subject:"Review Request 74232\: RANGER\-3999\: Implement more efficient way to handle

Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization

2022-12-06 Thread Madhan Neethiraj


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74232/#review224966
---


Ship it!




Ship It!

- Madhan Neethiraj


On Dec. 6, 2022, 10:28 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74232/
> ---
> 
> (Updated Dec. 6, 2022, 10:28 p.m.)
> 
> 
> Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, Sailaja 
> Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3999
> https://issues.apache.org/jira/browse/RANGER-3999
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> If a user-initiated operation requires checking if more than one permission 
> is granted, then currently, each permission requires a call to internal 
> Policy Engine API for the same accessed resource. This leads to many 
> repetitive computations which may be avoided if the policy engine API 
> supports multiple permissions. In that case, optimization may be achieved by 
> pushing authorization for multiple permissions down to the lowest possible 
> level.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  23db18f3a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  520ddf865 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  d3fc27d7d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  df03ed1c4 
> 
> 
> Diff: https://reviews.apache.org/r/74232/diff/3/
> 
> 
> Testing
> ---
> 
> Passed all existing unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization

2022-12-06 Thread Abhay Kulkarni


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74232/
---

(Updated Dec. 6, 2022, 10:28 p.m.)


Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, Sailaja 
Polavarapu, and Velmurugan Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-3999
https://issues.apache.org/jira/browse/RANGER-3999


Repository: ranger


Description
---

If a user-initiated operation requires checking if more than one permission is 
granted, then currently, each permission requires a call to internal Policy 
Engine API for the same accessed resource. This leads to many repetitive 
computations which may be avoided if the policy engine API supports multiple 
permissions. In that case, optimization may be achieved by pushing 
authorization for multiple permissions down to the lowest possible level.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 23db18f3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 520ddf865 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 d3fc27d7d 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 df03ed1c4 


Diff: https://reviews.apache.org/r/74232/diff/3/

Changes: https://reviews.apache.org/r/74232/diff/2-3/


Testing
---

Passed all existing unit tests.


Thanks,

Abhay Kulkarni

Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization

2022-12-06 Thread Madhan Neethiraj


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74232/#review224965
---




agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Line 704 (original), 700 (patched)


"all" seems to be an accessType in Hive. Is this special handling necessary 
in policy engine?



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Lines 838 (patched)


if request is not RangerAccessRequestImpl, #838 would result in cast error. 
Please consider handling this case - perhaps by a request-wrapper class like:

public class RangerAccessRequestWrapper implements RangerAccessRequest {
  private final RangerAccessRequest request;
  private final String  accessType;
  private final boolean isAccessTypeAny;
  private final boolean isAccessTypeDelegatedAdmin;

  public RangerAccessRequestWrapper(RangerAccessRequest request, String 
accessType) {
this.request= request;
this.accessType = accessType;
this.isAccessTypeAny= StringUtils.equals(accessType, 
RangerPolicyEngine.ANY_ACCESS)
this.isAccessTypeDelegatedAdmin = StringUtils.equals(accessType, 
RangerPolicyEngine.ADMIN_ACCESS);
  }

  @Override
  public String getAccessType() { return accessType; }

  @Override
  public boolean isAccessTypeAny() { return isAccessTypeAny; }

  @Override
  public boolean isAccessTypeDelegatedAdmin() { return 
isAccessTypeDelegatedAdmin; }

  // other methods simply call corresponding method on request, like:
  @Override
  public RangerAccessResource getResource() { return request.getResource(); 
}

  ...
}



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
Lines 262 (patched)


Consider adding following method to have all type casting in one place:

class RangerAccessRequestUtil {
  ...

  public static Set getAllRequestedAccessTypes(Map 
context) {
return (Set) context.get(KEY_CONTEXT_ACCESSTYPES);
  }
}


- Madhan Neethiraj


On Dec. 6, 2022, 5:58 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74232/
> ---
> 
> (Updated Dec. 6, 2022, 5:58 p.m.)
> 
> 
> Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, Sailaja 
> Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3999
> https://issues.apache.org/jira/browse/RANGER-3999
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> If a user-initiated operation requires checking if more than one permission 
> is granted, then currently, each permission requires a call to internal 
> Policy Engine API for the same accessed resource. This leads to many 
> repetitive computations which may be avoided if the policy engine API 
> supports multiple permissions. In that case, optimization may be achieved by 
> pushing authorization for multiple permissions down to the lowest possible 
> level.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  23db18f3a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  520ddf865 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  d3fc27d7d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  df03ed1c4 
> 
> 
> Diff: https://reviews.apache.org/r/74232/diff/2/
> 
> 
> Testing
> ---
> 
> Passed all existing unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization

2022-12-06 Thread Abhay Kulkarni


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74232/
---

(Updated Dec. 6, 2022, 5:58 p.m.)


Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, Sailaja 
Polavarapu, and Velmurugan Periasamy.


Changes
---

Updated with the JIRA details


Summary (updated)
-

RANGER-3999: Implement more efficient way to handle _any access authorization


Bugs: RANGER-3999
https://issues.apache.org/jira/browse/RANGER-3999


Repository: ranger


Description (updated)
---

If a user-initiated operation requires checking if more than one permission is 
granted, then currently, each permission requires a call to internal Policy 
Engine API for the same accessed resource. This leads to many repetitive 
computations which may be avoided if the policy engine API supports multiple 
permissions. In that case, optimization may be achieved by pushing 
authorization for multiple permissions down to the lowest possible level.


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 23db18f3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 520ddf865 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 d3fc27d7d 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 df03ed1c4 


Diff: https://reviews.apache.org/r/74232/diff/2/


Testing
---

Passed all existing unit tests.


Thanks,

Abhay Kulkarni

Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization

Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization

Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization

Re: Review Request 74232: RANGER-3999: Implement more efficient way to handle _any access authorization

4 matches

Site Navigation

Mail list logo

Footer information