RANGER-4639: Provide an option to bypass evaluation of chained plugin if the parent plugin has applicable policy
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 5d6c3d9..9bf01b9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -502,7 +502,13 @@
LOG.debug("BasePlugin.isAccessAllowed result=[" + ret + "]");
LOG.debug("Calling chainedPlugin.isAccessAllowed for service:[" + chainedPlugin.plugin.pluginConfig.getServiceName() + "]");
}
- RangerAccessResult chainedResult = chainedPlugin.isAccessAllowed(request);
+ RangerAccessResult chainedResult;
+
+ if (ret.getIsAccessDetermined() && chainedPlugin.skipAccessCheckIfAlreadyDetermined) {
+ chainedResult = null;
+ } else {
+ chainedResult = chainedPlugin.isAccessAllowed(request);
+ }
if (chainedResult != null) {
if (LOG.isDebugEnabled()) {
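Review bot: The new skip branch (`chainedResult = null`) discards the chained service's decision silently, and the condition tests only `ret.getIsAccessDetermined()`, not whether the determined result was an allow or a deny. With the flag on, a determined allow from the parent presumably means a deny policy in the chained service is never consulted, so that trade-off should be stated at the branch, e.g. `// opt-in bypass: once the parent has determined access (allow or deny), chained policies, including denies, are not evaluated`. I would also log inside the `if` so a skipped evaluation can be traced when troubleshooting an authorization decision: `if (LOG.isDebugEnabled()) { LOG.debug("Skipping chainedPlugin.isAccessAllowed: access already determined by parent"); }`. The enclosing method starts and ends outside the hunk, so whether `ret` can be null or already modified by an earlier chained plugin at this point cannot be confirmed from here.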
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
index b969fb6..5e52ce3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
@@ -19,6 +19,7 @@
package org.apache.ranger.plugin.service;
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
@@ -34,6 +35,7 @@
protected final String serviceType;
protected final String serviceName;
protected final RangerBasePlugin plugin;
+ protected final boolean skipAccessCheckIfAlreadyDetermined;
protected RangerChainedPlugin(RangerBasePlugin rootPlugin, String serviceType, String serviceName) {
LOG.info("RangerChainedPlugin(" + serviceType + ", " + serviceName + ")");
@@ -42,6 +44,8 @@
this.serviceType = serviceType;
this.serviceName = serviceName;
this.plugin = buildChainedPlugin(serviceType, serviceName, rootPlugin.getAppId());
+ RangerPluginConfig rootPluginConfig = rootPlugin.getPluginContext().getConfig();
+ skipAccessCheckIfAlreadyDetermined = rootPluginConfig.getBoolean(rootPluginConfig.getPropertyPrefix() + ".bypass.chained.plugin.evaluation.if.access.is.determined", false);
}
public void init() {
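Review bot: The constructor reads an authorization-affecting switch from an inline string literal and never reports its effective value, so an operator cannot tell from the logs that chained evaluation is being bypassed. I would move the suffix into a named constant with a Javadoc line describing the behaviour, and log the value once after the assignment: `LOG.info("RangerChainedPlugin(" + serviceName + "): skipAccessCheckIfAlreadyDetermined=" + skipAccessCheckIfAlreadyDetermined);`. The default of `false` keeps the existing behaviour, which is the safe choice. Note that the property is taken from the root plugin's configuration, so it appears to apply to every chained plugin of that root alike; if per-chained-service control is intended, that would need a different key.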