ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ab...@apache.org
Subject [1/2] ranger git commit: RANGER-1962: Simplify Ranger API for reporting results of access authorization
Date Wed, 24 Jan 2018 21:08:41 GMT
Repository: ranger
Updated Branches:
  refs/heads/master c57afe812 -> 796883617


http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index cbad651..8051ec3 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -36,8 +36,6 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
 import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -45,10 +43,8 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
-import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
 import org.apache.ranger.plugin.policyengine.RangerTagAccessRequest;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
@@ -193,7 +189,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 					}
 					if (!result.getIsAccessDetermined()) {
 						if (hasMatchablePolicyItem(request)) {
-							evaluatePolicyItems(request, result, matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT);
+							evaluatePolicyItems(request, matchType, result);
 						}
 					}
 				}
@@ -208,104 +204,6 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
     }
 
 	@Override
-	public void evaluate(RangerAccessRequest request, RangerDataMaskResult result) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
-		}
-
-		RangerPerfTracer perf = null;
-
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")");
-		}
-
-		if (request != null && result != null && CollectionUtils.isNotEmpty(dataMaskEvaluators)) {
-
-			if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) {
-				RangerPolicyResourceMatcher.MatchType matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
-
-				final boolean isMatched;
-				if (request.isAccessTypeAny()) {
-					isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
-				} else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-					isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;
-				} else {
-					isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
-				}
-
-				if (isMatched) {
-					if (!result.getIsAuditedDetermined()) {
-						if (isAuditEnabled()) {
-							result.setIsAudited(true);
-							result.setAuditPolicyId(getPolicy().getId());
-						}
-					}
-					if (!result.getIsAccessDetermined()) {
-						if (hasMatchablePolicyItem(request)) {
-							evaluatePolicyItems(request, result);
-						}
-					}
-				}
-			}
-
-		}
-
-		RangerPerfTracer.log(perf);
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
-		}
-	}
-
-	@Override
-	public void evaluate(RangerAccessRequest request, RangerRowFilterResult result) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
-		}
-
-		RangerPerfTracer perf = null;
-
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_REQUEST_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_REQUEST_LOG, "RangerPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")");
-		}
-
-		if (request != null && result != null && CollectionUtils.isNotEmpty(rowFilterEvaluators)) {
-			if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) {
-				RangerPolicyResourceMatcher.MatchType matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
-
-				final boolean isMatched;
-				if (request.isAccessTypeAny()) {
-					isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
-				} else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-					isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;
-				} else {
-					isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
-				}
-
-				if (isMatched) {
-					if (!result.getIsAuditedDetermined()) {
-						if (isAuditEnabled()) {
-							result.setIsAudited(true);
-							result.setAuditPolicyId(getPolicy().getId());
-						}
-					}
-					if (!result.getIsAccessDetermined()) {
-						if (hasMatchablePolicyItem(request)) {
-							evaluatePolicyItems(request, result);
-						}
-					}
-				}
-			}
-		}
-
-		RangerPerfTracer.log(perf);
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
-		}
-	}
-
-	@Override
 	public boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerDefaultPolicyEvaluator.isMatch(" + resource + ", " + evalContext + ")");
@@ -463,86 +361,19 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		}
 	}
 
-
-	protected void evaluatePolicyItems(RangerAccessRequest request, RangerAccessResult result, boolean isResourceMatch) {
+	protected void evaluatePolicyItems(RangerAccessRequest request, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
+			LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
 		}
 
-		RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators);
-
-		if(matchedPolicyItem == null && !result.getIsAllowed()) { // if not denied, evaluate allowItems only if not already allowed
-			matchedPolicyItem = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators);
-		}
+		RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, result);
 
 		if(matchedPolicyItem != null) {
-			RangerPolicy policy = getPolicy();
-
-			if(matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
-				if(isResourceMatch) {
-					result.setIsAllowed(false);
-					result.setPolicyId(policy.getId());
-					result.setReason(matchedPolicyItem.getComments());
-				}
-			} else {
-				if(! result.getIsAllowed()) { // if access is not yet allowed by another policy
-					result.setIsAllowed(true);
-					result.setPolicyId(policy.getId());
-					result.setReason(matchedPolicyItem.getComments());
-				}
-			}
-		}
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
-		}
-	}
-
-	protected void evaluatePolicyItems(RangerAccessRequest request, RangerDataMaskResult result) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ")");
-		}
-
-		RangerDataMaskPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, dataMaskEvaluators);
-		RangerPolicyItemDataMaskInfo      dataMaskInfo      = matchedPolicyItem != null ? matchedPolicyItem.getDataMaskInfo() : null;
-
-		if(dataMaskInfo != null) {
-			RangerPolicy policy = getPolicy();
-
-			result.setIsAllowed(true);
-			result.setIsAccessDetermined(true);
-
-			result.setMaskType(dataMaskInfo.getDataMaskType());
-			result.setMaskCondition(dataMaskInfo.getConditionExpr());
-			result.setMaskedValue(dataMaskInfo.getValueExpr());
-			result.setPolicyId(policy.getId());
+			matchedPolicyItem.updateAccessResult(result, matchType, getPolicy().getId());
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + ")");
-		}
-	}
-
-	protected void evaluatePolicyItems(RangerAccessRequest request, RangerRowFilterResult result) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ")");
-		}
-
-		RangerRowFilterPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, rowFilterEvaluators);
-		RangerPolicyItemRowFilterInfo      rowFilterInfo     = matchedPolicyItem != null ? matchedPolicyItem.getRowFilterInfo() : null;
-
-		if(rowFilterInfo != null) {
-			RangerPolicy policy = getPolicy();
-
-			result.setIsAllowed(true);
-			result.setIsAccessDetermined(true);
-
-			result.setFilterExpr(rowFilterInfo.getFilterExpr());
-			result.setPolicyId(policy.getId());
-		}
-
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + ")");
+			LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + matchType + ")");
 		}
 	}
 
@@ -851,6 +682,38 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		return ret;
 	}
 
+	protected RangerPolicyItemEvaluator getMatchingPolicyItem(RangerAccessRequest request, RangerAccessResult result) {
+		RangerPolicyItemEvaluator ret = null;
+
+		Integer policyType = getPolicy().getPolicyType();
+		if (policyType == null) {
+			policyType = RangerPolicy.POLICY_TYPE_ACCESS;
+		}
+
+		switch (policyType) {
+			case RangerPolicy.POLICY_TYPE_ACCESS: {
+				ret = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators);
+
+				if(ret == null && !result.getIsAllowed()) { // if not denied, evaluate allowItems only if not already allowed
+					ret = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators);
+				}
+				break;
+			}
+			case RangerPolicy.POLICY_TYPE_DATAMASK: {
+				ret = getMatchingPolicyItem(request, dataMaskEvaluators);
+				break;
+			}
+			case RangerPolicy.POLICY_TYPE_ROWFILTER: {
+				ret = getMatchingPolicyItem(request, rowFilterEvaluators);
+				break;
+			}
+			default:
+				break;
+		}
+
+		return ret;
+	}
+
 	protected <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(RangerAccessRequest request, List<T> evaluators) {
 		T ret = getMatchingPolicyItem(request, evaluators, null);
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index c763cb5..9564565 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -38,8 +38,10 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 
 
@@ -347,6 +349,22 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
 		return ret;
 	}
 
+	@Override
+	public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, Long policyId) {
+		if(getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
+			if(matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT) {
+				result.setIsAllowed(false);
+				result.setPolicyId(policyId);
+				result.setReason(getComments());
+			}
+		} else {
+			if(! result.getIsAllowed()) { // if access is not yet allowed by another policy
+				result.setIsAllowed(true);
+				result.setPolicyId(policyId);
+				result.setReason(getComments());
+			}
+		}
+	}
 	RangerPolicyConditionDef getConditionDef(String conditionName) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerDefaultPolicyItemEvaluator.getConditionDef(" + conditionName + ")");

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index 365661b..cacae5a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -23,7 +23,9 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 
 
 public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPolicyItemEvaluator implements RangerRowFilterPolicyItemEvaluator {
@@ -39,4 +41,17 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli
 	public RangerPolicyItemRowFilterInfo getRowFilterInfo() {
 		return rowFilterPolicyItem == null ? null : rowFilterPolicyItem.getRowFilterInfo();
 	}
+
+	@Override
+	public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, Long policyId) {
+		RangerPolicyItemRowFilterInfo rowFilterInfo = getRowFilterInfo();
+
+		if (rowFilterInfo != null) {
+			result.setIsAllowed(true);
+			result.setIsAccessDetermined(true);
+
+			result.setFilterExpr(rowFilterInfo.getFilterExpr());
+			result.setPolicyId(policyId);
+		}
+	}
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 7165594..7a890b8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -31,10 +31,8 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
-import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
-import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceEvaluator;
 
 
@@ -71,10 +69,6 @@ public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
 
 	void evaluate(RangerAccessRequest request, RangerAccessResult result);
 
-	void evaluate(RangerAccessRequest request, RangerDataMaskResult result);
-
-	void evaluate(RangerAccessRequest request, RangerRowFilterResult result);
-
 	boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext);
 
 	boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext);

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
index edbde29..e486403 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
@@ -26,6 +26,8 @@ import java.util.Set;
 import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
 
 public interface RangerPolicyItemEvaluator {
 	int POLICY_ITEM_TYPE_ALLOW            = 0;
@@ -63,4 +65,6 @@ public interface RangerPolicyItemEvaluator {
 			return Integer.compare(me.getEvalOrder(), other.getEvalOrder());
 		}
 	}
+	void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, Long policyId);
+
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 4d3731b..aad7834 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -39,12 +39,10 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
-import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.policyengine.RangerResourceAccessInfo;
-import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.PolicyRefresher;
@@ -253,7 +251,7 @@ public class RangerBasePlugin {
 		if(policyEngine != null) {
 			policyEngine.preProcess(request);
 
-			return policyEngine.isAccessAllowed(request, resultProcessor);
+			return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
 		}
 
 		return null;
@@ -265,31 +263,31 @@ public class RangerBasePlugin {
 		if(policyEngine != null) {
 			policyEngine.preProcess(requests);
 
-			return policyEngine.isAccessAllowed(requests, resultProcessor);
+			return policyEngine.evaluatePolicies(requests, RangerPolicy.POLICY_TYPE_ACCESS, resultProcessor);
 		}
 
 		return null;
 	}
 
-	public RangerDataMaskResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
+	public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
 		RangerPolicyEngine policyEngine = this.policyEngine;
 
 		if(policyEngine != null) {
 			policyEngine.preProcess(request);
 
-			return policyEngine.evalDataMaskPolicies(request, resultProcessor);
+			return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, resultProcessor);
 		}
 
 		return null;
 	}
 
-	public RangerRowFilterResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
+	public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor) {
 		RangerPolicyEngine policyEngine = this.policyEngine;
 
 		if(policyEngine != null) {
 			policyEngine.preProcess(request);
 
-			return policyEngine.evalRowFilterPolicies(request, resultProcessor);
+			return policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, resultProcessor);
 		}
 
 		return null;

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 9b4e3b9..b476ed7 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -427,7 +427,7 @@ public class TestPolicyEngine {
 
 			if(test.result != null) {
 				RangerAccessResult expected = test.result;
-				RangerAccessResult result   = policyEngine.isAccessAllowed(request, auditHandler);
+				RangerAccessResult result   = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler);
 
 				assertNotNull("result was null! - " + test.name, result);
 				assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed());
@@ -436,8 +436,8 @@ public class TestPolicyEngine {
 			}
 
 			if(test.dataMaskResult != null) {
-				RangerDataMaskResult expected = test.dataMaskResult;
-				RangerDataMaskResult result   = policyEngine.evalDataMaskPolicies(request, auditHandler);
+				RangerAccessResult expected = test.dataMaskResult;
+				RangerAccessResult result   = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler);
 
 				assertNotNull("result was null! - " + test.name, result);
 				assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType());
@@ -447,8 +447,8 @@ public class TestPolicyEngine {
 			}
 
 			if(test.rowFilterResult != null) {
-				RangerRowFilterResult expected = test.rowFilterResult;
-				RangerRowFilterResult result   = policyEngine.evalRowFilterPolicies(request, auditHandler);
+				RangerAccessResult expected = test.rowFilterResult;
+				RangerAccessResult result   = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler);
 
 				assertNotNull("result was null! - " + test.name, result);
 				assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr());
@@ -480,8 +480,8 @@ public class TestPolicyEngine {
 			public String              name;
 			public RangerAccessRequest request;
 			public RangerAccessResult  result;
-			public RangerDataMaskResult  dataMaskResult;
-			public RangerRowFilterResult rowFilterResult;
+			public RangerAccessResult  dataMaskResult;
+			public RangerAccessResult rowFilterResult;
 			public RangerResourceAccessInfo resourceAccessInfo;
 		}
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json
index d3e0c25..e6dbb4d 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive_mask_filter.json
@@ -131,112 +131,112 @@
         "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}},
         "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1"
       },
-      "dataMaskResult":{"maskType":"MASK","maskCondition":null,"maskValue":null,"policyId":101}
+      "dataMaskResult":{"additionalInfo": {"maskType":"MASK","maskCondition":null,"maskValue":null},"policyId":101}
     },
     {"name":"'select ssn from employee.personal;' for user2 - maskType=SHUFFLE",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}},
         "accessType":"select","user":"user2","userGroups":[],"requestData":"select ssn from employee.personal;' for user2"
       },
-      "dataMaskResult":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null,"policyId":101}
+      "dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":101}
     },
     {"name":"'select ssn from employee.personal;' for user3 - no-mask",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}},
         "accessType":"select","user":"user3","userGroups":[],"requestData":"select ssn from employee.personal;' for user3"
       },
-      "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1}
+      "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1}
     },
     {"name":"'select name from employee.personal;' for user1 - no-mask",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal", "column":"name"}},
         "accessType":"select","user":"user1","userGroups":[],"requestData":"select name from employee.personal;' for user1"
       },
-      "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1}
+      "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1}
     },
     {"name":"'select date_of_birth from hr.employee;' for user1 - maskType=MASK",
       "request":{
         "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth"}},
         "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user1"
       },
-      "dataMaskResult":{"maskType":"MASK","maskCondition":null,"maskValue":null,"policyId":102}
+      "dataMaskResult":{"additionalInfo":{"maskType":"MASK","maskCondition":null,"maskValue":null},"policyId":102}
     },
     {"name":"'select date_of_birth from hr.employee;' for user2 - maskType=SHUFFLE",
       "request":{
         "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth"}},
         "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr.employee2;' for user2"
       },
-      "dataMaskResult":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null,"policyId":102}
+      "dataMaskResult":{"additionalInfo":{"maskType":"SHUFFLE","maskCondition":null,"maskValue":null},"policyId":102}
     },
     {"name":"'select date_of_birth1 from hr.employee;' for user1 - no-mask",
       "request":{
         "resource":{"elements":{"database":"hr", "table":"employee", "column":"date_of_birth1"}},
         "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth1 from hr.employee;' for user1"
       },
-      "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1}
+      "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1}
     },
     {"name":"'select date_of_birth from hr2.employee2;' for user2 - no-mask",
       "request":{
         "resource":{"elements":{"database":"hr2", "table":"employee2", "column":"date_of_birth"}},
         "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr2.employee2;' for user2"
       },
-      "dataMaskResult":{"maskType":null,"maskCondition":null,"maskValue":null,"policyId":-1}
+      "dataMaskResult":{"additionalInfo":{"maskType":null,"maskCondition":null,"maskValue":null},"policyId":-1}
     },
     {"name":"'select ssn from employee.personal;' for user1 - filterExpr=location='US'",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal"}},
         "accessType":"select","user":"user1","userGroups":[],"requestData":"select ssn from employee.personal;' for user1"
       },
-      "rowFilterResult":{"filterExpr":"location='US'","policyId":201}
+      "rowFilterResult":{"additionalInfo":{"filterExpr":"location='US'"},"policyId":201}
     },
     {"name":"'select ssn from employee.personal;' for user2 - filterExpr=location='CA'",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal"}},
         "accessType":"select","user":"user2","userGroups":[],"requestData":"select ssn from employee.personal;' for user2"
       },
-      "rowFilterResult":{"filterExpr":"location='CA'","policyId":201}
+      "rowFilterResult":{"additionalInfo":{"filterExpr":"location='CA'"},"policyId":201}
     },
     {"name":"'select ssn from employee.personal;' for user3 - no-filter",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal"}},
         "accessType":"select","user":"user3","userGroups":[],"requestData":"select ssn from employee.personal;' for user3"
       },
-      "rowFilterResult":{"filterExpr":null,"policyId":-1}
+      "rowFilterResult":{"additionalInfo":{"filterExpr":null},"policyId":-1}
     },
     {"name":"'select name from employee.personal;' for group3 - no-filter",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal"}},
         "accessType":"select","user":"user5","userGroups":["group3"],"requestData":"select name from employee.personal;' for user5/group3"
       },
-      "rowFilterResult":{"filterExpr":null,"policyId":-1}
+      "rowFilterResult":{"additionalInfo":{"filterExpr":null},"policyId":-1}
     },
     {"name":"'select date_of_birth from hr.employee;' for user1 - filterExpr=dept='production'",
       "request":{
         "resource":{"elements":{"database":"hr", "table":"employee"}},
         "accessType":"select","user":"user1","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user1"
       },
-      "rowFilterResult":{"filterExpr":"dept='production'","policyId":202}
+      "rowFilterResult":{"additionalInfo":{"filterExpr":"dept='production'"},"policyId":202}
     },
     {"name":"'select date_of_birth from hr.employee;' for user2 - filterExpr=dept='purchase'",
       "request":{
         "resource":{"elements":{"database":"hr", "table":"employee"}},
         "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr.employee2;' for user2"
       },
-      "rowFilterResult":{"filterExpr":"dept='purchase'","policyId":202}
+      "rowFilterResult":{"additionalInfo":{"filterExpr":"dept='purchase'"},"policyId":202}
     },
     {"name":"'select date_of_birth from hr.employee;' for user3 - no-filter",
       "request":{
         "resource":{"elements":{"database":"hr", "table":"employee"}},
         "accessType":"select","user":"user3","userGroups":[],"requestData":"select date_of_birth from hr.employee;' for user3"
       },
-      "rowFilterResult":{"filterExpr":null,"policyId":-1}
+      "rowFilterResult":{"additionalInfo":{"filterExpr":null},"policyId":-1}
     },
     {"name":"'select date_of_birth from hr2.employee2;' for user2 - no-mask",
       "request":{
         "resource":{"elements":{"database":"hr2", "table":"employee2"}},
         "accessType":"select","user":"user2","userGroups":[],"requestData":"select date_of_birth from hr2.employee2;' for user2"
       },
-      "rowFilterResult":{"filterExpr":null,"policyId":-1}
+      "rowFilterResult":{"additionalInfo":{"filterExpr":null},"policyId":-1}
     }
   ]
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index 6b2863a..73fe540 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -283,7 +283,7 @@
       },
       "result":{"isAudited":true,"isAllowed":true,"policyId":2}
     },
-    {"name":"ALLOW 'desc default.table1;' for hive using PII, PII-FINAL tags",
+    {"name":"DENY 'desc default.table1;' for hive using PII, PII-FINAL tags",
       "request":{
         "resource":{"elements":{"database":"default", "table":"table1"}},
         "accessType":"","user":"hive","userGroups":[],"requestData":"desc default.table1;' for hive"

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 89bc0d8..ac35d77 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -28,8 +28,6 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
-import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
 
 import com.google.common.collect.Lists;
 
@@ -68,25 +66,21 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 	}
 	
 	AuthzAuditEvent createAuditEvent(RangerAccessResult result) {
+
+		AuthzAuditEvent ret = null;
+
 		RangerAccessRequest  request  = result.getAccessRequest();
 		RangerAccessResource resource = request.getResource();
 		String               resourcePath = resource != null ? resource.getAsString() : null;
+		int                  policyType = result.getPolicyType();
 
-		String accessType = null;
-
-		if(result instanceof RangerDataMaskResult) {
-			accessType = ((RangerDataMaskResult)result).getMaskType();
-
-			if(StringUtils.equals(accessType, RangerPolicy.MASK_TYPE_NONE)) {
-				return null;
-			}
-
-			return createAuditEvent(result, accessType, resourcePath);
-		} else if(result instanceof RangerRowFilterResult) {
-			accessType = ACCESS_TYPE_ROWFILTER;
-
-			return createAuditEvent(result, accessType, resourcePath);
+		if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK && result.isMaskEnabled()) {
+		    ret = createAuditEvent(result, result.getMaskType(), resourcePath);
+        } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
+            ret = createAuditEvent(result, ACCESS_TYPE_ROWFILTER, resourcePath);
 		} else {
+			String accessType = null;
+
 			if (request instanceof RangerHiveAccessRequest) {
 				RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) request;
 
@@ -97,8 +91,10 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 				accessType = request.getAccessType();
 			}
 
-			return createAuditEvent(result, accessType, resourcePath);
+			ret = createAuditEvent(result, accessType, resourcePath);
 		}
+
+		return ret;
 	}
 
 	List<AuthzAuditEvent> createAuditEvents(Collection<RangerAccessResult> results) {

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index c131f02..fa84b13 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -66,8 +66,6 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
-import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
-import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
@@ -393,11 +391,11 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 					request.setHiveAccessType(HiveAccessType.SELECT); // filtering/masking policies are defined only for SELECT
 					request.setResource(tblResource);
 
-					RangerRowFilterResult rowFilterResult = getRowFilterResult(request);
+					RangerAccessResult rowFilterResult = getRowFilterResult(request);
 
 					if (isRowFilterEnabled(rowFilterResult)) {
 						if(result == null) {
-							result = new RangerAccessResult(rowFilterResult.getServiceName(), rowFilterResult.getServiceDef(), request);
+							result = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, rowFilterResult.getServiceName(), rowFilterResult.getServiceDef(), request);
 						}
 
 						result.setIsAllowed(false);
@@ -407,16 +405,16 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 						// check if masking is enabled for any column in the table/view
 						request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
 
-						RangerDataMaskResult dataMaskResult = getDataMaskResult(request);
+						RangerAccessResult dataMaskResult = getDataMaskResult(request);
 
 						if (isDataMaskEnabled(dataMaskResult)) {
 							if(result == null) {
-								result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
+								result = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
 							}
 
 							result.setIsAllowed(false);
 							result.setPolicyId(dataMaskResult.getPolicyId());
-							result.setReason("User does not have acces to unmasked column values");
+							result.setReason("User does not have access to unmasked column values");
 						}
 					}
 
@@ -622,12 +620,12 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		return true; // TODO: derive from the policies
 	}
 
-	private RangerDataMaskResult getDataMaskResult(RangerHiveAccessRequest request) {
+	private RangerAccessResult getDataMaskResult(RangerHiveAccessRequest request) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> getDataMaskResult(request=" + request + ")");
 		}
 
-		RangerDataMaskResult ret = hivePlugin.evalDataMaskPolicies(request, null);
+		RangerAccessResult ret = hivePlugin.evalDataMaskPolicies(request, null);
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== getDataMaskResult(request=" + request + "): ret=" + ret);
@@ -636,12 +634,12 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		return ret;
 	}
 
-	private RangerRowFilterResult getRowFilterResult(RangerHiveAccessRequest request) {
+	private RangerAccessResult getRowFilterResult(RangerHiveAccessRequest request) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> getRowFilterResult(request=" + request + ")");
 		}
 
-		RangerRowFilterResult ret = hivePlugin.evalRowFilterPolicies(request, null);
+		RangerAccessResult ret = hivePlugin.evalRowFilterPolicies(request, null);
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== getRowFilterResult(request=" + request + "): ret=" + ret);
@@ -650,11 +648,11 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		return ret;
 	}
 
-	private boolean isDataMaskEnabled(RangerDataMaskResult result) {
-		return result != null && result.isMaskEnabled() && !StringUtils.equalsIgnoreCase(result.getMaskType(), RangerPolicy.MASK_TYPE_NONE);
+	private boolean isDataMaskEnabled(RangerAccessResult result) {
+		return result != null && result.isMaskEnabled();
 	}
 
-	private boolean isRowFilterEnabled(RangerRowFilterResult result) {
+	private boolean isRowFilterEnabled(RangerAccessResult result) {
 		return result != null && result.isRowFilterEnabled() && StringUtils.isNotEmpty(result.getFilterExpr());
 	}
 
@@ -682,7 +680,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			RangerHiveResource      resource       = new RangerHiveResource(objectType, databaseName, tableOrViewName);
 			RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName);
 
-			RangerRowFilterResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
+			RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
 
 			if(isRowFilterEnabled(result)) {
 				ret = result.getFilterExpr();
@@ -723,7 +721,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 			RangerHiveResource      resource       = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
 			RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, clusterName);
 
-			RangerDataMaskResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
+			RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
 
 			ret = isDataMaskEnabled(result);
 

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
index 8d89794..590c1e7 100644
--- a/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
+++ b/ranger-tools/src/main/java/org/apache/ranger/policyengine/PerfTestEngine.java
@@ -23,6 +23,7 @@ import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.policyengine.*;
 import org.apache.ranger.plugin.util.ServicePolicies;
 
@@ -115,7 +116,7 @@ public class PerfTestEngine {
 
 			policyEvaluationEngine.preProcess(request);
 
-			ret = policyEvaluationEngine.isAccessAllowed(request, null);
+			ret = policyEvaluationEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null);
 
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("Executed request = {" + request + "}, result={" + ret + "}");

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
----------------------------------------------------------------------
diff --git a/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java b/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
index 6b3fa06..11af0a8 100644
--- a/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
+++ b/ranger-tools/src/test/java/org/apache/ranger/policyengine/RangerPolicyEnginePerformanceTest.java
@@ -32,7 +32,9 @@ import java.util.Set;
 import java.util.concurrent.CountDownLatch;
 
 import org.apache.commons.lang.text.StrSubstitutor;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
 import org.apache.ranger.plugin.util.PerfDataRecorder;
 import org.apache.ranger.plugin.util.PerfDataRecorder.PerfStatistic;
@@ -149,7 +151,7 @@ public class RangerPolicyEnginePerformanceTest {
 
 		for (int iterations = 0; iterations < WARM_UP__ITERATIONS; iterations++) {
 			// using return value of 'isAccessAllowed' with a cheap operation: System#identityHashCode so JIT wont remove it as dead code
-			System.identityHashCode(rangerPolicyEngine.isAccessAllowed(requests.get(iterations % concurrency), null)); 
+			System.identityHashCode(rangerPolicyEngine.evaluatePolicies(requests.get(iterations % concurrency), RangerPolicy.POLICY_TYPE_ACCESS, null));
 			PerfDataRecorder.clearStatistics();
 		}
 
@@ -159,7 +161,7 @@ public class RangerPolicyEnginePerformanceTest {
 			new Thread(new Runnable() {
 				@Override
 				public void run() {
-					System.identityHashCode(rangerPolicyEngine.isAccessAllowed(rangerAccessRequest, null));
+					System.identityHashCode(rangerPolicyEngine.evaluatePolicies(rangerAccessRequest, RangerPolicy.POLICY_TYPE_ACCESS, null));
 					latch.countDown();
 				}
 			}, String.format("Client #%s", i)).start();

http://git-wip-us.apache.org/repos/asf/ranger/blob/79688361/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 9d8f5d2..7aee433 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -2353,14 +2353,11 @@ public class ServiceDBStore extends AbstractServiceStore {
 
 		String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE);
 
-		List<Integer> policyTypes = new ArrayList<>();
+		int[] policyTypes = RangerPolicy.POLICY_TYPES;
 
 		if (StringUtils.isNotBlank(policyTypeStr)) {
-			policyTypes.add(Integer.parseInt(policyTypeStr));
-		} else {
-			policyTypes.add(RangerPolicy.POLICY_TYPE_ACCESS);
-			policyTypes.add(RangerPolicy.POLICY_TYPE_DATAMASK);
-			policyTypes.add(RangerPolicy.POLICY_TYPE_ROWFILTER);
+			policyTypes = new int[1];
+			policyTypes[0] = Integer.parseInt(policyTypeStr);
 		}
 
 		for (Integer policyType : policyTypes) {


Mime
View raw message