Fateh Singh created RANGER-4733:
-----------------------------------
Summary: Bug in tag policy cache computation for a given service -
irrelevant tag policies found
Key: RANGER-4733
URL: https://issues.apache.org/jira/browse/RANGER-4733
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Fateh Singh
Assignee: Fateh Singh
While testing the hasTagPolicies function of the policy engine, I observed that
even though there are no tag-based policies for a given service, some tag-based
policies are still found in that service's policy cache.
{code:java}
// PolicyEngine.java
public boolean hasTagPolicies(RangerPolicyRepository tagPolicyRepository) {
    if (LOG.isDebugEnabled()) {
        // The repository can be null (see Scenario 5), so the debug output must not
        // dereference it before the null check below; the string literal is also kept
        // on one line so that the snippet compiles.
        LOG.debug("PolicyEngine.hasTagPolicies tagPolicies="
                + (tagPolicyRepository != null ? tagPolicyRepository.getPolicies() : null));
    }

    return tagPolicyRepository != null && CollectionUtils.isNotEmpty(tagPolicyRepository.getPolicies());
}
{code}
The following scenarios were tested for analysis:
Scenario 1: If an existing tag-based policy that references hbase as a service is
modified so that hbase is no longer a service mentioned in any of the conditions
of the tag-based policy, then "policies" still contains this tag-based policy,
but with its various conditions and policy items as empty lists (this is
unexpected behaviour, because ideally the policies list should be empty rather
than holding a policy whose policy items are empty).
Scenario 2: If a new tag policy is created without hbase mentioned as a service,
then the "policies" list in the hbase policy cache still contains this policy
(with an empty policy items list), which is unexpected behaviour (similar to
Scenario 1).
Scenario 3: If a tag policy is disabled (and there are no other tag policies),
then the tag repository exists but the "policies" list does not exist in the
tagPolicies data structure (this is expected behaviour, i.e. the policy is
deleted from the policy cache).
Scenario 4: If all tag policies for cm_tag are either disabled or deleted, then
the "policies" list does not exist (expected behaviour, similar to Scenario 3).
Scenario 5: If cm_tag is disassociated from hbase, the tag policy repository,
i.e. tagPolicies in the policy cache, is removed (which is the expected behaviour).
Illustration of Scenario 1:
When hbase is listed as a service in a tag-based policy item:
{code:java}
2024-03-04 16:13:31,853 DEBUG
org.apache.ranger.plugin.policyengine.PolicyEngine: PolicyEngine.hasTagPolicies
tagPolicies=[RangerPolicy={id={4} guid={3d82d579-bce0-4527-a23e-53dbcda21f4d}
isEnabled={true} createdBy={null} updatedBy={null} createTime={null}
updateTime={null} version={3} service={cm_tag} name={EXPIRES_ON} policyType={0}
policyPriority={0} description={Policy for data with EXPIRES_ON tag}
resourceSignature={null} isAuditEnabled={true} serviceType={tag}
resources={tag={RangerPolicyResource={values={EXPIRES_ON } isExcludes={false}
isRecursive={false} }} } policyLabels={} policyConditions={} policyItems={}
denyPolicyItems={RangerPolicyItem={accessTypes={RangerPolicyItemAccess={type={read}
isAllowed={true} }RangerPolicyItemAccess={type={write} isAllowed={true}
}RangerPolicyItemAccess={type={create} isAllowed={true}
}RangerPolicyItemAccess={type={admin} isAllowed={true}
}RangerPolicyItemAccess={type={execute} isAllowed={true} }} users={}
groups={public } roles={}
conditions={RangerPolicyCondition={type={accessed-after-expiry} values={yes }
}} delegateAdmin={false} }} allowExceptions={} denyExceptions={}
dataMaskPolicyItems={} rowFilterPolicyItems={} options={} validitySchedules={,
zoneName=null, isDenyAllElse={false} }}]
{code}
When hbase is removed from all tag-based policies:
{code:java}
2024-03-04 16:25:01,584 DEBUG
org.apache.ranger.plugin.policyengine.PolicyEngine: PolicyEngine.hasTagPolicies
tagPolicies=[RangerPolicy={id={4} guid={3d82d579-bce0-4527-a23e-53dbcda21f4d}
isEnabled={true} createdBy={null} updatedBy={null} createTime={null}
updateTime={null} version={4} service={cm_tag} name={EXPIRES_ON} policyType={0}
policyPriority={0} description={Policy for data with EXPIRES_ON tag}
resourceSignature={null} isAuditEnabled={true} serviceType={tag}
resources={tag={RangerPolicyResource={values={EXPIRES_ON } isExcludes={false}
isRecursive={false} }} } policyLabels={} policyConditions={} policyItems={}
denyPolicyItems={} allowExceptions={} denyExceptions={} dataMaskPolicyItems={}
rowFilterPolicyItems={} options={} validitySchedules={, zoneName=null,
isDenyAllElse={false} }}]
{code}
Note that the policy still exists here, but its item lists are empty, instead of
the policy being absent from the hbase policy cache.
*Scenario 1 and Scenario 2* need to be fixed so that no tag-based policies remain
in the policy cache of a service when there are no policies relevant to it
(instead of keeping every policy that is relevant only to other services, with
empty policy item lists, in the data structure).
*Impact:* While there is no impact on policy evaluation, there could be a
performance impact, because whenever tag policies are found, various computations
(such as finding the relevant tags) are performed for every request.
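The following is an added, self-contained illustration of the check that Scenarios 1 and 2 call for; it is not code from Ranger. It uses a hypothetical TagPolicy stand-in whose six item lists and isDenyAllElse flag mirror the fields visible in the debug output above, prunes policies that survived only as empty shells before the hasTagPolicies decision is made, and keeps a policy whose isDenyAllElse flag is set, since such a policy still denies access even with no explicit items. The class and method names (TagPolicy, pruneEmptyTagPolicies, isEffective) are assumptions for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical stand-in for a tag policy as seen by one service's policy cache.
// It is constructed for this example and is not the Ranger RangerPolicy class.
final class TagPolicy {
    final String name;
    boolean isDenyAllElse;
    final List<String> policyItems        = new ArrayList<>();
    final List<String> denyPolicyItems    = new ArrayList<>();
    final List<String> allowExceptions    = new ArrayList<>();
    final List<String> denyExceptions     = new ArrayList<>();
    final List<String> dataMaskPolicyItems  = new ArrayList<>();
    final List<String> rowFilterPolicyItems = new ArrayList<>();

    TagPolicy(String name) { this.name = name; }

    // A policy with no items of any kind can neither allow, deny, mask nor filter
    // anything for this service. The one caveat: a policy with isDenyAllElse set still
    // denies everything it does not explicitly allow, so it must be kept.
    boolean isEffective() {
        return isDenyAllElse
            || !policyItems.isEmpty() || !denyPolicyItems.isEmpty()
            || !allowExceptions.isEmpty() || !denyExceptions.isEmpty()
            || !dataMaskPolicyItems.isEmpty() || !rowFilterPolicyItems.isEmpty();
    }
}

public final class TagPolicyCacheCheck {
    // Drops the empty shells left behind when a service is removed from every item of a
    // tag policy (Scenario 1) or was never referenced by it (Scenario 2).
    static List<TagPolicy> pruneEmptyTagPolicies(List<TagPolicy> tagPolicies) {
        List<TagPolicy> relevant = new ArrayList<>();
        for (TagPolicy policy : tagPolicies) {
            if (policy.isEffective()) {
                relevant.add(policy);
            }
        }
        return relevant;
    }

    // Null-safe equivalent of the hasTagPolicies decision: the repository may be absent
    // (Scenario 5), and the pruned list may be empty (Scenarios 1 to 4).
    static boolean hasTagPolicies(List<TagPolicy> tagPolicies) {
        return tagPolicies != null && !pruneEmptyTagPolicies(tagPolicies).isEmpty();
    }

    public static void main(String[] args) {
        // Scenario 1, before: the EXPIRES_ON policy carries a deny item that applies to hbase.
        TagPolicy before = new TagPolicy("EXPIRES_ON");
        before.denyPolicyItems.add("deny read,write,create,admin,execute to public [accessed-after-expiry=yes]");

        // Scenario 1, after: hbase was removed from every item, leaving an empty shell.
        TagPolicy after = new TagPolicy("EXPIRES_ON");

        // Caveat case: no items, but isDenyAllElse=true still makes the policy effective.
        TagPolicy denyAllElse = new TagPolicy("DENY_ALL_ELSE");
        denyAllElse.isDenyAllElse = true;

        System.out.println("before:        hasTagPolicies=" + hasTagPolicies(Arrays.asList(before)));
        System.out.println("after:         hasTagPolicies=" + hasTagPolicies(Arrays.asList(after)));
        System.out.println("denyAllElse:   hasTagPolicies=" + hasTagPolicies(Arrays.asList(denyAllElse)));
        System.out.println("no repository: hasTagPolicies=" + hasTagPolicies(null));
    }
}
```

Pruning before the hasTagPolicies decision is what removes the per-request tag computations mentioned under Impact for a service that has no effective tag policies; the isDenyAllElse check is the one case where an item-less policy must not be pruned.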
--
This message was sent by Atlassian Jira
(v8.20.10#820010)