[ranger] branch master updated: RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher - Part 2
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new fb63f21cf RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher - Part 2 fb63f21cf is described below commit fb63f21cf6f5007f178eef8f11f68cf2c9a57279 Author: Abhay Kulkarni AuthorDate: Mon Apr 17 09:50:42 2023 -0700 RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher - Part 2 --- .../plugin/contextenricher/RangerTagEnricher.java | 64 +++--- .../org/apache/ranger/plugin/util/ServiceTags.java | 3 + 2 files changed, 47 insertions(+), 20 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index 198d24d97..e0a86c398 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -385,6 +385,9 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { this.tagRefresher = null; if (tagRefresher != null) { + if (LOG.isDebugEnabled()) { + LOG.debug("Trying to clean up RangerTagRefresher(" + tagRefresher.getName() + ")"); + } tagRefresher.cleanup(); } @@ -473,20 +476,16 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { List changedServiceResources = deltas.getServiceResources(); for (RangerServiceResource serviceResource : changedServiceResources) { - final boolean removedOldServiceResource = MapUtils.isEmpty(serviceResource.getResourceElements()) || removeOldServiceResource(serviceResource, resourceMatchers, serviceResourceTrie); - if (removedOldServiceResource) { + if (removedOldServiceResource) { if (!StringUtils.isEmpty(serviceResource.getResourceSignature())) { - RangerServiceResourceMatcher resourceMatcher = createRangerServiceResourceMatcher(serviceResource, serviceDefHelper, hierarchies); if (resourceMatcher != null) { for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { - - RangerPolicy.RangerPolicyResource policyResource = serviceResource.getResourceElements().get(resourceDef.getName()); - - RangerResourceTrie trie = serviceResourceTrie.get(resourceDef.getName()); + RangerPolicy.RangerPolicyResourcepolicyResource = serviceResource.getResourceElements().get(resourceDef.getName()); + RangerResourceTrie trie = serviceResourceTrie.get(resourceDef.getName()); if (LOG.isDebugEnabled()) { LOG.debug("Trying to add resource-matcher to " + (trie == null ? "new" : "existing") + " trie for " + resourceDef.getName()); @@ -495,6 +494,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { if (trie != null) { trie.add(policyResource, resourceMatcher); trie.wrapUpUpdate(); + if (LOG.isDebugEnabled()) { LOG.debug("Added resource-matcher for policy-resource:[" + policyResource + "]"); } @@ -521,6 +521,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { break; } } + if (isInError) { LOG.error("Error in processing tag-deltas. Will continue to use old tags"); deltas.setTagVersion(-1L); @@ -530,44 +531,61 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { } enrichedServiceTags = new EnrichedServiceTags(allServiceTags, resourceMatchers, serviceResourceTrie); } - } private boolean removeOldServiceReso
[ranger] branch master updated: RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 2e224cf9d RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher 2e224cf9d is described below commit 2e224cf9d4d28f3e23b5f8462a92024993a104bc Author: Abhay Kulkarni AuthorDate: Wed Mar 22 11:28:51 2023 -0700 RANGER-4136: Incorrect processing of tag-deltas by RangerTagEnricher --- .../plugin/contextenricher/RangerTagEnricher.java | 19 ++- .../plugin/policyengine/RangerAccessRequestImpl.java | 10 +- .../plugin/service/RangerDefaultRequestProcessor.java | 19 ++- .../util/RangerResourceEvaluatorsRetriever.java | 2 +- 4 files changed, 42 insertions(+), 8 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index efb885a74..198d24d97 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -78,9 +78,8 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { private static final Logger PERF_SET_SERVICETAGS_LOG = RangerPerfTracer.getPerfLogger("tagenricher.setservicetags"); private static final Logger PERF_SERVICETAGS_RETRIEVAL_LOG = RangerPerfTracer.getPerfLogger("tagenricher.tags.retrieval"); - private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = "tagRefresherPollingInterval"; - public static final String TAG_RETRIEVER_CLASSNAME_OPTION = "tagRetrieverClassName"; + public static final String TAG_RETRIEVER_CLASSNAME_OPTION= "tagRetrieverClassName"; private static final String TAG_DISABLE_TRIE_PREFILTER_OPTION= "disableTrieLookupPrefilter"; private RangerTagRefresher tagRefresher; @@ -485,12 +484,19 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { if (resourceMatcher != null) { for (RangerServiceDef.RangerResourceDef resourceDef : serviceDef.getResources()) { + RangerPolicy.RangerPolicyResource policyResource = serviceResource.getResourceElements().get(resourceDef.getName()); + RangerResourceTrie trie = serviceResourceTrie.get(resourceDef.getName()); + if (LOG.isDebugEnabled()) { + LOG.debug("Trying to add resource-matcher to " + (trie == null ? "new" : "existing") + " trie for " + resourceDef.getName()); + } + if (trie != null) { - trie.add(serviceResource.getResourceElements().get(resourceDef.getName()), resourceMatcher); + trie.add(policyResource, resourceMatcher); + trie.wrapUpUpdate(); if (LOG.isDebugEnabled()) { - LOG.debug("Added resource-matcher for service-resource:[" + serviceResource + "]"); + LOG.debug("Added resource-matcher for policy-resource:[" + policyResource + "]"); } } else { trie = new RangerResourceTrie<>(resourceDef, Collections.singletonList(resourceMatcher), getPolicyEngineOptions().optimizeTagTrieForRetrieval, getPolicyEngineOptions().optimizeTagTrieForSpace, null); @@ -541,7 +547,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { RangerAccessResourceImpl accessResource = new RangerAccessResourceImpl(); for (Map.Entry entry : serviceResource.getResourceElements().entrySet()) { - accessResource.setValue(entry.getKey(), entry.getValue()); + accessResource.setValue(entry.getKey(), entry.getValue().getValues()); } if (LOG.isDebugEnabled()) { LOG.debug("RangerAccessResource:[" + accessRes