.addOrReplaceRequestContextEnricher(this, null);
- }
+ if (authContext != null) {
+ authContext.addOrReplaceRequestContextEnricher(this,
null);
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerAbstractContextEnricher.init(" +
enricherDef + ")");
@@ -94,13 +89,8 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
if(LOG.isDebugEnabled()) {
LOG.debug("==>
RangerAbstractContextEnricher.preCleanup(" + enricherDef + ")");
}
- Map<String, RangerBasePlugin> servicePluginMap =
RangerBasePlugin.getServicePluginMap();
- RangerBasePlugin plugin = servicePluginMap != null ?
servicePluginMap.get(getServiceName()) : null;
- if (plugin != null) {
- RangerAuthContext currentAuthContext =
plugin.getCurrentRangerAuthContext();
- if (currentAuthContext != null) {
-
currentAuthContext.cleanupRequestContextEnricher(this);
- }
+ if (authContext != null) {
+ authContext.cleanupRequestContextEnricher(this);
}
if(LOG.isDebugEnabled()) {
LOG.debug("<==
RangerAbstractContextEnricher.preCleanup(" + enricherDef + ")");
@@ -157,6 +147,14 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
return ret;
}
+ public void setAuthContext(RangerAuthContext authContext) {
+ this.authContext = authContext;
+ }
+
+ public RangerAuthContext getAuthContext() {
+ return authContext;
+ }
+
public String getOption(String name, String defaultValue) {
String ret = defaultValue;
String val = getOption(name);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index fbf0360..b596992 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -314,17 +314,19 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
}
enrichedServiceTags = new
EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie,
tagsForEmptyResourceAndAnyAccess);
+ }
+
+ RangerAuthContext authContext = getAuthContext();
+ if (authContext != null) {
+ authContext.addOrReplaceRequestContextEnricher(this,
enrichedServiceTags);
Map<String, RangerBasePlugin> servicePluginMap =
RangerBasePlugin.getServicePluginMap();
RangerBasePlugin plugin = servicePluginMap != null ?
servicePluginMap.get(getServiceName()) : null;
if (plugin != null) {
- RangerAuthContext currentAuthContext =
plugin.getCurrentRangerAuthContext();
- if (currentAuthContext != null) {
-
currentAuthContext.addOrReplaceRequestContextEnricher(this,
enrichedServiceTags);
- plugin.contextChanged();
- }
+ plugin.contextChanged();
}
}
+
}
protected Long getServiceTagsVersion() {
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
index e596b2a..df21c5d 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
@@ -23,6 +23,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.service.RangerAuthContext;
import org.apache.ranger.plugin.service.RangerBasePlugin;
public class RangerPluginContext {
@@ -30,6 +31,7 @@ public class RangerPluginContext {
private static final Log LOG =
LogFactory.getLog(RangerBasePlugin.class);
private String clusterName;
private String clusterType;
+ private RangerAuthContext authContext;
public RangerPluginContext(String serviceType){
this.clusterName = findClusterName(serviceType);
@@ -52,6 +54,10 @@ public class RangerPluginContext {
this.clusterType = clusterType;
}
+ public RangerAuthContext getAuthContext() { return authContext; }
+
+ public void setAuthContext(RangerAuthContext authContext) {
this.authContext = authContext; }
+
private String findClusterName(String serviceType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerPluginContext.findClusterName ,
serviceType = " + serviceType);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 51cd658..d33f5d3 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -36,6 +36,7 @@ import
org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import
org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.PolicyACLSummary;
import
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.service.RangerAuthContext;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
@@ -82,17 +83,13 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
private Map<String, RangerPolicyRepository> policyRepositories = new
HashMap<>();
- private Map<String, RangerResourceTrie> trieMap;
- private Map<String, String> zoneTagServiceMap;
- private final Map<String, Set<String>> userRoleMapping;
- private final Map<String, Set<String>> groupRoleMapping;
- private final RangerPluginContext rangerPluginContext;
+ private Map<String, RangerResourceTrie> trieMap;
+ private Map<String, String> zoneTagServiceMap;
+ private final Map<String, Set<String>> userRoleMapping;
+ private final Map<String, Set<String>> groupRoleMapping;
+ private final RangerPluginContext pluginContext;
public RangerPolicyEngineImpl(final RangerPolicyEngineImpl other,
ServicePolicies servicePolicies) {
- this(other, servicePolicies, null);
- }
-
- public RangerPolicyEngineImpl(final RangerPolicyEngineImpl other,
ServicePolicies servicePolicies, RangerPluginContext rangerPluginContext) {
List<RangerPolicyDelta> deltas =
servicePolicies.getPolicyDeltas();
long policyVersion =
servicePolicies.getPolicyVersion();
@@ -100,6 +97,8 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
this.useForwardedIPAddress = other.useForwardedIPAddress;
this.trustedProxyAddresses = other.trustedProxyAddresses;
+ this.pluginContext = other.pluginContext;
+
List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>();
List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new
ArrayList<>();
@@ -146,7 +145,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
servicePolicies.getSecurityZones().get(zoneName).setPolicies(policies);
- policyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies,
other.policyRepository.getOptions(), zoneName);
+ policyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(), servicePolicies,
other.policyRepository.getOptions(), this.pluginContext, zoneName);
} else {
policyRepository = new
RangerPolicyRepository(otherRepository, zoneDeltas, policyVersion);
}
@@ -192,7 +191,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
}
servicePolicies.getTagPolicies().setPolicies(tagPolicies);
- this.tagPolicyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(),
servicePolicies.getTagPolicies(), other.policyRepository.getOptions(),
servicePolicies.getServiceDef(), servicePolicies.getServiceName());
+ this.tagPolicyRepository = new
RangerPolicyRepository(other.policyRepository.getAppId(),
servicePolicies.getTagPolicies(), other.policyRepository.getOptions(),
this.pluginContext, servicePolicies.getServiceDef(),
servicePolicies.getServiceName());
}
} else {
this.tagPolicyRepository =
other.tagPolicyRepository;
@@ -200,8 +199,6 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
}
- this.rangerPluginContext = (rangerPluginContext != null) ?
rangerPluginContext : null;
-
List<RangerContextEnricher> tmpList;
List<RangerContextEnricher> tagContextEnrichers =
tagPolicyRepository == null ? null :tagPolicyRepository.getContextEnrichers();
List<RangerContextEnricher> resourceContextEnrichers =
policyRepository.getContextEnrichers();
@@ -224,10 +221,6 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
- public RangerPolicyEngineImpl(String appId, ServicePolicies
servicePolicies, RangerPolicyEngineOptions options) {
- this(appId, servicePolicies, options, null);
- }
-
public RangerPolicyEngineImpl(String appId, ServicePolicies
servicePolicies, RangerPolicyEngineOptions options, RangerPluginContext
rangerPluginContext) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerPolicyEngineImpl(" + appId + ", "
+ servicePolicies + ", " + options + ", " + rangerPluginContext + ")");
@@ -246,7 +239,11 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
options = new RangerPolicyEngineOptions();
}
- this.rangerPluginContext = (rangerPluginContext != null) ?
rangerPluginContext : null;
+ this.pluginContext = (rangerPluginContext != null) ?
rangerPluginContext : new
RangerPluginContext(servicePolicies.getServiceDef().getName());
+
+ RangerAuthContext authContext = new RangerAuthContext(this,
null, this.pluginContext);
+ this.pluginContext.setAuthContext(authContext);
+
if(StringUtils.isBlank(options.evaluatorType) ||
StringUtils.equalsIgnoreCase(options.evaluatorType,
RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO)) {
@@ -269,7 +266,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
options.evaluatorType =
RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
}
- policyRepository = new RangerPolicyRepository(appId,
servicePolicies, options);
+ policyRepository = new RangerPolicyRepository(appId,
servicePolicies, options, this.pluginContext);
ServicePolicies.TagPolicies tagPolicies =
servicePolicies.getTagPolicies();
@@ -282,7 +279,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerPolicyEngineImpl : Building
tag-policy-repository for tag-service " + tagPolicies.getServiceName());
}
- tagPolicyRepository = new RangerPolicyRepository(appId,
tagPolicies, options, servicePolicies.getServiceDef(),
servicePolicies.getServiceName());
+ tagPolicyRepository = new RangerPolicyRepository(appId,
tagPolicies, options, this.pluginContext, servicePolicies.getServiceDef(),
servicePolicies.getServiceName());
} else {
if (LOG.isDebugEnabled()) {
@@ -310,7 +307,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
buildZoneTrie(servicePolicies);
for (Map.Entry<String,
ServicePolicies.SecurityZoneInfo> zone :
servicePolicies.getSecurityZones().entrySet()) {
- RangerPolicyRepository policyRepository = new
RangerPolicyRepository(appId, servicePolicies, options, zone.getKey());
+ RangerPolicyRepository policyRepository = new
RangerPolicyRepository(appId, servicePolicies, options, this.pluginContext,
zone.getKey());
policyRepositories.put(zone.getKey(),
policyRepository);
}
}
@@ -347,7 +344,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
RangerServiceDef serviceDef = this.getServiceDef();
String serviceType = (serviceDef != null) ?
serviceDef.getName() : "";
if
(CollectionUtils.isNotEmpty(servicePolicies.getPolicyDeltas()) &&
RangerPolicyDeltaUtil.isValidDeltas(servicePolicies.getPolicyDeltas(),
serviceType)) {
- ret = new RangerPolicyEngineImpl(this, servicePolicies,
this.rangerPluginContext);
+ ret = new RangerPolicyEngineImpl(this, servicePolicies);
} else {
ret = null;
}
@@ -425,9 +422,9 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
RangerAccessRequestImpl reqImpl =
(RangerAccessRequestImpl) request;
reqImpl.extractAndSetClientIPAddress(useForwardedIPAddress,
trustedProxyAddresses);
- if(rangerPluginContext != null) {
-
reqImpl.setClusterName(rangerPluginContext.getClusterName());
-
reqImpl.setClusterType(rangerPluginContext.getClusterType());
+ if(pluginContext != null) {
+
reqImpl.setClusterName(pluginContext.getClusterName());
+
reqImpl.setClusterType(pluginContext.getClusterType());
}
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 3a954f3..aec325c 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -24,6 +24,7 @@ import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.plugin.contextenricher.RangerAbstractContextEnricher;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
@@ -81,6 +82,7 @@ class RangerPolicyRepository {
private final String zoneName;
private final String appId;
private final RangerPolicyEngineOptions options;
+ private final RangerPluginContext pluginContext;
private final RangerServiceDef serviceDef;
private final List<RangerPolicy> policies;
private final long policyVersion;
@@ -106,6 +108,7 @@ class RangerPolicyRepository {
this.zoneName = other.zoneName;
this.appId = other.appId;
this.options = other.options;
+ this.pluginContext = other.pluginContext;
this.serviceDef = other.serviceDef;
this.policies = new ArrayList<>(other.policies);
this.policyEvaluators = new ArrayList<>(other.policyEvaluators);
@@ -252,11 +255,11 @@ class RangerPolicyRepository {
}
- RangerPolicyRepository(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options) {
- this(appId, servicePolicies, options, null);
+ RangerPolicyRepository(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, RangerPluginContext pluginContext) {
+ this(appId, servicePolicies, options, pluginContext, null);
}
- RangerPolicyRepository(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, String zoneName) {
+ RangerPolicyRepository(String appId, ServicePolicies servicePolicies,
RangerPolicyEngineOptions options, RangerPluginContext pluginContext, String
zoneName) {
super();
this.componentServiceName = this.serviceName =
servicePolicies.getServiceName();
@@ -266,6 +269,7 @@ class RangerPolicyRepository {
this.appId = appId;
this.options = new RangerPolicyEngineOptions(options);
+ this.pluginContext = pluginContext;
if (StringUtils.isEmpty(zoneName)) {
this.policies =
Collections.unmodifiableList(servicePolicies.getPolicies());
@@ -322,7 +326,7 @@ class RangerPolicyRepository {
}
}
- RangerPolicyRepository(String appId, ServicePolicies.TagPolicies
tagPolicies, RangerPolicyEngineOptions options,
+ RangerPolicyRepository(String appId, ServicePolicies.TagPolicies
tagPolicies, RangerPolicyEngineOptions options, RangerPluginContext
pluginContext,
RangerServiceDef componentServiceDef, String
componentServiceName) {
super();
@@ -336,6 +340,7 @@ class RangerPolicyRepository {
this.appId = appId;
this.options = options;
+ this.pluginContext = pluginContext;
this.policies =
Collections.unmodifiableList(normalizeAndPrunePolicies(tagPolicies.getPolicies(),
componentServiceDef.getName()));
this.policyVersion = tagPolicies.getPolicyVersion() != null ?
tagPolicies.getPolicyVersion() : -1;
@@ -1023,6 +1028,10 @@ class RangerPolicyRepository {
ret.setServiceName(componentServiceName);
ret.setServiceDef(componentServiceDef);
ret.setAppId(appId);
+ if (ret instanceof RangerAbstractContextEnricher) {
+ RangerAbstractContextEnricher abstractContextEnricher =
(RangerAbstractContextEnricher) ret;
+
abstractContextEnricher.setAuthContext(pluginContext.getAuthContext());
+ }
ret.init();
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index 3d0f107..842c58b 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -50,137 +50,153 @@ import java.util.concurrent.ConcurrentHashMap;
public class RangerAuthContext implements RangerPolicyEngine {
private static final Log LOG =
LogFactory.getLog(RangerAuthContext.class);
private final RangerPluginContext rangerPluginContext;
- private RangerPolicyEngine policyEngine;
- private Map<RangerContextEnricher, Object> requestContextEnrichers;
+ private final RangerPolicyEngine policyEngine;
+ private final Map<RangerContextEnricher, Object> requestContextEnrichers;
- protected RangerAuthContext() {
- this(null, null, null);
- }
-
- protected RangerAuthContext(RangerPluginContext rangerPluginContext) {
- this(null, null, rangerPluginContext);
- }
-
- RangerAuthContext(RangerPolicyEngine policyEngine,
Map<RangerContextEnricher, Object> requestContextEnrichers, RangerPluginContext
rangerPluginContext) {
+ public RangerAuthContext(RangerPolicyEngine policyEngine,
Map<RangerContextEnricher, Object> requestContextEnrichers, RangerPluginContext
rangerPluginContext) {
this.policyEngine = policyEngine;
- this.requestContextEnrichers = requestContextEnrichers;
+ this.requestContextEnrichers = requestContextEnrichers != null ?
requestContextEnrichers : new ConcurrentHashMap<>();
this.rangerPluginContext = rangerPluginContext;
}
- RangerAuthContext(RangerAuthContext other) {
- this(other, null);
- }
+ RangerAuthContext(RangerAuthContext other) {
+ if (other != null) {
+ this.policyEngine = other.getPolicyEngine();
+
+ Map<RangerContextEnricher, Object> localReference =
other.requestContextEnrichers;
+ if (MapUtils.isNotEmpty(localReference)) {
+ this.requestContextEnrichers = new
ConcurrentHashMap<>(localReference);
+ } else {
+ this.requestContextEnrichers = new ConcurrentHashMap<>();
+ }
- RangerAuthContext(RangerAuthContext other, RangerPluginContext
rangerPluginContext) {
- if (other != null) {
- this.policyEngine = other.getPolicyEngine();
- Map<RangerContextEnricher, Object> localReference =
other.requestContextEnrichers;
- if (MapUtils.isNotEmpty(localReference)) {
- this.requestContextEnrichers = new
ConcurrentHashMap<>(localReference);
- }
- }
- this.rangerPluginContext = rangerPluginContext;
+ this.rangerPluginContext = other.rangerPluginContext;
+ } else {
+ this.policyEngine = null;
+ this.requestContextEnrichers = new ConcurrentHashMap<>();
+ this.rangerPluginContext = null;
+ }
}
public RangerPolicyEngine getPolicyEngine() {
return policyEngine;
}
- void setPolicyEngine(RangerPolicyEngine policyEngine) { this.policyEngine
= policyEngine; }
-
public Map<RangerContextEnricher, Object> getRequestContextEnrichers() {
return requestContextEnrichers;
}
public void addOrReplaceRequestContextEnricher(RangerContextEnricher
enricher, Object database) {
- if (requestContextEnrichers == null) {
- requestContextEnrichers = new ConcurrentHashMap<>();
- }
// concurrentHashMap does not allow null to be inserted into it, so
insert a dummy which is checked
// when enrich() is called
requestContextEnrichers.put(enricher, database != null ? database :
enricher);
}
public void cleanupRequestContextEnricher(RangerContextEnricher enricher) {
- if (requestContextEnrichers != null) {
- requestContextEnrichers.remove(enricher);
- }
+ requestContextEnrichers.remove(enricher);
+
}
@Override
public void setUseForwardedIPAddress(boolean useForwardedIPAddress) {
- policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
+ if (policyEngine != null) {
+ policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
+ }
}
@Override
public void setTrustedProxyAddresses(String[] trustedProxyAddresses) {
- policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
+ if (policyEngine != null) {
+ policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
+ }
}
@Override
public boolean getUseForwardedIPAddress() {
- return policyEngine.getUseForwardedIPAddress();
+ if (policyEngine != null) {
+ return policyEngine.getUseForwardedIPAddress();
+ }
+ return false;
}
@Override
public String[] getTrustedProxyAddresses() {
- return policyEngine.getTrustedProxyAddresses();
+ if (policyEngine != null) {
+ return policyEngine.getTrustedProxyAddresses();
+ }
+ return null;
}
@Override
public RangerServiceDef getServiceDef() {
- return policyEngine.getServiceDef();
+ if (policyEngine != null) {
+ return policyEngine.getServiceDef();
+ }
+ return null;
}
@Override
public long getPolicyVersion() {
- return policyEngine.getPolicyVersion();
+ if (policyEngine != null) {
+ return policyEngine.getPolicyVersion();
+ }
+ return 0L;
}
public Collection<RangerAccessResult>
isAccessAllowed(Collection<RangerAccessRequest> requests,
RangerAccessResultProcessor resultProcessor) {
- preProcess(requests);
- return policyEngine.evaluatePolicies(requests,
RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
+ if (policyEngine != null) {
+ preProcess(requests);
+ return policyEngine.evaluatePolicies(requests,
RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
+ }
+ return null;
}
public RangerAccessResult isAccessAllowed(RangerAccessRequest request,
RangerAccessResultProcessor resultProcessor) {
- preProcess(request);
- return policyEngine.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
+ if (policyEngine != null) {
+ preProcess(request);
+ return policyEngine.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
+ }
+ return null;
}
public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest
request, RangerAccessResultProcessor resultProcessor) {
- preProcess(request);
- return policyEngine.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor);
+ if (policyEngine != null) {
+ preProcess(request);
+ return policyEngine.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor);
+ }
+ return null;
}
public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest
request, RangerAccessResultProcessor resultProcessor) {
- preProcess(request);
- return policyEngine.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor);
+ if (policyEngine != null) {
+ preProcess(request);
+ return policyEngine.evaluatePolicies(request,
RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor);
+ }
+ return null;
}
@Override
public void preProcess(RangerAccessRequest request) {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerAuthContext.preProcess");
- }
-
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAuthContext.preProcess");
+ }
RangerAccessResource resource = request.getResource();
if (resource.getServiceDef() == null) {
- if (resource instanceof RangerMutableResource) {
- RangerMutableResource mutable = (RangerMutableResource)
resource;
- mutable.setServiceDef(getServiceDef());
- }
+ if (resource instanceof RangerMutableResource) {
+ RangerMutableResource mutable = (RangerMutableResource)
resource;
+ mutable.setServiceDef(getServiceDef());
+ }
+ }
+ if (request instanceof RangerAccessRequestImpl) {
+ RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl)
request;
+ reqImpl.extractAndSetClientIPAddress(getUseForwardedIPAddress(),
getTrustedProxyAddresses());
+ if (rangerPluginContext != null) {
+ reqImpl.setClusterName(rangerPluginContext.getClusterName());
+ reqImpl.setClusterType(rangerPluginContext.getClusterType());
+ }
}
- if (request instanceof RangerAccessRequestImpl) {
- RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl)
request;
-
reqImpl.extractAndSetClientIPAddress(getUseForwardedIPAddress(),
getTrustedProxyAddresses());
- if(rangerPluginContext != null) {
-
reqImpl.setClusterName(rangerPluginContext.getClusterName());
-
reqImpl.setClusterType(rangerPluginContext.getClusterType());
- }
- }
-
RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(),
request.getUser());
+ RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(),
request.getUser());
Set<String> roles = getRolesFromUserAndGroups(request.getUser(),
request.getUserGroups());
@@ -194,7 +210,7 @@ public class RangerAuthContext implements
RangerPolicyEngine {
RangerAccessRequestUtil.setOwnerInContext(request.getContext(),
owner);
}
- if (MapUtils.isNotEmpty(requestContextEnrichers)) {
+ if (MapUtils.isNotEmpty(requestContextEnrichers)) {
for (Map.Entry<RangerContextEnricher, Object> entry :
requestContextEnrichers.entrySet()) {
if (entry.getValue() instanceof RangerContextEnricher &&
entry.getKey().equals(entry.getValue())) {
// This entry was a result of
addOrReplaceRequestContextEnricher() API called with null database value
@@ -204,10 +220,9 @@ public class RangerAuthContext implements
RangerPolicyEngine {
}
}
}
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerAuthContext.preProcess");
- }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAuthContext.preProcess");
+ }
}
@Override
@@ -221,51 +236,77 @@ public class RangerAuthContext implements
RangerPolicyEngine {
@Override
public RangerAccessResult evaluatePolicies(RangerAccessRequest request,
int policyType, RangerAccessResultProcessor resultProcessor) {
- return policyEngine.evaluatePolicies(request, policyType,
resultProcessor);
+ if (policyEngine != null) {
+ return policyEngine.evaluatePolicies(request, policyType,
resultProcessor);
+ }
+ return null;
}
@Override
public Collection<RangerAccessResult>
evaluatePolicies(Collection<RangerAccessRequest> requests, int policyType,
RangerAccessResultProcessor resultProcessor) {
- return policyEngine.evaluatePolicies(requests, policyType,
resultProcessor);
+ if (policyEngine != null) {
+ return policyEngine.evaluatePolicies(requests, policyType,
resultProcessor);
+ }
+ return null;
}
@Override
public RangerResourceACLs getResourceACLs(RangerAccessRequest request) {
- preProcess(request);
- return policyEngine.getResourceACLs(request);
+ if (policyEngine != null) {
+ preProcess(request);
+ return policyEngine.getResourceACLs(request);
+ }
+ return null;
}
@Override
public String getMatchedZoneName(GrantRevokeRequest grantRevokeRequest)
{
- return policyEngine.getMatchedZoneName(grantRevokeRequest);
+ if (policyEngine != null) {
+ return policyEngine.getMatchedZoneName(grantRevokeRequest);
+ }
+ return null;
}
@Override
public boolean preCleanup() {
- return policyEngine.preCleanup();
+ if (policyEngine != null) {
+ return policyEngine.preCleanup();
+ }
+ return false;
}
@Override
public void cleanup() {
- policyEngine.cleanup();
+ if (policyEngine != null) {
+ policyEngine.cleanup();
+ }
}
@Override
public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest
request) {
- preProcess(request);
- return policyEngine.getResourceAccessInfo(request);
+ if (policyEngine != null) {
+ preProcess(request);
+ return policyEngine.getResourceAccessInfo(request);
+ }
+ return null;
}
@Override
public List<RangerPolicy> getMatchingPolicies(RangerAccessResource
resource) {
- RangerAccessRequestImpl request = new
RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null);
- preProcess(request);
- return getMatchingPolicies(request);
+ if (policyEngine != null) {
+ RangerAccessRequestImpl request = new
RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null);
+ preProcess(request);
+ return getMatchingPolicies(request);
+ }
+ return null;
}
@Override
public List<RangerPolicy> getMatchingPolicies(RangerAccessRequest request)
{
- return policyEngine.getMatchingPolicies(request);
+ if (policyEngine != null) {
+ return policyEngine.getMatchingPolicies(request);
+ }
+ return null;
}
/* This API is called for a long running policy-engine. Not needed here */
@@ -285,7 +326,7 @@ public class RangerAuthContext implements
RangerPolicyEngine {
}
@Override
- public boolean isAccessAllowed(RangerPolicy policy, String user,
Set<String> userGroups, Set<String> roles, String accessType) {
+ public boolean isAccessAllowed(RangerPolicy policy, String user,
Set<String> userGroups, Set<String> roles, String accessType) {
return false;
}
@@ -311,12 +352,18 @@ public class RangerAuthContext implements
RangerPolicyEngine {
@Override
public RangerPolicyEngine cloneWithDelta(ServicePolicies servicePolicies) {
- return policyEngine.cloneWithDelta(servicePolicies);
+ if (policyEngine != null) {
+ return policyEngine.cloneWithDelta(servicePolicies);
+ }
+ return null;
}
@Override
public Set<String> getRolesFromUserAndGroups(String user, Set<String>
groups) {
- return policyEngine.getRolesFromUserAndGroups(user, groups);
+ if (policyEngine != null) {
+ return policyEngine.getRolesFromUserAndGroups(user, groups);
+ }
+ return null;
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 8d89a18..8de0329 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -70,7 +70,6 @@ public class RangerBasePlugin {
private RangerPolicyEngineOptions policyEngineOptions = new
RangerPolicyEngineOptions();
private RangerPluginContext rangerPluginContext;
private RangerAuthContext currentAuthContext;
- private RangerAuthContext readOnlyAuthContext;
private RangerAccessResultProcessor resultProcessor;
private boolean useForwardedIPAddress;
private String[] trustedProxyAddresses;
@@ -143,7 +142,7 @@ public class RangerBasePlugin {
}
public RangerAuthContext createRangerAuthContext() {
- return new RangerAuthContext(readOnlyAuthContext);
+ return new RangerAuthContext(currentAuthContext);
}
public RangerAuthContext getCurrentRangerAuthContext() { return
currentAuthContext; }
@@ -216,6 +215,8 @@ public class RangerBasePlugin {
auditProviderFactory = null;
}
+ rangerPluginContext = new RangerPluginContext(serviceType);
+
policyEngineOptions.configureForPlugin(configuration,
propertyPrefix);
LOG.info(policyEngineOptions);
@@ -314,8 +315,6 @@ public class RangerBasePlugin {
if (LOG.isDebugEnabled()) {
LOG.debug("policies are not
null. Creating engine from policies");
}
- rangerPluginContext = new
RangerPluginContext(serviceType);
- currentAuthContext = new
RangerAuthContext(rangerPluginContext);
newPolicyEngine = new
RangerPolicyEngineImpl(appId, policies, policyEngineOptions,
rangerPluginContext);
} else {
if (LOG.isDebugEnabled()) {
@@ -335,8 +334,6 @@ public class RangerBasePlugin {
LOG.debug("Failed to apply policyDeltas=" +
Arrays.toString(policies.getPolicyDeltas().toArray()) + "), Creating engine
from policies");
LOG.debug("Creating new engine from servicePolicies:[" + servicePolicies + "]");
}
- rangerPluginContext =
new RangerPluginContext(serviceType);
- currentAuthContext =
new RangerAuthContext(rangerPluginContext);
newPolicyEngine = new
RangerPolicyEngineImpl(appId, servicePolicies, policyEngineOptions,
rangerPluginContext);
}
} else {
@@ -351,8 +348,7 @@ public class RangerBasePlugin {
newPolicyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
newPolicyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
this.policyEngine = newPolicyEngine;
-
currentAuthContext.setPolicyEngine(this.policyEngine);
- readOnlyAuthContext = new
RangerAuthContext(currentAuthContext);
+ this.currentAuthContext = new
RangerAuthContext(rangerPluginContext.getAuthContext());
contextChanged();
@@ -363,6 +359,7 @@ public class RangerBasePlugin {
this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies);
}
}
+
} else {
LOG.error("Returning without saving policies to
cache. Leaving current policy engine as-is");
}
@@ -699,6 +696,15 @@ public class RangerBasePlugin {
}
}
+
+ /*
+ This API is provided only for unit testing
+ */
+
+ public void setPluginContext(RangerPluginContext pluginContext) {
+ this.rangerPluginContext = pluginContext;
+ }
+
private void auditGrantRevoke(GrantRevokeRequest request, String
action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
if(request != null && resultProcessor != null) {
RangerAccessRequestImpl accessRequest = new
RangerAccessRequestImpl();
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
index 49dba88..061b392 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerAuthContext.java
@@ -87,6 +87,8 @@ public class TestRangerAuthContext {
for(RangerAuthContextTests.TestCase testCase :
testCases.testCases) {
String testName = testCase.name;
+ RangerPluginContext pluginContext = new
RangerPluginContext(testCase.servicePolicies.getServiceDef().getName());
+ plugin.setPluginContext(pluginContext);
plugin.setPolicies(testCase.servicePolicies);
RangerAuthContext ctx =
plugin.createRangerAuthContext();
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index bb015c5..0c5449d 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -97,8 +97,6 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
private static volatile RangerHivePlugin hivePlugin = null;
- private static RangerAuthContext authContext;
-
private static final String ROLE_ALL = "ALL", ROLE_DEFAULT = "DEFAULT",
ROLE_NONE = "NONE";
private static final Set<String> RESERVED_ROLE_NAMES;
@@ -2016,7 +2014,6 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
}
try {
- authContext =
hivePlugin.createRangerAuthContext();
HiveObjectRef msObjRef =
AuthorizationUtils.getThriftHiveObjectRef(privObj);
if (msObjRef.getObjectName() == null) {
@@ -2335,6 +2332,8 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
RangerHiveResource hiveResource =
createHiveResource(hiveObject);
RangerAccessRequestImpl request = new
RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null,
null);
+ final RangerAuthContext authContext =
hivePlugin.createRangerAuthContext();
+
ret = authContext.getResourceACLs(request);
if (LOG.isDebugEnabled()) {
