From ab...@apache.org
Subject ranger git commit: RANGER-1665: provide a way to get list of policies associated with given resource
Date Fri, 23 Jun 2017 23:49:14 GMT
Repository: ranger
Updated Branches:
  refs/heads/ranger-0.7 3e504e8b0 -> a219604a4


RANGER-1665: provide a way to get list of policies associated with given resource


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a219604a
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a219604a
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a219604a

Branch: refs/heads/ranger-0.7
Commit: a219604a4ba44c64e401a70abbc25a1ada0cdb7e
Parents: 3e504e8
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Fri Jun 23 15:46:16 2017 -0700
Committer: Abhay Kulkarni <akulkarni@hortonworks.com>
Committed: Fri Jun 23 16:48:55 2017 -0700

----------------------------------------------------------------------
 .../contextenricher/RangerTagEnricher.java      |   4 +
 .../plugin/policyengine/RangerPolicyEngine.java |   2 +
 .../policyengine/RangerPolicyEngineCache.java   |  29 +--
 ...RangerPolicyEngineCacheForEngineOptions.java |  62 ++++++
 .../policyengine/RangerPolicyEngineImpl.java    |  76 ++++++-
 .../policyengine/RangerPolicyEngineOptions.java |  98 ++++++++-
 .../policyengine/RangerPolicyRepository.java    |  43 ++--
 .../ranger/plugin/store/AbstractTagStore.java   |   5 +
 .../apache/ranger/plugin/store/TagStore.java    |   1 +
 .../java/org/apache/ranger/biz/TagDBStore.java  |   7 +
 .../ranger/common/RangerAdminTagEnricher.java   | 112 ++++++++++
 .../org/apache/ranger/rest/PublicAPIsv2.java    |   9 +
 .../org/apache/ranger/rest/ServiceREST.java     | 203 ++++++++++++++++---
 13 files changed, 568 insertions(+), 83 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index 9a57719..5f0a422 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -199,6 +199,10 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 		}
 	}
 
+	protected Long getServiceTagsVersion() {
+		return enrichedServiceTags != null ? enrichedServiceTags.getServiceTags().getTagVersion() : null;
+	}
+
 	@Override
 	public boolean preCleanup() {
 		boolean ret = true;
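Review bot: `getServiceTagsVersion` reads the `enrichedServiceTags` field twice, once for the null check and once for the dereference, so if that field is replaced by another thread between the two reads (the enricher is presumably refreshed asynchronously; that is not visible in this hunk) the second read can see a value the check never looked at. Copy the field into a local of its declared type first and test that local, e.g. `return current != null ? current.getServiceTags().getTagVersion() : null;` after the assignment. Whether `getServiceTags()` can itself return null is not visible here; if it can, the same guard is needed one level down. A one-line Javadoc stating that `null` means no tags have been loaded would help the new ranger-admin subclass listed in the diffstat.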

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index b758d69..d9b0298 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -75,6 +75,8 @@ public interface RangerPolicyEngine {
 
 	List<RangerPolicy> getAllowedPolicies(String user, Set<String> userGroups, String accessType);
 
+	List<RangerPolicy> getMatchingPolicies(RangerAccessResource resource);
+
 	RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request);
 
 	void reorderPolicyEvaluators();
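Review bot: The new `getMatchingPolicies(RangerAccessResource)` declaration carries no Javadoc, and unlike `getAllowedPolicies` just above it takes no user or groups, so a reader of the interface cannot tell whether the result is filtered by any caller identity. Based on the implementation in this commit it returns every policy whose resource matcher matches the resource, across access, data-mask and row-filter policies plus tag policies, with no user, group or access-type filtering. A Javadoc saying exactly that, and adding that callers exposing it over REST must authorize the requester themselves, would prevent the method being reused as if it were an access check.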

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
index 51f2142..58fbffd 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
@@ -19,7 +19,6 @@
 
 package org.apache.ranger.plugin.policyengine;
 
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -28,20 +27,12 @@ import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.store.ServiceStore;
 import org.apache.ranger.plugin.util.ServicePolicies;
 
-public class RangerPolicyEngineCache {
+class RangerPolicyEngineCache {
 	private static final Log LOG = LogFactory.getLog(RangerPolicyEngineCache.class);
 
-	private static final RangerPolicyEngineCache sInstance = new RangerPolicyEngineCache();
+	private final Map<String, RangerPolicyEngine> policyEngineCache = new HashMap<String, RangerPolicyEngine>();
 
-	private final Map<String, RangerPolicyEngine> policyEngineCache = Collections.synchronizedMap(new HashMap<String, RangerPolicyEngine>());
-
-	private RangerPolicyEngineOptions options = null;
-
-	public static RangerPolicyEngineCache getInstance() {
-		return sInstance;
-	}
-
-	public RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore) {
+	synchronized final RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore, RangerPolicyEngineOptions options) {
 		RangerPolicyEngine ret = null;
 
 		if(serviceName != null) {
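Review bot: Making `getPolicyEngine` `synchronized` serialises every caller on this cache, and the body (continued past this hunk; the lines that fetch `policies` from `svcStore` are not shown) appears to perform the store lookup and, per the next hunk, construct a new `RangerPolicyEngineImpl` while holding that monitor, so one slow store round-trip or a large policy load blocks every concurrent request sharing this cache. The `synchronizedMap` it replaces only locked around map access. If the intent is only to avoid building the same engine twice, consider a per-service lock, or narrow the critical section to the map read and the final put and let the version check and engine construction run outside it. The method starts in this hunk but its body continues beyond it.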
@@ -55,9 +46,9 @@ public class RangerPolicyEngineCache {
 
 					if(policies != null) {
 						if(ret == null) {
-							ret = addPolicyEngine(policies);
+							ret = addPolicyEngine(policies, options);
 						} else if(policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) {
-							ret = addPolicyEngine(policies);
+							ret = addPolicyEngine(policies, options);
 						}
 					}
 				} catch(Exception excp) {
@@ -69,15 +60,7 @@ public class RangerPolicyEngineCache {
 		return ret;
 	}
 
-	public RangerPolicyEngineOptions getPolicyEngineOptions() {
-		return options;
-	}
-
-	public void setPolicyEngineOptions(RangerPolicyEngineOptions options) {
-		this.options = options;
-	}
-
-	private RangerPolicyEngine addPolicyEngine(ServicePolicies policies) {
+	private RangerPolicyEngine addPolicyEngine(ServicePolicies policies, RangerPolicyEngineOptions options) {
 		RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, options);
 
 		policyEngineCache.put(policies.getServiceName(), ret);

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java
new file mode 100644
index 0000000..ca6a2a3
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.policyengine;
+
+import org.apache.ranger.plugin.store.ServiceStore;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+public class RangerPolicyEngineCacheForEngineOptions {
+
+    private static volatile RangerPolicyEngineCacheForEngineOptions sInstance = null;
+
+    private final Map<RangerPolicyEngineOptions, RangerPolicyEngineCache> policyEngineCacheForEngineOptions = Collections.synchronizedMap(new HashMap<RangerPolicyEngineOptions, RangerPolicyEngineCache>());
+
+    public static RangerPolicyEngineCacheForEngineOptions getInstance() {
+        RangerPolicyEngineCacheForEngineOptions ret = sInstance;
+        if (ret == null) {
+            synchronized (RangerPolicyEngineCacheForEngineOptions.class) {
+                ret = sInstance;
+                if (ret == null) {
+                    sInstance = new RangerPolicyEngineCacheForEngineOptions();
+                    ret = sInstance;
+                }
+            }
+        }
+        return ret;
+    }
+
+    public final RangerPolicyEngine getPolicyEngine(String serviceName, ServiceStore svcStore, RangerPolicyEngineOptions options) {
+
+        RangerPolicyEngineCache policyEngineCache;
+
+        synchronized (this) {
+            policyEngineCache = policyEngineCacheForEngineOptions.get(options);
+            if (policyEngineCache == null) {
+                policyEngineCache = new RangerPolicyEngineCache();
+                policyEngineCacheForEngineOptions.put(options, policyEngineCache);
+            }
+        }
+        return policyEngineCache.getPolicyEngine(serviceName, svcStore, options);
+    }
+}
+
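Review bot: `getPolicyEngine` stores the caller's `options` object as a live map key at L213, while `RangerPolicyEngineOptions` is a plain class whose public boolean fields feed its `equals`/`hashCode`; if a caller changes any flag after the first call, the stored key's hash changes, the existing entry becomes unreachable, and a fresh `RangerPolicyEngineCache` (with its own engine per service) is created on every such change, growing `policyEngineCacheForEngineOptions` without bound. Either copy the options into a new instance before using them as the key, or document on this method that the passed object must not be mutated afterwards. Separately, the `synchronized (this)` block at L209 already guards every access to the map, so wrapping it in `Collections.synchronizedMap` adds a second redundant lock; a plain `HashMap` under the same monitor is equivalent and clearer.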

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index a359d01..34ae416 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -417,7 +417,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		}
 		boolean ret = false;
 
-		for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators(resource)) {
+		for (RangerPolicyEvaluator evaluator : policyRepository.getLikelyMatchPolicyEvaluators(resource)) {
 			ret = evaluator.isAccessAllowed(resource, user, userGroups, accessType);
 
 			if (ret) {
@@ -543,6 +543,64 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	}
 
 	@Override
+	public List<RangerPolicy> getMatchingPolicies(RangerAccessResource resource) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerPolicyEngineImpl.getMatchingPolicies(" + resource + ")");
+		}
+
+		List<RangerPolicy> ret = new ArrayList<>();
+
+		RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null);
+
+		preProcess(request);
+
+		if (hasTagPolicies()) {
+			Set<RangerTagForEval> tags = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
+
+			if (CollectionUtils.isNotEmpty(tags)) {
+				for (RangerTagForEval tag : tags) {
+					RangerAccessRequest         tagEvalRequest            = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
+					RangerAccessResource        tagResource               = tagEvalRequest.getResource();
+					List<RangerPolicyEvaluator> accessPolicyEvaluators    = tagPolicyRepository.getLikelyMatchPolicyEvaluators(tagResource);
+					List<RangerPolicyEvaluator> dataMaskPolicyEvaluators  = tagPolicyRepository.getLikelyMatchDataMaskPolicyEvaluators(tagResource);
+					List<RangerPolicyEvaluator> rowFilterPolicyEvaluators = tagPolicyRepository.getLikelyMatchRowFilterPolicyEvaluators(tagResource);
+
+					List<RangerPolicyEvaluator>[] likelyEvaluators = new List[] { accessPolicyEvaluators, dataMaskPolicyEvaluators, rowFilterPolicyEvaluators };
+
+					for (List<RangerPolicyEvaluator> evaluators : likelyEvaluators) {
+						for (RangerPolicyEvaluator evaluator : evaluators) {
+							if (evaluator.isMatch(tagResource, null)) {
+								ret.add(evaluator.getPolicy());
+							}
+						}
+					}
+				}
+			}
+		}
+
+		if (hasResourcePolicies()) {
+			List<RangerPolicyEvaluator> accessPolicyEvaluators    = policyRepository.getLikelyMatchPolicyEvaluators(resource);
+			List<RangerPolicyEvaluator> dataMaskPolicyEvaluators  = policyRepository.getLikelyMatchDataMaskPolicyEvaluators(resource);
+			List<RangerPolicyEvaluator> rowFilterPolicyEvaluators = policyRepository.getLikelyMatchRowFilterPolicyEvaluators(resource);
+
+			List<RangerPolicyEvaluator>[] likelyEvaluators = new List[] { accessPolicyEvaluators, dataMaskPolicyEvaluators, rowFilterPolicyEvaluators };
+
+			for (List<RangerPolicyEvaluator> evaluators : likelyEvaluators) {
+				for (RangerPolicyEvaluator evaluator : evaluators) {
+					if (evaluator.isMatch(resource, null)) {
+						ret.add(evaluator.getPolicy());
+					}
+				}
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerPolicyEngineImpl.getMatchingPolicies(" + resource + ") : " + ret.size());
+		}
+		return ret;
+	}
+
+	@Override
 	public RangerResourceAccessInfo getResourceAccessInfo(RangerAccessRequest request) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerPolicyEngineImpl.getResourceAccessInfo(" + request + ")");
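Review bot: The returned list can contain the same `RangerPolicy` more than once: the tag loop at L255-L271 runs the tag-policy evaluators once per tag, so a tag policy whose matcher accepts several of the request's tags is appended once per matching tag. Collecting into a `LinkedHashSet<RangerPolicy>` and wrapping it in a list on return, or de-duplicating by policy id, keeps the order and drops the repeats. The `new List[] { ... }` at L262 and L280 create raw generic arrays and will produce unchecked warnings; a `List<List<RangerPolicyEvaluator>>` built from the three lists avoids that. The request is built with a null user and groups and `ANY_ACCESS`, so this returns policies regardless of who is asking; the REST layer that exposes it (ServiceREST in the diffstat, not shown here) is where the requester's privilege has to be checked, and a comment saying so on this method would make that contract explicit. `getResourceAccessInfo`, which begins at the end of this hunk, continues outside it.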
@@ -558,7 +616,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 				for (RangerTagForEval tag : tags) {
 					RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
 
-					List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(tagEvalRequest.getResource());
+					List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getLikelyMatchPolicyEvaluators(tagEvalRequest.getResource());
 
 					for (RangerPolicyEvaluator evaluator : evaluators) {
 						evaluator.getResourceAccessInfo(tagEvalRequest, ret);
@@ -567,7 +625,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			}
 		}
 
-		List<RangerPolicyEvaluator> resPolicyEvaluators = policyRepository.getPolicyEvaluators(request.getResource());
+		List<RangerPolicyEvaluator> resPolicyEvaluators = policyRepository.getLikelyMatchPolicyEvaluators(request.getResource());
 
 		if(CollectionUtils.isNotEmpty(resPolicyEvaluators)) {
 			for (RangerPolicyEvaluator evaluator : resPolicyEvaluators) {
@@ -615,7 +673,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 					ret.setIsAccessDetermined(false); // discard allowed result by tag-policies, to evaluate resource policies for possible deny
 				}
 
-				List<RangerPolicyEvaluator> evaluators = policyRepository.getPolicyEvaluators(request.getResource());
+				List<RangerPolicyEvaluator> evaluators = policyRepository.getLikelyMatchPolicyEvaluators(request.getResource());
 				for (RangerPolicyEvaluator evaluator : evaluators) {
 					ret.incrementEvaluatedPoliciesCount();
 					evaluator.evaluate(request, ret);
@@ -673,7 +731,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 					}
 					tagEvalResult.setAuditResultFrom(result);
 
-					List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators(tagEvalRequest.getResource());
+					List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getLikelyMatchPolicyEvaluators(tagEvalRequest.getResource());
 
 					for (RangerPolicyEvaluator evaluator : evaluators) {
 						result.incrementEvaluatedPoliciesCount();
@@ -751,7 +809,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			if (evaluateResourcePolicies) {
 				boolean                     findAuditByResource = !ret.getIsAuditedDetermined();
 				boolean                     foundInCache        = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret);
-				List<RangerPolicyEvaluator> evaluators          = policyRepository.getDataMaskPolicyEvaluators(request.getResource());
+				List<RangerPolicyEvaluator> evaluators          = policyRepository.getLikelyMatchDataMaskPolicyEvaluators(request.getResource());
 
 				for (RangerPolicyEvaluator evaluator : evaluators) {
 					ret.incrementEvaluatedPoliciesCount();
@@ -789,7 +847,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 
 		if (CollectionUtils.isNotEmpty(tagEvaluators)) {
 			Set<RangerTagForEval>       tags               = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
-			List<PolicyEvaluatorForTag> dataMaskEvaluators = tagPolicyRepository.getDataMaskPolicyEvaluators(tags);
+			List<PolicyEvaluatorForTag> dataMaskEvaluators = tagPolicyRepository.getLikelyMatchDataMaskPolicyEvaluators(tags);
 
 			if (CollectionUtils.isNotEmpty(dataMaskEvaluators)) {
 				for (PolicyEvaluatorForTag dataMaskEvaluator : dataMaskEvaluators) {
@@ -862,7 +920,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			if (evaluateResourcePolicies) {
 				boolean                     findAuditByResource = !ret.getIsAuditedDetermined();
 				boolean                     foundInCache        = findAuditByResource && policyRepository.setAuditEnabledFromCache(request, ret);
-				List<RangerPolicyEvaluator> evaluators          = policyRepository.getRowFilterPolicyEvaluators(request.getResource());
+				List<RangerPolicyEvaluator> evaluators          = policyRepository.getLikelyMatchRowFilterPolicyEvaluators(request.getResource());
 
 				for (RangerPolicyEvaluator evaluator : evaluators) {
 					ret.incrementEvaluatedPoliciesCount();
@@ -894,7 +952,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 
 		if (CollectionUtils.isNotEmpty(tagEvaluators)) {
 			Set<RangerTagForEval>       tags                = RangerAccessRequestUtil.getRequestTagsFromContext(request.getContext());
-			List<PolicyEvaluatorForTag> rowFilterEvaluators = tagPolicyRepository.getRowFilterPolicyEvaluators(tags);
+			List<PolicyEvaluatorForTag> rowFilterEvaluators = tagPolicyRepository.getLikelyMatchRowFilterPolicyEvaluators(tags);
 
 			if (CollectionUtils.isNotEmpty(rowFilterEvaluators)) {
 				for (PolicyEvaluatorForTag rowFilterEvaluator : rowFilterEvaluators) {

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
index 2b2cf9b..3505643 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineOptions.java
@@ -19,15 +19,105 @@
 
 package org.apache.ranger.plugin.policyengine;
 
+import org.apache.hadoop.conf.Configuration;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 
 
 public class RangerPolicyEngineOptions {
-	public String  evaluatorType           = RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO;
-	public boolean cacheAuditResults       = true;
+	public String evaluatorType = RangerPolicyEvaluator.EVALUATOR_TYPE_AUTO;
+
 	public boolean disableContextEnrichers = false;
 	public boolean disableCustomConditions = false;
-	public boolean disableTagPolicyEvaluation = true;
-	public boolean evaluateDelegateAdminOnly = false;
+	public boolean disableTagPolicyEvaluation = false;
 	public boolean disableTrieLookupPrefilter = false;
+	public boolean cacheAuditResults = true;
+	public boolean evaluateDelegateAdminOnly = false;
+	public boolean enableTagEnricherWithLocalRefresher = false;
+
+	public void configureForPlugin(Configuration conf, String propertyPrefix) {
+		disableContextEnrichers = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", false);
+		disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", false);
+		disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false);
+		disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+
+		cacheAuditResults = conf.getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", true);
+
+		evaluateDelegateAdminOnly = false;
+		enableTagEnricherWithLocalRefresher = false;
+	}
+
+	public void configureDefaultRangerAdmin(Configuration conf, String propertyPrefix) {
+		disableContextEnrichers = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
+		disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
+		disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", true);
+		disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+
+		cacheAuditResults = false;
+		evaluateDelegateAdminOnly = false;
+		enableTagEnricherWithLocalRefresher = false;
+	}
+
+	public void configureDelegateAdmin(Configuration conf, String propertyPrefix) {
+		disableContextEnrichers = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
+		disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
+		disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", true);
+		disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+
+		cacheAuditResults = false;
+		evaluateDelegateAdminOnly = true;
+		enableTagEnricherWithLocalRefresher = false;
+
+	}
+
+	public void configureRangerAdminForPolicySearch(Configuration conf, String propertyPrefix) {
+		disableContextEnrichers = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
+		disableCustomConditions = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
+		disableTagPolicyEvaluation = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.tagpolicy.evaluation", false);
+		disableTrieLookupPrefilter = conf.getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
+
+		cacheAuditResults = false;
+		evaluateDelegateAdminOnly = false;
+		enableTagEnricherWithLocalRefresher = true;
+	}
+
+	/*
+	* There is no need to implement these, as the options are predefined in a component ServiceREST and hence
+	* guaranteed to be unique objects. That implies that the default equals and hashCode should suffice.
+	*/
+
+	@Override
+	public boolean equals(Object other) {
+		boolean ret = false;
+		if (other instanceof RangerPolicyEngineOptions) {
+			RangerPolicyEngineOptions that = (RangerPolicyEngineOptions) other;
+			ret = this.disableContextEnrichers == that.disableContextEnrichers
+					&& this.disableCustomConditions == that.disableCustomConditions
+					&& this.disableTagPolicyEvaluation == that.disableTagPolicyEvaluation
+					&& this.disableTrieLookupPrefilter == that.disableTrieLookupPrefilter
+					&& this.cacheAuditResults == that.cacheAuditResults
+					&& this.evaluateDelegateAdminOnly == that.evaluateDelegateAdminOnly
+					&& this.enableTagEnricherWithLocalRefresher == that.enableTagEnricherWithLocalRefresher;
+		}
+		return ret;
+	}
+
+	@Override
+	public int hashCode() {
+		int ret = 0;
+		ret += disableContextEnrichers ? 1 : 0;
+		ret *= 2;
+		ret += disableCustomConditions ? 1 : 0;
+		ret *= 2;
+		ret += disableTagPolicyEvaluation ? 1 : 0;
+		ret *= 2;
+		ret += disableTrieLookupPrefilter ? 1 : 0;
+		ret *= 2;
+		ret += cacheAuditResults ? 1 : 0;
+		ret *= 2;
+		ret += evaluateDelegateAdminOnly ? 1 : 0;
+		ret *= 2;
+		ret += enableTagEnricherWithLocalRefresher ? 1 : 0;
+		ret *= 2;
+		return ret;
+	}
 }
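Review bot: The comment at L449-L452 says there is no need to implement `equals`/`hashCode` and that the defaults suffice, yet both are overridden directly below it; the comment is stale and should be replaced with one stating why the overrides exist, e.g. `// Used as the key of RangerPolicyEngineCacheForEngineOptions: option sets with identical flags must share a cache.` Also, `evaluatorType` is a field of this class but is excluded from both `equals` and `hashCode`, so two callers that differ only in evaluator type are treated as the same key and share a policy engine built with whichever type arrived first; either include it in both methods or document that it is intentionally ignored. The trailing `ret *= 2;` at L486 after the last field is harmless but pointless and can be dropped.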

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index bdbdd13..5631973 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -25,6 +25,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
+import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
 import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
@@ -216,23 +217,23 @@ class RangerPolicyRepository {
         return policyEvaluators;
     }
 
-    List<RangerPolicyEvaluator> getPolicyEvaluators(RangerAccessResource resource) {
+    List<RangerPolicyEvaluator> getLikelyMatchPolicyEvaluators(RangerAccessResource resource) {
        String resourceStr = resource == null ? null : resource.getAsString();
 
-       return policyResourceTrie == null || StringUtils.isEmpty(resourceStr)  ? getPolicyEvaluators() : getPolicyEvaluators(policyResourceTrie, resource);
+       return policyResourceTrie == null || StringUtils.isEmpty(resourceStr)  ? getPolicyEvaluators() : getLikelyMatchPolicyEvaluators(policyResourceTrie, resource);
     }
 
     List<RangerPolicyEvaluator> getDataMaskPolicyEvaluators() {
         return dataMaskPolicyEvaluators;
     }
 
-    List<RangerPolicyEvaluator> getDataMaskPolicyEvaluators(RangerAccessResource resource) {
+    List<RangerPolicyEvaluator> getLikelyMatchDataMaskPolicyEvaluators(RangerAccessResource resource) {
         String resourceStr = resource == null ? null : resource.getAsString();
 
-        return dataMaskResourceTrie == null || StringUtils.isEmpty(resourceStr)  ? getDataMaskPolicyEvaluators() : getPolicyEvaluators(dataMaskResourceTrie, resource);
+        return dataMaskResourceTrie == null || StringUtils.isEmpty(resourceStr)  ? getDataMaskPolicyEvaluators() : getLikelyMatchPolicyEvaluators(dataMaskResourceTrie, resource);
     }
 
-    List<PolicyEvaluatorForTag> getDataMaskPolicyEvaluators(Set<RangerTagForEval> tags) {
+    List<PolicyEvaluatorForTag> getLikelyMatchDataMaskPolicyEvaluators(Set<RangerTagForEval> tags) {
         return getSortedPolicyEvaluatorsForTags(tags, RangerPolicy.POLICY_TYPE_DATAMASK);
     }
 
@@ -240,19 +241,19 @@ class RangerPolicyRepository {
         return rowFilterPolicyEvaluators;
     }
 
-    List<RangerPolicyEvaluator> getRowFilterPolicyEvaluators(RangerAccessResource resource) {
+    List<RangerPolicyEvaluator> getLikelyMatchRowFilterPolicyEvaluators(RangerAccessResource resource) {
         String resourceStr = resource == null ? null : resource.getAsString();
 
-        return rowFilterResourceTrie == null || StringUtils.isEmpty(resourceStr)  ? getRowFilterPolicyEvaluators() : getPolicyEvaluators(rowFilterResourceTrie, resource);
+        return rowFilterResourceTrie == null || StringUtils.isEmpty(resourceStr)  ? getRowFilterPolicyEvaluators() : getLikelyMatchPolicyEvaluators(rowFilterResourceTrie, resource);
     }
 
-    List<PolicyEvaluatorForTag> getRowFilterPolicyEvaluators(Set<RangerTagForEval> tags) {
+    List<PolicyEvaluatorForTag> getLikelyMatchRowFilterPolicyEvaluators(Set<RangerTagForEval> tags) {
         return getSortedPolicyEvaluatorsForTags(tags, RangerPolicy.POLICY_TYPE_ROWFILTER);
     }
 
     AuditModeEnum getAuditModeEnum() { return auditModeEnum; }
 
-    private List<RangerPolicyEvaluator> getPolicyEvaluators(Map<String, RangerResourceTrie> resourceTrie, RangerAccessResource resource) {
+    private List<RangerPolicyEvaluator> getLikelyMatchPolicyEvaluators(Map<String, RangerResourceTrie> resourceTrie, RangerAccessResource resource) {
         List<RangerPolicyEvaluator> ret          = null;
         Set<String>                 resourceKeys = resource == null ? null : resource.getKeys();
 
@@ -305,7 +306,7 @@ class RangerPolicyRepository {
         }
 
         if(LOG.isDebugEnabled()) {
-            LOG.debug("<== RangerPolicyRepository.getPolicyEvaluators(" + resource.getAsString() + "): evaluatorCount=" + ret.size());
+            LOG.debug("<== RangerPolicyRepository.getLikelyMatchPolicyEvaluators(" + resource.getAsString() + "): evaluatorCount=" + ret.size());
         }
 
         return ret;
@@ -322,11 +323,11 @@ class RangerPolicyRepository {
                 RangerAccessResource resource = new RangerTagResource(tag.getType(), getServiceDef());
                 List<RangerPolicyEvaluator> evaluators = null;
                 if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
-                    evaluators = getDataMaskPolicyEvaluators(resource);
+                    evaluators = getLikelyMatchDataMaskPolicyEvaluators(resource);
                 } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
-                    evaluators = getRowFilterPolicyEvaluators(resource);
+                    evaluators = getLikelyMatchRowFilterPolicyEvaluators(resource);
                 } else {
-                    evaluators = getPolicyEvaluators(resource);
+                    evaluators = getLikelyMatchPolicyEvaluators(resource);
                 }
                 if (CollectionUtils.isNotEmpty(evaluators)) {
                     for (RangerPolicyEvaluator evaluator : evaluators) {
@@ -576,16 +577,24 @@ class RangerPolicyRepository {
 
         List<RangerContextEnricher> contextEnrichers = new ArrayList<RangerContextEnricher>();
         if (CollectionUtils.isNotEmpty(this.policyEvaluators)) {
-            if (!options.disableContextEnrichers && !CollectionUtils.isEmpty(serviceDef.getContextEnrichers())) {
+            if (CollectionUtils.isNotEmpty(serviceDef.getContextEnrichers())) {
                 for (RangerServiceDef.RangerContextEnricherDef enricherDef : serviceDef.getContextEnrichers()) {
                     if (enricherDef == null) {
                         continue;
                     }
+                    if (!options.disableContextEnrichers || options.enableTagEnricherWithLocalRefresher && StringUtils.equals(enricherDef.getEnricher(), RangerTagEnricher.class.getName())) {
+                        // This will be true only if the engine is initialized within ranger-admin
+                        RangerServiceDef.RangerContextEnricherDef contextEnricherDef = enricherDef;
 
-                    RangerContextEnricher contextEnricher = buildContextEnricher(enricherDef);
+                        if (options.enableTagEnricherWithLocalRefresher && StringUtils.equals(enricherDef.getEnricher(), RangerTagEnricher.class.getName())) {
+                            contextEnricherDef = new RangerServiceDef.RangerContextEnricherDef(enricherDef.getItemId(), enricherDef.getName(), "org.apache.ranger.common.RangerAdminTagEnricher", null);
+                        }
+
+                        RangerContextEnricher contextEnricher = buildContextEnricher(contextEnricherDef);
 
-                    if (contextEnricher != null) {
-                        contextEnrichers.add(contextEnricher);
+                        if (contextEnricher != null) {
+                            contextEnrichers.add(contextEnricher);
+                        }
                     }
                 }
             }
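Review bot: The comment `// This will be true only if the engine is initialized within ranger-admin` sits under the combined `!options.disableContextEnrichers || …` condition but describes only its second operand, so it misleads whenever enrichers are simply enabled; move it to the inner `if (options.enableTagEnricherWithLocalRefresher && …)` block. That `enableTagEnricherWithLocalRefresher && StringUtils.equals(...)` test is written twice; hoisting it into a local `boolean useAdminTagEnricher = …` removes the duplication and makes the precedence of `&&` over `||` in the outer condition explicit instead of implicit. The class name `"org.apache.ranger.common.RangerAdminTagEnricher"` is presumably a string literal because agents-common cannot reference security-admin; a comment saying so would spare the next reader a search. The enclosing method begins before this hunk.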

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
index 90c1da6..5750030 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
@@ -33,6 +33,11 @@ public abstract class AbstractTagStore implements TagStore {
 		this.svcStore = svcStore;
 	}
 
+	@Override
+	final public ServiceStore getServiceStore() {
+		return svcStore;
+	}
+
 }
 
 
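Review bot: `final public ServiceStore getServiceStore()` uses a non-conventional modifier order; the usual order is `public final ServiceStore getServiceStore()`. The getter also returns whatever `setServiceStore` last stored, which may be null before that setter has run, so a one-line Javadoc such as `/** Returns the ServiceStore supplied via setServiceStore, or null if none has been set yet. */` would document the contract that the admin-side enricher now depends on.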

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
index 3c5a43b..5918b12 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
@@ -34,6 +34,7 @@ public interface TagStore {
 
     void setServiceStore(ServiceStore svcStore);
 
+    ServiceStore getServiceStore();
 
     RangerTagDef createTagDef(RangerTagDef tagDef) throws Exception;
 
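Review bot: `ServiceStore getServiceStore();` is added to a public interface without Javadoc; a short `/** Returns the ServiceStore passed to {@link #setServiceStore}, or null if none has been set. */` would state the contract implementors and callers rely on. Adding an abstract method to `TagStore` also breaks any implementation outside this tree that does not extend `AbstractTagStore`; that is presumably acceptable here, but it is an API change worth recording in the commit message.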

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java
index fa97bc9..a115bb7 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java
@@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.common.GUIDUtil;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerAdminTagEnricher;
 import org.apache.ranger.common.RangerServiceTagsCache;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.entity.XXDBBase;
@@ -63,6 +64,7 @@ import org.apache.ranger.service.RangerServiceResourceService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpServletResponse;
 
 @Component
@@ -96,6 +98,11 @@ public class TagDBStore extends AbstractTagStore {
 	@Autowired
 	RESTErrorUtil restErrorUtil;
 
+	@PostConstruct
+	public void initStore() {
+		RangerAdminTagEnricher.setTagStore(this);
+	}
+
 	@Override
 	public RangerTagDef createTagDef(RangerTagDef tagDef) throws Exception {
 		if (LOG.isDebugEnabled()) {
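Review bot: `RangerAdminTagEnricher.setTagStore(this)` wires a Spring-managed bean into a static field and nothing here explains why; a comment such as `// The enricher is instantiated by the policy engine rather than by Spring, so it reaches the store through a static holder` (if that is the reason — confirm) would record the design intent. Because the enricher later reads `tagStore.getServiceStore()` in its `init()`, the store registered here is only usable once `ServiceREST.initStore()` has also run; documenting that ordering dependency on this method avoids a null-store surprise during startup.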

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/security-admin/src/main/java/org/apache/ranger/common/RangerAdminTagEnricher.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerAdminTagEnricher.java b/security-admin/src/main/java/org/apache/ranger/common/RangerAdminTagEnricher.java
new file mode 100644
index 0000000..f81184d
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/common/RangerAdminTagEnricher.java
@@ -0,0 +1,112 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.common;
+
+import org.apache.ranger.plugin.contextenricher.RangerTagEnricher;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.store.ServiceStore;
+import org.apache.ranger.plugin.store.TagStore;
+import org.apache.ranger.plugin.util.ServiceTags;
+
+public class RangerAdminTagEnricher extends RangerTagEnricher {
+    private static final Log LOG = LogFactory.getLog(RangerAdminTagEnricher.class);
+
+    private static TagStore tagStore = null;
+
+    private Long serviceId;
+
+    public static void setTagStore(TagStore tagStore) {
+        RangerAdminTagEnricher.tagStore = tagStore;
+    }
+
+    @Override
+    public void init() {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> RangerAdminTagEnricher.init()");
+        }
+        super.init();
+
+        ServiceStore svcStore = tagStore != null ? tagStore.getServiceStore() : null;
+
+        if (tagStore == null || svcStore == null) {
+            LOG.error("ServiceDBStore/TagDBStore is not initialized!! Internal Error!");
+        } else {
+            try {
+                RangerService service = svcStore.getServiceByName(serviceName);
+                serviceId = service.getId();
+            } catch (Exception e) {
+                LOG.error("Cannot find service with name:[" + serviceName + "]", e);
+                LOG.error("This will cause tag-enricher in Ranger-Admin to fail!!");
+            }
+        }
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== RangerAdminTagEnricher.init()");
+        }
+    }
+
+    @Override
+    public void enrich(RangerAccessRequest request) {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> RangerAdminTagEnricher.enrich(" + request + ")");
+        }
+
+        refreshTagsIfNeeded();
+        super.enrich(request);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== RangerAdminTagEnricher.enrich(" + request + ")");
+        }
+    }
+
+    private void refreshTagsIfNeeded() {
+        ServiceTags serviceTags = null;
+        try {
+            serviceTags = RangerServiceTagsCache.getInstance().getServiceTags(serviceName, serviceId, tagStore);
+        } catch (Exception e) {
+            LOG.error("Could not get cached service-tags, continue to use old ones..", e);
+        }
+
+        if (serviceTags != null) {
+            Long enrichedServiceTagsVersion = getServiceTagsVersion();
+
+            if (enrichedServiceTagsVersion == null || !enrichedServiceTagsVersion.equals(serviceTags.getTagVersion())) {
+                synchronized(this) {
+                    enrichedServiceTagsVersion = getServiceTagsVersion();
+
+                    if (enrichedServiceTagsVersion == null || !enrichedServiceTagsVersion.equals(serviceTags.getTagVersion())) {
+                        setServiceTags(serviceTags);
+                    }
+                }
+            }
+        }
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append("RangerAdminTagEnricher={serviceName=").append(serviceName).append(", ");
+        sb.append("serviceId=").append(serviceId).append("}");
+        return sb.toString();
+    }
+}
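Review bot: In `init()`, a service name the store does not know leaves `service` null, and the NullPointerException from `service.getId()` is only caught by the generic `catch (Exception e)` with a message that blames the lookup; check the result explicitly: `if (service == null) { LOG.error("Service not found:[" + serviceName + "]"); } else { serviceId = service.getId(); }`. Either way `serviceId` stays null while `enrich()` keeps running, so `refreshTagsIfNeeded()` then calls `getServiceTags(serviceName, null, tagStore)` on every request; if that yields no tags, tag-based policies are silently missing from the new for-resource search results, so confirm whether the enricher should instead refuse to initialize rather than return an incomplete answer. The unsynchronized `getServiceTagsVersion()` read followed by the `synchronized(this)` re-check assumes the parent's version field is safe to read without the lock; a comment stating that assumption would help the next reader.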

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index dbb34bd..fa3c68e 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -339,6 +339,15 @@ public class PublicAPIsv2 {
 		return serviceREST.getServicePoliciesByName(serviceName, request).getPolicies();
 	}
 
+	@GET
+	@Path("/api/policies/{serviceDefName}/for-resource/")
+	@Produces({ "application/json", "application/xml" })
+	public List<RangerPolicy> getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName,
+													 @DefaultValue("") @QueryParam("serviceName") String serviceName,
+													 @Context HttpServletRequest request) {
+		return serviceREST.getPoliciesForResource(serviceDefName, serviceName, request);
+	}
+
 	@POST
 	@Path("/api/policy/")
 	@Produces({ "application/json", "application/xml" })
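Review bot: The public path `/api/policies/{serviceDefName}/for-resource/` ends with a slash while the `ServiceREST` mapping it delegates to is `/policies/{serviceDefName}/for-resource`; the neighbouring public routes such as `/api/policy/` also end with a slash, so this is presumably the local convention, but the two mappings should at least be documented together so clients are not surprised by different redirect or 404 behaviour between them. No Javadoc describes how the resource is passed; a comment above the method, e.g. `// The resource is given as query parameters whose names start with SearchFilter.RESOURCE_PREFIX; serviceName is optional when exactly one service of the type exists`, would make the API discoverable.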

http://git-wip-us.apache.org/repos/asf/ranger/blob/a219604a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index c33d044..239081d 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -32,6 +32,7 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.TreeMap;
 
+import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.Consumes;
@@ -51,6 +52,7 @@ import javax.ws.rs.core.MediaType;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -86,16 +88,16 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
 import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
-import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCacheForEngineOptions;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.plugin.store.PList;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
@@ -201,9 +203,21 @@ public class ServiceREST {
 	@Autowired
     JSONUtil jsonUtil;
 
+	private RangerPolicyEngineOptions delegateAdminOptions;
+	private RangerPolicyEngineOptions policySearchAdminOptions;
+	private RangerPolicyEngineOptions defaultAdminOptions;
+
 	public ServiceREST() {
 	}
 
+	@PostConstruct
+	public void initStore() {
+		tagStore.setServiceStore(svcStore);
+		delegateAdminOptions = getDelegatedAdminPolicyEngineOptions();
+		policySearchAdminOptions = getPolicySearchRangerAdminPolicyEngineOptions();
+		defaultAdminOptions = getDefaultRangerAdminPolicyEngineOptions();
+	}
+
 	@POST
 	@Path("/definitions")
 	@Produces({ "application/json", "application/xml" })
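Review bot: `initStore()` mutates the shared `tagStore` bean from `ServiceREST`'s `@PostConstruct`, so `TagStore.getServiceStore()` returns null for anything that runs before this bean is initialized; the bean initialization order is not visible here, so either move `tagStore.setServiceStore(svcStore)` into `TagDBStore.initStore()` where the store could be injected directly, or document the ordering dependency with a comment on this method. The three `RangerPolicyEngineOptions` fields are written once here and read from request threads, yet they are neither `final` nor `volatile`, and an instance created through the public no-arg constructor outside the container leaves them null, which the engine lookups pass on unchecked.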
@@ -472,7 +486,130 @@ public class ServiceREST {
 		}
 		return ret;
 	}
-	
+
+	@GET
+	@Path("/policies/{serviceDefName}/for-resource")
+	@Produces({ "application/json", "application/xml" })
+	public List<RangerPolicy> getPoliciesForResource(@PathParam("serviceDefName") String serviceDefName,
+												  @DefaultValue("") @QueryParam("serviceName") String serviceName,
+												  @Context HttpServletRequest request) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
+		}
+
+		List<RangerPolicy> ret = new ArrayList<>();
+
+		List<RangerService> services = new ArrayList<>();
+		Map<String, String> resource = new HashMap<>();
+
+		String validationMessage = validateResourcePoliciesRequest(serviceDefName, serviceName, request, services, resource);
+
+		if (StringUtils.isNotEmpty(validationMessage)) {
+			LOG.error("Invalid request: [" + validationMessage + "]");
+			throw restErrorUtil.createRESTException(validationMessage,
+					MessageEnums.INVALID_INPUT_DATA);
+		} else {
+			RangerService service = services.get(0);
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("getServicePolicies with service-name=" + service.getName());
+			}
+
+			RangerPolicyEngine engine = null;
+
+			try {
+				engine = getPolicySearchPolicyEngine(service.getName());
+			} catch (Exception e) {
+				LOG.error("Cannot initialize Policy-Engine", e);
+				throw restErrorUtil.createRESTException("Cannot initialize Policy Engine",
+						MessageEnums.ERROR_SYSTEM);
+			}
+
+			if (engine != null) {
+				ret = engine.getMatchingPolicies(new RangerAccessResourceImpl(resource));
+			}
+
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== ServiceREST.getPoliciesForResource(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret.toString());
+		}
+		return ret;
+	}
+
+	private String validateResourcePoliciesRequest(String serviceDefName, String serviceName, HttpServletRequest request, List<RangerService> services, Map<String, String> resource) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> ServiceREST.validatePoliciesForResourceRequest(service-type=" + serviceDefName + ", service-name=" + serviceName + ")");
+		}
+		final String ret;
+
+		if (MapUtils.isNotEmpty(request.getParameterMap())) {
+			for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
+				String name = e.getKey();
+				String[] values = e.getValue();
+
+				if (!StringUtils.isEmpty(name) && !ArrayUtils.isEmpty(values)
+						&& name.startsWith(SearchFilter.RESOURCE_PREFIX)) {
+					resource.put(name.substring(SearchFilter.RESOURCE_PREFIX.length()), values[0]);
+				}
+			}
+		}
+		if (MapUtils.isEmpty(resource)) {
+			ret = "No resource specified";
+		} else {
+			RangerServiceDef serviceDef = null;
+			try {
+				serviceDef = svcStore.getServiceDefByName(serviceDefName);
+			} catch (Exception e) {
+				LOG.error("Invalid service-type:[" + serviceDefName + "]", e);
+			}
+			if (serviceDef == null) {
+				ret = "Invalid service-type:[" + serviceDefName + "]";
+			} else {
+				Set<String> resourceDefNames = resource.keySet();
+				RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef);
+				Set<List<RangerServiceDef.RangerResourceDef>> resourceHierarchies = serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS, resourceDefNames);
+				if (CollectionUtils.isEmpty(resourceHierarchies)) {
+					ret = "Invalid resource specified: resource-names:" + resourceDefNames +" are not part of any valid resource hierarchy for service-type:[" + serviceDefName + "]";
+				} else {
+					if (StringUtils.isNotBlank(serviceName)) {
+						RangerService service = null;
+						try {
+							service = svcStore.getServiceByName(serviceName);
+						} catch (Exception e) {
+							LOG.error("Invalid service-name:[" + serviceName + "]");
+						}
+						if (service == null || !StringUtils.equals(service.getType(), serviceDefName)) {
+							ret = "Invalid service-name:[" + serviceName + "] or service-name is not of service-type:[" + serviceDefName + "]";
+						} else {
+							services.add(service);
+							ret = StringUtils.EMPTY;
+						}
+					} else {
+						SearchFilter filter = new SearchFilter();
+						filter.setParam(SearchFilter.SERVICE_TYPE, serviceDefName);
+						List<RangerService> serviceList = null;
+						try {
+							serviceList = svcStore.getServices(filter);
+						} catch (Exception e) {
+							LOG.error("Cannot find service of service-type:[" + serviceDefName + "]");
+						}
+						if (CollectionUtils.isEmpty(serviceList) || serviceList.size() != 1) {
+							ret = "Either 0 or more than 1 services found for service-type :[" + serviceDefName + "]";
+						} else {
+							services.add(serviceList.get(0));
+							ret = StringUtils.EMPTY;
+						}
+					}
+				}
+			}
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== ServiceREST.validatePoliciesForResourceRequest(service-type=" + serviceDefName + ", service-name=" + serviceName + ") : " + ret);
+		}
+		return ret;
+	}
+
 	@POST
 	@Path("/services")
 	@Produces({ "application/json", "application/xml" })
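Review bot: `getPoliciesForResource` returns `engine.getMatchingPolicies(...)` to the caller with no visible authorization check or per-user visibility filtering, unlike the other policy-listing endpoints of this class (their filtering is outside this hunk, so confirm); if nothing upstream restricts the route, any authenticated caller could enumerate every policy that applies to an arbitrary resource in any service, so the result should pass through the same admin/visibility filter the existing listing paths use, or the endpoint should be limited to administrators. In `validateResourcePoliciesRequest`, the two `catch (Exception e)` blocks around the service-name and service-list lookups log without the exception; `LOG.error("Invalid service-name:[" + serviceName + "]", e);` keeps the cause. The debug messages there name `validatePoliciesForResourceRequest` while the method is `validateResourcePoliciesRequest`; align one with the other. Only `values[0]` of each resource parameter is used, so a comment like `// only the first value of a repeated resource parameter is honoured` would document the choice.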
@@ -2821,6 +2958,34 @@ public class ServiceREST {
 		}
 	}
 
+	private RangerPolicyEngineOptions getDelegatedAdminPolicyEngineOptions() {
+		RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
+
+		final String propertyPrefix = "ranger.admin";
+
+		opts.configureDelegateAdmin(RangerConfiguration.getInstance(), propertyPrefix);
+
+		return opts;
+	}
+
+	private RangerPolicyEngineOptions getPolicySearchRangerAdminPolicyEngineOptions() {
+		RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
+
+		final String propertyPrefix = "ranger.admin";
+
+		opts.configureRangerAdminForPolicySearch(RangerConfiguration.getInstance(), propertyPrefix);
+		return opts;
+	}
+
+	private RangerPolicyEngineOptions getDefaultRangerAdminPolicyEngineOptions() {
+		RangerPolicyEngineOptions opts = new RangerPolicyEngineOptions();
+
+		final String propertyPrefix = "ranger.admin";
+
+		opts.configureDefaultRangerAdmin(RangerConfiguration.getInstance(), propertyPrefix);
+		return opts;
+	}
+
 	private boolean hasAdminAccess(String serviceName, String userName, Set<String> userGroups, Map<String, RangerPolicyResource> resources) {
 		boolean isAllowed = false;
 
@@ -2846,40 +3011,18 @@ public class ServiceREST {
 	}
 
 	private RangerPolicyEngine getDelegatedAdminPolicyEngine(String serviceName) {
-		if(RangerPolicyEngineCache.getInstance().getPolicyEngineOptions() == null) {
-			RangerPolicyEngineOptions options = new RangerPolicyEngineOptions();
-
-			String propertyPrefix = "ranger.admin";
-
-			options.evaluatorType           = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
-			options.cacheAuditResults       = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
-			options.disableContextEnrichers = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
-			options.disableCustomConditions = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
-			options.evaluateDelegateAdminOnly = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.evaluate.delegateadmin.only", true);
-
-			RangerPolicyEngineCache.getInstance().setPolicyEngineOptions(options);
-		}
-
-		RangerPolicyEngine ret = RangerPolicyEngineCache.getInstance().getPolicyEngine(serviceName, svcStore);
+		return RangerPolicyEngineCacheForEngineOptions.getInstance().getPolicyEngine(serviceName, svcStore, delegateAdminOptions);
+	}
 
-		return ret;
+	private RangerPolicyEngine getPolicySearchPolicyEngine(String serviceName) throws Exception {
+		return RangerPolicyEngineCacheForEngineOptions.getInstance().getPolicyEngine(serviceName, svcStore, policySearchAdminOptions);
 	}
 
 	private RangerPolicyEngine getPolicyEngine(String serviceName) throws Exception {
-		RangerPolicyEngineOptions options = new RangerPolicyEngineOptions();
-
-		String propertyPrefix = "ranger.admin";
-
-		options.evaluatorType             = RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED;
-		options.cacheAuditResults         = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.cache.audit.results", false);
-		options.disableContextEnrichers   = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.context.enrichers", true);
-		options.disableCustomConditions   = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.custom.conditions", true);
-		options.evaluateDelegateAdminOnly = false;
-		options.disableTrieLookupPrefilter = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".policyengine.option.disable.trie.lookup.prefilter", false);
 
 		ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, -1L);
 
-		RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, options);
+		RangerPolicyEngine ret = new RangerPolicyEngineImpl("ranger-admin", policies, defaultAdminOptions);
 
 		return ret;
 	}
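Review bot: `getPolicyEngine` now opens with a stray blank line left over from the removed option setup; drop it. `getPolicySearchPolicyEngine` declares `throws Exception` while the identical cache call in `getDelegatedAdminPolicyEngine` does not, so either the clause is misleading or the latter method is hiding a checked exception; make the two consistent. The removed lazy-initialization fallback is gone and all three methods now rely on the options fields populated in `@PostConstruct`, so a comment at the first use of `delegateAdminOptions`, e.g. `// options are populated in initStore(); this method must not run before container initialization`, would record the new precondition.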

