RANGER-1161: Policy evaluation optimization: updating ranger-0.5 branch with relevant changes in master branch for RANGER-1162
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index f3c2de6..dfde51d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -29,6 +29,7 @@
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
+import org.apache.ranger.plugin.util.ServiceDefUtil;
import java.util.Map;
@@ -37,9 +38,10 @@
public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
- private RangerPolicy policy = null;
- private RangerServiceDef serviceDef = null;
- private int evalOrder = 0;
+ private RangerPolicy policy = null;
+ private RangerServiceDef serviceDef = null;
+ private Integer leafResourceLevel = null;
+ private int evalOrder = 0;
@Override
@@ -48,8 +50,9 @@
LOG.debug("==> RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
}
- this.policy = policy;
- this.serviceDef = serviceDef;
+ this.policy = policy;
+ this.serviceDef = serviceDef;
+ this.leafResourceLevel = ServiceDefUtil.getLeafResourceLevel(serviceDef, getPolicyResource());
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerAbstractPolicyEvaluator.init(" + policy + ", " + serviceDef + ")");
@@ -77,6 +80,12 @@
}
@Override
+ public Integer getLeafResourceLevel() {
+ return leafResourceLevel;
+ }
+
+
+ @Override
public int getEvalOrder() {
return evalOrder;
}
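Review bot: The new `getLeafResourceLevel()` returns a boxed `Integer` that can be null, and neither this override nor the declaration added to `RangerPolicyResourceEvaluator` says so. The value comes from `ServiceDefUtil.getLeafResourceLevel`, which returns null when the service-def or policy resources are null or when no named resource has a level. Callers that compare it unbox it, so the contract belongs on the interface, e.g. `/** @return the highest resource level named by this policy, or null if it cannot be determined from the service-def */`. The doubled blank line before the following `@Override` can also be dropped; the class body continues outside the hunk.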
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index 5e0b54c..f6b15f6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -87,6 +87,11 @@
}
@Override
+ public RangerServiceDef getServiceDef() {
+ return serviceDef;
+ }
+
+ @Override
public RangerResourceMatcher getResourceMatcher(String resourceName) {
return matchers != null ? matchers.get(resourceName) : null;
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
index 799e8b3..eed58e1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceEvaluator.java
@@ -33,4 +33,6 @@
Map<String, RangerPolicy.RangerPolicyResource> getPolicyResource();
RangerResourceMatcher getResourceMatcher(String resourceName);
+
+ Integer getLeafResourceLevel();
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
index bcfc017..49d5364 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
@@ -33,6 +33,8 @@
void init();
+ RangerServiceDef getServiceDef();
+
RangerResourceMatcher getResourceMatcher(String resourceName);
boolean isMatch(RangerAccessResource resource);
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
index 982d249..2079487 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
@@ -58,7 +58,7 @@
this.resourceName = resourceDef.getName();
this.optIgnoreCase = strIgnoreCase != null ? Boolean.parseBoolean(strIgnoreCase) : false;
- this.optWildcard = strWildcard != null ? Boolean.parseBoolean(strWildcard) : false;;
+ this.optWildcard = strWildcard != null ? Boolean.parseBoolean(strWildcard) : false;
this.wildcardChars = optWildcard ? DEFAULT_WILDCARD_CHARS : "";
this.root = new TrieNode(Character.valueOf((char)0));
@@ -67,6 +67,10 @@
RangerPolicyResource policyResource = policyResources != null ? policyResources.get(resourceName) : null;
if(policyResource == null) {
+ if(evaluator.getLeafResourceLevel() != null && resourceDef.getLevel() != null && evaluator.getLeafResourceLevel() < resourceDef.getLevel()) {
+ root.addWildcardEvaluator(evaluator);
+ }
+
continue;
}
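Review bot: When `evaluator.getLeafResourceLevel()` or `resourceDef.getLevel()` is null, the new branch falls straight through to `continue`, so the evaluator is left out of this resource's trie without any log line. Over-including an evaluator presumably costs only an extra full match, whereas omitting one could cause a policy to be skipped during authorization; that depends on how the per-resource trie results are combined, which is not visible in this hunk. Consider reading the value once, `Integer leafLevel = evaluator.getLeafResourceLevel();`, and emitting a debug message when either level is null. Whether the null case should also reach `root.addWildcardEvaluator(evaluator)` is worth confirming against the lookup path. The enclosing loop and method start outside the hunk.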
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
new file mode 100644
index 0000000..f26ac44
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.HashMap;
+import java.util.Map;
+
+public class ServiceDefUtil {
+
+ public static RangerResourceDef getResourceDef(RangerServiceDef serviceDef, String resource) {
+ RangerResourceDef ret = null;
+
+ if(serviceDef != null && resource != null && CollectionUtils.isNotEmpty(serviceDef.getResources())) {
+ for(RangerResourceDef resourceDef : serviceDef.getResources()) {
+ if(StringUtils.equalsIgnoreCase(resourceDef.getName(), resource)) {
+ ret = resourceDef;
+ break;
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public static Integer getLeafResourceLevel(RangerServiceDef serviceDef, Map<String, RangerPolicy.RangerPolicyResource> policyResource) {
+ Integer ret = null;
+
+ if(serviceDef != null && policyResource != null) {
+ for(Map.Entry<String, RangerPolicy.RangerPolicyResource> entry : policyResource.entrySet()) {
+ String resource = entry.getKey();
+ RangerResourceDef resourceDef = ServiceDefUtil.getResourceDef(serviceDef, resource);
+
+ if(resourceDef != null && resourceDef.getLevel() != null) {
+ if(ret == null) {
+ ret = resourceDef.getLevel();
+ } else if(ret < resourceDef.getLevel()) {
+ ret = resourceDef.getLevel();
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+}
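Review bot: `getResourceDef` matches names with `StringUtils.equalsIgnoreCase`, while the RangerResourceTrie hunk in this commit uses `policyResources.get(resourceName)`, which is presumably an exact-key lookup (the map implementation is not visible here). A policy key that differs from the resource-def name only by case would then count toward the leaf level but be treated as absent by the trie, so the two views of one policy can disagree. Use the same comparison rule in both places, or document why resource names are guaranteed canonical. Separately, the imports `MapUtils`, `RangerAccessTypeDef`, `EmbeddedServiceDefsUtil`, `ArrayList`, `List` and `HashMap` are unused in the file as shown. The all-static class would also benefit from a private constructor and a Javadoc stating that `getLeafResourceLevel` returns the highest level among resolvable policy resources, or null when none resolve.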