This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 5b075e6 RANGER-3343: Ranger policy cache is incorrect in some scenario 5b075e6 is described below commit 5b075e6ca77f387b9e094b8f45947f90902e20d5 Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Tue Jul 20 07:14:53 2021 -0700 RANGER-3343: Ranger policy cache is incorrect in some scenario --- .../RangerAbstractPolicyEvaluator.java | 62 ++++++++++++++++++++-- .../RangerDefaultPolicyEvaluator.java | 12 ----- 2 files changed, 59 insertions(+), 15 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 99ae598..5c6083e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -19,8 +19,6 @@ package org.apache.ranger.plugin.policyevaluator;
-
-
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -32,7 +30,9 @@ import org.apache.ranger.plugin.policyengine.RangerPluginContext;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
+import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
 private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
@@ -54,7 +54,7 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
 LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
 }
- this.policy = policy;
+ this.policy = getPrunedPolicy(policy);
 this.serviceDef = serviceDef;
 this.leafResourceDef = ServiceDefUtil.getLeafResourceDef(serviceDef, getPolicyResource());
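Review bot: The new `this.policy = getPrunedPolicy(policy);` deserves a comment explaining why the evaluator now keeps a (possibly pruned) copy instead of pruning the policy it was handed, since that reason is the whole fix and is invisible at the call site. Something like `// never mutate the supplied policy: it is shared with the policy cache; delegate-admin-only pruning goes into a private copy` would stop a future reader from "simplifying" it back to a plain assignment. getPrunedPolicy also consults getPluginContext() and leaves the policy untouched when that is null, so pruning only happens if the plugin context was set before init() runs; if the callers guarantee that ordering, it is worth stating in the same comment. init()'s body continues outside the hunk.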
@@ -105,6 +105,62 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
 return policy != null && (policy.getIsDenyAllElse() || CollectionUtils.isNotEmpty(policy.getDenyPolicyItems()));
 }
+ private RangerPolicy getPrunedPolicy(final RangerPolicy policy) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerAbstractPolicyEvaluator.getPrunedPolicy(" + policy + ")");
+ }
+
+ final RangerPolicy ret;
+
+ final boolean isPruningNeeded;
+ final List<RangerPolicy.RangerPolicyItem> prunedAllowItems;
+ final List<RangerPolicy.RangerPolicyItem> prunedDenyItems;
+ final List<RangerPolicy.RangerPolicyItem> prunedAllowExceptions;
+ final List<RangerPolicy.RangerPolicyItem> prunedDenyExceptions;
+
+ final RangerPluginContext pluginContext = getPluginContext();
+
+ if (pluginContext != null && pluginContext.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) {
+ prunedAllowItems = policy.getPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+ prunedDenyItems = policy.getDenyPolicyItems().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+ prunedAllowExceptions = policy.getAllowExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+ prunedDenyExceptions = policy.getDenyExceptions().stream().filter(RangerPolicy.RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList());
+
+ isPruningNeeded = prunedAllowItems.size() != policy.getPolicyItems().size()
+ || prunedDenyItems.size() != policy.getDenyPolicyItems().size()
+ || prunedAllowExceptions.size() != policy.getAllowExceptions().size()
+ || prunedDenyExceptions.size() != policy.getDenyExceptions().size();
+ } else {
+ prunedAllowItems = null;
+ prunedDenyItems = null;
+ prunedAllowExceptions = null;
+ prunedDenyExceptions = null;
+ isPruningNeeded = false;
+ }
+
+ if (!isPruningNeeded) {
+ ret = policy;
+ } else {
+ ret = new RangerPolicy();
+ ret.updateFrom(policy);
+
+ ret.setId(policy.getId());
+ ret.setGuid(policy.getGuid());
+ ret.setVersion(policy.getVersion());
+ ret.setServiceType(policy.getServiceType());
+
+ ret.setPolicyItems(prunedAllowItems);
+ ret.setDenyPolicyItems(prunedDenyItems);
+ ret.setAllowExceptions(prunedAllowExceptions);
+ ret.setDenyExceptions(prunedDenyExceptions);
+ }
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerAbstractPolicyEvaluator.getPrunedPolicy(isPruningNeeded=" + isPruningNeeded + ") : " + ret);
+ }
+
+ return ret;
+ }
+
 @Override
 public int getEvalOrder() {
 return evalOrder;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 03e37fe..014fe6f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -28,7 +28,6 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Collectors;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
@@ -902,8 +901,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 return;
 }
- prunePolicyItems(policy);
 preprocessPolicyItems(policy.getPolicyItems(), impliedAccessGrants);
 preprocessPolicyItems(policy.getDenyPolicyItems(), impliedAccessGrants);
 preprocessPolicyItems(policy.getAllowExceptions(), impliedAccessGrants);
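Review bot: getPrunedPolicy dereferences `policy` unguarded (`policy.getPolicyItems()` and the three sibling calls) whenever evaluateDelegateAdminOnly is set, while the method whose last lines open this hunk still tests `policy != null`, so a null policy reaching init() would now fail with an NPE inside pruning rather than being tolerated as the old `this.policy = policy` did; folding the check into the condition, `if (policy != null && pluginContext != null && pluginContext.getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) {`, preserves that tolerance. The `ret.setId(...)`/`setGuid`/`setVersion`/`setServiceType` block right after `ret.updateFrom(policy)` reads as compensation for fields updateFrom apparently does not carry over; a comment such as `// updateFrom() does not copy the identity fields; keep them so the pruned copy is indistinguishable from the cached policy to callers and in audit output` would save the next reader a trip into RangerPolicy. The four identical stream pipelines could share one small private helper taking the item list, which would also shrink the isPruningNeeded comparison. Whether `getDelegateAdmin()` may return a null Boolean (an NPE on unboxing inside filter) is not visible here; the removed prunePolicyItems had the same exposure, so it is not a regression, but a note on the expected non-null invariant would help.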
@@ -973,15 +970,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 return ret;
 }
- private void prunePolicyItems(RangerPolicy policy) {
- if (getPluginContext().getConfig().getPolicyEngineOptions().evaluateDelegateAdminOnly) {
- policy.setPolicyItems(policy.getPolicyItems().stream().filter(RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()));
- policy.setDenyPolicyItems(policy.getDenyPolicyItems().stream().filter(RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()));
- policy.setAllowExceptions(policy.getAllowExceptions().stream().filter(RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()));
- policy.setDenyExceptions(policy.getDenyExceptions().stream().filter(RangerPolicyItem::getDelegateAdmin).collect(Collectors.toList()));
- }
- }
-
 private RangerPolicyItemAccess getAccess(RangerPolicyItem policyItem, String accessType) {
 RangerPolicyItemAccess ret = null;