RANGER-4824: Remove ACL-based policy engine unit test code
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index f5f4127..f881eaa 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -37,6 +37,7 @@ public class RangerPolicyEngineOptions {
public boolean evaluateDelegateAdminOnly = false;
public boolean enableTagEnricherWithLocalRefresher = false;
public boolean enableUserStoreEnricherWithLocalRefresher = false;
+ @Deprecated
public boolean disableAccessEvaluationWithPolicyACLSummary = true;
public boolean optimizeTrieForRetrieval = false;
public boolean disableRoleResolution = true;
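Review bot: The `@Deprecated` added above disableAccessEvaluationWithPolicyACLSummary carries no Javadoc `@deprecated` tag, so a caller gets a compiler warning but no explanation, while the copy constructor (second hunk of this file) and both configure methods (third and fourth hunks) now ignore the field entirely, so any value assigned to it is silently dropped. Add `/** @deprecated Not read anywhere since RANGER-4824 removed access evaluation via PolicyACLSummary; kept only for source compatibility and neither copied by the copy constructor nor loaded from configuration. */` directly above the annotation. If the field does not need to stay for source compatibility, `@Deprecated(forRemoval = true)` would make the intent explicit.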
@@ -62,7 +63,6 @@ public RangerPolicyEngineOptions(final RangerPolicyEngineOptions other) {
this.evaluateDelegateAdminOnly = other.evaluateDelegateAdminOnly;
this.enableTagEnricherWithLocalRefresher = other.enableTagEnricherWithLocalRefresher;
this.enableUserStoreEnricherWithLocalRefresher = other.enableUserStoreEnricherWithLocalRefresher;
- this.disableAccessEvaluationWithPolicyACLSummary = other.disableAccessEvaluationWithPolicyACLSummary;
this.optimizeTrieForRetrieval = other.optimizeTrieForRetrieval;
this.disableRoleResolution = other.disableRoleResolution;
this.serviceDefHelper = null;
@@ -95,7 +95,6 @@ public void configureForPlugin(Configuration conf, String propertyPrefix) {
evaluateDelegateAdminOnly = false;
enableTagEnricherWithLocalRefresher = false;
enableUserStoreEnricherWithLocalRefresher = false;
- disableAccessEvaluationWithPolicyACLSummary = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true);
optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.retrieval", false);
disableRoleResolution = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.role.resolution", true);
optimizeTrieForSpace = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.space", false);
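Review bot: Removing the `conf.getBoolean(propertyPrefix + ".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true)` read here (and in the configureDefaultRangerAdmin hunk below) means a deployment that still carries that property gets no signal that it is now ignored, and an operator who had set it to false may assume the ACL-summary path is still active. A one-time warning when the key is present keeps the change visible, e.g. `if (conf.get(propertyPrefix + ".policyengine.option.disable.access.evaluation.with.policy.acl.summary") != null) { /* warn: property is ignored since RANGER-4824 */ }`; whether this class has a logger is not visible in the hunk, so the warn call is left as a placeholder comment. Both configureForPlugin and configureDefaultRangerAdmin continue outside their hunks.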
@@ -118,7 +117,6 @@ public void configureDefaultRangerAdmin(Configuration conf, String propertyPrefi
evaluateDelegateAdminOnly = false;
enableTagEnricherWithLocalRefresher = false;
enableUserStoreEnricherWithLocalRefresher = false;
- disableAccessEvaluationWithPolicyACLSummary = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.access.evaluation.with.policy.acl.summary", true);
optimizeTrieForRetrieval = conf.getBoolean(propertyPrefix + ".policyengine.option.optimize.trie.for.retrieval", false);
disableRoleResolution = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.role.resolution", true);
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 33d56ec..be6cd55 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -78,7 +78,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
private List<RangerConditionEvaluator> conditionEvaluators;
private String perfTag;
private PolicyACLSummary aclSummary = null;
- private boolean useAclSummaryForEvaluation = false;
private boolean disableRoleResolution = true;
List<RangerPolicyItemEvaluator> getAllowEvaluators() { return allowEvaluators; }
@@ -88,8 +87,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
List<RangerDataMaskPolicyItemEvaluator> getDataMaskEvaluators() { return dataMaskEvaluators; }
List<RangerRowFilterPolicyItemEvaluator> getRowFilterEvaluators() { return rowFilterEvaluators; }
- boolean isUseAclSummaryForEvaluation() { return useAclSummaryForEvaluation; }
-
@Override
public int getPolicyConditionsCount() {
return conditionEvaluators.size();
@@ -135,29 +132,16 @@ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyE
this.disableRoleResolution = options.disableRoleResolution;
- if (!options.disableAccessEvaluationWithPolicyACLSummary) {
- aclSummary = createPolicyACLSummary(options.getServiceDefHelper().getImpliedAccessGrants());
- }
+ allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
- useAclSummaryForEvaluation = aclSummary != null;
-
- if (useAclSummaryForEvaluation) {
- allowEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
+ if (ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(serviceDef, getPluginContext())) {
+ denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
+ allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
+ denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
+ } else {
denyEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
allowExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
denyExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
- } else {
- allowEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
-
- if (ServiceDefUtil.getOption_enableDenyAndExceptionsInPolicies(serviceDef, getPluginContext())) {
- denyEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
- allowExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
- denyExceptionEvaluators = createPolicyItemEvaluators(policy, serviceDef, options, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
- } else {
- denyEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
- allowExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
- denyExceptionEvaluators = Collections.<RangerPolicyItemEvaluator>emptyList();
- }
}
dataMaskEvaluators = createDataMaskPolicyItemEvaluators(policy, serviceDef, options, policy.getDataMaskPolicyItems());
@@ -187,10 +171,6 @@ public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyE
RangerPerfTracer.log(perf);
- if (useAclSummaryForEvaluation && (policy.getPolicyType() == null || policy.getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- LOG.info("PolicyEvaluator for policy:[" + policy.getId() + "] is set up to use ACL Summary to evaluate access");
- }
-
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
}
@@ -548,10 +528,8 @@ public void getResourceAccessInfo(RangerAccessRequest request, RangerResourceAcc
@Override
public PolicyACLSummary getPolicyACLSummary() {
if (aclSummary == null) {
- boolean forceCreation = true;
- aclSummary = createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()), forceCreation);
+ aclSummary = createPolicyACLSummary(ServiceDefUtil.getExpandedImpliedGrants(getServiceDef()), true);
}
-
return aclSummary;
}
@@ -590,10 +568,6 @@ PolicyACLSummary for access evaluation (that is, if disableAccessEvaluationWithP
is set to false). It may return null object if all accesses for all user/groups cannot be determined statically.
*/
- private PolicyACLSummary createPolicyACLSummary(Map<String, Collection<String>> impliedAccessGrants) {
- boolean forceCreation = false;
- return createPolicyACLSummary(impliedAccessGrants, forceCreation);
- }
private PolicyACLSummary createPolicyACLSummary(Map<String, Collection<String>> impliedAccessGrants, boolean isCreationForced) {
PolicyACLSummary ret = null;
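Review bot: The block comment immediately above createPolicyACLSummary (it starts before this hunk) still says the summary is used for access evaluation "if disableAccessEvaluationWithPolicyACLSummary is set to false", but that option is deprecated and no longer read in this commit, and the single-argument overload that implemented the non-forced path is deleted here. Rewrite that comment to say the summary is now built only on demand through getPolicyACLSummary(), which is the one remaining caller visible in this diff and always passes `true` for isCreationForced. If no caller outside this diff passes false, the `isCreationForced` parameter is dead and could be dropped in a follow-up; the method body continues past the end of the hunk, so that cannot be confirmed here.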
@@ -830,229 +804,99 @@ private boolean hasPublicGroupAndUserInException(List<RangerPolicyItem> grants,
return ret;
}
- private Integer getAccessACLForOneGroup(RangerAccessRequest request, Set<String> accessesInGroup) {
- Integer ret = null;
- Map<String, Integer> accessTypeResults = RangerAccessRequestUtil.getAccessTypeACLResults(request);
-
- boolean isAccessDetermined = true;
- boolean isAccessDenied = false;
- Integer deniedAccessResult = null;
-
- for (String accessType : accessesInGroup) {
- Integer accessResult = accessTypeResults.get(accessType);
- if (accessResult != null) {
- if (accessResult.equals(ACCESS_ALLOWED)) {
- // Allow
- isAccessDenied = false;
- ret = accessResult;
- break;
- } else {
- isAccessDenied = true;
- if (deniedAccessResult == null) {
- deniedAccessResult = accessResult;
- }
- }
- } else {
- isAccessDetermined = false;
- }
- }
- if (isAccessDetermined && isAccessDenied) {
- ret = deniedAccessResult;
- }
- return ret;
- }
-
- private Integer getCompositeACLResult(RangerAccessRequest request) {
- Integer ret = null;
- Set<Set<String>> allAccessTypeGroups = RangerAccessRequestUtil.getAllRequestedAccessTypeGroups(request);
-
- if (CollectionUtils.isEmpty(allAccessTypeGroups)) {
- Set<String> allAccessTypes = RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
- ret = getAccessACLForOneGroup(request, allAccessTypes);
- } else {
- boolean isAccessDetermined = true;
- boolean isAccessAllowed = false;
- Integer allowResult = null;
-
- for (Set<String> accessesInGroup : allAccessTypeGroups) {
- Integer groupResult = getAccessACLForOneGroup(request, accessesInGroup);
- if (groupResult != null) {
- if (!groupResult.equals(ACCESS_ALLOWED)) {
- // Deny
- isAccessAllowed = false;
- ret = groupResult;
- break;
- } else {
- isAccessAllowed = true;
- if (allowResult == null) {
- allowResult = groupResult;
- }
- }
- } else {
- // Some group is not completely authorized yet
- isAccessDetermined = false;
- }
- }
- if (isAccessDetermined && isAccessAllowed) {
- ret = allowResult;
- }
- }
- return ret;
- }
-
protected void evaluatePolicyItems(RangerAccessRequest request, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
}
- if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Using ACL Summary for access evaluation. PolicyId=[" + getPolicyId() + "]");
- }
- Integer accessResult = null;
- if (request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
- accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), RangerPolicyEngine.ANY_ACCESS);
- } else {
- Map<String, Integer> accessTypeACLResults = RangerAccessRequestUtil.getAccessTypeACLResults(request);
- Set<String> allRequestedAccesses = RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
+ Set<String> allRequestedAccesses = RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
- if (allRequestedAccesses.size() > 1) {
- for (String accessType : allRequestedAccesses) {
+ if (CollectionUtils.isNotEmpty(allRequestedAccesses)) {
+ Map<String, RangerAccessResult> accessTypeResults = RangerAccessRequestUtil.getAccessTypeResults(request);
- Integer denyResult = null;
- Integer allowResult = null;
+ for (String accessType : allRequestedAccesses) {
- Integer oneAccessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), accessType);
- if (oneAccessResult != null) {
- if (oneAccessResult.equals(ACCESS_DENIED)) {
- denyResult = oneAccessResult;
- }
- if (oneAccessResult.equals(ACCESS_ALLOWED)) {
- allowResult = oneAccessResult;
- }
- Integer oldResult = accessTypeACLResults.get(accessType);
- if (oldResult == null) {
- accessTypeACLResults.put(accessType, allowResult != null ? allowResult : denyResult);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking for accessType:[" + accessType + "]");
+ }
+ RangerAccessResult denyResult = null;
+ RangerAccessResult allowResult = null;
+ boolean noResult = false;
+
+ RangerAccessRequestWrapper oneRequest = new RangerAccessRequestWrapper(request, accessType);
+ RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(), result.getServiceName(), result.getServiceDef(), oneRequest);
+
+ oneResult.setAuditResultFrom(result);
+
+ RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(oneRequest, oneResult);
+
+ if (matchedPolicyItem != null) {
+ matchedPolicyItem.updateAccessResult(this, oneResult, matchType);
+ } else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
+ updateAccessResult(oneResult, matchType, false, "matched deny-all-else policy");
+ }
+
+ if (oneResult.getIsAllowed()) {
+ allowResult = oneResult;
+ } else if (oneResult.getIsAccessDetermined()) {
+ denyResult = oneResult;
+ } else {
+ noResult = true;
+ }
+
+ if (!noResult) {
+ RangerAccessResult oldResult = accessTypeResults.get(accessType);
+ if (oldResult == null) {
+ accessTypeResults.put(accessType, allowResult != null ? allowResult : denyResult);
+ } else {
+ int oldPriority = oldResult.getPolicyPriority();
+ if (oldResult.getIsAllowed()) {
+ if (denyResult != null) {
+ if (getPolicyPriority() >= oldPriority) {
+ accessTypeResults.put(accessType, denyResult);
+ }
} else {
- if (oldResult.equals(ACCESS_ALLOWED)) {
- if (denyResult != null) {
- accessTypeACLResults.put(accessType, denyResult);
- } else {
- accessTypeACLResults.put(accessType, allowResult);
+ if (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) {
+ if (getPolicyPriority() > oldPriority) {
+ accessTypeResults.put(accessType, allowResult);
}
} else {
- accessTypeACLResults.put(accessType, denyResult);
+ if (getPolicyPriority() >= oldPriority) {
+ accessTypeResults.put(accessType, allowResult);
+ }
+ }
+ }
+ } else { // Earlier evaluator denied this access
+ if (getPolicyPriority() >= oldPriority && allowResult != null && (oneRequest.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext()))) {
+ accessTypeResults.put(accessType, allowResult);
+ } else {
+ if (getPolicyPriority() > oldPriority && denyResult != null) {
+ accessTypeResults.put(accessType, denyResult);
}
}
}
}
- Integer compositeACLResult = getCompositeACLResult(request);
- if (compositeACLResult != null) {
- accessResult = compositeACLResult;
+ /* At least one access is allowed - this evaluator need not be checked for other accesses as the test below
+ * implies that there is only one access group in the request
+ */
+ if (oneRequest.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext())) {
+ if (allowResult != null) {
+ break;
+ }
}
- } else {
- accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), request.getAccessType());
}
}
- if (accessResult != null) {
- updateAccessResult(result, matchType, accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
- } else if (getPolicy().getIsDenyAllElse()) {
- updateAccessResult(result, matchType, false, "matched deny-all-else policy");
+ RangerAccessResult compositeAccessResult = getCompositeAccessResult(request);
+ if (compositeAccessResult != null) {
+ result.setAccessResultFrom(compositeAccessResult);
}
} else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Using policyItemEvaluators for access evaluation. PolicyId=[" + getPolicyId() + "]");
- }
- Set<String> allRequestedAccesses = RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
-
- if (CollectionUtils.isNotEmpty(allRequestedAccesses) ) {
- Map<String, RangerAccessResult> accessTypeResults = RangerAccessRequestUtil.getAccessTypeResults(request);
-
- for (String accessType : allRequestedAccesses) {
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking for accessType:[" + accessType + "]");
- }
- RangerAccessResult denyResult = null;
- RangerAccessResult allowResult = null;
- boolean noResult = false;
-
- RangerAccessRequestWrapper oneRequest = new RangerAccessRequestWrapper(request, accessType);
- RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(), result.getServiceName(), result.getServiceDef(), oneRequest);
-
- oneResult.setAuditResultFrom(result);
-
- RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(oneRequest, oneResult);
-
- if (matchedPolicyItem != null) {
- matchedPolicyItem.updateAccessResult(this, oneResult, matchType);
- } else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- updateAccessResult(oneResult, matchType, false, "matched deny-all-else policy");
- }
-
- if (oneResult.getIsAllowed()) {
- allowResult = oneResult;
- } else if (oneResult.getIsAccessDetermined()) {
- denyResult = oneResult;
- } else {
- noResult = true;
- }
-
- if (!noResult) {
- RangerAccessResult oldResult = accessTypeResults.get(accessType);
- if (oldResult == null) {
- accessTypeResults.put(accessType, allowResult != null ? allowResult : denyResult);
- } else {
- int oldPriority = oldResult.getPolicyPriority();
- if (oldResult.getIsAllowed()) {
- if (denyResult != null) {
- if (getPolicyPriority() >= oldPriority) {
- accessTypeResults.put(accessType, denyResult);
- }
- } else {
- if (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) {
- if (getPolicyPriority() > oldPriority) {
- accessTypeResults.put(accessType, allowResult);
- }
- } else {
- if (getPolicyPriority() >= oldPriority) {
- accessTypeResults.put(accessType, allowResult);
- }
- }
- }
- } else { // Earlier evaluator denied this access
- if (getPolicyPriority() >= oldPriority && allowResult != null && (oneRequest.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext()))) {
- accessTypeResults.put(accessType, allowResult);
- } else {
- if (getPolicyPriority() > oldPriority && denyResult != null) {
- accessTypeResults.put(accessType, denyResult);
- }
- }
- }
- }
- /* At least one access is allowed - this evaluator need not be checked for other accesses as the test below
- * implies that there is only one access group in the request
- */
- if (oneRequest.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext())) {
- if (allowResult != null) {
- break;
- }
- }
- }
- }
-
- RangerAccessResult compositeAccessResult = getCompositeAccessResult(request);
- if (compositeAccessResult != null) {
- result.setAccessResultFrom(compositeAccessResult);
- }
- } else {
- RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, result);
- if (matchedPolicyItem != null) {
- matchedPolicyItem.updateAccessResult(this, result, matchType);
- } else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- updateAccessResult(result, matchType, false, "matched deny-all-else policy");
- }
+ RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, result);
+ if (matchedPolicyItem != null) {
+ matchedPolicyItem.updateAccessResult(this, result, matchType);
+ } else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
+ updateAccessResult(result, matchType, false, "matched deny-all-else policy");
}
}
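Review bot: The predicate `getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)` is spelled out twice in the new evaluatePolicyItems body, once inside the per-access-type loop and once in the single-access else branch, and it is the gate that turns a no-match into an explicit deny. A helper such as `private boolean isDenyAllElseApplicable() { return getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS); }` makes both call sites read as the same rule and gives the deny-all-else semantics one place to be documented. The loop body is also around seventy lines with six levels of nesting; the priority comparison that decides whether an earlier evaluator's result for an access type is replaced is a natural candidate for its own private method, which would also let the `>` versus `>=` distinctions there carry a comment explaining them. Note that the old debug line naming the evaluation path was dropped from this method while the matching line in isAccessAllowed is kept in a later hunk; the two should be consistent.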
@@ -1131,95 +975,6 @@ private RangerAccessResult getCompositeAccessResult(RangerAccessRequest request)
return ret;
}
- private Integer lookupPolicyACLSummary(String user, Set<String> userGroups, Set<String> userRoles, String accessType) {
- Integer accessResult = null;
-
- Map<String, PolicyACLSummary.AccessResult> accesses = aclSummary.getUsersAccessInfo().get(user);
-
- accessResult = lookupAccess(user, accessType, accesses);
-
- if (accessResult == null) {
-
- Set<String> groups = new HashSet<>();
- groups.add(RangerPolicyEngine.GROUP_PUBLIC);
- groups.addAll(userGroups);
-
- for (String userGroup : groups) {
- accesses = aclSummary.getGroupsAccessInfo().get(userGroup);
- accessResult = lookupAccess(userGroup, accessType, accesses);
- if (accessResult != null) {
- break;
- }
- }
-
- if (accessResult == null) {
- if (userRoles != null) {
- for (String userRole : userRoles) {
- accesses = aclSummary.getRolesAccessInfo().get(userRole);
- accessResult = lookupAccess(userRole, accessType, accesses);
- if (accessResult != null) {
- break;
- }
- }
- }
- }
- }
-
- return accessResult;
- }
-
- private Integer lookupAccess(String userOrGroup, String accessType, Map<String, PolicyACLSummary.AccessResult> accesses) {
- Integer ret = null;
- if (accesses != null) {
- if (accessType.equals(RangerPolicyEngine.ANY_ACCESS)) {
- ret = getAccessResultForAnyAccess(accesses);
- } else {
- PolicyACLSummary.AccessResult accessResult = accesses.get(accessType);
- if (accessResult != null) {
- if (accessResult.getResult() == RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
- LOG.error("Access should not be conditional at this point! user=[" + userOrGroup + "], " + "accessType=[" + accessType + "]");
- } else {
- ret = accessResult.getResult();
- }
- }
- }
- }
- return ret;
- }
-
- private Integer getAccessResultForAnyAccess(Map<String, PolicyACLSummary.AccessResult> accesses) {
- final Integer ret;
-
- int allowedAccessCount = 0;
- int deniedAccessCount = 0;
-
- for (Map.Entry<String, PolicyACLSummary.AccessResult> entry : accesses.entrySet()) {
- if (StringUtils.equals(entry.getKey(), RangerPolicyEngine.ADMIN_ACCESS)) {
- // Don't count admin access if present
- continue;
- }
- PolicyACLSummary.AccessResult accessResult = entry.getValue();
- if (accessResult.getResult() == RangerPolicyEvaluator.ACCESS_ALLOWED) {
- allowedAccessCount++;
- break;
- } else if (accessResult.getResult() == RangerPolicyEvaluator.ACCESS_DENIED) {
- deniedAccessCount++;
- }
- }
-
- if (allowedAccessCount > 0) {
- // At least one access allowed
- ret = RangerPolicyEvaluator.ACCESS_ALLOWED;
- } else if (deniedAccessCount == getServiceDef().getAccessTypes().size()) {
- // All accesses explicitly denied
- ret = RangerPolicyEvaluator.ACCESS_DENIED;
- } else {
- ret = null;
- }
-
- return ret;
- }
-
protected RangerPolicyItemEvaluator getDeterminingPolicyItem(String user, Set<String> userGroups, Set<String> roles, String owner, String accessType) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + ")");
@@ -1319,25 +1074,14 @@ protected boolean isAccessAllowed(String user, Set<String> userGroups, Set<Strin
perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.isAccessAllowed(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + "," + perfTag + ")");
}
- if (useAclSummaryForEvaluation && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getPolicyId() +"]");
- }
-
- Integer accessResult = StringUtils.isEmpty(accessType) ? null : lookupPolicyACLSummary(user, userGroups, roles, accessType);
- if (accessResult != null && accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) {
- ret = true;
- }
- } else {
- if (LOG.isDebugEnabled()) {
+ if (LOG.isDebugEnabled()) {
LOG.debug("Using policyItemEvaluators for checking if access is allowed. PolicyId=[" + getPolicyId() +"]");
- }
+ }
- RangerPolicyItemEvaluator item = this.getDeterminingPolicyItem(user, userGroups, roles, owner, accessType);
+ RangerPolicyItemEvaluator item = this.getDeterminingPolicyItem(user, userGroups, roles, owner, accessType);
- if (item != null && item.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
- ret = true;
- }
+ if (item != null && item.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
+ ret = true;
}
RangerPerfTracer.log(perf);
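Review bot: The retained `LOG.debug("Using policyItemEvaluators for checking if access is allowed. PolicyId=[" + getPolicyId() +"]");` wording implies an alternative evaluation path, which no longer exists once this hunk removes the ACL-summary branch, and evaluatePolicyItems in the earlier hunk dropped its counterpart line altogether. Either drop this line for consistency or reword it to something neutral such as `LOG.debug("Checking if access is allowed. PolicyId=[" + getPolicyId() + "]");`. isAccessAllowed starts before this hunk.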
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index b62fdfb..665ee3c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -254,9 +254,7 @@ protected boolean isAccessAllowed(String user, Set<String> userGroups, Set<Strin
protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
boolean ret = false;
- if (isUseAclSummaryForEvaluation()) {
- ret = true;
- } else if (checkIfAllEvaluatorsInitialized()) {
+ if (checkIfAllEvaluatorsInitialized()) {
if (hasPublicGroup || hasCurrentUser || isOwnerMatch(request) || users.contains(request.getUser()) || CollectionUtils.containsAny(groups, request.getUserGroups()) || (CollectionUtils.isNotEmpty(roles) && CollectionUtils.containsAny(roles, RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext())))) {
if (hasAllPerms || request.isAccessTypeAny()) {
ret = true;
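Review bot: With the `isUseAclSummaryForEvaluation()` shortcut gone, hasMatchablePolicyItem(RangerAccessRequest) returns false whenever `checkIfAllEvaluatorsInitialized()` is false, and the same holds for the String-argument overload in the next hunk; neither method documents that contract. The visible lines do not show how the caller treats a false return, but if it causes the policy to be skipped, the effect is fail-closed for allow items and fail-open for deny items, which is worth stating explicitly once confirmed. Suggest a Javadoc on both overloads along the lines of `/** Returns false, without consulting the policy items, until checkIfAllEvaluatorsInitialized() reports true; see the caller for how an uninitialized evaluator is treated. */`. Both methods continue past their hunks.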
@@ -301,9 +299,7 @@ private boolean isOwnerMatch(RangerAccessRequest request) {
private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, Set<String> rolesFromContext, String owner, String accessType) {
boolean ret = false;
- if (isUseAclSummaryForEvaluation()) {
- ret = true;
- } else if (checkIfAllEvaluatorsInitialized()) {
+ if (checkIfAllEvaluatorsInitialized()) {
boolean hasRole = false;
if (CollectionUtils.isNotEmpty(roles)) {
if (CollectionUtils.isNotEmpty(rolesFromContext)) {
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index d780845..34f1f07 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -606,8 +606,6 @@ private void runTests(InputStreamReader reader, String testName) {
RangerPolicyEngineOptions policyEngineOptions = config.getPolicyEngineOptions();
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
-
setPluginConfig(config, ".super.users", testCase.superUsers);
setPluginConfig(config, ".super.groups", testCase.superGroups);
setPluginConfig(config, ".audit.exclude.users", testCase.auditExcludedUsers);
@@ -622,25 +620,17 @@ private void runTests(InputStreamReader reader, String testName) {
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;
-
- RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
-
- policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
- policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
-
- runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.tests);
+ runTestCaseTests(policyEngine, testCase.serviceDef, testName, testCase.tests);
if (testCase.updatedPolicies != null) {
servicePolicies.setPolicyDeltas(testCase.updatedPolicies.policyDeltas);
servicePolicies.setSecurityZones(testCase.updatedPolicies.securityZones);
RangerPolicyEngine updatedPolicyEngine = RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
- RangerPolicyEngine updatedPolicyEngineForEvaluatingWithACLs = RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies);
- runTestCaseTests(updatedPolicyEngine, updatedPolicyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.updatedTests);
+ runTestCaseTests(updatedPolicyEngine, testCase.serviceDef, testName, testCase.updatedTests);
}
}
- private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngine policyEngineForEvaluatingWithACLs, RangerServiceDef serviceDef, String testName, List<TestData> tests) {
+ private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerServiceDef serviceDef, String testName, List<TestData> tests) {
RangerAccessRequest request = null;
for(TestData test : tests) {
@@ -734,14 +724,6 @@ private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngin
assertNotNull("result was null! - " + test.name, result);
assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
-
- result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " + test.name, result);
- assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
- assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
}
if(test.dataMaskResult != null) {
@@ -757,17 +739,6 @@ private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngin
assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
-
- result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " + test.name, result);
- assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
- assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
- assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
- assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
-
}
if(test.rowFilterResult != null) {
@@ -781,15 +752,6 @@ private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngin
assertNotNull("result was null! - " + test.name, result);
assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
-
- result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " + test.name, result);
- assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
- assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
-
}
if(test.resourceAccessInfo != null) {
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
index 3e5086c..961fde2 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngineForDeltas.java
@@ -275,8 +275,6 @@ private void runTests(InputStreamReader reader, String testName) {
RangerPolicyEngineOptions policyEngineOptions = config.getPolicyEngineOptions();
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true;
-
setPluginConfig(config, ".super.users", testCase.superUsers);
setPluginConfig(config, ".super.groups", testCase.superGroups);
setPluginConfig(config, ".audit.exclude.users", testCase.auditExcludedUsers);
@@ -291,16 +289,9 @@ private void runTests(InputStreamReader reader, String testName) {
policyEngine.setUseForwardedIPAddress(useForwardedIPAddress);
policyEngine.setTrustedProxyAddresses(trustedProxyAddresses);
- policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false;
-
- RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles);
-
- policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress);
- policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses);
-
PolicyEngineTestCase.TestsInfo testsInfo = testCase.testsInfo;
do {
- runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testsInfo.tests);
+ runTestCaseTests(policyEngine, testCase.serviceDef, testName, testsInfo.tests);
if (testsInfo.updatedPolicies != null && CollectionUtils.isNotEmpty(testsInfo.updatedPolicies.policyDeltas)) {
servicePolicies.setPolicyDeltas(testsInfo.updatedPolicies.policyDeltas);
servicePolicies.setPolicies(null);
@@ -308,12 +299,8 @@ private void runTests(InputStreamReader reader, String testName) {
servicePolicies.setSecurityZones(testsInfo.updatedPolicies.securityZones);
}
policyEngine = (RangerPolicyEngineImpl) RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies);
- policyEngineForEvaluatingWithACLs = (RangerPolicyEngineImpl) RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies);
- if (policyEngine != null && policyEngineForEvaluatingWithACLs != null) {
- testsInfo = testsInfo.updatedTestsInfo;
- } else {
- testsInfo = null;
- }
+
+ testsInfo = null;
} else {
testsInfo = null;
}
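Review bot: The unconditional `testsInfo = null;` that replaces the removed if/else drops the `testsInfo.updatedTestsInfo` continuation, so once policy deltas have been applied and the engine rebuilt the loop ends and the post-delta test set is never executed; the old code only fell back to null when an engine came back null. This silently loses the coverage this class exists for — checking that access, mask and row-filter decisions are still correct after delta updates — while the test keeps passing, which is the kind of gap that lets an authorization regression through unnoticed. Keep the null guard on the remaining engine instead: `testsInfo = (policyEngine != null) ? testsInfo.updatedTestsInfo : null;`. The enclosing do/while in runTests starts and ends outside this hunk, so the loop condition is inferred from the removed branches.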
@@ -322,7 +309,7 @@ private void runTests(InputStreamReader reader, String testName) {
}
- private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngine policyEngineForEvaluatingWithACLs, RangerServiceDef serviceDef, String testName, List<TestData> tests) {
+ private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerServiceDef serviceDef, String testName, List<TestData> tests) {
RangerAccessRequest request;
for(TestData test : tests) {
@@ -408,14 +395,6 @@ private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngin
assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
assertEquals("policy-id mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited() && result.getIsAuditedDetermined());
-
- result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " + test.name, result);
- assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
- assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited());
}
if(test.dataMaskResult != null) {
@@ -431,17 +410,6 @@ private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngin
assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
-
- result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " + test.name, result);
- assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
- assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition());
- assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue());
- assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
-
}
if(test.rowFilterResult != null) {
@@ -455,15 +423,6 @@ private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngin
assertNotNull("result was null! - " + test.name, result);
assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
-
- result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
-
- policyEngine.evaluateAuditPolicies(result);
-
- assertNotNull("result was null! - " + test.name, result);
- assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
- assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId());
-
}
if(test.resourceAccessInfo != null) {