This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 5b075e6  RANGER-3343: Ranger policy cache is incorrect in some scenario
5b075e6 is described below

commit 5b075e6ca77f387b9e094b8f45947f90902e20d5
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Tue Jul 20 07:14:53 2021 -0700

    RANGER-3343: Ranger policy cache is incorrect in some scenario
---
 .../RangerAbstractPolicyEvaluator.java             | 62 ++++++++++++++++++++--
 .../RangerDefaultPolicyEvaluator.java              | 12 -----
 2 files changed, 59 insertions(+), 15 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 99ae598..5c6083e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -19,8 +19,6 @@
 
 package org.apache.ranger.plugin.policyevaluator;
 
-
-
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -32,7 +30,9 @@ import 
org.apache.ranger.plugin.policyengine.RangerPluginContext;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
 
+import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 public abstract class RangerAbstractPolicyEvaluator implements 
RangerPolicyEvaluator {
        private static final Log LOG = 
LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
@@ -54,7 +54,7 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
                        LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + 
policy + ", " + serviceDef + ")");
                }
 
-               this.policy          = policy;
+               this.policy          = getPrunedPolicy(policy);
                this.serviceDef      = serviceDef;
                this.leafResourceDef = 
ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
 
@@ -105,6 +105,62 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
                return policy != null && (policy.getIsDenyAllElse() || 
CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()));
        }
 
+       private RangerPolicy getPrunedPolicy(final RangerPolicy policy) {
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("==> 
RangerAbstractPolicyEvaluator.getPrunedPolicy(" + policy + ")");
+               }
+
+               final RangerPolicy                        ret;
+
+               final boolean                             isPruningNeeded;
+               final List<RangerPolicy.RangerPolicyItem> prunedAllowItems;
+               final List<RangerPolicy.RangerPolicyItem> prunedDenyItems;
+               final List<RangerPolicy.RangerPolicyItem> prunedAllowExceptions;
+               final List<RangerPolicy.RangerPolicyItem> prunedDenyExceptions;
+
+               final RangerPluginContext pluginContext = getPluginContext();
+
+               if (pluginContext != null && 
pluginContext.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) {
+                       prunedAllowItems      = 
policy.getPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+                       prunedDenyItems       = 
policy.getDenyPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+                       prunedAllowExceptions = 
policy.getAllowExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+                       prunedDenyExceptions  = 
policy.getDenyExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+
+                       isPruningNeeded = prunedAllowItems.size() != 
policy.getPolicyItems().size()
+                                       || prunedDenyItems.size() != 
policy.getDenyPolicyItems().size()
+                                       || prunedAllowExceptions.size() != 
policy.getAllowExceptions().size()
+                                       || prunedDenyExceptions.size() != 
policy.getDenyExceptions().size();
+               } else {
+                       prunedAllowItems      = null;
+                       prunedDenyItems       = null;
+                       prunedAllowExceptions = null;
+                       prunedDenyExceptions  = null;
+                       isPruningNeeded       = false;
+               }
+
+               if (!isPruningNeeded) {
+                       ret = policy;
+               } else {
+                       ret = new RangerPolicy();
+                       ret.updateFrom(policy);
+
+                       ret.setId(policy.getId());
+                       ret.setGuid(policy.getGuid());
+                       ret.setVersion(policy.getVersion());
+                       ret.setServiceType(policy.getServiceType());
+
+                       ret.setPolicyItems(prunedAllowItems);
+                       ret.setDenyPolicyItems(prunedDenyItems);
+                       ret.setAllowExceptions(prunedAllowExceptions);
+                       ret.setDenyExceptions(prunedDenyExceptions);
+               }
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== 
RangerAbstractPolicyEvaluator.getPrunedPolicy(isPruningNeeded=" + 
isPruningNeeded + ") : " + ret);
+               }
+
+               return ret;
+       }
+
        @Override
        public int getEvalOrder() {
                return evalOrder;
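Review bot: getPrunedPolicy builds a fresh RangerPolicy instead of pruning in place, but nothing in the method says why, and that reason is the whole point of the commit: the prunePolicyItems removed from RangerDefaultPolicyEvaluator mutated the policy object passed into init(), which the commit title attributes to an incorrect policy cache. I would add above `ret = new RangerPolicy();`: `// Never prune in place: the policy handed to init() may be shared with the policy cache and other evaluators (RANGER-3343), so a pruned copy is built instead; the copy still shares the RangerPolicyItem instances with the original.` The `pluginContext != null` guard before the evaluateDelegateAdminOnly check means that if init() is ever called before setPluginContext(), pruning is silently skipped and non-delegateAdmin items stay in an evaluator that was meant to consider delegateAdmin items only; a debug line in that else branch, or a comment stating that callers must set the context before init(), would make that ordering dependency visible. The explicit setId/setGuid/setVersion/setServiceType calls after `ret.updateFrom(policy)` presumably exist because updateFrom does not copy those fields; a one-line comment saying so would stop the next reader from removing them as redundant.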
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 03e37fe..014fe6f 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -28,7 +28,6 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
@@ -902,8 +901,6 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                        return;
                }
 
-               prunePolicyItems(policy);
-
                preprocessPolicyItems(policy.getPolicyItems(), 
impliedAccessGrants);
                preprocessPolicyItems(policy.getDenyPolicyItems(), 
impliedAccessGrants);
                preprocessPolicyItems(policy.getAllowExceptions(), 
impliedAccessGrants);
@@ -973,15 +970,6 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                return ret;
        }
 
-       private void prunePolicyItems(RangerPolicy policy) {
-               if 
(getPluginContext().getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly)
 {
-                       
policy.setPolicyItems(policy.getPolicyItems().stream().filter(RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()));
-                       
policy.setDenyPolicyItems(policy.getDenyPolicyItems().stream().filter(RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()));
-                       
policy.setAllowExceptions(policy.getAllowExceptions().stream().filter(RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()));
-                       
policy.setDenyExceptions(policy.getDenyExceptions().stream().filter(RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()));
-               }
-       }
-
        private RangerPolicyItemAccess getAccess(RangerPolicyItem policyItem, 
String accessType) {
                RangerPolicyItemAccess ret = null;
 
