Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 46C81200BC5 for ; Tue, 8 Nov 2016 04:00:56 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 45646160AF9; Tue, 8 Nov 2016 03:00:56 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 65673160AEC for ; Tue, 8 Nov 2016 04:00:55 +0100 (CET) Received: (qmail 1862 invoked by uid 500); 8 Nov 2016 03:00:54 -0000 Mailing-List: contact commits-help@ranger.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ranger.incubator.apache.org Delivered-To: mailing list commits@ranger.incubator.apache.org Received: (qmail 1852 invoked by uid 99); 8 Nov 2016 03:00:54 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Nov 2016 03:00:54 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id C25AA189B43 for ; Tue, 8 Nov 2016 03:00:53 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -6.218 X-Spam-Level: X-Spam-Status: No, score=-6.218 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.999, URIBL_BLOCKED=0.001] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id fMO85KSLhFZR for ; Tue, 8 Nov 2016 03:00:50 +0000 (UTC) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with SMTP id 0DE1C5F1BE for ; Tue, 8 Nov 2016 03:00:48 +0000 (UTC) Received: (qmail 1796 invoked by uid 99); 8 Nov 2016 03:00:48 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Nov 2016 03:00:48 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 38E88E07EF; Tue, 8 Nov 2016 03:00:48 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: madhan@apache.org To: commits@ranger.incubator.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: incubator-ranger git commit: RANGER-1208: Optimize tag enricher for requests containing empty resource (2) Date: Tue, 8 Nov 2016 03:00:48 +0000 (UTC) archived-at: Tue, 08 Nov 2016 03:00:56 -0000 Repository: incubator-ranger Updated Branches: refs/heads/master 3c395a53e -> ebc63ac3f RANGER-1208: Optimize tag enricher for requests containing empty resource (2) Signed-off-by: Madhan Neethiraj Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ebc63ac3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ebc63ac3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ebc63ac3 Branch: refs/heads/master Commit: ebc63ac3ff26f36e577e333f022459bc44c142a0 Parents: 3c395a5 Author: Abhay Kulkarni Authored: Mon Nov 7 14:04:39 2016 -0800 Committer: Madhan Neethiraj Committed: Mon Nov 7 18:59:55 2016 -0800 ---------------------------------------------------------------------- .../contextenricher/RangerTagEnricher.java | 22 ++++++++++++-------- .../RangerDefaultPolicyResourceMatcher.java | 4 +--- .../test_defaultpolicyresourcematcher.json | 12 +++++------ 3 files changed, 20 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebc63ac3/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index 274d6be..43d501a 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -39,7 +39,11 @@ import org.apache.ranger.plugin.util.RangerPerfTracer; import org.apache.ranger.plugin.util.RangerResourceTrie; import org.apache.ranger.plugin.util.ServiceTags; -import java.io.*; +import java.io.File; +import java.io.FileReader; +import java.io.FileWriter; +import java.io.Reader; +import java.io.Writer; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; @@ -178,12 +182,12 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { } } - Set allTagsForEval = new HashSet(); + Set tagsForEmptyResourceAndAnyAccess = new HashSet(); for (Map.Entry entry : serviceTags.getTags().entrySet()) { - allTagsForEval.add(new RangerTagForEval(entry.getValue(), RangerPolicyResourceMatcher.MatchType.ANCESTOR)); + tagsForEmptyResourceAndAnyAccess.add(new RangerTagForEval(entry.getValue(), RangerPolicyResourceMatcher.MatchType.ANCESTOR)); } - enrichedServiceTags = new EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie, allTagsForEval); + enrichedServiceTags = new EnrichedServiceTags(serviceTags, resourceMatchers, serviceResourceTrie, tagsForEmptyResourceAndAnyAccess); } @Override @@ -218,7 +222,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { RangerAccessResource resource = request.getResource(); if ((resource == null || resource.getKeys() == null || resource.getKeys().size() == 0) && request.isAccessTypeAny()) { - ret = enrichedServiceTags.getAllTagsForEval(); + ret = enrichedServiceTags.getTagsForEmptyResourceAndAnyAccess(); } else { final List serviceResourceMatchers = getEvaluators(resource, enrichedServiceTags); @@ -368,19 +372,19 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { final private ServiceTags serviceTags; final private List serviceResourceMatchers; final private Map> serviceResourceTrie; - final private Set allTagsForEval; + final private Set tagsForEmptyResourceAndAnyAccess; // Used only when accessed resource is empty and access type is 'any' EnrichedServiceTags(ServiceTags serviceTags, List serviceResourceMatchers, - Map> serviceResourceTrie, Set allTagsForEval) { + Map> serviceResourceTrie, Set tagsForEmptyResourceAndAnyAccess) { this.serviceTags = serviceTags; this.serviceResourceMatchers = serviceResourceMatchers; this.serviceResourceTrie = serviceResourceTrie; - this.allTagsForEval = allTagsForEval; + this.tagsForEmptyResourceAndAnyAccess = tagsForEmptyResourceAndAnyAccess; } ServiceTags getServiceTags() {return serviceTags;} List getServiceResourceMatchers() { return serviceResourceMatchers;} Map> getServiceResourceTrie() { return serviceResourceTrie;} - Set getAllTagsForEval() { return allTagsForEval;} + Set getTagsForEmptyResourceAndAnyAccess() { return tagsForEmptyResourceAndAnyAccess;} } static class RangerTagRefresher extends Thread { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebc63ac3/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java index 7b1fb8b..5e2fa74 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java @@ -415,10 +415,8 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM if (!isValid(resource)) { ret = MatchType.NONE; - } else if (matchersSize == 0) { + } else if (matchersSize == 0 || lastNonAnyMatcherIndex == 0) { ret = resourceKeysSize == 0 ? MatchType.SELF : MatchType.ANCESTOR; - } else if (lastNonAnyMatcherIndex == 0) { - ret = MatchType.ANCESTOR; } else if (resourceKeysSize == 0) { ret = MatchType.DESCENDANT; } else { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ebc63ac3/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json ---------------------------------------------------------------------- diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json index 1ca9161..71995dc 100644 --- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json +++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json @@ -133,8 +133,8 @@ } , { - "name": "MATCH for parent ''", - "type": "ancestorMatch", + "name": "MATCH for exact ''", + "type": "exactMatch", "resource": { "elements": {} }, @@ -371,8 +371,8 @@ } , { - "name": "MATCH for parent ''", - "type": "ancestorMatch", + "name": "MATCH for exact ''", + "type": "exactMatch", "resource": { "elements": {} }, @@ -420,8 +420,8 @@ } , { - "name": "MATCH for parent ''", - "type": "ancestorMatch", + "name": "MATCH for exact ''", + "type": "exactMatch", "resource": { "elements": {} },