This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 04f5f639a RANGER-4284: Additional logging messages to help with debugging when policy deltas are enabled 04f5f639a is described below commit 04f5f639aab36135c18652ab183350080c37ecd4 Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Fri Jun 16 09:41:10 2023 -0700 RANGER-4284: Additional logging messages to help with debugging when policy deltas are enabled --- .../ranger/plugin/policyengine/PolicyEngine.java | 4 +- .../plugin/policyengine/RangerResourceTrie.java | 4 +- .../ranger/plugin/service/RangerBasePlugin.java | 12 +- .../apache/ranger/plugin/store/ServiceStore.java | 2 +- .../apache/ranger/plugin/util/PolicyRefresher.java | 36 +++++- .../java/org/apache/ranger/biz/ServiceDBStore.java | 23 ++-- .../ranger/common/RangerServicePoliciesCache.java | 131 ++++++++++++++++----- .../org/apache/ranger/db/XXPolicyChangeLogDao.java | 6 +- .../main/resources/META-INF/jpa_named_queries.xml | 11 +- 9 files changed, 174 insertions(+), 55 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java index f1dc03944..1e99b5824 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java @@ -680,8 +680,10 @@ public class PolicyEngine { LOG.debug("Built matchers for all Zones"); } + RangerPolicyEngineOptions options = pluginContext.getConfig().getPolicyEngineOptions(); + for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { - resourceZoneTrie.put(resourceDef.getName(), new RangerResourceTrie<>(resourceDef, matchers)); + resourceZoneTrie.put(resourceDef.getName(), new RangerResourceTrie<>(resourceDef, matchers, options.optimizeTrieForSpace, options.optimizeTrieForRetrieval, pluginContext)); } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java index 07eb5815c..647059203 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java @@ -87,11 +87,13 @@ public class RangerResourceTrie<T extends RangerResourceEvaluator> { this.optWildcard = other.optWildcard; this.wildcardChars = other.wildcardChars; this.isOptimizedForSpace = other.isOptimizedForSpace; - this.isOptimizedForRetrieval = false; + this.isOptimizedForRetrieval = other.isOptimizedForRetrieval; this.separatorChar = other.separatorChar; this.inheritedEvaluators = other.inheritedEvaluators != null ? new HashSet<>(other.inheritedEvaluators) : null; this.root = copyTrieSubtree(other.root, null); + wrapUpUpdate(); + RangerPerfTracer.logAlways(perf); if (PERF_TRIE_INIT_LOG.isDebugEnabled()) { diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index b1e2ecbcc..9249b3295 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -421,7 +421,17 @@ public class RangerBasePlugin { } if (this.refresher != null) { - this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies); + boolean doPreserveDeltas = pluginConfig.getBoolean (pluginConfig.getPropertyPrefix() + ".preserve.deltas", false); + if (!doPreserveDeltas) { + this.refresher.saveToCache(usePolicyDeltas ? servicePolicies : policies); + } else { + // Save both deltas and all policies to cache for verification + this.refresher.saveToCache(policies); + + if (usePolicyDeltas) { + this.refresher.saveToCache(servicePolicies); + } + } } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java index aecde05fb..8ad3e12c8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java @@ -105,7 +105,7 @@ public interface ServiceStore { ServicePolicies getServicePolicyDeltasOrPolicies(String serviceName, Long lastKnownVersion) throws Exception; - ServicePolicies getServicePolicyDeltas(String serviceName, Long lastKnownVersion) throws Exception; + ServicePolicies getServicePolicyDeltas(String serviceName, Long lastKnownVersion, Long cachedPolicyVersion) throws Exception; ServicePolicies getServicePolicies(String serviceName, Long lastKnownVersion) throws Exception; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java index b2e5429ab..c130309ea 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java @@ -28,6 +28,7 @@ import java.util.Timer; import java.util.concurrent.BlockingQueue; import java.util.concurrent.LinkedBlockingQueue; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.ranger.admin.client.RangerAdminClient; import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; @@ -404,22 +405,31 @@ public class PolicyRefresher extends Thread { if(LOG.isDebugEnabled()) { LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").saveToCache()"); } + boolean doPreserveDeltas = plugIn.getConfig().getBoolean(plugIn.getConfig().getPropertyPrefix() + ".preserve.deltas", false); if(policies != null) { File cacheFile = null; + File backupCacheFile = null; if (cacheDir != null) { + String realCacheDirName = CollectionUtils.isNotEmpty(policies.getPolicyDeltas()) ? cacheDir + File.separator + "deltas" : cacheDir; + String backupCacheFileName = cacheFileName + "_" + policies.getPolicyVersion(); + String realCacheFileName = CollectionUtils.isNotEmpty(policies.getPolicyDeltas()) ? backupCacheFileName : cacheFileName; + // Create the cacheDir if it doesn't already exist - File cacheDirTmp = new File(cacheDir); + File cacheDirTmp = new File(realCacheDirName); if (cacheDirTmp.exists()) { - cacheFile = new File(cacheDir + File.separator + cacheFileName); + cacheFile = new File(realCacheDirName + File.separator + realCacheFileName); } else { try { cacheDirTmp.mkdirs(); - cacheFile = new File(cacheDir + File.separator + cacheFileName); + cacheFile = new File(realCacheDirName + File.separator + realCacheFileName); } catch (SecurityException ex) { LOG.error("Cannot create cache directory", ex); } } + if (CollectionUtils.isEmpty(policies.getPolicyDeltas())) { + backupCacheFile = new File(realCacheDirName + File.separator + backupCacheFileName); + } } if(cacheFile != null) { @@ -451,6 +461,26 @@ public class PolicyRefresher extends Thread { RangerPerfTracer.log(perf); } + + if (doPreserveDeltas) { + if (backupCacheFile != null) { + + RangerPerfTracer perf = null; + + if (RangerPerfTracer.isPerfTraceEnabled(PERF_POLICYENGINE_INIT_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_POLICYENGINE_INIT_LOG, "PolicyRefresher.saveToCache(serviceName=" + serviceName + ")"); + } + + try (Writer writer = new FileWriter(backupCacheFile)) { + gson.toJson(policies, writer); + } catch (Exception excp) { + LOG.error("failed to save policies to cache file '" + backupCacheFile.getAbsolutePath() + "'", excp); + } + + RangerPerfTracer.log(perf); + + } + } } else { LOG.info("policies is null. Nothing to save in cache"); } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 356b01f3c..7030542d9 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -2936,18 +2936,18 @@ public class ServiceDBStore extends AbstractServiceStore { if (LOG.isDebugEnabled()) { LOG.debug("Support for incremental policy updates enabled using \"ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA + "\" configuation parameter :[" + SUPPORTS_POLICY_DELTAS +"]"); } - return getServicePolicies(serviceName, lastKnownVersion, getOnlyDeltas, SUPPORTS_POLICY_DELTAS); + return getServicePolicies(serviceName, lastKnownVersion, getOnlyDeltas, SUPPORTS_POLICY_DELTAS, Long.MAX_VALUE); } @Override - public ServicePolicies getServicePolicyDeltas(String serviceName, Long lastKnownVersion) throws Exception { + public ServicePolicies getServicePolicyDeltas(String serviceName, Long lastKnownVersion, Long cachedPolicyVersion) throws Exception { ServicePolicies ret = null; if (SUPPORTS_POLICY_DELTAS) { if (LOG.isDebugEnabled()) { LOG.debug("Support for incremental policy updates enabled using \"ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA + "\" configuation parameter :[" + SUPPORTS_POLICY_DELTAS + "]"); } - ret = getServicePolicies(serviceName, lastKnownVersion, true, SUPPORTS_POLICY_DELTAS); + ret = getServicePolicies(serviceName, lastKnownVersion, true, SUPPORTS_POLICY_DELTAS, cachedPolicyVersion); } return ret; @@ -2956,10 +2956,10 @@ public class ServiceDBStore extends AbstractServiceStore { @Override public ServicePolicies getServicePolicies(String serviceName, Long lastKnownVersion) throws Exception { boolean getOnlyDeltas = false; - return getServicePolicies(serviceName, lastKnownVersion, getOnlyDeltas, false); + return getServicePolicies(serviceName, lastKnownVersion, getOnlyDeltas, false, Long.MAX_VALUE); } - private ServicePolicies getServicePolicies(String serviceName, Long lastKnownVersion, boolean getOnlyDeltas, boolean isDeltaEnabled) throws Exception { + private ServicePolicies getServicePolicies(String serviceName, Long lastKnownVersion, boolean getOnlyDeltas, boolean isDeltaEnabled, Long maxNeededVersion) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceName + ", " + lastKnownVersion + ")"); } @@ -3010,7 +3010,7 @@ public class ServiceDBStore extends AbstractServiceStore { } if (isDeltaEnabled) { - ret = getServicePoliciesWithDeltas(serviceDef, serviceDbObj, tagServiceDef, tagServiceDbObj, lastKnownVersion); + ret = getServicePoliciesWithDeltas(serviceDef, serviceDbObj, tagServiceDef, tagServiceDbObj, lastKnownVersion, maxNeededVersion); } if (ret != null) { @@ -3200,10 +3200,7 @@ public class ServiceDBStore extends AbstractServiceStore { } if (policyDeltasForPolicy != null) { if (LOG.isDebugEnabled()) { - LOG.debug("Processed multiple deltas for policy:[" + entry.getKey() + "], compressed-deltas:[" + policyDeltasForPolicy + "]"); - } - if (policyDeltasForPolicy.size() > 1) { - LOG.error("More than one Compressed-deltas for policy:[" + entry.getKey() + "], compressed-deltas:[" + policyDeltasForPolicy + "].. Should not have come here!!"); + LOG.debug("Processed deltas for policy:[" + entry.getKey() + "], compressed-deltas:[" + policyDeltasForPolicy + "]"); } ret.addAll(policyDeltasForPolicy); } else { @@ -3222,7 +3219,7 @@ public class ServiceDBStore extends AbstractServiceStore { } - ServicePolicies getServicePoliciesWithDeltas(RangerServiceDef serviceDef, XXService service, RangerServiceDef tagServiceDef, XXService tagService, Long lastKnownVersion) { + ServicePolicies getServicePoliciesWithDeltas(RangerServiceDef serviceDef, XXService service, RangerServiceDef tagServiceDef, XXService tagService, Long lastKnownVersion, Long maxNeededVersion) { ServicePolicies ret = null; // if lastKnownVersion != -1L : try and get deltas. Get delta for serviceName first. Find id of the delta @@ -3242,7 +3239,7 @@ public class ServiceDBStore extends AbstractServiceStore { boolean isValid; - resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, service.getId()); + resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, maxNeededVersion, service.getId()); if (CollectionUtils.isNotEmpty(resourcePolicyDeltas)) { isValid = RangerPolicyDeltaUtil.isValidDeltas(resourcePolicyDeltas, componentServiceType); @@ -3254,7 +3251,7 @@ public class ServiceDBStore extends AbstractServiceStore { if (isValid && tagService != null) { Long id = resourcePolicyDeltas.get(0).getId(); - tagPolicyDeltas = daoMgr.getXXPolicyChangeLog().findGreaterThan(id, tagService.getId()); + tagPolicyDeltas = daoMgr.getXXPolicyChangeLog().findGreaterThan(id, maxNeededVersion, tagService.getId()); if (CollectionUtils.isNotEmpty(tagPolicyDeltas)) { diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java index 70d01e57e..9fda659ac 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java @@ -19,6 +19,8 @@ package org.apache.ranger.common; +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig; @@ -30,6 +32,9 @@ import org.apache.ranger.plugin.util.ServicePolicies; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.io.File; +import java.io.FileWriter; +import java.io.Writer; import java.util.ArrayList; import java.util.Date; import java.util.HashMap; @@ -49,6 +54,7 @@ public class RangerServicePoliciesCache { private final int waitTimeInSeconds; private final boolean dedupStrings; + private Gson gson; private final Map<String, ServicePoliciesWrapper> servicePoliciesMap = new HashMap<>(); @@ -68,6 +74,11 @@ public class RangerServicePoliciesCache { waitTimeInSeconds = config.getInt("ranger.admin.policy.download.cache.max.waittime.for.update", MAX_WAIT_TIME_FOR_UPDATE); dedupStrings = config.getBoolean("ranger.admin.policy.dedup.strings", Boolean.TRUE); + try { + gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").create(); + } catch(Throwable excp) { + LOG.error("PolicyRefresher(): failed to create GsonBuilder object", excp); + } } public void dump() { @@ -130,7 +141,6 @@ public class RangerServicePoliciesCache { LOG.error("getServicePolicies(" + serviceName + "): failed to get latest policies as service-store is null! Returning cached servicePolicies!"); ret = servicePoliciesWrapper.getServicePolicies(); } - } else { LOG.error("getServicePolicies() failed to get policies as serviceName is null or blank and/or serviceId is null!"); } @@ -186,6 +196,58 @@ public class RangerServicePoliciesCache { return ret; } + public void saveToCache(ServicePolicies policies) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerServicePoliciesCache(serviceName=" + policies.getServiceName() + ").saveToCache()"); + } + if (policies != null) { + RangerAdminConfig config = RangerAdminConfig.getInstance(); + boolean doSaveToDisk = config.getBoolean("ranger.admin.policy.save.to.disk", false); + + if (doSaveToDisk) { + File cacheFile = null; + + String cacheDir = config.get("ranger.admin.policy.cache.dir"); + if (cacheDir != null) { + String appId = policies.getServiceDef().getName(); + String serviceName = policies.getServiceName(); + String cacheFileName = String.format("%s_%s.json", appId, serviceName); + + cacheFileName = cacheFileName.replace(File.separatorChar, '_'); + cacheFileName = cacheFileName.replace(File.pathSeparatorChar, '_'); + cacheFileName = cacheFileName + "_" + policies.getPolicyVersion(); + + // Create the cacheDir if it doesn't already exist + File cacheDirTmp = new File(cacheDir); + if (cacheDirTmp.exists()) { + cacheFile = new File(cacheDir + File.separator + cacheFileName); + } else { + try { + cacheDirTmp.mkdirs(); + cacheFile = new File(cacheDir + File.separator + cacheFileName); + } catch (SecurityException ex) { + LOG.error("Cannot create cache directory", ex); + } + } + } + + if (cacheFile != null) { + try (Writer writer = new FileWriter(cacheFile)) { + gson.toJson(policies, writer); + } catch (Exception excp) { + LOG.error("failed to save policies to cache file '" + cacheFile.getAbsolutePath() + "'", excp); + } + } + } + } else { + LOG.error("ServicePolicies is null object!!"); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerServicePoliciesCache(serviceName=" + policies.getServiceName() + ").saveToCache()"); + } + } + private class ServicePoliciesWrapper { final Long serviceId; ServicePolicies servicePolicies; @@ -229,6 +291,7 @@ public class RangerServicePoliciesCache { } ServicePolicies ret = null; boolean lockResult = false; + boolean doSaveToCache = false; try { final boolean isCacheReloadedByDQEvent; @@ -238,49 +301,61 @@ public class RangerServicePoliciesCache { if (lockResult) { isCacheReloadedByDQEvent = getLatest(serviceName, serviceStore, lastKnownVersion); - if (isCacheReloadedByDQEvent) { - if (LOG.isDebugEnabled()) { - LOG.debug("ServicePolicies cache was completely loaded from database because of a disqualifying event - such as service-definition change!"); + if (this.servicePolicies != null) { + if (isCacheReloadedByDQEvent) { + if (LOG.isDebugEnabled()) { + LOG.debug("ServicePolicies cache was completely loaded from database because of a disqualifying event - such as service-definition change!"); + } } - } - - if (needsBackwardCompatibility || isCacheReloadedByDQEvent - || lastKnownVersion == -1L || lastKnownVersion.equals(servicePolicies.getPolicyVersion())) { - // Looking for all policies, or Some disqualifying change encountered - if (LOG.isDebugEnabled()) { - LOG.debug("All policies were requested, returning cached ServicePolicies"); + if (!lastKnownVersion.equals(servicePolicies.getPolicyVersion()) || isCacheReloadedByDQEvent) { + doSaveToCache = true; } - ret = this.servicePolicies; - } else { - boolean isDeltaCacheReinitialized = false; - ServicePolicies servicePoliciesForDeltas = this.deltaCache != null ? this.deltaCache.getServicePolicyDeltasFromVersion(lastKnownVersion) : null; - if (servicePoliciesForDeltas == null) { - servicePoliciesForDeltas = serviceStore.getServicePolicyDeltas(serviceName, lastKnownVersion); - isDeltaCacheReinitialized = true; - } - if (servicePoliciesForDeltas != null && servicePoliciesForDeltas.getPolicyDeltas() != null) { + if (needsBackwardCompatibility || isCacheReloadedByDQEvent + || lastKnownVersion == -1L || lastKnownVersion.equals(servicePolicies.getPolicyVersion())) { + // Looking for all policies, or Some disqualifying change encountered if (LOG.isDebugEnabled()) { - LOG.debug("Deltas were requested. Returning deltas from lastKnownVersion:[" + lastKnownVersion + "]"); - } - if (isDeltaCacheReinitialized) { - this.deltaCache = new ServicePolicyDeltasCache(lastKnownVersion, servicePoliciesForDeltas); + LOG.debug("All policies were requested, returning cached ServicePolicies"); } - ret = servicePoliciesForDeltas; + ret = this.servicePolicies; } else { - LOG.warn("Deltas were requested for service:[" + serviceName + "], but could not get them!! lastKnownVersion:[" + lastKnownVersion + "]; Returning cached ServicePolicies:[" + (servicePolicies != null ? servicePolicies.getPolicyVersion() : -1L) + "]"); + boolean isDeltaCacheReinitialized = false; + ServicePolicies servicePoliciesForDeltas = this.deltaCache != null ? this.deltaCache.getServicePolicyDeltasFromVersion(lastKnownVersion) : null; - this.deltaCache = null; - ret = this.servicePolicies; + if (servicePoliciesForDeltas == null) { + servicePoliciesForDeltas = serviceStore.getServicePolicyDeltas(serviceName, lastKnownVersion, servicePolicies.getPolicyVersion()); + isDeltaCacheReinitialized = true; + } + if (servicePoliciesForDeltas != null && servicePoliciesForDeltas.getPolicyDeltas() != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("Deltas were requested. Returning deltas from lastKnownVersion:[" + lastKnownVersion + "]"); + } + if (isDeltaCacheReinitialized) { + this.deltaCache = new ServicePolicyDeltasCache(lastKnownVersion, servicePoliciesForDeltas); + } + ret = servicePoliciesForDeltas; + } else { + LOG.warn("Deltas were requested for service:[" + serviceName + "], but could not get them!! lastKnownVersion:[" + lastKnownVersion + "]; Returning cached ServicePolicies:[" + (servicePolicies != null ? servicePolicies.getPolicyVersion() : -1L) + "]"); + + this.deltaCache = null; + ret = this.servicePolicies; + } } + } else { + LOG.error("ServicePolicies object is null!"); } } else { LOG.error("Could not get lock in [" + waitTimeInSeconds + "] seconds, returning cached ServicePolicies and wait Queue Length:[" +lock.getQueueLength() + "], servicePolicies version:[" + (servicePolicies != null ? servicePolicies.getPolicyVersion() : -1L) + "]"); ret = this.servicePolicies; + doSaveToCache = true; } } catch (InterruptedException exception) { LOG.error("getLatestOrCached:lock got interrupted..", exception); } finally { + // Dump cached policies to disk + if (doSaveToCache) { + saveToCache(this.servicePolicies); + } if (lockResult) { lock.unlock(); } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java index 483a7a04e..bdf05cdb7 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java @@ -56,12 +56,13 @@ public class XXPolicyChangeLogDao extends BaseDao<XXPolicyChangeLog> { super(daoManager); } - public List<RangerPolicyDelta> findLaterThan(Long version, Long serviceId) { + public List<RangerPolicyDelta> findLaterThan(Long version, Long maxVersion, Long serviceId) { final List<RangerPolicyDelta> ret; if (version != null) { List<Object[]> logs = getEntityManager() .createNamedQuery("XXPolicyChangeLog.findSinceVersion", Object[].class) .setParameter("version", version) + .setParameter("maxVersion", maxVersion) .setParameter("serviceId", serviceId) .getResultList(); @@ -94,12 +95,13 @@ public class XXPolicyChangeLogDao extends BaseDao<XXPolicyChangeLog> { return ret; } - public List<RangerPolicyDelta> findGreaterThan(Long id, Long serviceId) { + public List<RangerPolicyDelta> findGreaterThan(Long id, Long maxVersion, Long serviceId) { final List<RangerPolicyDelta> ret; if (id != null) { List<Object[]> logs = getEntityManager() .createNamedQuery("XXPolicyChangeLog.findGreaterThan", Object[].class) .setParameter("id", id) + .setParameter("maxVersion", maxVersion) .setParameter("serviceId", serviceId) .getResultList(); ret = convert(logs); diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index 14eca878f..1e8e4e2c5 100755 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -1781,16 +1781,17 @@ </named-query> <named-query name="XXPolicyChangeLog.findSinceVersion"> <query> - select obj.id, obj.changeType, obj.policyVersion, obj.serviceType, obj.policyType, obj.policyId, obj.zoneName from - XXPolicyChangeLog obj where obj.serviceId = :serviceId and obj.policyVersion >= :version order by - obj.policyVersion + <![CDATA[select obj.id, obj.changeType, obj.policyVersion, obj.serviceType, obj.policyType, obj.policyId, obj.zoneName from + XXPolicyChangeLog obj where obj.serviceId = :serviceId and obj.policyVersion >= :version and obj.policyVersion <= :maxVersion order by + obj.policyVersion]]> </query> </named-query> <named-query name="XXPolicyChangeLog.findGreaterThan"> <query> - select obj.id, obj.changeType, obj.policyVersion, obj.serviceType, obj.policyType, obj.policyId, obj.zoneName from - XXPolicyChangeLog obj where obj.serviceId = :serviceId and obj.serviceType = 'tag' and obj.id > :id order by obj.id + <![CDATA[select obj.id, obj.changeType, obj.policyVersion, obj.serviceType, obj.policyType, obj.policyId, obj.zoneName from + XXPolicyChangeLog obj where obj.serviceId = :serviceId and obj.serviceType = 'tag' and obj.id > :id and obj.policyVersion <= :maxVersion + order by obj.id]]> </query> </named-query>