[ https://issues.apache.org/jira/browse/RANGER-3377?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17402900#comment-17402900 ]
Madhan Neethiraj edited comment on RANGER-3377 at 8/23/21, 1:14 AM:
--------------------------------------------------------------------

[~caozhiqiang] - thank you for the improvements in policy evaluation performance. Did you observe 5 to 10% improvement even when policies don't have any deny items, i.e., {{RangerDefaultPolicyEvaluator.denyEvaluators}} is empty?

If the improvement is seen only when {{denyEvaluators}} is not empty, I suggest updating {{RangerDefaultPolicyEvaluator.init()}} to initialize {{denyEvaluators/allowExceptionEvaluators/denyExceptionEvaluators}} to {{null}} when {{ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies()}} is true. This will help reuse the existing service-def option [{{enableDenyAndExceptionsInPolicies}}|https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies], and avoid additional configuration at the plugin side ({{policyengine.option.disable.policy.deny.conditions}}) to disable deny.

{code:java}
@Override
public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
  ...
  allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);

  // Build deny/exception evaluators only when the service-def option enables them
  if (ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(serviceDef, getPluginContext())) {
    denyEvaluators           = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
    allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
    denyExceptionEvaluators  = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
  } else {
    // Option is off: leave all three lists empty
    denyEvaluators           = Collections.emptyList();
    allowExceptionEvaluators = Collections.emptyList();
    denyExceptionEvaluators  = Collections.emptyList();
  }
  ...
}
{code}

> Improve ranger plugin performance for ignore deny conditions
> ------------------------------------------------------------
>
>                 Key: RANGER-3377
>                 URL: https://issues.apache.org/jira/browse/RANGER-3377
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>    Affects Versions: 2.0.1, 3.0.0
>            Reporter: caozhiqiang
>            Priority: Major
>         Attachments: RANGER-3377-branch-2.0.1.001.patch, RANGER-3377.001.patch
>
>
> In a performance-sensitive scenario, for example the HDFS NameNode, the Ranger plugin
> slows down the overall performance. We can add a configuration to ignore deny
> conditions to improve the Ranger plugin performance.
> In a NameNode benchmark, ignoring the deny conditions improves performance
> by about 5% to 10%.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
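An added example, not part of the original message or of the Ranger code base: a pre-change check that lists the enabled policies whose decisions would differ once deny items and exceptions are no longer evaluated, as in the `else` branch of the `init()` snippet above. It assumes policies are available as JSON (a bare list, or an object with a `policies` list) using the Ranger policy field names `isEnabled`, `denyPolicyItems`, `allowExceptions` and `denyExceptions`; the function names and the sample data are constructed for illustration.

```python
import json

# Policy-item lists that the suggested init() leaves empty when the
# service-def option is off (field names as used in Ranger policy JSON).
SKIPPED_ITEM_LISTS = ("denyPolicyItems", "allowExceptions", "denyExceptions")


def load_policies(text):
    """Accept either a bare list of policies or an object with a 'policies' list."""
    doc = json.loads(text)
    return doc["policies"] if isinstance(doc, dict) else doc


def policies_affected(policies):
    """Return (id, name, {list_name: item_count}) for each enabled policy whose
    decisions would change if deny items and exceptions were not evaluated."""
    affected = []
    for p in policies:
        if not p.get("isEnabled", True):
            continue  # disabled policies are not evaluated either way
        counts = {k: len(p.get(k) or []) for k in SKIPPED_ITEM_LISTS}
        counts = {k: n for k, n in counts.items() if n}
        if counts:
            affected.append((p.get("id"), p.get("name"), counts))
    return affected


# Constructed sample input, not taken from a real deployment.
SAMPLE = """
{"policies": [
  {"id": 1, "name": "hdfs-all", "isEnabled": true,
   "policyItems": [{"users": ["etl"], "accesses": [{"type": "read"}]}],
   "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": []},
  {"id": 2, "name": "finance-data", "isEnabled": true,
   "policyItems": [{"groups": ["analysts"], "accesses": [{"type": "read"}]}],
   "denyPolicyItems": [{"users": ["contractor1"], "accesses": [{"type": "read"}]}],
   "allowExceptions": [{"users": ["intern1"], "accesses": [{"type": "read"}]}]},
  {"id": 3, "name": "old-deny", "isEnabled": false,
   "denyPolicyItems": [{"users": ["bob"], "accesses": [{"type": "write"}]}]}
]}
"""

if __name__ == "__main__":
    for pid, name, counts in policies_affected(load_policies(SAMPLE)):
        print(f"policy {pid} ({name}): skipped items {counts}")
```

Any policy this reports relies on a deny item or an allow exception to withhold access, so it grants more than intended once those lists are skipped.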