This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 2e224cf9d RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher 2e224cf9d is described below commit 2e224cf9d4d28f3e23b5f8462a92024993a104bc Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Wed Mar 22 11:28:51 2023 -0700 RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher --- .../plugin/contextenricher/RangerTagEnricher.java | 19 ++++++++++++++----- .../plugin/policyengine/RangerAccessRequestImpl.java | 10 +++++++++- .../plugin/service/RangerDefaultRequestProcessor.java | 19 ++++++++++++++++++- .../util/RangerResourceEvaluatorsRetriever.java | 2 +- 4 files changed, 42 insertions(+), 8 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index efb885a74..198d24d97 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -78,9 +78,8 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { private static final Logger PERF_SET_SERVICETAGS_LOG = RangerPerfTracer.getPerfLogger("tagenricher.setservicetags"); private static final Logger PERF_SERVICETAGS_RETRIEVAL_LOG = RangerPerfTracer.getPerfLogger("tagenricher.tags.retrieval"); - private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = "tagRefresherPollingInterval"; - public static final String TAG_RETRIEVER_CLASSNAME_OPTION = "tagRetrieverClassName"; + public static final String TAG_RETRIEVER_CLASSNAME_OPTION = "tagRetrieverClassName"; private static final String TAG_DISABLE_TRIE_PREFILTER_OPTION = "disableTrieLookupPrefilter"; private RangerTagRefresher tagRefresher; @@ -485,12 +484,19 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { if (resourceMatcher != null) { for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { + RangerPolicy.RangerPolicyResource policyResource = serviceResource.getResourceElements().get(resourceDef.getName()); + RangerResourceTrie<RangerServiceResourceMatcher> trie = serviceResourceTrie.get(resourceDef.getName()); + if (LOG.isDebugEnabled()) { + LOG.debug("Trying to add resource-matcher to " + (trie == null ? "new" : "existing") + " trie for " + resourceDef.getName()); + } + if (trie != null) { - trie.add(serviceResource.getResourceElements().get(resourceDef.getName()), resourceMatcher); + trie.add(policyResource, resourceMatcher); + trie.wrapUpUpdate(); if (LOG.isDebugEnabled()) { - LOG.debug("Added resource-matcher for service-resource:[" + serviceResource + "]"); + LOG.debug("Added resource-matcher for policy-resource:[" + policyResource + "]"); } } else { trie = new RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher), getPolicyEngineOptions().optimizeTagTrieForRetrieval, getPolicyEngineOptions().optimizeTagTrieForSpace, null); @@ -541,7 +547,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl(); for (Map.Entry<String, RangerPolicy.RangerPolicyResource> entry : serviceResource.getResourceElements().entrySet()) { - accessResource.setValue(entry.getKey(), entry.getValue()); + accessResource.setValue(entry.getKey(), entry.getValue().getValues()); } if (LOG.isDebugEnabled()) { LOG.debug("RangerAccessResource:[" + accessResource + "] created to represent service-resource[" + serviceResource + "] to find evaluators from trie-map"); @@ -748,6 +754,9 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { RangerPerfTracer.logAlways(perf); } + if (ret == null) { + ret = new ArrayList<>(); + } if(LOG.isDebugEnabled()) { LOG.debug("<== RangerTagEnricher.getEvaluators(request=" + request + "): evaluatorCount=" + ret.size()); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java index fb7bcaada..e561c4c7c 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java @@ -183,6 +183,9 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { public void setResource(RangerAccessResource resource) { this.resource = resource; + if (context != null) { + RangerAccessRequestUtil.setIsRequestPreprocessed(context, Boolean.FALSE); + } } public void setAccessType(String accessType) { @@ -255,7 +258,12 @@ public class RangerAccessRequestImpl implements RangerAccessRequest { this.clusterType = clusterType; } - public void setResourceMatchingScope(ResourceMatchingScope scope) { this.resourceMatchingScope = scope; } + public void setResourceMatchingScope(ResourceMatchingScope scope) { + this.resourceMatchingScope = scope; + if (context != null) { + RangerAccessRequestUtil.setIsRequestPreprocessed(context, Boolean.FALSE); + } + } public void setContext(Map<String, Object> context) { if (context == null) { diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java index 80d27e8e8..c78dbbce3 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java @@ -31,6 +31,7 @@ import org.apache.ranger.plugin.policyengine.RangerMutableResource; import org.apache.ranger.plugin.util.RangerAccessRequestUtil; import org.apache.ranger.plugin.util.RangerPerfTracer; import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import java.util.List; import java.util.Set; @@ -38,6 +39,7 @@ import java.util.Set; public class RangerDefaultRequestProcessor implements RangerAccessRequestProcessor { private static final Logger PERF_CONTEXTENRICHER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("contextenricher.request"); + private static final Logger LOG = LoggerFactory.getLogger(RangerDefaultRequestProcessor.class); protected final PolicyEngine policyEngine; @@ -48,10 +50,16 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess @Override public void preProcess(RangerAccessRequest request) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> preProcess(" + request + ")"); + } + if (RangerAccessRequestUtil.getIsRequestPreprocessed(request.getContext())) { + if (LOG.isDebugEnabled()) { + LOG.debug("<== preProcess(" + request + ")"); + } return; } - RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), Boolean.TRUE); setResourceServiceDef(request); @@ -97,6 +105,13 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess } enrich(request); + + RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), Boolean.TRUE); + + if (LOG.isDebugEnabled()) { + LOG.debug("<== preProcess(" + request + ")"); + } + } @Override @@ -115,6 +130,8 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess RangerPerfTracer.log(perf); } + } else { + LOG.info("No context-enrichers!!!"); } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java index dfe591c59..e60fe055b 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java @@ -112,7 +112,7 @@ public class RangerResourceEvaluatorsRetriever { } if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerResourceEvaluatorsRetriever.getEvaluators(" + resource + ") : evaluator:[" + ret + "]"); + LOG.debug("<== RangerResourceEvaluatorsRetriever.getEvaluators(" + resource + ") : evaluator:[" + ret + "]"); } return ret; }